diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md index f58beeac0b..b38cf78717 100644 --- a/browsers/edge/about-microsoft-edge.md +++ b/browsers/edge/about-microsoft-edge.md @@ -1,6 +1,6 @@ --- title: Microsoft Edge system and language requirements -description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. +description: Overview information about Microsoft Edge, the default browser for Windows 10. This topic includes links to other Microsoft Edge topics. ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb ms.reviewer: manager: dansimp @@ -18,7 +18,7 @@ ms.date: 10/02/2018 # Microsoft Edge system and language requirements >Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile -Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools. +Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge lets you stay up-to-date through the Microsoft Store and to manage your enterprise through Group Policy or your mobile device management (MDM) tools. >[!IMPORTANT] @@ -29,136 +29,138 @@ Microsoft Edge is the new, default web browser for Windows 10, helping you to e Some of the components might also need additional system resources. Check the component's documentation for more information. -| Item | Minimum requirements | -| ------------------ | -------------------------------------------- | -| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) | -| Operating system |

**Note**
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=699266) topic. | -| Memory |

| -| Hard drive space | | -| DVD drive | DVD-ROM drive (if installing from a DVD-ROM) | -| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | -| Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver | -| Peripherals | Internet connection and a compatible pointing device | +| Item | Minimum requirements | +|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) | +| Operating system |

Note
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=699266) topic. | +| Memory |

| +| Hard drive space | | +| DVD drive | DVD-ROM drive (if installing from a DVD-ROM) | +| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | +| Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver | +| Peripherals | Internet connection and a compatible pointing device | + --- -  + ## Supported languages -Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/en-us/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. +Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/en-us/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. If the extension does not work after install, restart Microsoft Edge. If the extension still does not work, provide feedback through the Feedback Hub. 
-| Language | Country/Region | Code | -| ------------------------ | -------------- | ------ | -| Afrikaans (South Africa) | South Africa | af-ZA | -| Albanian (Albania) | Albania | sq-AL | -| Amharic | Ethiopia | am-ET | -| Arabic (Saudi Arabia) | Saudi Arabia | ar-SA | -| Armenian | Armenia | hy-AM | -| Assamese | India | as-IN | -| Azerbaijani (Latin, Azerbaijan) | Azerbaijan | az-Latn-AZ | -| Bangla (Bangladesh) | Bangladesh | bn-BD | -| Bangla (India) | India | bn-IN | -| Basque (Basque) | Spain | eu-ES | -| Belarusian (Belarus) | Belarus | be-BY | -| Bosnian (Latin) | Bosnia and Herzegovina | bs-Latn-BA | -| Bulgarian (Bulgaria) | Bulgaria | bg-BG | -| Catalan (Catalan) | Spain | ca-ES | -| Central Kurdish (Arabic) | Iraq | ku-Arab-IQ | -| Cherokee (Cherokee) | United States | chr-Cher-US | -| Chinese (Hong Kong SAR) | Hong Kong Special Administrative Region | zh-HK | -| Chinese (Simplified, China) | People's Republic of China | zh-CN | -| Chinese (Traditional, Taiwan) | Taiwan | zh-TW | -| Croatian (Croatia) | Croatia | hr-HR | -| Czech (Czech Republic) | Czech Republic | cs-CZ | -| Danish (Denmark) | Denmark | da-DK | -| Dari | Afghanistan | prs-AF | -| Dutch (Netherlands) | Netherlands | nl-NL | -| English (United Kingdom) | United Kingdom | en-GB | -| English (United States) | United States | en-US | -| Estonian (Estonia) | Estonia | et-EE | -| Filipino (Philippines) | Philippines | fil-PH | -| Finnish (Finland) | Finland | fi_FI | -| French (Canada) | Canada | fr-CA | -| French (France) | France | fr-FR | -| Galician (Galician) | Spain | gl-ES | -| Georgian | Georgia | ka-GE | -| German (Germany) | Germany | de-DE | -| Greek (Greece) | Greece | el-GR | -| Gujarati | India | gu-IN | -| Hausa (Latin, Nigeria) | Nigeria | ha-Latn-NG | -| Hebrew (Israel) | Israel | he-IL | -| Hindi (India) | India | hi-IN | -| Hungarian (Hungary) | Hungary | hu-HU | -| Icelandic | Iceland | is-IS | -| Igbo | Nigeria | ig-NG | -| Indonesian (Indonesia) | Indonesia | id-ID | -| 
Irish | Ireland | ga-IE | -| isiXhosa | South Africa | xh-ZA | -| isiZulu | South Africa | zu-ZA | -| Italian (Italy) | Italy | it-IT | -| Japanese (Japan) | Japan | ja-JP | -| Kannada | India | kn-IN | -| Kazakh (Kazakhstan) | Kazakhstan | kk-KZ | -| Khmer (Cambodia) | Cambodia | km-KH | -| K'iche' | Guatemala | quc-Latn-GT | -| Kinyarwanda | Rwanda | rw-RW | -| KiSwahili | Kenya, Tanzania | sw-KE | -| Konkani | India | kok-IN | -| Korean (Korea) | Korea | ko-KR | -| Kyrgyz | Kyrgyzstan | ky-KG | -| Lao (Laos) | Lao P.D.R. | lo-LA | -| Latvian (Latvia) | Latvia | lv-LV | -| Lithuanian (Lithuania) | Lithuania | lt-LT | -| Luxembourgish (Luxembourg) | Luxembourg | lb-LU | -| Macedonian (Former Yugoslav Republic of Macedonia) | Macedonia (FYROM) | mk-MK | -| Malay (Malaysia) | Malaysia, Brunei, and Singapore | ms-MY | -| Malayalam | India | ml-IN | -| Maltese | Malta | mt-MT | -| Maori | New Zealand | mi-NZ | -| Marathi | India | mr-IN | -| Mongolian (Cyrillic) | Mongolia | mn-MN | -| Nepali | Federal Democratic Republic of Nepal | ne-NP | -| Norwegian (Nynorsk) | Norway | nn-NO | -| Norwegian, Bokmål (Norway) | Norway | nb-NO | -| Odia | India | or-IN | -| Polish (Poland) | Poland | pl-PL | -| Portuguese (Brazil) | Brazil | pt-BR | -| Portuguese (Portugal) | Portugal | pt-PT | -| Punjabi | India | pa-IN | -| Punjabi (Arabic) | Pakistan | pa-Arab-PK | -| Quechua | Peru | quz-PE | -| Romanian (Romania) | Romania | ro-RO | -| Russian (Russia) | Russia | ru-RU | -| Scottish Gaelic | United Kingdom | gd-GB | -| Serbian (Cyrillic, Bosnia, and Herzegovina) | Bosnia and Herzegovina | sr-Cyrl-BA | -| Serbian (Cyrillic, Serbia) | Serbia | sr-Cyrl-RS | -| Serbian (Latin, Serbia) | Serbia | sr-Latn-RS | -| Sesotho sa Leboa | South Africa | nso-ZA | -| Setswana (South Africa) | South Africa and Botswana | tn-ZA | -| Sindhi (Arabic) | Pakistan | sd-Arab-PK | -| Sinhala | Sri Lanka | si-LK | -| Slovak (Slovakia) | Slovakia | sk-SK | -| Slovenian (Slovenia) | Slovenia | sl-SL | -| 
Spanish (Mexico) | Mexico | es-MX | -| Spanish (Spain, International Sort) | Spain | en-ES | -| Swedish (Sweden) | Sweden | sv-SE | -| Tajik (Cyrillic) | Tajikistan | tg-Cyrl-TJ | -| Tamil (India) | India and Sri Lanka | ta-IN | -| Tatar | Russia | tt-RU | -| Telugu | India | te-IN | -| Thai (Thailand) | Thailand | th-TH | -| Tigrinya (Ethiopia) | Ethiopia | ti-ET | -| Turkish (Turkey) | Turkey | tr-TR | -| Turkmen | Turkmenistan | tk-TM | -| Ukrainian (Ukraine) | Ukraine | uk-UA | -| Urdu | Pakistan | ur-PK | -| Uyghur | People's Republic of China | ug-CN | -| Uzbek (Latin, Uzbekistan) | Uzbekistan | uz-Latn-UZ | -| Valencian | Spain | ca-ES-valencia | -| Vietnamese | Vietnam | vi-VN | -| Welsh | United Kingdom | cy-GB | -| Wolof | Senegal | wo-SN | -| Yoruba | Nigeria | yo-NG | +| Language | Country/Region | Code | +|----------------------------------------------------|-----------------------------------------|----------------| +| Afrikaans (South Africa) | South Africa | af-ZA | +| Albanian (Albania) | Albania | sq-AL | +| Amharic | Ethiopia | am-ET | +| Arabic (Saudi Arabia) | Saudi Arabia | ar-SA | +| Armenian | Armenia | hy-AM | +| Assamese | India | as-IN | +| Azerbaijani (Latin, Azerbaijan) | Azerbaijan | az-Latn-AZ | +| Bangla (Bangladesh) | Bangladesh | bn-BD | +| Bangla (India) | India | bn-IN | +| Basque (Basque) | Spain | eu-ES | +| Belarusian (Belarus) | Belarus | be-BY | +| Bosnian (Latin) | Bosnia and Herzegovina | bs-Latn-BA | +| Bulgarian (Bulgaria) | Bulgaria | bg-BG | +| Catalan (Catalan) | Spain | ca-ES | +| Central Kurdish (Arabic) | Iraq | ku-Arab-IQ | +| Cherokee (Cherokee) | United States | chr-Cher-US | +| Chinese (Hong Kong SAR) | Hong Kong Special Administrative Region | zh-HK | +| Chinese (Simplified, China) | People's Republic of China | zh-CN | +| Chinese (Traditional, Taiwan) | Taiwan | zh-TW | +| Croatian (Croatia) | Croatia | hr-HR | +| Czech (Czech Republic) | Czech Republic | cs-CZ | +| Danish (Denmark) | Denmark | da-DK | +| 
Dari | Afghanistan | prs-AF | +| Dutch (Netherlands) | Netherlands | nl-NL | +| English (United Kingdom) | United Kingdom | en-GB | +| English (United States) | United States | en-US | +| Estonian (Estonia) | Estonia | et-EE | +| Filipino (Philippines) | Philippines | fil-PH | +| Finnish (Finland) | Finland | fi_FI | +| French (Canada) | Canada | fr-CA | +| French (France) | France | fr-FR | +| Galician (Galician) | Spain | gl-ES | +| Georgian | Georgia | ka-GE | +| German (Germany) | Germany | de-DE | +| Greek (Greece) | Greece | el-GR | +| Gujarati | India | gu-IN | +| Hausa (Latin, Nigeria) | Nigeria | ha-Latn-NG | +| Hebrew (Israel) | Israel | he-IL | +| Hindi (India) | India | hi-IN | +| Hungarian (Hungary) | Hungary | hu-HU | +| Icelandic | Iceland | is-IS | +| Igbo | Nigeria | ig-NG | +| Indonesian (Indonesia) | Indonesia | id-ID | +| Irish | Ireland | ga-IE | +| isiXhosa | South Africa | xh-ZA | +| isiZulu | South Africa | zu-ZA | +| Italian (Italy) | Italy | it-IT | +| Japanese (Japan) | Japan | ja-JP | +| Kannada | India | kn-IN | +| Kazakh (Kazakhstan) | Kazakhstan | kk-KZ | +| Khmer (Cambodia) | Cambodia | km-KH | +| K'iche' | Guatemala | quc-Latn-GT | +| Kinyarwanda | Rwanda | rw-RW | +| KiSwahili | Kenya, Tanzania | sw-KE | +| Konkani | India | kok-IN | +| Korean (Korea) | Korea | ko-KR | +| Kyrgyz | Kyrgyzstan | ky-KG | +| Lao (Laos) | Lao P.D.R. 
| lo-LA | +| Latvian (Latvia) | Latvia | lv-LV | +| Lithuanian (Lithuania) | Lithuania | lt-LT | +| Luxembourgish (Luxembourg) | Luxembourg | lb-LU | +| Macedonian (Former Yugoslav Republic of Macedonia) | Macedonia (FYROM) | mk-MK | +| Malay (Malaysia) | Malaysia, Brunei, and Singapore | ms-MY | +| Malayalam | India | ml-IN | +| Maltese | Malta | mt-MT | +| Maori | New Zealand | mi-NZ | +| Marathi | India | mr-IN | +| Mongolian (Cyrillic) | Mongolia | mn-MN | +| Nepali | Federal Democratic Republic of Nepal | ne-NP | +| Norwegian (Nynorsk) | Norway | nn-NO | +| Norwegian, Bokmål (Norway) | Norway | nb-NO | +| Odia | India | or-IN | +| Polish (Poland) | Poland | pl-PL | +| Portuguese (Brazil) | Brazil | pt-BR | +| Portuguese (Portugal) | Portugal | pt-PT | +| Punjabi | India | pa-IN | +| Punjabi (Arabic) | Pakistan | pa-Arab-PK | +| Quechua | Peru | quz-PE | +| Romanian (Romania) | Romania | ro-RO | +| Russian (Russia) | Russia | ru-RU | +| Scottish Gaelic | United Kingdom | gd-GB | +| Serbian (Cyrillic, Bosnia, and Herzegovina) | Bosnia and Herzegovina | sr-Cyrl-BA | +| Serbian (Cyrillic, Serbia) | Serbia | sr-Cyrl-RS | +| Serbian (Latin, Serbia) | Serbia | sr-Latn-RS | +| Sesotho sa Leboa | South Africa | nso-ZA | +| Setswana (South Africa) | South Africa and Botswana | tn-ZA | +| Sindhi (Arabic) | Pakistan | sd-Arab-PK | +| Sinhala | Sri Lanka | si-LK | +| Slovak (Slovakia) | Slovakia | sk-SK | +| Slovenian (Slovenia) | Slovenia | sl-SL | +| Spanish (Mexico) | Mexico | es-MX | +| Spanish (Spain, International Sort) | Spain | en-ES | +| Swedish (Sweden) | Sweden | sv-SE | +| Tajik (Cyrillic) | Tajikistan | tg-Cyrl-TJ | +| Tamil (India) | India and Sri Lanka | ta-IN | +| Tatar | Russia | tt-RU | +| Telugu | India | te-IN | +| Thai (Thailand) | Thailand | th-TH | +| Tigrinya (Ethiopia) | Ethiopia | ti-ET | +| Turkish (Turkey) | Turkey | tr-TR | +| Turkmen | Turkmenistan | tk-TM | +| Ukrainian (Ukraine) | Ukraine | uk-UA | +| Urdu | Pakistan | ur-PK | +| Uyghur | 
People's Republic of China | ug-CN | +| Uzbek (Latin, Uzbekistan) | Uzbekistan | uz-Latn-UZ | +| Valencian | Spain | ca-ES-valencia | +| Vietnamese | Vietnam | vi-VN | +| Welsh | United Kingdom | cy-GB | +| Wolof | Senegal | wo-SN | +| Yoruba | Nigeria | yo-NG | + --- diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 6fe890772a..888b51a3bc 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -17,8 +17,7 @@ ms.reviewer: Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. -# [2018](#tab/2018) - +#### [2018](#tab/2018/) ## October 2018 The Microsoft Edge team introduces new group policies and MDM settings for Microsoft Edge on Windows 10. The new policies let you enable/disable 
@@ -32,45 +31,45 @@ We have discontinued the **Configure Favorites** group policy, so use the [Provi -| **New or updated** | **Group Policy** | **Description** | -|------------|-----------------|--------------------| -| New | [Allow fullscreen mode](group-policies/browser-settings-management-gp.md#allow-fullscreen-mode) | [!INCLUDE [allow-fullscreen-mode-shortdesc](shortdesc/allow-fullscreen-mode-shortdesc.md)] | -| New | [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-prelaunch-shortdesc](shortdesc/allow-prelaunch-shortdesc.md)] | -| New | [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-tab-preloading-shortdesc](shortdesc/allow-tab-preloading-shortdesc.md)] | -| New | [Allow printing](group-policies/browser-settings-management-gp.md#allow-printing) | [!INCLUDE [allow-printing-shortdesc](shortdesc/allow-printing-shortdesc.md)] | -| New | [Allow Saving History](group-policies/browser-settings-management-gp.md#allow-saving-history) | [!INCLUDE [allow-saving-history-shortdesc](shortdesc/allow-saving-history-shortdesc.md)] | -| New | [Allow sideloading of Extensions](group-policies/extensions-management-gp.md#allow-sideloading-of-extensions) | [!INCLUDE [allow-sideloading-of-extensions-shortdesc](shortdesc/allow-sideloading-of-extensions-shortdesc.md)] | -| New | [Configure collection of browsing data for Microsoft 365 Analytics](group-policies/telemetry-management-gp.md#configure-collection-of-browsing-data-for-microsoft-365-analytics) | [!INCLUDE 
[configure-browser-telemetry-for-m365-analytics-shortdesc](shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] | -| New | [Configure Favorites Bar](group-policies/favorites-management-gp.md#configure-favorites-bar) | [!INCLUDE [configure-favorites-bar-shortdesc](shortdesc/configure-favorites-bar-shortdesc.md)] | -| New | [Configure Home Button](group-policies/home-button-gp.md#configure-home-button) | [!INCLUDE [configure-home-button-shortdesc](shortdesc/configure-home-button-shortdesc.md)] | -| New | [Configure kiosk mode](available-policies.md#configure-kiosk-mode) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] | -| New | [Configure kiosk reset after idle timeout](available-policies.md#configure-kiosk-reset-after-idle-timeout) |[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] | -| New | [Configure Open Microsoft Edge With](group-policies/start-pages-gp.md#configure-open-microsoft-edge-with) | [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] | -| New | [Prevent certificate error overrides](group-policies/security-privacy-management-gp.md#prevent-certificate-error-overrides) | [!INCLUDE [prevent-certificate-error-overrides-shortdesc](shortdesc/prevent-certificate-error-overrides-shortdesc.md)] | -| New | [Prevent users from turning on browser syncing](group-policies/sync-browser-settings-gp.md#prevent-users-from-turning-on-browser-syncing) | [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] | -| New | [Prevent turning off required extensions](group-policies/extensions-management-gp.md#prevent-turning-off-required-extensions) | [!INCLUDE [prevent-turning-off-required-extensions-shortdesc](shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] | -| New | [Set Home Button 
URL](group-policies/home-button-gp.md#set-home-button-url) | [!INCLUDE [set-home-button-url-shortdesc](shortdesc/set-home-button-url-shortdesc.md)] | -| New | [Set New Tab page URL](group-policies/new-tab-page-settings-gp.md#set-new-tab-page-url) | [!INCLUDE [set-new-tab-url-shortdesc](shortdesc/set-new-tab-url-shortdesc.md)] | -| Updated | [Show message when opening sites in Internet Explorer](group-policies/interoperability-enterprise-guidance-gp.md#show-message-when-opening-sites-in-internet-explorer) | [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] | -| New | [Unlock Home Button](group-policies/home-button-gp.md#unlock-home-button) | [!INCLUDE [unlock-home-button-shortdesc](shortdesc/unlock-home-button-shortdesc.md)] | - - -# [2017](#tab/2017) +| **New or updated** | **Group Policy** | **Description** | +|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------| +| New | [Allow fullscreen mode](group-policies/browser-settings-management-gp.md#allow-fullscreen-mode) | [!INCLUDE [allow-fullscreen-mode-shortdesc](shortdesc/allow-fullscreen-mode-shortdesc.md)] | +| New | [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-prelaunch-shortdesc](shortdesc/allow-prelaunch-shortdesc.md)] | +| New | [Allow Microsoft Edge to load the Start and New Tab page at Windows startup 
and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-tab-preloading-shortdesc](shortdesc/allow-tab-preloading-shortdesc.md)] | +| New | [Allow printing](group-policies/browser-settings-management-gp.md#allow-printing) | [!INCLUDE [allow-printing-shortdesc](shortdesc/allow-printing-shortdesc.md)] | +| New | [Allow Saving History](group-policies/browser-settings-management-gp.md#allow-saving-history) | [!INCLUDE [allow-saving-history-shortdesc](shortdesc/allow-saving-history-shortdesc.md)] | +| New | [Allow sideloading of Extensions](group-policies/extensions-management-gp.md#allow-sideloading-of-extensions) | [!INCLUDE [allow-sideloading-of-extensions-shortdesc](shortdesc/allow-sideloading-of-extensions-shortdesc.md)] | +| New | [Configure collection of browsing data for Microsoft 365 Analytics](group-policies/telemetry-management-gp.md#configure-collection-of-browsing-data-for-microsoft-365-analytics) | [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] | +| New | [Configure Favorites Bar](group-policies/favorites-management-gp.md#configure-favorites-bar) | [!INCLUDE [configure-favorites-bar-shortdesc](shortdesc/configure-favorites-bar-shortdesc.md)] | +| New | [Configure Home Button](group-policies/home-button-gp.md#configure-home-button) | [!INCLUDE [configure-home-button-shortdesc](shortdesc/configure-home-button-shortdesc.md)] | +| New | [Configure kiosk mode](available-policies.md#configure-kiosk-mode) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] | +| New | [Configure kiosk reset after idle timeout](available-policies.md#configure-kiosk-reset-after-idle-timeout) | [!INCLUDE 
[configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] | +| New | [Configure Open Microsoft Edge With](group-policies/start-pages-gp.md#configure-open-microsoft-edge-with) | [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] | +| New | [Prevent certificate error overrides](group-policies/security-privacy-management-gp.md#prevent-certificate-error-overrides) | [!INCLUDE [prevent-certificate-error-overrides-shortdesc](shortdesc/prevent-certificate-error-overrides-shortdesc.md)] | +| New | [Prevent users from turning on browser syncing](group-policies/sync-browser-settings-gp.md#prevent-users-from-turning-on-browser-syncing) | [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] | +| New | [Prevent turning off required extensions](group-policies/extensions-management-gp.md#prevent-turning-off-required-extensions) | [!INCLUDE [prevent-turning-off-required-extensions-shortdesc](shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] | +| New | [Set Home Button URL](group-policies/home-button-gp.md#set-home-button-url) | [!INCLUDE [set-home-button-url-shortdesc](shortdesc/set-home-button-url-shortdesc.md)] | +| New | [Set New Tab page URL](group-policies/new-tab-page-settings-gp.md#set-new-tab-page-url) | [!INCLUDE [set-new-tab-url-shortdesc](shortdesc/set-new-tab-url-shortdesc.md)] | +| Updated | [Show message when opening sites in Internet Explorer](group-policies/interoperability-enterprise-guidance-gp.md#show-message-when-opening-sites-in-internet-explorer) | [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] | +| New | [Unlock Home Button](group-policies/home-button-gp.md#unlock-home-button) | [!INCLUDE [unlock-home-button-shortdesc](shortdesc/unlock-home-button-shortdesc.md)] | +#### 
[2017](#tab/2017/) ## September 2017 + |New or changed topic | Description | |---------------------|-------------| |[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.md) | New | ## February 2017 + |New or changed topic | Description | |----------------------|-------------| |[Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](available-policies.md) |Added new Group Policy and MDM settings for the Windows Insider Program. Reformatted for easier readability outside of scrolling table. | -# [2016](#tab/2016) - +#### [2016](#tab/2016/) ## November 2016 + |New or changed topic | Description | |----------------------|-------------| |[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added the infographic image and a download link.| @@ -80,6 +79,7 @@ We have discontinued the **Configure Favorites** group policy, so use the [Provi |[Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md) |Added a link to the Microsoft Edge infographic, helping you to evaluate the potential impact of using Microsoft Edge in your organization. | ## July 2016 + |New or changed topic | Description | |----------------------|-------------| |[Microsoft Edge requirements and language support](hardware-and-software-requirements.md)| Updated to include a note about the Long Term Servicing Branch (LTSB). | @@ -88,6 +88,7 @@ We have discontinued the **Configure Favorites** group policy, so use the [Provi ## June 2016 + |New or changed topic | Description | |----------------------|-------------| |[Security enhancements for Microsoft Edge](security-enhancements-microsoft-edge.md) |New | 
@@ -98,4 +99,4 @@ We have discontinued the **Configure Favorites** group policy, so use the [Provi |----------------------|-------------| |[Available Policies for Microsoft Edge](available-policies.md) | Added new policies and the Supported versions column for Windows 10 Insider Preview. | ---- +* * * diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index 981615d98b..aecc8b6828 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json 
@@ -1,38 +1,45 @@ { "build": { - "content": - [ - { - "files": ["**/*.md","**/*.yml"], - "exclude": ["**/obj/**"] - } - ], + "content": [ + { + "files": [ + "**/*.md", + "**/*.yml" + ], + "exclude": [ + "**/obj/**" + ] + } + ], "resource": [ - { - "files": ["**/images/**"], - "exclude": ["**/obj/**"] - } + { + "files": [ + "**/images/**" + ], + "exclude": [ + "**/obj/**" + ] + } ], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json", - "ROBOTS": "INDEX, FOLLOW", - "ms.technology": "microsoft-edge", - "ms.topic": "article", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "Win.microsoft-edge", - "folder_relative_path_in_docset": "./" - } - } + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json", + "ROBOTS": "INDEX, FOLLOW", + "ms.technology": "microsoft-edge", + "ms.topic": "article", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.microsoft-edge", + "folder_relative_path_in_docset": "./" + } + } }, - "externalReference": [ - ], + "externalReference": [], "template": "op.html", "dest": "browsers/edge", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } diff --git a/browsers/edge/edge-technical-demos.md b/browsers/edge/edge-technical-demos.md index 7bcda6fb62..5e6a3bbd9f 100644 --- a/browsers/edge/edge-technical-demos.md +++ b/browsers/edge/edge-technical-demos.md 
@@ -29,10 +29,10 @@ Find out more about new and improved features of Microsoft Edge, and how you can Get a behind the scenes look at Microsoft Edge and the improvements we've made to make it faster and more efficient. -![VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es14] +> [!VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es14/player] ### Building a safer browser: Four guards to keep users safe Learn about our security strategy and how we use the Four Guards to keep your users safe while they browse the Internet. -![VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es03] +> [!VIDEO https://channel9.msdn.com/events/webplatformsummit/microsoft-edge-web-summit-2017/es03/player] diff --git a/browsers/edge/group-policies/security-privacy-management-gp.md b/browsers/edge/group-policies/security-privacy-management-gp.md index a01c5de255..d2322bf7dc 100644 --- a/browsers/edge/group-policies/security-privacy-management-gp.md +++ b/browsers/edge/group-policies/security-privacy-management-gp.md 
@@ -57,17 +57,18 @@ Another method thieves often use _hacking_ to attack a system through malformed Microsoft Edge addresses these threats to help make browsing the web a safer experience. -| Feature | Description | -|---|---| -| **[Windows Hello](https://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Microsoft Edge is the first browser to natively support Windows Hello to authenticate the user and the website with asymmetric cryptography technology, powered by early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](https://w3c.github.io/webauthn/). | -| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any sites that are thought to be a phishing site. SmartScreen also helps to defend against installing malicious software, drive-by attacks, or file downloads, even from trusted sites. Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software and may be hosted on trusted sites. | -| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically, and sends the data to Microsoft. The systems and tools in place include | -| **Microsoft EdgeHTML and modern web standards** | Microsoft Edge uses Microsoft EdgeHTML as the rendering engine. This engine focuses on modern standards letting web developers build and maintain a consistent site across all modern browsers. It also helps to defend against hacking through these security standards features:

**NOTE:** Both Microsoft Edge and Internet Explorer 11 support HSTS. | -| **Code integrity and image loading restrictions** | Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or injecting into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can’t load. | -| **Memory corruption mitigations** | Memory corruption attacks frequently happen to apps written in C or C++ don’t provide safety or buffer overflow protection. When an attacker provides malformed input to a program, the program’s memory becomes corrupt allowing the attacker to take control of the program. Although attackers have adapted and invented new ways to attack, we’ve responded with memory safety defenses, mitigating the most common forms of attack, including and especially [use-after-free (UAF)](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities. | -| **Memory Garbage Collector (MemGC) mitigation** | MemGC replaces Memory Protector and helps to protect the browser from UAF vulnerabilities. MemGC frees up memory from the programmer and automating it. Only freeing memory when the automation detects no references left pointing to a given block of memory. | -| **Control Flow Guard** | Attackers use memory corruption attacks to gain control of the CPU program counter to jump to any code location they want. Control Flow Guard, a Microsoft Visual Studio technology, compiles checks around code that performs indirect jumps based on a pointer. Those jumps get restricted to function entry points with known addresses only making attacker take-overs must more difficult constraining where an attack jumps. 
| -| **All web content runs in an app container sandbox** |Microsoft Edge takes the sandbox even farther, running its content processes in containers not just by default, but all of the time. Microsoft Edge doesn’t support 3rd party binary extensions, so there is no reason for it to run outside of the container, making Microsoft Edge more secure. | -| **Extension model and HTML5 support** |Microsoft Edge does not support binary extensions because they can bring code and data into the browser’s processes without any protection. So if anything goes wrong, the entire browser itself can be compromised or go down. We encourage everyone to use our scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). | -| **Reduced attack surfaces** |Microsoft Edge does not support VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Many IE browser vulnerabilities only appear in legacy document modes, so removing support reduced attack surface making the browser more secure.

It also means that it’s not as backward compatible. With this reduced backward compatibility, Microsoft Edge automatically falls back to Internet Explorer 11 for any apps that need backward compatibility. This fall back happens when you use the Enterprise Mode Site List. | +| Feature | Description | +|-----------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **[Windows Hello](https://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Microsoft Edge is the first browser to natively support Windows Hello to authenticate the user and the website with asymmetric cryptography technology, powered by early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](https://w3c.github.io/webauthn/). | +| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any sites that are thought to be a phishing site. 
SmartScreen also helps to defend against installing malicious software, drive-by attacks, or file downloads, even from trusted sites. Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software and may be hosted on trusted sites. | +| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically, and sends the data to Microsoft. The systems and tools in place include

| +| **Microsoft EdgeHTML and modern web standards** | Microsoft Edge uses Microsoft EdgeHTML as the rendering engine. This engine focuses on modern standards letting web developers build and maintain a consistent site across all modern browsers. It also helps to defend against hacking through these security standards features:

**NOTE:** Both Microsoft Edge and Internet Explorer 11 support HSTS. | +| **Code integrity and image loading restrictions** | Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or injecting into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can’t load. | +| **Memory corruption mitigations** | Memory corruption attacks frequently happen to apps written in C or C++ don’t provide safety or buffer overflow protection. When an attacker provides malformed input to a program, the program’s memory becomes corrupt allowing the attacker to take control of the program. Although attackers have adapted and invented new ways to attack, we’ve responded with memory safety defenses, mitigating the most common forms of attack, including and especially [use-after-free (UAF)](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities. | +| **Memory Garbage Collector (MemGC) mitigation** | MemGC replaces Memory Protector and helps to protect the browser from UAF vulnerabilities. MemGC frees up memory from the programmer and automating it. Only freeing memory when the automation detects no references left pointing to a given block of memory. | +| **Control Flow Guard** | Attackers use memory corruption attacks to gain control of the CPU program counter to jump to any code location they want. Control Flow Guard, a Microsoft Visual Studio technology, compiles checks around code that performs indirect jumps based on a pointer. Those jumps get restricted to function entry points with known addresses only making attacker take-overs must more difficult constraining where an attack jumps. 
| +| **All web content runs in an app container sandbox** | Microsoft Edge takes the sandbox even farther, running its content processes in containers not just by default, but all of the time. Microsoft Edge doesn’t support 3rd party binary extensions, so there is no reason for it to run outside of the container, making Microsoft Edge more secure. | +| **Extension model and HTML5 support** | Microsoft Edge does not support binary extensions because they can bring code and data into the browser’s processes without any protection. So if anything goes wrong, the entire browser itself can be compromised or go down. We encourage everyone to use our scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). | +| **Reduced attack surfaces** | Microsoft Edge does not support VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Many IE browser vulnerabilities only appear in legacy document modes, so removing support reduced attack surface making the browser more secure.

It also means that it’s not as backward compatible. With this reduced backward compatibility, Microsoft Edge automatically falls back to Internet Explorer 11 for any apps that need backward compatibility. This fall back happens when you use the Enterprise Mode Site List. | + --- diff --git a/browsers/edge/includes/allow-address-bar-suggestions-include.md b/browsers/edge/includes/allow-address-bar-suggestions-include.md index a6508f582f..f929fb7f8f 100644 --- a/browsers/edge/includes/allow-address-bar-suggestions-include.md +++ b/browsers/edge/includes/allow-address-bar-suggestions-include.md @@ -18,10 +18,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented. Hide the Address bar drop-down list and disable the _Show search and site suggestions as I type_ toggle in Settings. |![Most restricted value](../images/check-gn.png) | -|Enabled or not configured **(default)** |1 |1 |Allowed. Show the Address bar drop-down list and make it available. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|-----------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented. Hide the Address bar drop-down list and disable the *Show search and site suggestions as I type* toggle in Settings. | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured **(default)** | 1 | 1 | Allowed. Show the Address bar drop-down list and make it available. | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-adobe-flash-include.md b/browsers/edge/includes/allow-adobe-flash-include.md index 4ba4f118cc..6747a07952 100644 --- a/browsers/edge/includes/allow-adobe-flash-include.md 
+++ b/browsers/edge/includes/allow-adobe-flash-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Disabled |0 |0 |Prevented | -|Enabled **(default)** |1 |1 |Allowed | +| Group Policy | MDM | Registry | Description | +|-----------------------|:---:|:--------:|-------------| +| Disabled | 0 | 0 | Prevented | +| Enabled **(default)** | 1 | 1 | Allowed | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-clearing-browsing-data-include.md b/browsers/edge/includes/allow-clearing-browsing-data-include.md index dd501d8938..5c3ce25d1e 100644 --- a/browsers/edge/includes/allow-clearing-browsing-data-include.md +++ b/browsers/edge/includes/allow-clearing-browsing-data-include.md @@ -17,10 +17,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured **(default)** |0 |0 |Prevented. Users can configure the _Clear browsing data_ option in Settings. | | -|Enabled |1 |1 |Allowed. Clear the browsing data upon exit automatically. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|------------------------------------------|:---:|:--------:|------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured **(default)** | 0 | 0 | Prevented. Users can configure the *Clear browsing data* option in Settings. | | +| Enabled | 1 | 1 | Allowed. Clear the browsing data upon exit automatically. | ![Most restricted value](../images/check-gn.png) | + --- diff --git a/browsers/edge/includes/allow-config-updates-books-include.md b/browsers/edge/includes/allow-config-updates-books-include.md index 536b7cd59d..345cc3f9b9 100644 --- a/browsers/edge/includes/allow-config-updates-books-include.md 
+++ b/browsers/edge/includes/allow-config-updates-books-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented. |![Most restricted value](../images/check-gn.png) | -|Enabled or not configured
**(default)** |1 |1 |Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-cortana-include.md b/browsers/edge/includes/allow-cortana-include.md index 6cd445255d..afd31cd7e8 100644 --- a/browsers/edge/includes/allow-cortana-include.md +++ b/browsers/edge/includes/allow-cortana-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented. Users can still search to find items on their device. |![Most restricted value](../images/check-gn.png) | -|Enabled
**(default)** |1 |1 |Allowed. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------|:---:|:--------:|------------------------------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented. Users can still search to find items on their device. | ![Most restricted value](../images/check-gn.png) | +| Enabled
**(default)** | 1 | 1 | Allowed. | | + --- ### ADMX info and settings @@ -35,7 +36,7 @@ ms:topic: include - **Supported devices:** Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana - **Data type:** Integer - + #### Registry settings - **Path:** HKLM\Software\Policies\Microsoft\Windows\Windows Search - **Value name:** AllowCortana diff --git a/browsers/edge/includes/allow-dev-tools-include.md b/browsers/edge/includes/allow-dev-tools-include.md index f3b1aa0082..be5ef149fb 100644 --- a/browsers/edge/includes/allow-dev-tools-include.md +++ b/browsers/edge/includes/allow-dev-tools-include.md @@ -17,10 +17,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Allowed | | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Allowed | | + --- @@ -35,12 +36,12 @@ ms:topic: include #### MDM settings - **MDM name:** Browser/[AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) - **Supported devices:** Desktop -- **URI full Path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools +- **URI full Path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools - **Data type:** Integer #### Registry settings - **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\F12 -- **Value name:** AllowDeveloperTools +- **Value name:** AllowDeveloperTools - **Value type:** REG_DWORD


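Review bot: the `-`/`+` pairs in this allow-dev-tools ADMX hunk (`- **URI full Path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools` against its `+` twin, and likewise the `- **Value name:** AllowDeveloperTools` pair) show no visible difference, so this looks like trailing-whitespace cleanup; since those lines are being rewritten anyway, normalize the label to `**URI full path:**` to match the allow-cortana include just above (`- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana`), and state in the commit message that these hunks are whitespace-only so reviewers do not hunt for a content change.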
diff --git a/browsers/edge/includes/allow-enable-book-library-include.md b/browsers/edge/includes/allow-enable-book-library-include.md index 5ca32757c9..71fb486b11 100644 --- a/browsers/edge/includes/allow-enable-book-library-include.md +++ b/browsers/edge/includes/allow-enable-book-library-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Show the Books Library only in countries or regions where supported. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Show the Books Library, regardless of the device’s country or region. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md index 437f65b18f..2af0ce9447 100644 --- a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md +++ b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Gather and send only basic diagnostic data. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in _Settings > Diagnostics & feedback_ to **Full**. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Gather and send only basic diagnostic data. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Gather all diagnostic data. For this policy to work correctly, you must set the diagnostic data in *Settings > Diagnostics & feedback* to **Full**. | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-extensions-include.md b/browsers/edge/includes/allow-extensions-include.md index 3d12e5f90c..88e44401f9 100644 --- a/browsers/edge/includes/allow-extensions-include.md +++ b/browsers/edge/includes/allow-extensions-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Disabled |0 |0 |Prevented | -|Enabled or not configured
**(default)** |1 |1 |Allowed | +| Group Policy | MDM | Registry | Description | +|--------------------------------------------|:---:|:--------:|-------------| +| Disabled | 0 | 0 | Prevented | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-full-screen-include.md b/browsers/edge/includes/allow-full-screen-include.md index 8ff63f3232..1554d6cbd9 100644 --- a/browsers/edge/includes/allow-full-screen-include.md +++ b/browsers/edge/includes/allow-full-screen-include.md @@ -18,10 +18,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | -|Enabled
**(default)** |1 |1 |Allowed | | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled
**(default)** | 1 | 1 | Allowed | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-inprivate-browsing-include.md b/browsers/edge/includes/allow-inprivate-browsing-include.md index 9fe4fb4177..b7789c77a2 100644 --- a/browsers/edge/includes/allow-inprivate-browsing-include.md +++ b/browsers/edge/includes/allow-inprivate-browsing-include.md @@ -18,10 +18,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | -|Enabled or not configured
**(default)** |1 |1 |Allowed | | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md index 9e965f5074..acefcbd014 100644 --- a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md +++ b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | -|Enabled or not configured
**(default)** |1 |1 |Allowed | | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-prelaunch-include.md b/browsers/edge/includes/allow-prelaunch-include.md index 4e24776b6f..3762725027 100644 --- a/browsers/edge/includes/allow-prelaunch-include.md +++ b/browsers/edge/includes/allow-prelaunch-include.md @@ -17,10 +17,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented |![Most restrictive value](../images/check-gn.png) | -|Enabled or not configured
**(default)** |1 |1 |Allowed | | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restrictive value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + --- diff --git a/browsers/edge/includes/allow-printing-include.md b/browsers/edge/includes/allow-printing-include.md index 0e0e7dafa6..2a1743d2e2 100644 --- a/browsers/edge/includes/allow-printing-include.md +++ b/browsers/edge/includes/allow-printing-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented |![Most restrictive value](../images/check-gn.png) | -|Enabled or not configured
**(default)** |1 |1 |Allowed | | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:-------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restrictive value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-saving-history-include.md b/browsers/edge/includes/allow-saving-history-include.md index 60b91e3ff4..46d3314710 100644 --- a/browsers/edge/includes/allow-saving-history-include.md +++ b/browsers/edge/includes/allow-saving-history-include.md @@ -17,10 +17,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | -|Enabled or not configured
**(default)** |1 |1 |Allowed | | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-search-engine-customization-include.md b/browsers/edge/includes/allow-search-engine-customization-include.md index d35e08c39e..05eed1a7ca 100644 --- a/browsers/edge/includes/allow-search-engine-customization-include.md +++ b/browsers/edge/includes/allow-search-engine-customization-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | -|Enabled or not configured
**(default)** |1 |1 |Allowed | | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-shared-folder-books-include.md b/browsers/edge/includes/allow-shared-folder-books-include.md index 05b6d2c669..d1db5f5f93 100644 --- a/browsers/edge/includes/allow-shared-folder-books-include.md +++ b/browsers/edge/includes/allow-shared-folder-books-include.md @@ -17,10 +17,12 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Prevented. Microsoft Edge downloads book files to a per-user folder for each user. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

Also, the users must be signed in with a school or work account.| | + +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Prevented. Microsoft Edge downloads book files to a per-user folder for each user. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

Also, the users must be signed in with a school or work account. | | + --- ![Allow a shared books folder](../images/allow-shared-books-folder_sm.png) diff --git a/browsers/edge/includes/allow-sideloading-extensions-include.md b/browsers/edge/includes/allow-sideloading-extensions-include.md index 955f16982a..bb8637ba79 100644 --- a/browsers/edge/includes/allow-sideloading-extensions-include.md +++ b/browsers/edge/includes/allow-sideloading-extensions-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured |0 |0 |Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |![Most restricted value](../images/check-gn.png) | -|Enabled
**(default)** |1 |1 |Allowed. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|----------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured | 0 | 0 | Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). | ![Most restricted value](../images/check-gn.png) | +| Enabled
**(default)** | 1 | 1 | Allowed. | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-tab-preloading-include.md b/browsers/edge/includes/allow-tab-preloading-include.md index c9e8f9e4f0..c691d20211 100644 --- a/browsers/edge/includes/allow-tab-preloading-include.md +++ b/browsers/edge/includes/allow-tab-preloading-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented. |![Most restricted value](../images/check-gn.png) | -|Enabled or not configured
**(default)** |1 |1 |Allowed. Preload Start and New Tab pages. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|-------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Prevented. | ![Most restricted value](../images/check-gn.png) | +| Enabled or not configured
**(default)** | 1 | 1 | Allowed. Preload Start and New Tab pages. | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/allow-web-content-new-tab-page-include.md b/browsers/edge/includes/allow-web-content-new-tab-page-include.md index 335c4f9fdb..ac9e26abee 100644 --- a/browsers/edge/includes/allow-web-content-new-tab-page-include.md +++ b/browsers/edge/includes/allow-web-content-new-tab-page-include.md @@ -18,10 +18,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Disabled |0 |0 |Load a blank page instead of the default New Tab page and prevent users from making changes. | -|Enabled or not configured **(default)** |1 |1 |Load the default New Tab page and the users make changes. | +| Group Policy | MDM | Registry | Description | +|-----------------------------------------|:---:|:--------:|----------------------------------------------------------------------------------------------| +| Disabled | 0 | 0 | Load a blank page instead of the default New Tab page and prevent users from making changes. | +| Enabled or not configured **(default)** | 1 | 1 | Load the default New Tab page and the users make changes. | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/always-enable-book-library-include.md b/browsers/edge/includes/always-enable-book-library-include.md index 452ba46a6c..b248006ae5 100644 --- a/browsers/edge/includes/always-enable-book-library-include.md +++ b/browsers/edge/includes/always-enable-book-library-include.md @@ -17,10 +17,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Show the Books Library only in countries or regions where supported. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Show the Books Library, regardless of the device’s country or region. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Show the Books Library only in countries or regions where supported. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Show the Books Library, regardless of the device’s country or region. | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-additional-search-engines-include.md b/browsers/edge/includes/configure-additional-search-engines-include.md index d7361434c1..42bd2950bd 100644 --- a/browsers/edge/includes/configure-additional-search-engines-include.md +++ b/browsers/edge/includes/configure-additional-search-engines-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Prevented. Use the search engine specified in App settings.

If you enabled this policy and now want to disable it, all previously configured search engines get removed. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Prevented. Use the search engine specified in App settings.

If you enabled this policy and now want to disable it, all previously configured search engines get removed. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md index 38af855aea..4b312f4e12 100644 --- a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md +++ b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Load and run Adobe Flash content automatically. | | -|Enabled or not configured
**(default)** |1 |1 |Do not load or run Adobe Flash content and require action from the user. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled | 0 | 0 | Load and run Adobe Flash content automatically. | | +| Enabled or not configured
**(default)** | 1 | 1 | Do not load or run Adobe Flash content and require action from the user. | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-autofill-include.md b/browsers/edge/includes/configure-autofill-include.md index 63e3cfe42b..463319afbe 100644 --- a/browsers/edge/includes/configure-autofill-include.md +++ b/browsers/edge/includes/configure-autofill-include.md @@ -16,11 +16,12 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Not configured
**(default)** | Blank |Blank |Users can choose to use Autofill. | | -|Disabled | 0 | no | Prevented. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |yes | Allowed. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------|:-----:|:--------:|-----------------------------------|:------------------------------------------------:| +| Not configured
**(default)** | Blank | Blank | Users can choose to use Autofill. | | +| Disabled | 0 | no | Prevented. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | yes | Allowed. | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md index 765f774561..9b5202659a 100644 --- a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md +++ b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md @@ -15,24 +15,25 @@ ms:topic: include [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] ->[!IMPORTANT] ->For this policy to work, enable the **Allow Telemetry** group policy with the _Enhanced_ option and enable the **Configure the Commercial ID** group policy by providing the Commercial ID. -> ->You can find these policies in the following location of the Group Policy Editor: +> [!IMPORTANT] +> For this policy to work, enable the **Allow Telemetry** group policy with the _Enhanced_ option and enable the **Configure the Commercial ID** group policy by providing the Commercial ID. > ->**Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\** ->

+> You can find these policies in the following location of the Group Policy Editor: +> +> **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\** +> ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |No data collected or sent |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Send intranet history only | | -|Enabled |2 |2 |Send Internet history only | | -|Enabled |3 |3 |Send both intranet and Internet history | | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | No data collected or sent | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Send intranet history only | | +| Enabled | 2 | 2 | Send Internet history only | | +| Enabled | 3 | 3 | Send both intranet and Internet history | | + --- diff --git a/browsers/edge/includes/configure-cookies-include.md b/browsers/edge/includes/configure-cookies-include.md index 1b8c916461..a4b9740cfc 100644 --- a/browsers/edge/includes/configure-cookies-include.md +++ b/browsers/edge/includes/configure-cookies-include.md @@ -16,11 +16,12 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Enabled |0 |0 |Block all cookies from all sites. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Block only coddies from third party websites. | | -|Disabled or not configured
**(default)** |2 |2 |Allow all cookies from all sites. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------|:------------------------------------------------:| +| Enabled | 0 | 0 | Block all cookies from all sites. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Block only coddies from third party websites. | | +| Disabled or not configured
**(default)** | 2 | 2 | Allow all cookies from all sites. | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-do-not-track-include.md b/browsers/edge/includes/configure-do-not-track-include.md index d13f5ae1c6..0270133a94 100644 --- a/browsers/edge/includes/configure-do-not-track-include.md +++ b/browsers/edge/includes/configure-do-not-track-include.md @@ -16,11 +16,12 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Not configured
**(default)** |Blank |Blank |Do not send tracking information but let users choose to send tracking information to sites they visit. | | -|Disabled |0 |0 |Never send tracking information. | | -|Enabled |1 |1 |Send tracking information. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured
**(default)** | Blank | Blank | Do not send tracking information but let users choose to send tracking information to sites they visit. | | +| Disabled | 0 | 0 | Never send tracking information. | | +| Enabled | 1 | 1 | Send tracking information. | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md index 4ac2d35ec2..bb5cb307bb 100644 --- a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md +++ b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md @@ -39,7 +39,7 @@ You must set the Configure kiosk mode policy to enabled (1 - InPrivate public br #### Registry settings - **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode -- **Value name:**ConfigureKioskResetAfterIdleTimeout +- Value name:ConfigureKioskResetAfterIdleTimeout - **Value type:** REG_DWORD diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md index aeb849adf4..65c68c67e1 100644 --- a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md +++ b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md @@ -9,10 +9,11 @@ ### Supported values -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Disabled or not configured
**(default)** |0 |0 |Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. | -|Enabled |1 |1 |Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 seconds, but uses the existing file. To add the location to your site list, enter it in the **{URI}** box.

For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). | +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | 0 | 0 | Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. | +| Enabled | 1 | 1 | Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 seconds, but uses the existing file. To add the location to your site list, enter it in the **{URI}** box.

For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). | + --- ### ADMX info and settings @@ -29,7 +30,7 @@ - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList - **Data type:** String - + #### Registry settings - **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode - **Value name:** SiteList diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md index cb98dc3b03..9796369a9f 100644 --- a/browsers/edge/includes/configure-home-button-include.md +++ b/browsers/edge/includes/configure-home-button-include.md @@ -18,12 +18,13 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Disabled or not configured
**(default)** |0 |0 |Load the Start page. | -|Enabled |1 |1 |Load the New Tab page. | -|Enabled |2 |2 |Load the custom URL defined in the Set Home Button URL policy. | -|Enabled |3 |3 |Hide the home button. | +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------| +| Disabled or not configured
**(default)** | 0 | 0 | Load the Start page. | +| Enabled | 1 | 1 | Load the New Tab page. | +| Enabled | 2 | 2 | Load the custom URL defined in the Set Home Button URL policy. | +| Enabled | 3 | 3 | Hide the home button. | + --- @@ -53,7 +54,7 @@ ms:topic: include ### Related policies - [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] - + - [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] diff --git a/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md b/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md index 7a6b1bcf78..cfbcfccd50 100644 --- a/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md +++ b/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md @@ -8,8 +8,10 @@ ms.prod: edge ms:topic: include --- -| | | -|---|---| -| **Single-app**

![thumbnail](../images/Picture1-sm.png)

**Digital/interactive signage**

Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.

**Policy setting** = Not configured (0 default)

|

 

![thumbnail](../images/Picture2-sm.png)

**Public browsing**

Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.

The single-app public browsing mode is the only kiosk mode that has an **End session** button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.

_**Example.**_ A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

**Policy setting** = Enabled (1) | -| **Multi-app**

![thumbnail](../images/Picture5-sm.png)

**Normal browsing**

Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.

Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

**Policy setting** = Not configured (0 default) |

 

![thumbnail](../images/Picture6-sm.png)

**Public browsing**

Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

_**Example.**_ A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

**Policy setting** = Enabled (1) | + +| | | +|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------| +| **Single-app**

![thumbnail](../images/Picture1-sm.png)

**Digital/interactive signage**

Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.

**Policy setting** = Not configured (0 default)

|

 

![thumbnail](../images/Picture2-sm.png)

Public browsing

Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.

The single-app public browsing mode is the only kiosk mode that has an End session button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | +| **Multi-app**

![thumbnail](../images/Picture5-sm.png)

**Normal browsing**

Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.

Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

**Policy setting** = Not configured (0 default) |

 

![thumbnail](../images/Picture6-sm.png)

Public browsing

Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | + --- diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md index 85b00f84eb..966a8be23e 100644 --- a/browsers/edge/includes/configure-open-edge-with-include.md +++ b/browsers/edge/includes/configure-open-edge-with-include.md @@ -21,13 +21,14 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Not configured |Blank |Blank |If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | -|Enabled |0 |0 |Load the Start page. | -|Enabled |1 |1 |Load the New Tab page. | -|Enabled |2 |2 |Load the previous pages. | -|Enabled
**(default)** |3 |3 |Load a specific page or pages. | +| Group Policy | MDM | Registry | Description | +|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------| +| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | +| Enabled | 0 | 0 | Load the Start page. | +| Enabled | 1 | 1 | Load the New Tab page. | +| Enabled | 2 | 2 | Load the previous pages. | +| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. | + --- diff --git a/browsers/edge/includes/configure-password-manager-include.md b/browsers/edge/includes/configure-password-manager-include.md index 833c1be142..ab0e78ca5b 100644 --- a/browsers/edge/includes/configure-password-manager-include.md +++ b/browsers/edge/includes/configure-password-manager-include.md @@ -16,11 +16,12 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Not configured |Blank |Blank |Users can choose to save and manage passwords locally. | | -|Disabled |0 |no |Not allowed. |![Most restricted value](../images/check-gn.png) | -|Enabled
**(default)** |1 |yes |Allowed. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|--------------------------|:-----:|:--------:|--------------------------------------------------------|:------------------------------------------------:| +| Not configured | Blank | Blank | Users can choose to save and manage passwords locally. | | +| Disabled | 0 | no | Not allowed. | ![Most restricted value](../images/check-gn.png) | +| Enabled
**(default)** | 1 | yes | Allowed. | | + --- Verify not allowed/disabled settings: diff --git a/browsers/edge/includes/configure-pop-up-blocker-include.md b/browsers/edge/includes/configure-pop-up-blocker-include.md index 8b68bb7b70..5355cbae5f 100644 --- a/browsers/edge/includes/configure-pop-up-blocker-include.md +++ b/browsers/edge/includes/configure-pop-up-blocker-include.md @@ -16,11 +16,12 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Not configured |Blank |Blank |Users can choose to use Pop-up Blocker. | | -|Disabled
**(default)** |0 |0 |Turned off. Allow pop-up windows to open. | | -|Enabled |1 |1 |Turned on. Prevent pop-up windows from opening. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------|:-----:|:--------:|-------------------------------------------------|:------------------------------------------------:| +| Not configured | Blank | Blank | Users can choose to use Pop-up Blocker. | | +| Disabled
**(default)** | 0 | 0 | Turned off. Allow pop-up windows to open. | | +| Enabled | 1 | 1 | Turned on. Prevent pop-up windows from opening. | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md index 37c141db0a..f12debc9ab 100644 --- a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md +++ b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md @@ -16,11 +16,12 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Not configured
**(default)** |Blank |Blank |Users can choose to see search suggestions. | | -|Disabled |0 |0 |Prevented. Hide the search suggestions. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Allowed. Show the search suggestions. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------|:-----:|:--------:|---------------------------------------------|:------------------------------------------------:| +| Not configured
**(default)** | Blank | Blank | Users can choose to see search suggestions. | | +| Disabled | 0 | 0 | Prevented. Hide the search suggestions. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Allowed. Show the search suggestions. | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-start-pages-include.md b/browsers/edge/includes/configure-start-pages-include.md index 5708f60d6a..04b7eeddd9 100644 --- a/browsers/edge/includes/configure-start-pages-include.md +++ b/browsers/edge/includes/configure-start-pages-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Not configured |Blank |Blank |Load the pages specified in App settings as the default Start pages. | -|Enabled |String |String |Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1809:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | +| Group Policy | MDM | Registry | Description | +|----------------|:------:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Not configured | Blank | Blank | Load the pages specified in App settings as the default Start pages. | +| Enabled | String | String | Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1809:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md index 7874743f5c..fcc95b0d57 100644 --- a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md +++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md @@ -16,11 +16,12 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen. | | -|Disabled |0 |0 |Turned off. Do not protect users from potential threats and prevent users from turning it on. | | -|Enabled |1 |1 |Turned on. Protect users from potential threats and prevent users from turning it off. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|----------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured | Blank | Blank | Users can choose to use Windows Defender SmartScreen. | | +| Disabled | 0 | 0 | Turned off. Do not protect users from potential threats and prevent users from turning it on. | | +| Enabled | 1 | 1 | Turned on. Protect users from potential threats and prevent users from turning it off. | ![Most restricted value](../images/check-gn.png) | + --- To verify Windows Defender SmartScreen is turned off (disabled): 
diff --git a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md index 817a291655..e240862638 100644 --- a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md +++ b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md @@ -13,13 +13,14 @@ ms:topic: include >*Default setting: Enabled (Start pages are not editable)* [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] - + ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Not configured |0 |0 |Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Unlocked. Users can make changes to all configured start pages.

When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|----------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured | 0 | 0 | Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Unlocked. Users can make changes to all configured start pages.

When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | | + --- diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md index f97e8b0c13..2ec6bea84d 100644 --- a/browsers/edge/includes/do-not-sync-browser-settings-include.md +++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. | -|Enabled |2 |2 |Prevented/turned off. The “browser” group does not use the _Sync your Settings_ option. | +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:---:|:--------:|-------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. The “browser” group syncs automatically between user’s devices and lets users to make changes. | +| Enabled | 2 | 2 | Prevented/turned off. The “browser” group does not use the *Sync your Settings* option. | + --- diff --git a/browsers/edge/includes/do-not-sync-include.md b/browsers/edge/includes/do-not-sync-include.md index 7d9388b660..96aa814d4b 100644 --- a/browsers/edge/includes/do-not-sync-include.md +++ b/browsers/edge/includes/do-not-sync-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. Users can choose what to sync to their device. | | -|Enabled |2 |2 |Prevented/turned off. Disables the _Sync your Settings_ toggle and prevents syncing. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. Users can choose what to sync to their device. | | +| Enabled | 2 | 2 | Prevented/turned off. Disables the *Sync your Settings* toggle and prevents syncing. | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md index 7de128d758..7e9bb90bc1 100644 --- a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md +++ b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Turned off/not syncing | | -|Enabled |1 |1 |Turned on/syncing |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Turned off/not syncing | | +| Enabled | 1 | 1 | Turned on/syncing | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/prevent-access-about-flag-include.md b/browsers/edge/includes/prevent-access-about-flag-include.md index 595c2cc771..d6ca2253e6 100644 --- a/browsers/edge/includes/prevent-access-about-flag-include.md +++ b/browsers/edge/includes/prevent-access-about-flag-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed | | -|Enabled |1 |1 |Prevented |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed | | +| Enabled | 1 | 1 | Prevented | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md index 47cd4f63ad..a16217ae07 100644 --- a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md +++ b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | | -|Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s). | | +| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md index 0d8461017b..beca20210f 100644 --- a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md +++ b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed/turned off. Users can ignore the warning and continue to the site.| | -|Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|----------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned off. Users can ignore the warning and continue to the site. | | +| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/prevent-certificate-error-overrides-include.md b/browsers/edge/includes/prevent-certificate-error-overrides-include.md index 0a36924b36..a0a47406eb 100644 --- a/browsers/edge/includes/prevent-certificate-error-overrides-include.md +++ b/browsers/edge/includes/prevent-certificate-error-overrides-include.md @@ -15,10 +15,11 @@ ms:topic: include [!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)] -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed/turned on. Override the security warning to sites that have SSL errors. | | -|Enabled |1 |1 |Prevented/turned on. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|---------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/turned on. Override the security warning to sites that have SSL errors. | | +| Enabled | 1 | 1 | Prevented/turned on. | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/prevent-changes-to-favorites-include.md b/browsers/edge/includes/prevent-changes-to-favorites-include.md index 4c2b951cc4..71476b4e98 100644 --- a/browsers/edge/includes/prevent-changes-to-favorites-include.md +++ b/browsers/edge/includes/prevent-changes-to-favorites-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | | -|Enabled |1 |1 |Prevented/locked down. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | | +| Enabled | 1 | 1 | Prevented/locked down. | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/prevent-first-run-webpage-open-include.md b/browsers/edge/includes/prevent-first-run-webpage-open-include.md index 8cc0ad81cf..e28cd73fb5 100644 --- a/browsers/edge/includes/prevent-first-run-webpage-open-include.md +++ b/browsers/edge/includes/prevent-first-run-webpage-open-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed. Load the First Run webpage. | | -|Enabled |1 |1 |Prevented. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed. Load the First Run webpage. | | +| Enabled | 1 | 1 | Prevented. | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings @@ -35,7 +36,7 @@ ms:topic: include - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage - **Data type:** Integer -####Registry +#### Registry - **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main - **Value name:** PreventFirstRunPage - **Value type:** REG_DWORD diff --git a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md index 60ec4453f1..36535b4ccc 100644 --- a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md +++ b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Collect and send Live Tile metadata. | | -|Enabled |1 |1 |Do not collect data. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Collect and send Live Tile metadata. | | +| Enabled | 1 | 1 | Do not collect data. | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md index c5cd71a6b5..8314edbe14 100644 --- a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md +++ b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed. Show localhost IP addresses. | | -|Enabled |1 |1 |Prevented. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|---------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | Allowed. Show localhost IP addresses. | | +| Enabled | 1 | 1 | Prevented. | ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md index 2fa95014b3..68042aad34 100644 --- a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md +++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md @@ -17,10 +17,11 @@ ms:topic: include ### Supported values -|Group Policy |Description | -|---|---| -|Disabled or not configured
**(default)** |Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. | -|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper extension prevents users from turning it off:

_Microsoft.OneNoteWebClipper8wekyb3d8bbwe_

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | +| Group Policy | Description | +|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. | +| Enabled | Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:

*Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe*

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | + --- diff --git a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md index 403d70ff30..3a06e77d5d 100644 --- a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md +++ b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md @@ -15,10 +15,12 @@ ms:topic: include [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] ### Supported values -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Disabled |0 |0 |Allowed/turned on. Users can sync the browser settings. | -|Enabled or not configured
**(default)** |1 |1 |Prevented/turned off. | + +| Group Policy | MDM | Registry | Description | +|--------------------------------------------|:---:|:--------:|---------------------------------------------------------| +| Disabled | 0 | 0 | Allowed/turned on. Users can sync the browser settings. | +| Enabled or not configured
**(default)** | 1 | 1 | Prevented/turned off. | + --- diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md index 7e999d423d..33df41bb77 100644 --- a/browsers/edge/includes/provision-favorites-include.md +++ b/browsers/edge/includes/provision-favorites-include.md @@ -20,10 +20,11 @@ ms:topic: include ### Supported values -|Group Policy |Description |Most restricted | -|---|---|:---:| -|Disabled or not configured
**(default)** |Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | -|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file** and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
|![Most restricted value](../images/check-gn.png) | +| Group Policy | Description | Most restricted | +|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | +| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file** and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
| ![Most restricted value](../images/check-gn.png) | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md index 22737a2490..7cc7123258 100644 --- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md +++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md @@ -20,10 +20,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |All sites, including intranet sites, open in Microsoft Edge automatically. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | + --- diff --git a/browsers/edge/includes/set-default-search-engine-include.md b/browsers/edge/includes/set-default-search-engine-include.md index a1bef8ac09..4a3ddd44fa 100644 --- a/browsers/edge/includes/set-default-search-engine-include.md +++ b/browsers/edge/includes/set-default-search-engine-include.md @@ -16,11 +16,12 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Not configured
**(default)** |Blank |Blank |Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | | -|Disabled |0 |0 |Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | | -|Enabled |1 |1 |Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.

If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------|:-----:|:--------:|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Not configured
**(default)** | Blank | Blank | Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | | +| Disabled | 0 | 0 | Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | | +| Enabled | 1 | 1 | Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.

If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. | ![Most restricted value](../images/check-gn.png) | + --- diff --git a/browsers/edge/includes/set-home-button-url-include.md b/browsers/edge/includes/set-home-button-url-include.md index 8e55ec69ab..355240ff1a 100644 --- a/browsers/edge/includes/set-home-button-url-include.md +++ b/browsers/edge/includes/set-home-button-url-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Disabled or not configured
**(default)** |Blank |Blank |Show the home button, load the Start pages, and lock down the home button to prevent users from changing what page loads. | -|Enabled - String |String |String |Enter a URL in string format, for example, https://www.msn.com.

For this policy to work, you must also enable the [Configure Home Button](../available-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option. | +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:------:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | Blank | Blank | Show the home button, load the Start pages, and lock down the home button to prevent users from changing what page loads. | +| Enabled - String | String | String | Enter a URL in string format, for example, https://www.msn.com.

For this policy to work, you must also enable the [Configure Home Button](../available-policies.md#configure-home-button) policy and select the *Show home button & set a specific page* option. | + --- diff --git a/browsers/edge/includes/set-new-tab-url-include.md b/browsers/edge/includes/set-new-tab-url-include.md index 6f8b68e0b4..a53dd93220 100644 --- a/browsers/edge/includes/set-new-tab-url-include.md +++ b/browsers/edge/includes/set-new-tab-url-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Disabled or not configured
**(default)** |Blank |Blank |Load the default New Tab page. | -|Enabled - String |String |String |Enter a URL in string format, for example, https://www.msn.com.

Enabling this policy prevents users from making changes.

| +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:------:|:--------:|----------------------------------------------------------------------------------------------------------------------------------| +| Disabled or not configured
**(default)** | Blank | Blank | Load the default New Tab page. | +| Enabled - String | String | String | Enter a URL in string format, for example, https://www.msn.com.

Enabling this policy prevents users from making changes.

| + --- ### ADMX info and settings @@ -44,7 +45,7 @@ ms:topic: include ### Related policies [Allow web content on New Tab page](../available-policies.md#allow-web-content-on-new-tab-page): [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] - +


diff --git a/browsers/edge/includes/show-message-opening-sites-ie-include.md b/browsers/edge/includes/show-message-opening-sites-ie-include.md index 849b1e17a3..fe01511d36 100644 --- a/browsers/edge/includes/show-message-opening-sites-ie-include.md +++ b/browsers/edge/includes/show-message-opening-sites-ie-include.md @@ -19,11 +19,12 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |No additional message displays. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Show an additional message stating that a site has opened in IE11. | | -|Enabled |2 |2 |Show an additional message with a _Keep going in Microsoft Edge_ link to allow users to open the site in Microsoft Edge. | | +| Group Policy | MDM | Registry | Description | Most restricted | +|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:| +| Disabled or not configured
**(default)** | 0 | 0 | No additional message displays. | ![Most restricted value](../images/check-gn.png) | +| Enabled | 1 | 1 | Show an additional message stating that a site has opened in IE11. | | +| Enabled | 2 | 2 | Show an additional message with a *Keep going in Microsoft Edge* link to allow users to open the site in Microsoft Edge. | | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/unlock-home-button-include.md b/browsers/edge/includes/unlock-home-button-include.md index 812908d86f..bf30d5d9ed 100644 --- a/browsers/edge/includes/unlock-home-button-include.md +++ b/browsers/edge/includes/unlock-home-button-include.md @@ -16,10 +16,11 @@ ms:topic: include ### Supported values -|Group Policy |MDM |Registry |Description | -|---|:---:|:---:|---| -|Disabled or not configured
**(default)** |0 |0 |Locked, preventing users from making changes. | -|Enabled |1 |1 |Unlocked, letting users make changes. | +| Group Policy | MDM | Registry | Description | +|---------------------------------------------|:---:|:--------:|-----------------------------------------------| +| Disabled or not configured
**(default)** | 0 | 0 | Locked, preventing users from making changes. | +| Enabled | 1 | 1 | Unlocked, letting users make changes. | + --- ### ADMX info and settings @@ -43,7 +44,7 @@ ms:topic: include ### Related policies - [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] - + - [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] diff --git a/browsers/edge/microsoft-edge-forrester.md b/browsers/edge/microsoft-edge-forrester.md index 5b4dc702fb..a68908bb52 100644 --- a/browsers/edge/microsoft-edge-forrester.md +++ b/browsers/edge/microsoft-edge-forrester.md @@ -16,7 +16,7 @@ Forrester Research measures the return on investment (ROI) of Microsoft Edge in ## Forrester report video summary View a brief overview of the Forrester TEI case study that Microsoft commissioned to examine the value your organization can achieve by utilizing Microsoft Edge: ->![VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE26zQm] +> ![VIDEO ] ## Forrester Study report diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index b2442289ca..b1d69471cd 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md 
@@ -234,21 +234,21 @@ Make sure to check with your provider for instructions. ## Feature comparison of kiosk mode and kiosk browser app In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access. -| **Feature** | **Microsoft Edge kiosk mode** | **Microsoft Kiosk browser app** | -|---------------|:----------------:|:---------------:| -| Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Allow/Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* Windows Defender Firewall*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | -| Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | -| Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Favorites management | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| End session button | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*In Microsoft Intune, you must create a custom URI to enable. Dedicated UI configuration introduced in version 1808.* | -| Reset on inactivity | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| Internet Explorer integration (Enterprise Mode site list) | ![Supported](images/148767.png)

*Multi-app mode only* | ![Not supported](images/148766.png) | -| Available in Microsoft Store | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -|SKU availability | Windows 10 October 2018 Update
Professional, Enterprise, and Education | Windows 10 April 2018 Update
Professional, Enterprise, and Education | +| **Feature** | **Microsoft Edge kiosk mode** | **Microsoft Kiosk browser app** | +|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:| +| Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Allow/Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* Windows Defender Firewall. Microsoft kiosk browser has custom policy support. | ![Supported](images/148767.png) | +| Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | +| Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Favorites management | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| End session button | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*In Microsoft Intune, you must create a custom URI to enable. Dedicated UI configuration introduced in version 1808.* | +| Reset on inactivity | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| Internet Explorer integration (Enterprise Mode site list) | ![Supported](images/148767.png)

*Multi-app mode only* | ![Not supported](images/148766.png) | +| Available in Microsoft Store | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| SKU availability | Windows 10 October 2018 Update
Professional, Enterprise, and Education | Windows 10 April 2018 Update
Professional, Enterprise, and Education | **\*Windows Defender Firewall**

To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide). diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 4446936eb1..7590327773 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json 
@@ -1,41 +1,48 @@ { "build": { - "content": - [ - { - "files": ["**/*.md","**/*.yml"], - "exclude": ["**/obj/**"] - } - ], + "content": [ + { + "files": [ + "**/*.md", + "**/*.yml" + ], + "exclude": [ + "**/obj/**" + ] + } + ], "resource": [ - { - "files": ["**/images/**"], - "exclude": ["**/obj/**"] - } + { + "files": [ + "**/images/**" + ], + "exclude": [ + "**/obj/**" + ] + } ], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json", - "ROBOTS": "INDEX, FOLLOW", - "ms.author": "shortpatti", - "author": "eross-msft", - "ms.technology": "internet-explorer", - "ms.topic": "article", - "ms.date": "04/05/2017", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "Win.internet-explorer", - "folder_relative_path_in_docset": "./" - } - } + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json", + "ROBOTS": "INDEX, FOLLOW", + "ms.author": "shortpatti", + "author": "eross-msft", + "ms.technology": "internet-explorer", + "ms.topic": "article", + "ms.date": "04/05/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.internet-explorer", + "folder_relative_path_in_docset": "./" + } + } }, - "externalReference": [ - ], + "externalReference": [], "template": "op.html", "dest": "edges/internet-explorer", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } 
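Review bot: `"markdownEngineName": "dfm"` to `"markdig"` is a behavioral change hidden inside a whitespace-only reindent of docfx.json, and it changes how every topic in the internet-explorer docset renders. It should be stated in the change description (or split into its own commit), since the other hunks in this diff (the `_emphasis_` to `*emphasis*` swaps, the re-indented list continuation lines, the dropped bold labels) read as fallout from the engine switch. Confirm the docset builds without markdig warnings before merging; `"externalReference": []` is fine as collapsed.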
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md index e93bc7fdf4..ab6bed0da5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md @@ -47,11 +47,11 @@ You can create and use a custom XML file with the Enterprise Mode Site List Mana Each XML file must include: -- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser. +- **Version number.** This number must be incremented with each version of the Enterprise Mode site list, letting Internet Explorer know whether the list is new. Approximately 65 seconds after Internet Explorer 11 starts, it compares your site list version to the stored version number. If your file has a higher number, the newer version is loaded.

**Important**
After this check, IE11 won’t look for an updated list again until you restart the browser. -- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.

**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5. +- **<emie> tag.** This tag specifies the domains and domain paths that must be rendered using IE7 Enterprise Mode, IE8 Enterprise Mode, or the default IE11 browser environment.

**Important**
If you decide a site requires IE7 Enterprise Mode, you must add `forceCompatView=”true”` to your XML file. That code tells Enterprise Mode to check for a `DOCTYPE` tag on the specified webpage. If there is, the site renders using Windows Internet Explorer 7. If there’s no tag, the site renders using Microsoft Internet Explorer 5. -- **<docMode> tag.**This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). +- <docMode> tag.This tag specifies the domains and domain paths that need either to appear using the specific doc mode you assigned to the site. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). ### Enterprise Mode v.1 XML schema example The following is an example of what your XML file should look like when you’re done adding your sites. For more info about how to create your XML file, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). 
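Review bot: in the @@ -47,11 hunk the third bullet loses its bold label while the two bullets above keep theirs, and the pre-existing missing space after the period survives: `+- <docMode> tag.This tag specifies`. The reason `**<docMode> tag.**This` never rendered as bold is the missing space (a closing `**` followed directly by a letter cannot close the emphasis), so the fix is `- **<docMode> tag.** This tag specifies ...`, matching `**Version number.**` and `**<emie> tag.**`. With the engine moving to markdig, bare `<emie>` and `<docMode>` in prose are parsed as inline HTML tags and will not show as text; wrap them in backticks. The phrase "that need either to appear using the specific doc mode" also carries a stray "either".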
@@ -104,9 +104,9 @@ After you’ve added all of your sites to the tool and saved the file to XML, yo ## Related topics - [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md) - [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md index 4b3ef6fd4e..6286b356ea 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md @@ -87,9 +87,9 @@ The following is an example of what your XML file should look like when you’re ``` In the above example, the following is true: -- www.cpandl.com, as the main domain, must use IE8 Enterprise Mode. However, www.cpandl.com/images must use IE7 Enterprise Mode. +- www.cpandl.com, as the main domain, must use IE8 Enterprise Mode. However, www.cpandl.com/images must use IE7 Enterprise Mode. -- contoso.com, and all of its domain paths, can use the default compatibility mode for the site. +- contoso.com, and all of its domain paths, can use the default compatibility mode for the site. To make sure your site list is up-to-date; wait 65 seconds after opening IE and then check that the `CurrentVersion` value in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode\` registry key matches the version number in your file.

**Important**
If `CurrentVersion` is not set or is wrong, it means that the XML parsing failed. This can mean that the XML file isn’t there, that there are access problems, or that the XML file format is wrong. Don’t manually change the `CurrentVersion` registry setting. You must make your changes to your site list and then update the list using the import function in the Enterprise Mode Site List Manager (schema v.2). @@ -114,9 +114,9 @@ After you’ve added all of your sites to the tool and saved the file to XML, yo ## Related topics - [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) - [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md index f75680f2fb..06f0afe48d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md @@ -25,11 +25,11 @@ ms.date: 07/27/2017 Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. -

**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see [Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md). +

Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager. ## Adding a site to your compatibility list You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager. -

**Note**
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see [Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md). +

Note
If you're using the v.2 version of the Enterprise Mode schema, you'll need to use the Enterprise Mode Site List Manager (schema v.1). For more info, see Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2). **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.1)** @@ -47,20 +47,20 @@ The path within a domain can require a different compatibility mode from the dom Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). -5. Click **Save** to validate your website and to add it to the site list for your enterprise.
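Review bot: the @@ -25,11 hunk of the version-1 add-single-sites topic turns both cross-references into plain text. `[Add multiple sites to the Enterprise Mode site list using a file and the Windows 7 and 8.1 Enterprise Mode Site List Manager](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md)` and `[Add sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)` lose their targets, and `**Note**` loses its bold. If the intent is to turn these `<br>`-separated callouts into markdig alerts, use `> [!NOTE]` and keep the links; otherwise restore them. While touching the line: the second note says a v.2 schema needs "the Enterprise Mode Site List Manager (schema v.1)" but refers the reader to the schema v.2 tool topic, so one of the two version labels is wrong.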

-If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. +5. Click **Save** to validate your website and to add it to the site list for your enterprise.

+ If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. -6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). +6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

+ You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). ## Next steps After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). ## Related topics - [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index 710cff8a0a..481ddaa91a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md @@ -25,7 +25,7 @@ ms.date: 07/27/2017 Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.

**Important**
You can only add specific URLs, not Internet or Intranet Zones. -

**Note**
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system. +

Note
If you need to include a lot of sites, instead of adding them one at a time, you can create a list of websites and add them all at the same time. For more information, see the Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2) or the Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1) topic, based on your operating system. ## Adding a site to your compatibility list You can add individual sites to your compatibility list by using the Enterprise Mode Site List Manager.
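Review bot: same regression as in the version-1 topic: the `+` Note line in the @@ -25,7 hunk drops the links to the schema v.2 and schema v.1 "Add multiple sites" topics and the bold `**Note**`, leaving two bare topic titles the reader cannot follow. Restore the `[title](file.md)` links, or convert the callout to a `> [!NOTE]` alert that keeps them.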

@@ -33,50 +33,50 @@ You can add individual sites to your compatibility list by using the Enterprise **To add a site to your compatibility list using the Enterprise Mode Site List Manager (schema v.2)** -1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**. +1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**. -2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

-Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. +2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

+ Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. -3. Type any comments about the website into the **Notes about URL** box.

-Administrators can only see comments while they’re in this tool. +3. Type any comments about the website into the **Notes about URL** box.

+ Administrators can only see comments while they’re in this tool. -4. In the **Compat Mode** box, choose one of the following: +4. In the **Compat Mode** box, choose one of the following: - - **IE8Enterprise**. Loads the site in IE8 Enterprise Mode. + - **IE8Enterprise**. Loads the site in IE8 Enterprise Mode. - - **IE7Enterprise**. Loads the site in IE7 Enterprise Mode. + - **IE7Enterprise**. Loads the site in IE7 Enterprise Mode. - - **IE\[*x*\]**. Where \[x\] is the document mode number and the site loads in the specified document mode. + - **IE\[*x*\]**. Where \[x\] is the document mode number and the site loads in the specified document mode. - - **Default Mode**. Loads the site using the default compatibility mode for the page. + - **Default Mode**. Loads the site using the default compatibility mode for the page. The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, **IE8 Enterprise Mode** is automatically selected. Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual. For more specific info about using document modes, see [Fix web compatibility issues using document modes and the Enterprise Mode site list](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md). -5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site. +5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site. - - **IE11**. 
Opens the site in IE11, regardless of which browser is opened by the employee. + - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. - - **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee. + - **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee. - - **None**. Opens in whatever browser the employee chooses. + - **None**. Opens in whatever browser the employee chooses. -6. Click **Save** to validate your website and to add it to the site list for your enterprise.

-If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. +6. Click **Save** to validate your website and to add it to the site list for your enterprise.

+ If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. -7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

-You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). +7. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

+ You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your registry key. For more information about the registry key, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). ## Next steps After you’ve added all of your sites to the tool and saved the file to XML, you can configure the rest of the Enterprise Mode functionality to use it. You can also turn Enterprise Mode on locally, so your users have the option to use Enterprise Mode on individual websites from the **Tools** menu. For more information, see [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md). ## Related topics - [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md index 18ef7efc43..455b64a3a0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md @@ -38,11 +38,11 @@ Administrative Templates are XML-based, multi-language files that define the reg ## How do I store Administrative Templates? As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs). -
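Review bot: step 2's continuation line in the @@ -33,50 hunk is re-indented but keeps a pre-existing error: `+ Don't include the \`https://\` or \`https://\` designation.` names the same scheme twice, and the next sentence ("tries both versions") implies it should read `http://` or `https://`. In the same step, `*<domain>.com*` and `*<domain>.com*/*<path>*` contain bare angle-bracket tokens that markdig parses as inline HTML tags, so the placeholders disappear from the rendered page; escape them as `\<domain\>` and `\<path\>` or put them in backticks.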

**Important**
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see [Scenario 1: Editing the Local GPO Using ADMX Files](https://go.microsoft.com/fwlink/p/?LinkId=276810). +

Important
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files. ## Administrative Templates-related Group Policy settings When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder. -

**Note**
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the **PolicyDefinitions** folder on this computer. +

Note
You won't see the new policy settings if you try to view or edit your policy settings on a computer that isn't running IE11. To fix this, you can either install IE11, or you can copy the updated Inetres.admx and Inetres.adml files from another computer to the PolicyDefinitions folder on this computer. IE11 provides these new policy settings, which are editable in the Local Group Policy Editor, and appear in the following policy paths: diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md index c7a1ebbebd..d109a8971f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md @@ -30,33 +30,33 @@ If you experience issues while setting up your proxy server, you can try these t - Check that the browser is pointing to the right automatic configuration script location. - **To check your proxy server address** + **To check your proxy server address** -1. On the **Tools** menu, click **Internet Options**, and then **Connections**. +1. On the **Tools** menu, click **Internet Options**, and then **Connections**. -2. Click **Settings** or **LAN Settings**, and then look at your proxy server address. +2. Click **Settings** or **LAN Settings**, and then look at your proxy server address. -3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.

**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652). +3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.

**Note**
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652). - **To check that you've turned on the correct settings** + **To check that you've turned on the correct settings** -1. On the **Tools** menu, click **Internet Options**, and then click **Connections**. +4. On the **Tools** menu, click **Internet Options**, and then click **Connections**. -2. Click **Settings** or **LAN Settings**. +5. Click **Settings** or **LAN Settings**. -3. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.

**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again. +6. In the **Automatic configuration** area, check that you've clicked the **Automatically detect settings** box. If you've turned on automatic configuration, check to make sure that you've also clicked the **Use automatic configuration script** box.

**Note**
If at this point everything is set up correctly, but the proxy server still isn't behaving properly, click the **Detect my network settings** box in the **Error** dialog box to try to detect the proxy server, again. - **To check that you're pointing to the correct automatic configuration script location** + **To check that you're pointing to the correct automatic configuration script location** -1. On the **Tools** menu, click **Internet Options**, and then click **Connections**. +7. On the **Tools** menu, click **Internet Options**, and then click **Connections**. -2. Click **Settings** or **LAN Settings**. +8. Click **Settings** or **LAN Settings**. -3. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL. +9. In the **Automatic configuration** area, check that you've chosen the **Use automatic configuration script** box, and that it has the correct location to your automatic configuration script or for your automatic proxy URL. -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md index 08f17b9b1b..1e912f54d0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md @@ -41,7 +41,7 @@ For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry ## Updating your automatic configuration settings After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding. -

**Important**
Your branding changes won't be added or updated if you've previously chosen the **Disable external branding of IE** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). +

Important
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter. **To update your settings** @@ -66,9 +66,9 @@ You have two options to restrict your users' ability to override the automatic c - **Not Using Active Directory.** Choose the **Disable changing Automatic Configuration settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md index 6eb98e9842..508da17224 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md @@ -29,27 +29,27 @@ To use automatic detection, you have to set up your DHCP and DNS servers.
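Review bot: In the administrative-templates-and-ie11.md hunk (@@ -38,11 +38,11 @@), the replacement lines drop markdown that the removed lines carry: `**Important**` and `**Note**` lose their bold, `**PolicyDefinitions**` loses its bold, and the link `[Scenario 1: Editing the Local GPO Using ADMX Files](https://go.microsoft.com/fwlink/p/?LinkId=276810)` becomes plain text, so the reference to the central-store guidance is no longer clickable. If this commit is meant to be a whitespace cleanup, restore the bold markers and the link on the `+` lines so only the non-breaking spaces change.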
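Review bot: In the auto-configuration-and-auto-proxy-problems-with-ie11.md hunk (@@ -30,33 +30,33 @@), the three procedures are renumbered from 1-3 each to a single 1-9 sequence (`-1.` becomes `+4.`, `+7.`, and so on). Each procedure is separated from the next by a bold heading paragraph such as `**To check that you've turned on the correct settings**`, so markdown renders each as its own list and takes the start number from its first item; the change therefore alters the rendered output from three lists numbered 1-3 to lists numbered 1-3, 4-6 and 7-9. Keep the per-procedure 1-3 numbering unless the intent is to present the three checks as one continuous procedure.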
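Review bot: In the auto-configuration-settings-for-ie11.md hunk (@@ -41,7 +41,7 @@), the `+` line drops the bold on `**Disable external branding of IE**`, the code formatting on `User Configuration\Administrative Templates\Windows Components\Internet Explorer`, and the link `[Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514)`, leaving the policy name, policy path and reference as plain text. The unchanged context two hunks later still writes the same policy path in backticks, so restore the formatting and link on the `+` line to keep the page consistent.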

**No **To turn on automatic detection for DHCP servers** -1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page. +1. Open the Internet Explorer Customization Wizard 11, and go to the **Automatic Configuration** page. -2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). +2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md). -3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). +3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). - **To turn on automatic detection for DNS servers** + **To turn on automatic detection for DNS servers** -1. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. +4. Open the IE Customization Wizard 11, and go to the **Automatic Configuration** page. -2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. +5. 
Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. -3. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

**-OR-**

Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

**Note**
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651).  +6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

**-OR-**

Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

**Note**
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651). -4. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.

**Note**
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. +7. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.

**Note**
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. -   + -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md index bc8dbcd54c..eee4b1425c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md +++ b/browsers/internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls.md @@ -35,7 +35,9 @@ You will receive a notification if a webpage tries to load one of the following **Silverlight** + | Everything below (but not including) Silverlight 5.1.50907.0 | |--------------------------------------------------------------| +| | For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864). diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md index e97747ee2f..4e6630b0f1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-deploy-ie11.md 
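Review bot: In the auto-detect-settings-for-ie11.md hunk (@@ -29,27 +29,27 @@), the DNS procedure is renumbered from 1-4 to 4-7 even though it sits under its own bold heading (`**To turn on automatic detection for DNS servers**`) after the DHCP procedure; markdown starts a new list there and honours the first item's number, so the DNS steps will render as 4-7 instead of 1-4. In the same hunk the `+5.` marker and its text "Choose the **Automatically detect configuration settings** box" appear on separate lines, which would render the number as an empty list item; confirm the marker and its text stay on one line.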
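Review bot: In the blocked-out-of-date-activex-controls.md hunk (@@ -35,7 +35,9 @@), the added `| |` line after the separator row inserts an empty table row under the Silverlight header, which renders as a blank cell. The blank line added before `| Everything below (but not including) Silverlight 5.1.50907.0 |` is what makes the table render correctly; drop the `| |` row.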
@@ -18,13 +18,14 @@ ms.date: 07/27/2017 In this section, you can learn about how to deploy your custom version of Internet Explorer using Automatic Version Synchronization (AVS) or using your software distribution tools. ## In this section + | Topic | Description | |------------------------------------------------------------- | ------------------------------------------------------ | |[Deploy IE11 using Automatic Version Synchronization (AVS)](deploy-ie11-using-automatic-version-synchronization-avs.md) |Guidance about how to deploy your custom browser packages using Automatic Version Synchronization (AVS). | -|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). | -  - -  +|[Deploy IE11 using software distribution tools](deploy-ie11-using-software-distribution-tools.md) |Guidance about how to deploy your custom browser packages using System Center 2012 R2, Windows Server Update Services (WSUS), Group Policy software installation, or Microsoft Deployment toolkit (MDT). | + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index db879fca5c..e1bd5ba5d6 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -248,7 +248,7 @@ You can use both the WMI and XML settings individually or together: -**To turn on both WMI and XML recording** +To turn on both WMI and XML recording 
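Review bot: In the collect-data-using-enterprise-site-discovery.md hunk (@@ -248,7 +248,7 @@), the procedure heading `**To turn on both WMI and XML recording**` loses its bold on the `+` line, while every other procedure heading touched by this commit keeps it (for example `**To check your proxy server address**` and `**To create a new package**`). Restore the bold so the heading matches the rest of the deploy guide.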
@@ -476,7 +476,7 @@ You can completely remove the data stored on your employee’s computers. ## Related topics * [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562) * [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md index b12889bdeb..090b718581 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md @@ -17,13 +17,13 @@ ms.date: 07/27/2017 # Create packages for multiple operating systems or languages You'll create multiple versions of your custom browser package if: -- You support more than 1 version of Windows®. +- You support more than 1 version of Windows®. -- You support more than 1 language. +- You support more than 1 language. -- You have custom installation packages with only minor differences. Like, having a different phone number. +- You have custom installation packages with only minor differences. Like, having a different phone number. - **To create a new package** + **To create a new package** 1. Create an installation package using the Internet Explorer Customization Wizard 11, as described in the [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](../ie11-ieak/ieak11-wizard-custom-options.md) topic. @@ -33,11 +33,11 @@ You'll create multiple versions of your custom browser package if: **Important**
Except for the **Title bar** text, **Favorites**, **Links bar**, **Home page**, and **Search bar**, keep all of your wizard settings the same for all of your build computers. -   + -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md index 6b7fa1df4c..e964d84927 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md @@ -22,14 +22,14 @@ Automatic Version Synchronization (AVS) lets you use the Internet Explorer Admin You must synchronize the setup files at least once on the local computer, for each language and operating system combination, before proceeding through the rest of the wizard. If your packages have more than one version of IE, you need to keep the versions in separate component download folders, which can be pointed to from the **File Locations** page of the IEAK 11. For more information about using the AVS feature, see [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](../ie11-ieak/auto-version-sync-ieak11-wizard.md) . -##Related topics +## Related topics - [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) - [Customize Internet Explorer 11 installation packages](customize-ie11-install-packages.md) -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md index e6fc523907..f3ffd4bf9f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md 
@@ -19,15 +19,16 @@ ms.date: 07/27/2017 **Applies to:** -- Windows 10 -- Windows 8.1 -- Windows 7 -- Windows Server 2012 R2 -- Windows Server 2008 R2 with Service Pack 1 (SP1) +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. ## In this section + |Topic |Description | |---------------------------------------------------------------|-----------------------------------------------------------------------------------| |[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. | @@ -44,11 +45,11 @@ Use the topics in this section to learn how to set up and use Enterprise Mode an |[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. | |[Remove sites from a local compatibility view list](remove-sites-from-a-local-compatibililty-view-list.md) |Guidance about how to remove websites from a device's local compatibility view list. | |[Turn off Enterprise Mode](turn-off-enterprise-mode.md) |Guidance about how to stop using your site list and how to turn off local control, using Group Policy or the registry. | -  - -  - -  + + + + + diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index c5d717cf66..72522b17ec 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -75,7 +75,7 @@ This table includes the elements used by the Enterprise Mode schema. - 
@@ -134,11 +134,11 @@ This table includes the elements used by the Enterprise Mode schema.

Example

 <emie>
-  <domain exclude="true">fabrikam.com
-    <path exclude="false">/products</path>
+  <domain exclude="true">fabrikam.com
+    <path exclude="false">/products</path>
   </domain>
 </emie>

-Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does. +Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does.

Setting nameRoot node for the schema.

Example

-<rules version="205">
+<rules version="205">
   <emie>
     <domain>contoso.com</domain>
   </emie>
@@ -87,19 +87,19 @@ This table includes the elements used by the Enterprise Mode schema.
 
The parent node for the Enterprise Mode section of the schema. All <domain> entries will have either IE8 Enterprise Mode or IE7 Enterprise Mode applied.

Example

-<rules version="205">
+<rules version="205">
   <emie>
     <domain>contoso.com</domain>
   </emie>
 </rules>
-or- -

For IPv6 ranges:

<rules version="205">
+

For IPv6 ranges:

<rules version="205">
   <emie>
     <domain>[10.122.34.99]:8080</domain>
   </emie>
   </rules>
-or- -

For IPv4 ranges:

<rules version="205">
+

For IPv4 ranges:

<rules version="205">
   <emie>
     <domain>10.122.34.99:8080</domain>
   </emie>
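Review bot: In the enterprise-mode-schema-version-1-guidance.md hunk (@@ -87,19 +87,19 @@), the example labelled "For IPv6 ranges" uses `<domain>[10.122.34.99]:8080</domain>`, which is an IPv4 address in brackets rather than an IPv6 address, and the "For IPv4 ranges" example uses the same address without brackets. Since this hunk already rewrites these lines, either replace the bracketed value with an IPv6 literal or correct the label so the example matches what it claims to show.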
@@ -108,12 +108,12 @@ This table includes the elements used by the Enterprise Mode schema.
 
<docMode>The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied. +The parent node for the document mode section of the section. All <domain> entries will get IE5 - IE11 document modes applied. If there's a <domain> element in the <docMode> section that uses the same value as a <domain> element in the <emie> section, the <emie> element is applied.

Example

-<rules version="205">
+<rules version="205">
   <docMode>
-    <domain docMode="7">contoso.com</domain>
+    <domain docMode="7">contoso.com</domain>
   </docMode>
 </rules>
Internet Explorer 11Internet Explorer 11 and Microsoft Edge
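Review bot: In the enterprise-mode-schema-version-1-guidance.md hunk (@@ -108,12 +108,12 @@), the `<docMode>` description still reads "The parent node for the document mode section of the section" on both the removed and the added line; the parallel `<emie>` description in the previous hunk says "the Enterprise Mode section of the schema", so this should read "section of the schema". Since the line is being rewritten anyway, fix the wording here.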
@@ -166,11 +166,11 @@ This table includes the attributes used by the Enterprise Mode schema.

Example

 <emie>
-  <domain exclude="false">fabrikam.com
-    <path exclude="true">/products</path>
+  <domain exclude="false">fabrikam.com
+    <path exclude="true">/products</path>
   </domain>
 </emie>

-Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/products does not. +Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/products does not. Internet Explorer 11 and Microsoft Edge @@ -179,8 +179,8 @@ Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/pr

Example

 <docMode>
-  <domain exclude="false">fakrikam.com
-    <path docMode="7">/products</path>
+  <domain exclude="false">fakrikam.com
+    <path docMode="7">/products</path>
   </domain>
 </docMode>
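Review bot: In the enterprise-mode-schema-version-1-guidance.md hunk (@@ -179,8 +179,8 @@), the example keeps the typo `fakrikam.com` on the rewritten `+` line; every other example in the table uses `fabrikam.com`. Correct the domain on the `+` line while this line is being touched.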
Internet Explorer 11 diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index c0e9084fb7..187ba67198 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -42,7 +42,7 @@ The following is an example of the v.2 version of the Enterprise Mode schema. **Important**
Make sure that you don't specify a protocol when adding your URLs. Using a URL like ``, automatically applies to both https://contoso.com and https://contoso.com. -  + ``` xml @@ -106,8 +106,8 @@ This table includes the elements used by the v.2 version of the Enterprise Mode A new root node with this text is using the updated v.2 version of the schema. It replaces <rules>.

Example

-<site-list version="205">
-  <site url="contoso.com">
+<site-list version="205">
+  <site url="contoso.com">
     <compat-mode>IE8Enterprise</compat-mode>
     <open-in>IE11</open-in>
   </site>
@@ -119,19 +119,19 @@ This table includes the elements used by the v.2 version of the Enterprise Mode
 A unique entry added for each site you want to put on the Enterprise Mode site list. The first <site> element will overrule any additional <site> elements that use the same value for the <url> element.
 

Example

-<site url="contoso.com">
+<site url="contoso.com">
   <compat-mode>default</compat-mode>
   <open-in>none</open-in>
 </site>
-or- -

For IPv4 ranges:

<site url="10.122.34.99:8080">
+

For IPv4 ranges:

<site url="10.122.34.99:8080">
   <compat-mode>IE8Enterprise</compat-mode>
 <site>

-or- -

For IPv6 ranges:

<site url="[10.122.34.99]:8080">
+

For IPv6 ranges:

<site url="[10.122.34.99]:8080">
   <compat-mode>IE8Enterprise</compat-mode>
 <site>

-You can also use the self-closing version, <url="contoso.com" />, which also sets: +You can also use the self-closing version, <url="contoso.com" />, which also sets:

  • <compat-mode>default</compat-mode>
  • <open-in>none</open-in>
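Review bot: In the enterprise-mode-schema-version-2-guidance.md hunk (@@ -119,19 +119,19 @@), both the IPv4 and the IPv6 `<site>` examples end with `<site>` instead of `</site>`, so the XML as shown is not well-formed; this is carried over unchanged into the `+` lines. The sentence below them also writes the self-closing form as `<url="contoso.com" />`, which lacks the element name; it should read `<site url="contoso.com" />` to match the `<site url="contoso.com">` examples above it. As in the v.1 hunk, the "IPv6 ranges" example uses the bracketed IPv4 literal `[10.122.34.99]:8080`.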
  • @@ -143,21 +143,21 @@ You can also use the self-closing version, <url="contoso.com" />, which al A child element that controls what compatibility setting is used for specific sites or domains. This element is only supported in IE11.

    Example

    -<site url="contoso.com">
    +<site url="contoso.com">
       <compat-mode>IE8Enterprise</compat-mode>
     </site>
    -or- -

    For IPv4 ranges:

    <site url="10.122.34.99:8080">
    +

    For IPv4 ranges:

    <site url="10.122.34.99:8080">
       <compat-mode>IE8Enterprise</compat-mode>
     <site>

    -or- -

    For IPv6 ranges:

    <site url="[10.122.34.99]:8080">
    +

    For IPv6 ranges:

    <site url="[10.122.34.99]:8080">
       <compat-mode>IE8Enterprise</compat-mode>
     <site>

    Where:

    • IE8Enterprise. Loads the site in IE8 Enterprise Mode.
      This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE8 Enterprise Mode.
    • -

    • IE7Enterprise. Loads the site in IE7 Enterprise Mode.
      This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.

      Important
      This tag replaces the combination of the `"forceCompatView"="true"` attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.

    • +

    • IE7Enterprise. Loads the site in IE7 Enterprise Mode.
      This element is required for sites included in the EmIE section of the v.1 schema and is needed to load in IE7 Enterprise Mode.

      Important
      This tag replaces the combination of the "forceCompatView"="true" attribute and the list of sites specified in the EmIE section of the v.1 version of the schema.

    • IE[x]. Where [x] is the document mode number into which the site loads.
    • Default or not specified. Loads the site using the default compatibility mode for the page. In this situation, X-UA-compatible meta tags or HTTP headers are honored.
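Review bot: In the enterprise-mode-schema-version-2-guidance.md hunk (@@ -143,21 +143,21 @@), the IPv4 and IPv6 `<compat-mode>` examples again close with `<site>` rather than `</site>`, and the `+` line for the IE7Enterprise "Important" paragraph drops the backticks around `"forceCompatView"="true"` that the `-` line has, so the attribute is no longer rendered as code. Fix the closing tags and keep the code formatting on the `+` line.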
    @@ -168,7 +168,7 @@ Where: A child element that controls what browser is used for sites. This element supports the Open in IE11 or Open in Microsoft Edge experiences, for devices running Windows 10.

    Example

    -<site url="contoso.com">
    +<site url="contoso.com">
       <open-in>none</open-in>
     </site>

    Where: @@ -195,13 +195,13 @@ The <url> attribute, as part of the <site> element in the v.2 versio allow-redirect -A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser). +A boolean attribute of the <open-in> element that controls the behavior for redirected sites. Setting this attribute to "true" indicates that the site will open in IE11 or Microsoft Edge even if the site is navigated to as part of a HTTP or meta refresh redirection chain. Omitting the attribute is equivalent to "false" (sites in redirect chain will not open in another browser).

    Example

    -<site url="contoso.com/travel">
    -  <open-in allow-redirect="true">IE11</open-in>
    +<site url="contoso.com/travel">
    +  <open-in allow-redirect="true">IE11</open-in>
     </site>
    -In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. +In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. Internet Explorer 11 and Microsoft Edge @@ -213,14 +213,14 @@ In this example, if https://contoso.com/travel is encountered in a redirect chai url Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
    Note
    -Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com. +Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com.

    Example

    -<site url="contoso.com:8080">
    +<site url="contoso.com:8080">
       <compat-mode>IE8Enterprise</compat-mode>
       <open-in>IE11</open-in>
     </site>
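Review bot: In the enterprise-mode-schema-version-2-guidance.md hunk (@@ -213,14 +213,14 @@), the note "applies to both https://contoso.com and https://contoso.com" lists the same URL twice on both the `-` and the `+` line; the point of the note is that omitting the protocol matches both schemes, so one of the two should be the plain-http form. The same duplicated sentence appears in the @@ -42,7 +42,7 @@ hunk of this file, where the example in "Using a URL like ``" is also an empty code span; both should be fixed together.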
    -In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. +In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. Internet Explorer 11 and Microsoft Edge @@ -240,17 +240,17 @@ These v.1 version schema attributes have been deprecated in the v.2 version of t <forceCompatView> <compat-mode> -Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode> +Replace <forceCompatView="true"> with <compat-mode>IE7Enterprise</compat-mode> <docMode> <compat-mode> -Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode> +Replace <docMode="IE5"> with <compat-mode>IE5</compat-mode> <doNotTransition> <open-in> -Replace <doNotTransition="true"> with <open-in>none</open-in> +Replace <doNotTransition="true"> with <open-in>none</open-in> <domain> and <path> @@ -258,24 +258,24 @@ These v.1 version schema attributes have been deprecated in the v.2 version of t Replace:
     <emie>
    -  <domain exclude="false">contoso.com</domain>
    +  <domain exclude="false">contoso.com</domain>
     </emie>
    With:
    -<site url="contoso.com"/>
    +<site url="contoso.com"/>
       <compat-mode>IE8Enterprise</compat-mode>
     </site>
    -AND-

    Replace:

     <emie>
    -  <domain exclude="true">contoso.com
    -     <path exclude="false" forceCompatView="true">/about</path>
    +  <domain exclude="true">contoso.com
    +     <path exclude="false" forceCompatView="true">/about</path>
       </domain>
     </emie>
    With:
    -<site url="contoso.com/about">
    +<site url="contoso.com/about">
       <compat-mode>IE7Enterprise</compat-mode>
     </site>
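Review bot: the Note under `url` lists the same URL twice, `applies to both https://contoso.com and https://contoso.com`, which makes the sentence a tautology. Since the point being made is that the `url` value carries no scheme, one of the two should be the plain `http://` form, i.e. `applies to both http://contoso.com and https://contoso.com`; the line is already being rewritten for trailing whitespace, so this is the moment to fix it.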
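Review bot: the first replacement snippet is not well-formed XML: `<site url="contoso.com"/>` is self-closing, yet it is followed by a `<compat-mode>IE8Enterprise</compat-mode>` child and a closing `</site>`. It should open as `<site url="contoso.com">`, matching the second snippet (`<site url="contoso.com/about">`) a few lines below. The hunk only touches whitespace on that line, so the syntax error survives the change.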
    diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md index 61ea34d333..3c8c913f1f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-ie11.md @@ -38,11 +38,11 @@ Use the topics in this section to learn about Group Policy and how to use it to |[Group policy preferences and Internet Explorer 11](group-policy-preferences-and-ie11.md) |Info about Group Policy preferences, as compared to Group Policy settings. | |[Administrative templates and Internet Explorer 11](administrative-templates-and-ie11.md) |Info about Administrative Templates, including where to store them and the related Group Policy settings. | |[Enable and disable add\-ons using administrative templates and group policy](enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md) |Guidance about how to use your local Group Policy editor or the CLSID and Administrative Templates to manage your Group Policy objects. -  + -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md index eb04a4a464..247e023667 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md @@ -33,7 +33,7 @@ After deploying IE11 to your organization, you can continue to manage the browse **Note**
    Whenever possible, we recommend that you manage IE11 using Administrative Templates, because these settings are always written to secure policy branches in the registry. In addition, we recommend that you deploy using standard user accounts instead of letting your users log on to their computers as administrators. This helps to prevent your users from making unwanted changes to their systems or overriding Group Policy settings. -   + Users won't be able to use the IE11 user interface or the registry to change any managed settings on their computers. However, they will be able to change many of the preferences associated with the settings you set up using the Internet Explorer Administration Kit 11 (IEAK 11). ## Which GPO tool should I use? @@ -47,9 +47,9 @@ You can use any of these tools to create, manage, view, and troubleshoot Group P - [Group Policy, Windows Powershell, and Internet Explorer 11](group-policy-windows-powershell-ie11.md). A command-line shell and scripting language that helps automate Windows and application administration on a single computer locally, or across many computers remotely. -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index 67ff23ab52..0b4e605611 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md 
@@ -70,39 +70,39 @@ Automatic Updates will start to distribute Internet Explorer 11 shortly after th Internet Explorer 11 will be released to WSUS as an Update Rollup package. Therefore, if you’ve configured WSUS to “auto-approve” Update Rollup packages, it’ll be automatically approved and installed. To stop Internet Explorer 11 from being automatically approved for installation, you need to: -1. Click **Start**, click **Administrative Tools**, and then click **Microsoft - Windows Server Update Services 3.0**. +1. Click **Start**, click **Administrative Tools**, and then click **Microsoft + Windows Server Update Services 3.0**. -2. Expand *ComputerName*, and then click **Options**. +2. Expand *ComputerName*, and then click **Options**. -3. Click **Automatic Approvals**. +3. Click **Automatic Approvals**. -4. Click the rule that automatically approves an update that is classified as - Update Rollup, and then click **Edit.** +4. Click the rule that automatically approves an update that is classified as + Update Rollup, and then click **Edit.** - >[!Note] - >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. + >[!Note] + >If you don’t see a rule like this, you most likely haven’t configured WSUS to automatically approve Update Rollups for installation. In this situation, you don’t have to do anything else. -5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. +5. Click the **Update Rollups** property under the **Step 2: Edit the properties (click an underlined value)** section. - >[!Note] - >The properties for this rule will resemble the following:
    • When an update is in Update Rollups
    • Approve the update for all computers
    + >[!Note] + >The properties for this rule will resemble the following:
    • When an update is in Update Rollups
    • Approve the update for all computers
    -6. Clear the **Update Rollup** check box, and then click **OK**. +6. Clear the **Update Rollup** check box, and then click **OK**. -7. Click **OK** to close the **Automatic Approvals** dialog box.

    After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. +7. Click **OK** to close the **Automatic Approvals** dialog box.

    After the new Internet Explorer 11 package is available for download, you should manually synchronize the new package to your WSUS server, so that when you re-enable auto-approval it won’t be automatically installed. -8. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. +8. Click **Start**, click **Administrative Tools**, and then click **Microsoft Windows Server Update Services 3.0**. -9. Expand *ComputerName*, and then click **Synchronizations**. +9. Expand *ComputerName*, and then click **Synchronizations**. -10. Click **Synchronize Now**. +10. Click **Synchronize Now**. -11. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. +11. Expand *ComputerName*, expand **Updates**, and then click **All Updates**. -12. Choose **Unapproved** in the **Approval**drop down box. +12. Choose **Unapproved** in the **Approval**drop down box. -13. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. +13. Check to make sure that Microsoft Internet Explorer 11 is listed as an unapproved update. >[!Note] >There may be multiple updates, depending on the imported language and operating system updates. diff --git a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md index ab7cdcd98b..a84fbae316 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md 
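Review bot: step 12 still reads `Choose **Unapproved** in the **Approval**drop down box.` with no space after the closing bold marker, so the rendered text runs the words together. Since the line is being rewritten anyway, change it to `in the **Approval** drop-down box.`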
@@ -42,9 +42,9 @@ Importing your file overwrites everything that’s currently in the tool, so mak - [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) - [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md index ba02ed0210..3f147df80e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-and-deploy-ie11.md @@ -34,11 +34,11 @@ Use the topics in this section to learn how to customize your Internet Explorer |[Choose how to install Internet Explorer 11 (IE11)](choose-how-to-install-ie11.md) |Guidance for the different ways you can install IE, including using System Center 2012 R2 Configuration Manager, Windows Server Update Services (WSUS), Microsoft Intune, your network, the operating system deployment system, or third-party tools. | |[Choose how to deploy Internet Explorer 11 (IE11)](choose-how-to-deploy-ie11.md) |Guidance about how to deploy your custom version of IE using Automatic Version Synchronization (AVS) or using your software distribution tools. | |[Virtualization and compatibility with Internet Explorer 11](virtualization-and-compatibility-with-ie11.md) |Info about the Microsoft-supported options for virtualizing web apps. | -  + -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md index a84212c6a5..7816ad8190 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md 
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-the-network.md @@ -21,22 +21,22 @@ You can install Internet Explorer 11 (IE11) over your network by putting your c **To manually create the folder structure** -- Copy your custom IE11 installation file into a folder on your network, making sure it's available to your employees. +- Copy your custom IE11 installation file into a folder on your network, making sure it's available to your employees. - **To create the folder structure using IEAK 11** + **To create the folder structure using IEAK 11** -- Run the Internet Explorer Customization Wizard 11 in IEAK 11, using the **Full Installation Package** option.

    -The wizard automatically puts your custom installation files in your `\\Flat` folder. Where the `` is the location of your other build files. +- Run the Internet Explorer Customization Wizard 11 in IEAK 11, using the **Full Installation Package** option.

    + The wizard automatically puts your custom installation files in your `\\Flat` folder. Where the `` is the location of your other build files. **Note**
    Use the localized versions of the IE Customization Wizard 11 to create localized IE11 installation packages. ## Related topics - [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md) -   + -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md index 2d390c0f69..3bc741dbc0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md @@ -19,34 +19,34 @@ Windows Server Update Services (WSUS) lets you download a single copy of the Mic **To import from Windows Update to WSUS** -1. Open your WSUS admin site. For example, `https:///WSUSAdmin/`.

    -Where `` is the name of your WSUS server. +1. Open your WSUS admin site. For example, `https:///WSUSAdmin/`.

    + Where `` is the name of your WSUS server. -2. Choose the top server node or the **Updates** node, and then click **Import Updates**. +2. Choose the top server node or the **Updates** node, and then click **Import Updates**. -3. To get the updates, install the Microsoft Update Catalog ActiveX control. +3. To get the updates, install the Microsoft Update Catalog ActiveX control. -4. Search for Internet Explorer 11 and add its contents to your basket. +4. Search for Internet Explorer 11 and add its contents to your basket. -5. After you're done browsing, go to your basket and click **Import**. +5. After you're done browsing, go to your basket and click **Import**. - You can also download the updates without importing them by unchecking the **Import directly into Windows Server Update Services** box. + You can also download the updates without importing them by unchecking the **Import directly into Windows Server Update Services** box. - **To approve Internet Explorer in WSUS for installation** + **To approve Internet Explorer in WSUS for installation** -1. Open your WSUS admin site and check the **Review synchronization settings** box from the **To Do** list. +6. Open your WSUS admin site and check the **Review synchronization settings** box from the **To Do** list. -2. Click **Synchronize now** to sync your WSUS server with Windows Update, and then click **Updates** from the navigation bar. +7. Click **Synchronize now** to sync your WSUS server with Windows Update, and then click **Updates** from the navigation bar. -3. Enter **Internet Explorer 11** into the **Search Contains** box, and then click **Apply**. +8. Enter **Internet Explorer 11** into the **Search Contains** box, and then click **Apply**. -4. Choose the right version of IE11 for your operating system, and click **Approve for installation**. +9. Choose the right version of IE11 for your operating system, and click **Approve for installation**. -5. 
Click each computer group you want to set up for the WSUS server, picking the right approval level, and then click **OK**. +10. Click each computer group you want to set up for the WSUS server, picking the right approval level, and then click **OK**. -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md index 89dd3179d4..3a9b502928 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md +++ b/browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md @@ -34,9 +34,9 @@ Use the topics in this section to learn about how to auto detect your settings, |[Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) |Guidance about how to add, update and lock your auto configuration settings. | |[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. |  -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md index 76393fbbba..42ffd10dc8 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md 
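Review bot: in the IEAK 11 bullet of install-ie11-using-the-network.md, the path `\\Flat` begins with a bare `\\` and the code span in `Where the `` is the location of your other build files` is empty, in both the removed and the added line, so the build-directory placeholder is not rendering (most likely an angle-bracket placeholder swallowed as HTML). Restore and escape the placeholder text in both places and join the fragment into one sentence: `...in the <placeholder>\Flat folder, where <placeholder> is the location of your other build files.`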
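Review bot: renumbering the steps under `**To approve Internet Explorer in WSUS for installation**` from 1-5 to 6-10 is a content change in what is otherwise a whitespace-only commit, and it turns two procedures with their own bold headings into one continuous list; either keep the numbering restarting at 1 under the second heading or drop the heading, not both. Separately, the example URL `https:///WSUSAdmin/` has an empty host and the code span in `Where `` is the name of your WSUS server` is empty, in both the old and new lines, so the server-name placeholder is not rendering and needs to be escaped.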
@@ -64,7 +64,7 @@ The IEM settings have replacements you can use in either Group Policy Preference |Automatic browser configuration |Lets you update your employee's computer after you've deployed IE11, by specifying a URL to an .ins file, an auto-proxy URL, or both. You can decide when the update occurs, in minutes. Typing zero, or not putting in any number, means that automatic configuration only happens after the browser is started and used to go to a page. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Automatic Configuration** tab, and then add your URL.

    On the **Automatic Configuration** page of IEAK 11, modify the configuration settings, including providing the URL to an .ins file or an auto-proxy site. | |Proxy settings |Lets you specify your proxy servers. |In the **Internet Settings Group Policy Preferences** dialog box, click the **Connections** tab, click **LAN Settings**, and then choose whether to turn on automatic detection of your configuration settings and if you want to use proxy servers.

    -OR-

    On the **Proxy Settings** page of IEAK 11, turn on your proxy settings, adding your proxy server addresses and exceptions. | |User Agent string |Lets the browser provide identification to visited servers. This string is often used to keep Internet traffic statistics. |This setting isn't available anymore. | -  + ### URLs replacements |IEM setting |Description |Replacement tool | diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md index 0c31d97187..5098fab9f0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md @@ -16,42 +16,43 @@ ms.date: 07/27/2017 # New group policy settings for Internet Explorer 11 -Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including: +Internet Explorer 11 gives you some new Group Policy settings to help you manage your company's web browser configurations, including: -|Policy |Category Path |Supported on |Explanation | -|-------|--------------|-------------|------------| -|Allow IE to use the HTTP2 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.

    If you enable this policy setting, IE uses the HTTP2 network protocol.

    If you disable this policy setting, IE won't use the HTTP2 network protocol.

    If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. | -|Allow IE to use the SPDY/3 network protocol |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.

    If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.

    If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.

    If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced* tab of the **Internet Options** dialog box. The default is on.

    **Note**
    We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. | -|Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.

    If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

    If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

    If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | -|Allow only approved domains to use the TDC ActiveX control |

    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
    |IE11 in Windows 10 |This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.

    If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.

    If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. | -|Allow SSL3 Fallback |Administrative Templates\Windows Components\Internet Explorer\Security Features |Internet Explorer 11 on Windows 10 |This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.

    If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.

    If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.

    **Important:**
    By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. | -|Allow VBScript to run in Internet Explorer|

    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Internet Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Intranet Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Local Machine Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Internet Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Intranet Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Local Machine Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Restricted Sites Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Trusted Sites Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Restricted Sites Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Trusted Sites Zone
    |Internet Explorer 11|This policy setting lets you decide whether VBScript can run on pages in specific Internet Explorer zones.

    If you enable this policy setting (default), you must also pick one of the following options from the Options box:

    • Enable. VBScript runs on pages in specific zones, without any interaction.
    • Prompt. Employees are prompted whether to allow VBScript to run in the zone.
    • Disable. VBScript is prevented from running in the zone.

    If you disable or don’t configure this policy setting, VBScript runs without any interaction in the specified zone.| -|Always send Do Not Track header |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 |This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.

    If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.

    **In Internet Explorer 9 and 10:**
    If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.

    **In at least IE11:**
    If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.

    If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced* tab of the **Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. | -|Don't run antimalware programs against ActiveX controls
    (Internet, Restricted Zones) |

    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
    |IE11 on Windows 10 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

    If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. | -|Don't run antimalware programs against ActiveX controls
    (Intranet, Trusted, Local Machine Zones) |

    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
    |IE11 on Windows 10 |This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

    If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. | -|Hide the button (next to the New Tab button) that opens Microsoft Edge |User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ |IE11 on Windows 10, version 1703|This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.

    If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.

    If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.

    If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. | -|Let users turn on and use Enterprise Mode from the **Tools** menu |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10 |This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.

    If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.

    If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | -|Limit Site Discovery output by Domain |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

    If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.

    If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.

    **Note:**
    You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | -|Limit Site Discovery output by Zone |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

    If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.

    If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.

    To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

    • 0 – Restricted Sites zone
    • 0 – Internet zone
    • 0 – Trusted Sites zone
    • 0 – Local Intranet zone
    • 0 – Local Machine zone

    **Example 1:** Include only the Local Intranet zone (binary representation: 00010), based on:
    • 0 – Restricted Sites zone
    • 0 – Internet zone
    • 0 – Trusted Sites zone
    • 1 – Local Intranet zone
    • 0 – Local Machine zone

    **Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:
    • 1 – Restricted Sites zone
    • 0 – Internet zone
    • 1 – Trusted Sites zone
    • 1 – Local Intranet zone
    • 1 – Local Machine zone

    **Note:**
    You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | -|Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**
    This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.

    **In IE11:**
    This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.

    If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.

    If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.

    If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | -|Send all sites not included in the Enterprise Mode Site List to Microsoft Edge |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.

    If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.

    If you disable or don't configure this policy setting, all sites will open based on the currently active browser.

    **Note:**
    If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. | -|Show message when opening sites in Microsoft Edge using Enterprise Mode |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

    If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

    If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. | -|Turn off automatic download of the ActiveX VersionList |Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management |At least Windows Internet Explorer 8 |This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.

    If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.

    If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.

    **Important:**
    Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic. | -|Turn off loading websites and content in the background to optimize performance |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.

    If you enable this policy setting, IE doesn't load any websites or content in the background.

    If you disable this policy setting, IE preemptively loads websites and content in the background.

    If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | -|Turn off phone number detection |Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |IE11 on Windows 10 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.

    If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.

    If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.

    If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | -|Turn off sending URL path as UTF-8 |User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.

    If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.

    If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.

    If you don't configure this policy setting, users can turn this behavior on or off. | -|Turn off sending UTF-8 query strings for URLs |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.

    If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:

    • **0.** Never encode query strings.
    • **1.** Only encode query strings for URLs that aren't in the Intranet zone.
    • **2.** Only encode query strings for URLs that are in the Intranet zone.
    • **3.** Always encode query strings.

    If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. | -|Turn off the ability to launch report site problems using a menu option |Administrative Templates\Windows Components\Internet Explorer\Browser menus |Internet Explorer 11 |This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.

    If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.

    If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | -|Turn off the flip ahead with page prediction feature |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |At least Internet Explorer 10 on Windows 8 |This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

    If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

    If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

    If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.

    **Note**
    Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. | -|Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

    If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

    If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

    If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.

    **Important**
    When using 64-bit processes, some ActiveX controls and toolbars might not be available. | -|Turn on Site Discovery WMI output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

    If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.

    If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

    **Note:**
    Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | -|Turn on Site Discovery XML output |Administrative Templates\Windows Components\Internet Explorer |At least Internet Explorer 8 |This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.

    If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.

    If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.

    **Note:**
    Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | -|Use the Enterprise Mode IE website list |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1511 |This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

    If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.

    If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. | + +| Policy | Category Path | Supported on | Explanation | +|-----------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Allow IE to use the HTTP2 network protocol | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE uses the HTTP2 network protocol. HTTP2 works with HTTP requests to optimize the latency of network requests through compression, multiplexing, and prioritization.

    If you enable this policy setting, IE uses the HTTP2 network protocol.

    If you disable this policy setting, IE won't use the HTTP2 network protocol.

    If you don't configure this policy setting, users can turn this behavior on or off, using the **Internet Explorer Advanced Internet Options** settings. The default is on. | +| Allow IE to use the SPDY/3 network protocol | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimize the latency of network requests through compression, multiplexing and prioritization.

    If you enable this policy setting, Internet Explorer uses the SPDY/3 network protocol.

    If you disable this policy setting, Internet Explorer won't use the SPDY/3 network protocol.

    If you don't configure this policy setting, users can turn this behavior on or off, on the **Advanced\* tab of the \*\*Internet Options** dialog box. The default is on.

    **Note**
    We've replaced the SPDY/3 protocol with the HTTP2 protocol in Windows 10. You can configure the HTTP2 protocol by using the **Allow IE to use the HTTP2 network protocol** setting. | +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting allows IE to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user’s keystrokes are sent to Microsoft through Microsoft services.

    If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

    If you disable this policy setting, users won’t receive enhanced suggestions while typing in the Address bar. In addition, users won’t be able to change the **Suggestions** setting on the **Settings** charm.

    If you don’t configure this policy setting, users can change the **Suggestions** setting on the **Settings** charm. | +| Allow only approved domains to use the TDC ActiveX control |

    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
    | IE11 in Windows 10 | This policy setting determines whether users can run the Tabular Data Control (TDC) ActiveX control, based on security zone. By default, the TDC ActiveX Control is disabled in the **Internet** and **Restricted Sites** security zones.

    If you enable this policy setting, users won’t be able to run the TDC ActiveX control from all sites in the specified zone.

    If you disable this policy setting, users can run the TDC Active X control from all sites in the specified zone. | +| Allow SSL3 Fallback | Administrative Templates\Windows Components\Internet Explorer\Security Features | Internet Explorer 11 on Windows 10 | This policy setting allows you to stop websites from falling back to using Secure Socket Layer (SSL) 3.0 or lower, if Transport Layer Security (TLS) 1.0 or higher, fails. This setting doesn’t affect which security protocols are enabled.

    If you enable this policy setting and a website fails while using the TLS 1.0 or higher security protocols, Internet Explorer will try to fallback and use SSL 3.0 or lower security protocols.

    If you disable or don’t configure this setting, Internet Explorer uses the default system protocols.

    **Important:**
    By default, SSL 3.0 is disabled. If you choose to enable SSL 3.0, we recommend that you disable or don't configure this setting to help mitigate potential man-in-the-middle attacks. | +| Allow VBScript to run in Internet Explorer |

    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Internet Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Intranet Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Local Machine Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Internet Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Intranet Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Local Machine Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Restricted Sites Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Locked-Down Trusted Sites Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Restricted Sites Zone
    • Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone/Trusted Sites Zone
    | Internet Explorer 11 | This policy setting lets you decide whether VBScript can run on pages in specific Internet Explorer zones.

    If you enable this policy setting (default), you must also pick one of the following options from the Options box:

    • Enable. VBScript runs on pages in specific zones, without any interaction.
    • Prompt. Employees are prompted whether to allow VBScript to run in the zone.
    • Disable. VBScript is prevented from running in the zone.

    If you disable or don’t configure this policy setting, VBScript runs without any interaction in the specified zone. | +| Always send Do Not Track header | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 | This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.

    If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.

    **In Internet Explorer 9 and 10:**
    If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.

    **In at least IE11:**
    If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.

    If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced\* tab of the \*\*Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. | +| Don't run antimalware programs against ActiveX controls
    (Internet, Restricted Zones) |

    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
    | IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

    If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. | +| Don't run antimalware programs against ActiveX controls
    (Intranet, Trusted, Local Machine Zones) |

    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
    • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
    | IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

    If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

    If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. | +| Hide the button (next to the New Tab button) that opens Microsoft Edge | User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ | IE11 on Windows 10, version 1703 | This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.

    If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.

    If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.

    If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. | +| Let users turn on and use Enterprise Mode from the **Tools** menu | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.

    If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.

    If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | +| Limit Site Discovery output by Domain | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

    If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.

    If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.

    **Note:**
    You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | +| Limit Site Discovery output by Zone | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which zones are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

    If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all specified security zones.

    If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all security zones.

    To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

    • 0 – Restricted Sites zone
    • 0 – Internet zone
    • 0 – Trusted Sites zone
    • 0 – Local Intranet zone
    • 0 – Local Machine zone

    **Example 1:** Include only the Local Intranet zone (binary representation: 00010), based on:
    • 0 – Restricted Sites zone
    • 0 – Internet zone
    • 0 – Trusted Sites zone
    • 1 – Local Intranet zone
    • 0 – Local Machine zone

    **Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones (binary representation: 10110), based on:
    • 1 – Restricted Sites zone
    • 0 – Internet zone
    • 1 – Trusted Sites zone
    • 1 – Local Intranet zone
    • 1 – Local Machine zone

    **Note:**
    You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | +| Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data | Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History | At least Windows Internet Explorer 9 | **In Internet Explorer 9 and Internet Explorer 10:**
    This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.

    **In IE11:**
    This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.

    If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.

    If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.

    If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | +| Send all sites not included in the Enterprise Mode Site List to Microsoft Edge | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1607 | This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.

    If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.

    If you disable or don't configure this policy setting, all sites will open based on the currently active browser.

    **Note:**
    If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. | +| Show message when opening sites in Microsoft Edge using Enterprise Mode | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1607 | This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

    If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

    If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. | +| Turn off automatic download of the ActiveX VersionList | Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management | At least Windows Internet Explorer 8 | This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.

    If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.

    If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.

    **Important:**
    Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking () topic. | +| Turn off loading websites and content in the background to optimize performance | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.

    If you enable this policy setting, IE doesn't load any websites or content in the background.

    If you disable this policy setting, IE preemptively loads websites and content in the background.

    If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | +| Turn off phone number detection | Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing | IE11 on Windows 10 | This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.

    If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.

    If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.

    If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | +| Turn off sending URL path as UTF-8 | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding | At least Windows Internet Explorer 7 | This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.

    If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.

    If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.

    If you don't configure this policy setting, users can turn this behavior on or off. | +| Turn off sending UTF-8 query strings for URLs | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.

    If you enable this policy setting, you must specify when to use UTF-8 to encode query strings:

    • **0.** Never encode query strings.
    • **1.** Only encode query strings for URLs that aren't in the Intranet zone.
    • **2.** Only encode query strings for URLs that are in the Intranet zone.
    • **3.** Always encode query strings.

    If you disable or don't configure this policy setting, users can turn this behavior on or off, using IE Advanced Options settings. The default is to encode all query strings in UTF-8. | +| Turn off the ability to launch report site problems using a menu option | Administrative Templates\Windows Components\Internet Explorer\Browser menus | Internet Explorer 11 | This policy setting allows you to manage whether users can start the **eport Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu.

    If you enable this policy setting, users won’t be able to start the **Report Site Problems** dialog box from the Internet Explorer settings or the Tools menu.

    If you disable or don’t configure this policy setting, users will be able to start the **Report Site Problems** dialog box from the **Internet Explorer** settings area or from the **Tools** menu. | +| Turn off the flip ahead with page prediction feature | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 on Windows 8 | This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

    If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn’t loaded into the background.

    If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

    If you don’t configure this setting, users can turn this behavior on or off, using the **Settings** charm.

    **Note**
    Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn’t available for Internet Explorer for the desktop. | +| Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | IE11 on Windows 10 | This policy setting determines whether IE11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.

    If you enable this policy setting, IE11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

    If you disable this policy setting, IE11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.

    If you don't configure this policy setting, users can turn this feature on or off using IE settings. This feature is turned off by default.

    **Important**
    When using 64-bit processes, some ActiveX controls and toolbars might not be available. | +| Turn on Site Discovery WMI output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site Discovery Toolkit.

    If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an WMI class, which can be aggregated by using a client-management solution, such as System Center Configuration Manager.

    If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an WMI class.

    **Note:**
    Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | +| Turn on Site Discovery XML output | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to manage the XML output functionality of the Internet Explorer Site Discovery Toolkit.

    If you enable this policy setting, the Internet Explorer Site Discovery Toolkit will log its collected data to an XML file, stored in your specified location.

    If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit won’t log its collected data to an XML file.

    **Note:**
    Enabling or disabling this setting won’t impact any other output methods available to the Internet Explorer Site Discovery Toolkit. | +| Use the Enterprise Mode IE website list | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10, version 1511 | This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode, instead of Standard mode, because of compatibility issues. Users can’t edit this list.

    If you enable this policy setting, Internet Explorer downloads the Enterprise Mode website list from the `HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE`\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode hive, opening all included websites using Enterprise Mode. We recommend storing and downloading your list from a secure web server `(https://)`, to help protect against data tampering.

    If you disable or don’t configure this policy setting, Internet Explorer opens all websites using **Standard** mode. | ## Removed Group Policy settings IE11 no longer supports these Group Policy settings: -- Turn on Internet Explorer 7 Standards Mode +- Turn on Internet Explorer 7 Standards Mode - Turn off Compatibility View button diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md index 94a29994eb..825f199730 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md +++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md 
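Review bot: the "Turn off the ability to launch report site problems using a menu option" row still reads "start the **eport Site Problems** dialog box" (missing the leading R; the next two paragraphs of the same row spell it **Report Site Problems**), and the Important note in the "Turn off automatic download of the ActiveX VersionList" row points to "the Out-of-Date ActiveX Control Blocking () topic" with an empty link target. That second one matters more than a typo: the row itself says stopping the VersionList.XML download breaks out-of-date ActiveX control blocking, so the reader needs the reference to resolve, and the target page (out-of-date-activex-control-blocking.md) is touched by this same commit, so it can be linked relatively. Also "to an WMI class" appears twice in the "Turn on Site Discovery WMI output" row and should be "to a WMI class". Since this hunk rewrites these rows anyway, all three fit in it.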
@@ -191,15 +191,15 @@ Before running the PowerShell script, you must copy both the .ps1 and .mof file **To configure IE to use WMI logging** -1. Open your Group Policy editor and turn on the `Administrative Templates\Windows Components\Internet Explorer\Turn on ActiveX control logging in IE` setting. +1. Open your Group Policy editor and turn on the `Administrative Templates\Windows Components\Internet Explorer\Turn on ActiveX control logging in IE` setting. -2. On the client device, start PowerShell in elevated mode (using admin privileges) and run `ConfigureWMILogging.ps1` by by-passing the PowerShell execution policy, using this command: -``` -powershell –ExecutionPolicy Bypass .\ConfigureWMILogging.ps1 -``` -For more info, see [about_Execution_Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). +2. On the client device, start PowerShell in elevated mode (using admin privileges) and run `ConfigureWMILogging.ps1` by by-passing the PowerShell execution policy, using this command: + ``` + powershell –ExecutionPolicy Bypass .\ConfigureWMILogging.ps1 + ``` + For more info, see [about_Execution_Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). -3. **Optional:** Set up your domain firewall for WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). +3. **Optional:** Set up your domain firewall for WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). The inventory info appears in the WMI class, `IEAXControlBlockingAuditInfo`, located in the WMI namespace, *root\\cimv2\\IETelemetry*. To collect the inventory info from your client computers, we recommend using System Center 2012 R2 Configuration Manager or any agent that can access the WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md). 
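Review bot: the command in step 2, `powershell –ExecutionPolicy Bypass .\ConfigureWMILogging.ps1`, uses an en dash (–) before ExecutionPolicy rather than an ASCII hyphen, in both the removed and the added lines, so a reader who copies it gets an unrecognized argument instead of the execution-policy override the step depends on; it should be `powershell -ExecutionPolicy Bypass .\ConfigureWMILogging.ps1`. The same sentence has "by by-passing the PowerShell execution policy", which reads as a doubled word ("by bypassing"). Both are one-character fixes inside lines this hunk already re-indents, and the fence could carry a `powershell` tag while it is being moved.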
diff --git a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md index c1bd69ef92..dfa4a9576b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/problems-after-installing-ie11.md @@ -45,29 +45,29 @@ If you notice that CPU usage is running higher than normal, or that IE is freque **To check your browser add-ons** -1. Start IE11 in **No Add-ons mode** by running the **Run** command from the **Start** menu, and then typing `iexplore.exe -extoff` into the box. +1. Start IE11 in **No Add-ons mode** by running the **Run** command from the **Start** menu, and then typing `iexplore.exe -extoff` into the box. -2. Check if IE still crashes.

    -If the browser doesn't crash, open Internet Explorer for the desktop, click the **Tools** menu, and click **Manage Add-ons**. +2. Check if IE still crashes.

    + If the browser doesn't crash, open Internet Explorer for the desktop, click the **Tools** menu, and click **Manage Add-ons**. -3. Click **Toolbars and Extensions**, click each toolbar or extension, clicking **Disable** to turn off all of the browser extensions and toolbars. +3. Click **Toolbars and Extensions**, click each toolbar or extension, clicking **Disable** to turn off all of the browser extensions and toolbars. -4. Restart IE11. Go back to the **Manage Add-Ons** window and turn on each item, one-by-one.

    -After you turn each item back on, see if IE crashes or slows down. Doing it this way will help you identify the add-on that's causing IE to crash. After you've figured out which add-on was causing the problem, turn it off until you have an update from the manufacturer. +4. Restart IE11. Go back to the **Manage Add-Ons** window and turn on each item, one-by-one.

    + After you turn each item back on, see if IE crashes or slows down. Doing it this way will help you identify the add-on that's causing IE to crash. After you've figured out which add-on was causing the problem, turn it off until you have an update from the manufacturer. - **To check for Software Rendering mode** + **To check for Software Rendering mode** -1. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**. +5. Open Internet Explorer for the desktop, click the **Tools** menu, and then click **Internet Options**. -2. On the **Advanced** tab, go to the **Accelerated graphics** section, and then turn on Software Rendering mode by choosing the **Use software rendering instead of GPU rendering** box.

    -If the **Use software rendering instead of GPU rendering** option is greyed out, it means that your current video card or video driver doesn't support GPU hardware acceleration. For more information, see [Windows 10 Support](https://go.microsoft.com/fwlink/?LinkId=746588). +6. On the **Advanced** tab, go to the **Accelerated graphics** section, and then turn on Software Rendering mode by choosing the **Use software rendering instead of GPU rendering** box.

    + If the **Use software rendering instead of GPU rendering** option is greyed out, it means that your current video card or video driver doesn't support GPU hardware acceleration. For more information, see [Windows 10 Support](https://go.microsoft.com/fwlink/?LinkId=746588). ## Adaptive streaming and DRM playback don’t work with Windows Server 2012 R2 IE11 in Windows Server 2012 R2 doesn’t include media features like adaptive streaming or Digital Rights Management (DRM) playback. To add these features, you’ll need to download and install the Media Feature Pack from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=320789), as well as an app that uses PlayReady DRM from the Microsoft Store, such as the Xbox Music app or Xbox Video app. The app must be installed to specifically turn on DRM features, while all other media features are installed with the Media Feature Pack. -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 76b1854096..40db70828c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -40,9 +40,9 @@ This is a permanent removal and erases everything. However, if you determine it - [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) - [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  + -  + 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md index 263df4b50c..f78022cc56 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md +++ b/browsers/internet-explorer/ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md @@ -29,16 +29,16 @@ You can search to see if a specific site already appears in your global Enterpri **To search your compatibility list** -- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.

    -The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported. +- From the Enterprise Mode Site List Manager, type part of the URL into the **Search** box.

    + The search query searches all of the text. For example, entering *“micro”* will return results like, www.microsoft.com, microsoft.com, and microsoft.com/images. Wildcard characters aren’t supported. ## Related topics - [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) - [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md index 7e1eaa1a80..3d3726d938 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md @@ -40,33 +40,33 @@ When you turn logging on, you need a valid URL that points to a server that can **To set up an endpoint server** -1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609). +1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609). -2. Open Internet Information Services (IIS) and turn on the ASP components from the **Add Roles and Features Wizard**, **Server Roles** page.

    -This lets you create an ASP form that accepts the incoming POST messages. +2. Open Internet Information Services (IIS) and turn on the ASP components from the **Add Roles and Features Wizard**, **Server Roles** page.

    + This lets you create an ASP form that accepts the incoming POST messages. -3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. +3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port. - ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) + ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png) -4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. +4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box. - ![IIS Manager, setting logging options](images/ie-emie-logging.png) + ![IIS Manager, setting logging options](images/ie-emie-logging.png) -5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

    -Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. +5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.

    + Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users. -6. Apply these changes to your default website and close the IIS Manager. +6. Apply these changes to your default website and close the IIS Manager. -7. Put your EmIE.asp file into the root of the web server, using this command: +7. Put your EmIE.asp file into the root of the web server, using this command: ``` - <% @ LANGUAGE=javascript %> - <% - Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode")); - %> - ``` -This code logs your POST fields to your IIS log file, where you can review all of the collected data. + <% @ LANGUAGE=javascript %> + <% + Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode")); + %> + ``` + This code logs your POST fields to your IIS log file, where you can review all of the collected data. ### IIS log file information @@ -86,47 +86,47 @@ For logging, you’re going to need a valid URL that points to a server that can **To set up the sample** -1. Set up a server to collect your Enterprise Mode information from your users. +1. Set up a server to collect your Enterprise Mode information from your users. -2. Go to the Internet Explorer/[EMIE-Data_Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) page on GitHub and tap or click the **Download ZIP** button to download the complete project. +2. Go to the Internet Explorer/[EMIE-Data_Collection_Sample](https://go.microsoft.com/fwlink/p/?LinkId=507401) page on GitHub and tap or click the **Download ZIP** button to download the complete project. -3. Open Microsoft Visual Studio 2013 with Update 2, and then open the PhoneHomeSample.sln file. +3. Open Microsoft Visual Studio 2013 with Update 2, and then open the PhoneHomeSample.sln file. -4. On the **Build** menu, tap or click **Build Solution**.

    -The required packages are automatically downloaded and included in the solution. +4. On the **Build** menu, tap or click **Build Solution**.

    + The required packages are automatically downloaded and included in the solution. - **To set up your endpoint server** + **To set up your endpoint server** -1. Right-click on the name, PhoneHomeSample, and click **Publish**. +5. Right-click on the name, PhoneHomeSample, and click **Publish**. - ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) + ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png) -2. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. +6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization. **Important**
    Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.  - ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) + ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png) After you finish the publishing process, you need to test to make sure the app deployed successfully. - **To test, deploy, and use the app** + **To test, deploy, and use the app** -1. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to: +7. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to: - ``` "Enable"="https:///api/records/" - ``` - Where `` points to your deployment URL. + ``` "Enable"="https:///api/records/" + ``` + Where `` points to your deployment URL. -2. After you’re sure your deployment works, you can deploy it to your users using one of the following: +8. After you’re sure your deployment works, you can deploy it to your users using one of the following: - - Turn on the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting, putting your `` information into the **Options** box. + - Turn on the **Let users turn on and use Enterprise Mode from the Tools menu** Group Policy setting, putting your `` information into the **Options** box. - - Deploy the registry key in Step 3 using System Center or other management software. + - Deploy the registry key in Step 3 using System Center or other management software. -3. Get your users to visit websites, turning Enterprise Mode on or off locally, as necessary. +9. Get your users to visit websites, turning Enterprise Mode on or off locally, as necessary. 
- **To view the report results** + **To view the report results** - Go to `https:///List` to see the report results.
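Review bot: the second bullet of step 8 still says "Deploy the registry key in Step 3", but once this hunk renumbers the three procedures into one sequence the registry key is set in step 7, so the cross reference is stale and should read Step 7. In that same step 7 the value shown is `"Enable"="https:///api/records/"` and the explanation reads "Where `` points to your deployment URL": the host placeholder has dropped out of both, leaving a URL with an empty host, and the same empty code span appears in step 8 ("putting your `` information") and in the report URL `https:///List`; the placeholder needs to be written in a form that renders. One more point on the EmIE.asp snippet in step 7: `Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode"))` writes both POST fields into the W3C log verbatim, so any client that can reach the endpoint controls the content of those log columns; a sentence advising that the fields be validated (EnterpriseMode restricted to the expected values, URL length-limited) before they are appended would help, since the log is what the reports are built from.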

    If you’re already on the webpage, you’ll need to refresh the page to see the results. @@ -152,9 +152,9 @@ You may need to do some additional package cleanup to remove older package versi - [What is Enterprise Mode?](what-is-enterprise-mode.md) - [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) - [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md index 5adbf749fc..b04869b6fe 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md @@ -34,16 +34,16 @@ IE11 isn't supported on Windows 8 or Windows Server 2012. Some of the components in this table might also need additional system resources. Check the component's documentation for more information. -|Item |Minimum requirements | -|----------------------------|--------------------------------------------------------| -|Computer/processor |1 gigahertz (GHz) 32-bit (x86) or 64-bit (x64) | -|Operating system |

    • Windows 10 (32-bit or 64-bit)
    • Windows 8.1 Update (32-bit or 64-bit)
    • Windows 7 with SP1 (32-bit or 64-bit)
    • Windows Server 2012 R2
    • Windows Server 2008 R2 with SP1 (64-bit only)
    | -|Memory |
    • Windows 10 (32-bit)-1 GB
    • Windows 10 (64-bit)-2 GB
    • Windows 8.1 Update (32-bit)-1 GB
    • Windows 8.1 Update (64-bit)-2 GB
    • Windows 7 with SP1 (32-bit or 64-bit)-512 MB
    • Windows Server 2012 R2-512 MB
    • Windows Server 2008 R2 with SP1 (64-bit only)-512 MB
    | -|Hard drive space |
    • Windows 10 (32-bit)-16 GB
    • Windows 10 (64-bit)-20 GB
    • Windows 8.1 Update (32-bit)-16 GB
    • Windows 8.1 Update (64-bit)-20 GB
    • Windows 7 with SP1 (32-bit)-70 MB
    • Windows 7 with SP1 (64-bit)-120 MB
    • Windows Server 2012 R2-32 GB
    • Windows Server 2008 R2 with SP1 (64-bit only)-200 MB
      • | -|Drive |CD-ROM drive (if installing from a CD-ROM) | -|Display |Super VGA (800 x 600) or higher-resolution monitor with 256 colors | -|Peripherals |Internet connection and a compatible pointing device | +| Item | Minimum requirements | +|--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Computer/processor | 1 gigahertz (GHz) 32-bit (x86) or 64-bit (x64) | +| Operating system |
        • Windows 10 (32-bit or 64-bit)
        • Windows 8.1 Update (32-bit or 64-bit)
        • Windows 7 with SP1 (32-bit or 64-bit)
        • Windows Server 2012 R2
        • Windows Server 2008 R2 with SP1 (64-bit only)
        | +| Memory |
        • Windows 10 (32-bit)-1 GB
        • Windows 10 (64-bit)-2 GB
        • Windows 8.1 Update (32-bit)-1 GB
        • Windows 8.1 Update (64-bit)-2 GB
        • Windows 7 with SP1 (32-bit or 64-bit)-512 MB
        • Windows Server 2012 R2-512 MB
        • Windows Server 2008 R2 with SP1 (64-bit only)-512 MB
        | +| Hard drive space |
        • Windows 10 (32-bit)-16 GB
        • Windows 10 (64-bit)-20 GB
        • Windows 8.1 Update (32-bit)-16 GB
        • Windows 8.1 Update (64-bit)-20 GB
        • Windows 7 with SP1 (32-bit)-70 MB
        • Windows 7 with SP1 (64-bit)-120 MB
        • Windows Server 2012 R2-32 GB
        • Windows Server 2008 R2 with SP1 (64-bit only)-200 MB
          • | +| Drive | CD-ROM drive (if installing from a CD-ROM) | +| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | +| Peripherals | Internet connection and a compatible pointing device | ## Support for .NET Framework You might experience start up issues where IE11 fails to launch an application that uses managed browser hosting controls with your legacy apps. This is because, starting with Internet Explorer 10, the browser started blocking legacy apps from using the .NET Framework 1.1 and 2.0. To fix this problem, see [.NET Framework problems with Internet Explorer 11](net-framework-problems-with-ie11.md). @@ -53,9 +53,9 @@ IE11 is available in 108 languages for Windows 8.1 and Windows 10 and in 97 lan Computers running localized versions of Windows should run the same version of IE11. For example, if your employees use the Spanish edition of Windows, you should deploy the Spanish version of IE11. On the other hand, if your employees use multiple localized versions of Windows, like Spanish, French, and Catalan, you should install IE11 in one of the languages, and then install language packs for the others. -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md index 70e872d6e8..ae44dfb1ef 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-enterprise-mode.md @@ -32,49 +32,49 @@ In addition, if you no longer want your users to be able to turn Enterprise Mode **Important**
            Turning off both of these features turns off Enterprise Mode for your company. Turning off Enterprise Mode also causes any websites included in your employee’s manual site lists to not appear in Enterprise Mode. -  **To turn off the site list using Group Policy** + **To turn off the site list using Group Policy** -1. Open your Group Policy editor, like Group Policy Management Console (GPMC). +1. Open your Group Policy editor, like Group Policy Management Console (GPMC). -2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.

            -Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately. +2. Go to the **Use the Enterprise Mode IE website list** setting, and then click **Disabled**.

            + Enterprise Mode will no longer look for the site list, effectively turning off Enterprise Mode. However, if you previously turned on local control for your employees, Enterprise Mode will still be available from the **Tools** menu. You need to turn that part of the functionality off separately. - **To turn off local control using Group Policy** + **To turn off local control using Group Policy** -1. Open your Group Policy editor, like Group Policy Management Console (GPMC). +3. Open your Group Policy editor, like Group Policy Management Console (GPMC). -2. Go to the **Let users turn on and use Enterprise Mode from the Tools menu** setting, and then click **Disable**. +4. Go to the **Let users turn on and use Enterprise Mode from the Tools menu** setting, and then click **Disable**. -3. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality. +5. Enterprise Mode no longer shows up on the **Tools** menu for your employees. However, if you are still using an Enterprise Mode site list, all of the globally listed sites will still appear in Enterprise Mode. If you want to turn off all of Enterprise Mode, you will need to also turn off the site list functionality. - **To turn off the site list using the registry** + **To turn off the site list using the registry** -1. Open a registry editor, such as regedit.exe. +6. Open a registry editor, such as regedit.exe. -2. Go to `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **SiteList** value.

            -You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the Enterprise Mode site list for users or for computers. +7. Go to `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **SiteList** value.

            + You can also use HKEY_LOCAL_MACHINE, depending whether you want to turn off the Enterprise Mode site list for users or for computers. -3. Close all and restart all instances of Internet Explorer.

            -IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on). +8. Close all and restart all instances of Internet Explorer.

            + IE11 stops looking at the site list for rendering instructions. However, Enterprise Mode is still available to your users locally (if it was turned on). - **To turn off local control using the registry** + **To turn off local control using the registry** -1. Open a registry editor, such as regedit.exe. +9. Open a registry editor, such as regedit.exe. -2. Go `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **Enable** value.

            -You can also use HKEY_CURRENT_USER, depending whether you want to turn off Enterprise Mode for users or for computers. +10. Go `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`, and then delete the **Enable** value.

            + You can also use HKEY_CURRENT_USER, depending whether you want to turn off Enterprise Mode for users or for computers. -3. Close and restart all instances of IE.

            -Enterprise Mode is no longer a user option on the **Tools** menu in IE11. However, IE11 still looks at the site list (if it was turned on). +11. Close and restart all instances of IE.

            + Enterprise Mode is no longer a user option on the **Tools** menu in IE11. However, IE11 still looks at the site list (if it was turned on). ## Related topics - [What is Enterprise Mode?](what-is-enterprise-mode.md) - [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) - [Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) - [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md index 3db018d21c..c562b6862a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-off-natural-metrics.md @@ -23,15 +23,15 @@ However, you might find that many intranet sites need you to use Windows Graphic - Add the following HTTP header to each site: `X-UA-TextLayoutMetrics: gdi` -

            **-OR-**

            +

            -OR-

            - Add the following <meta> tag to each site: `` Turning off natural metrics automatically turns on GDI metrics. -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md index 13237f05a6..ba48d04b38 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md @@ -37,28 +37,28 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi **To turn on Enterprise Mode using Group Policy** -1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.

            -Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. +1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.

            + Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. - ![local group policy editor for using a site list](images/ie-emie-grouppolicysitelist.png) + ![local group policy editor for using a site list](images/ie-emie-grouppolicysitelist.png) -2. Click **Enabled**, and then in the **Options** area, type the location to your site list. +2. Click **Enabled**, and then in the **Options** area, type the location to your site list. - **To turn on Enterprise Mode using the registry** + **To turn on Enterprise Mode using the registry** -1. **For only the local user:** Open a registry editor, like regedit.exe and go to `HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. -

            -OR-

            -**For all users on the device:** Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. +3. **For only the local user:** Open a registry editor, like regedit.exe and go to `HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. +

            -OR-

            + For all users on the device: Open a registry editor, like regedit.exe and go to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode. -2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example: +4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example: - ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png) + ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png) - - **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"` + - **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"` - - **Local network:** `"SiteList"="\\network\shares\sites.xml"` + - **Local network:** `"SiteList"="\\network\shares\sites.xml"` - - **Local file:** `"SiteList"="file:///c:\\Users\\\\Documents\\testList.xml"` + - **Local file:** `"SiteList"="file:///c:\\Users\\\\Documents\\testList.xml"` All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list. For information about how to create and use an Enterprise Mode site list, see [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md). 
@@ -67,9 +67,9 @@ Turning this setting on also requires you to create and store a site list. For m - [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) - [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) - [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index cab96d7e77..830bb995d5 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md 
@@ -31,34 +31,34 @@ Besides turning on this feature, you also have the option to provide a URL for E **To turn on local control of Enterprise Mode using Group Policy** -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. +1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting. - ![group policy editor with emie setting](images/ie-emie-editpolicy.png) + ![group policy editor with emie setting](images/ie-emie-editpolicy.png) -2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. +2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu. - **To turn on local control of Enterprise Mode using the registry** + **To turn on local control of Enterprise Mode using the registry** -1. Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. +3. Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode`. -2. In the right pane, right-click and click **New**, click **String Value**, and then name the new value **Enable**. +4. In the right pane, right-click and click **New**, click **String Value**, and then name the new value **Enable**. -3. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. +5. 
Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates. - ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) + ![edit registry string for data collection location](images/ie-emie-editregistrystring.png) Your **Value data** location can be any of the following types: -- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

            **Important**
            -The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. -- **Local network location (like, https://*emieposturl*/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. -- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data. +- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

            **Important**
            + The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. +- **Local network location (like, https://emieposturl/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. +- **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data. For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md). -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md index ee54df987f..41c083dc6e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/user-interface-problems-with-ie11.md @@ -32,15 +32,15 @@ For IE11, the UI has been changed to provide just the controls needed to support **To turn the toolbars back on** -- Right click in the IE toolbar heading and choose to turn on the **Command bar**, **Favorites bar**, and **Status bar** from the menu. -

            -OR-

            -In IE, press **ALT+V** to show the **View** menu, press **T** to enter the **Toolbars** menu, and then press: +- Right click in the IE toolbar heading and choose to turn on the **Command bar**, **Favorites bar**, and **Status bar** from the menu. +

            -OR-

            + In IE, press ALT+V to show the View menu, press T to enter the Toolbars menu, and then press: - - **C** to turn on the **Command Bar** + - **C** to turn on the **Command Bar** - - **F** to turn on the **Favorites Bar** + - **F** to turn on the **Favorites Bar** - - **S** to turn on the **Status Bar** + - **S** to turn on the **Status Bar** ## Where did the search box go? IE11 uses the **One Box** feature, which lets users type search terms directly into the **Address bar**. Any text entered into the **Address bar** that doesn't appear to be a URL is automatically sent to the currently selected search provider. @@ -48,11 +48,11 @@ IE11 uses the **One Box** feature, which lets users type search terms directly i >[!NOTE] >Depending on how you've set up your intranet search, the text entry might resolve to an intranet site. For more information about this, see [Intranet problems with Internet Explorer 11](intranet-problems-and-ie11.md). -  + -  + -  + diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md index 1599b24aa4..6c1dd0c421 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md +++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md 
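Review bot: In turn-on-local-control-and-logging-for-enterprise-mode.md, the line `+- **Local network location (like, https://emieposturl/)**.` removes the italics from `*emieposturl*`, which were the only signal that the host name is a placeholder; it now reads as a literal host to put in the **Enable** value, and since the page says IE POSTs a record to that location every time a user toggles Enterprise Mode, an administrator who copies the example verbatim would be sending that data to a host the organization does not control. Mark the placeholder explicitly, either by keeping the italics or by using an obviously fake host. Separately, the `+5. ` marker appears on its own with `Right-click the **Enable** key, click **Modify**, ...` on the following line; if that split is in the file rather than an artifact of how the diff is displayed, the item renders as an empty `5.` followed by an unnumbered paragraph. The registry procedure also restarts at `+3.` instead of 1, as in the other deploy-guide pages in this patch.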
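Review bot: In user-interface-problems-with-ie11.md, `+ In IE, press ALT+V to show the View menu, press T to enter the Toolbars menu, and then press:` drops the bold that the removed line had on the key names and menu names (`**ALT+V**`, `**View**`, `**Toolbars**`), while the three sub-items that follow keep it (`**C** to turn on the **Command Bar**`); the keystroke line should follow the same convention as its own sub-items.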
@@ -19,14 +19,14 @@ IEAK 11 uses Setup information (.inf) files to provide uninstallation instructi **To add uninstallation instructions to the .inf files** -- Open the Registry Editor (regedit.exe) and add these registry keys: -``` -HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description" -HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString",,"command-line" -``` -Where **"description"** is the name that shows up in the **Uninstall or change a program** box and **"command-line"** is the command that runs after the component is picked. -

            **Note**
            -Make sure your script removes the uninstallation registry key, too. Otherwise, the component name will continue to show up in the **Uninstall or change a program**. +- Open the Registry Editor (regedit.exe) and add these registry keys: + ``` + HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"DisplayName",,"description" + HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\app-name,"UninstallString",,"command-line" + ``` + Where **"description"** is the name that shows up in the **Uninstall or change a program** box and **"command-line"** is the command that runs after the component is picked. +

            Note
            + Make sure your script removes the uninstallation registry key, too. Otherwise, the component name will continue to show up in the Uninstall or change a program. ## Limitations .Inf files have limitations: @@ -37,9 +37,9 @@ Make sure your script removes the uninstallation registry key, too. Otherwise, t - You can't use **CopyFiles** to copy a file to another place on your hard drive, it can only copy files from the source disk to the destination directory. For information, see [INF CopyFiles Directive](https://go.microsoft.com/fwlink/p/?LinkId=298510). -  + -  + diff --git a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md index 1712939781..0eb0c067b3 100644 --- a/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md +++ b/browsers/internet-explorer/ie11-faq/faq-for-it-pros-ie11.md @@ -15,31 +15,31 @@ ms.date: 10/16/2017 # Internet Explorer 11 - FAQ for IT Pros -Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration. +Answering frequently asked questions about Internet Explorer 11 (IE11) features, operating system support, integration with the Windows operating system, Group Policy, and general configuration. ## Frequently Asked Questions **Q: What operating system does IE11 run on?** -- Windows 10 +- Windows 10 -- Windows 8.1 +- Windows 8.1 -- Windows Server 2012 R2 +- Windows Server 2012 R2 -- Windows 7 with Service Pack 1 (SP1) +- Windows 7 with Service Pack 1 (SP1) -- Windows Server 2008 R2 with Service Pack 1 (SP1) +- Windows Server 2008 R2 with Service Pack 1 (SP1) -**Q: How do I install IE11 on Windows 10, Windows 8.1, or Windows Server 2012 R2?**
            -IE11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. No additional action is required. +**Q: How do I install IE11 on Windows 10, Windows 8.1, or Windows Server 2012 R2?**
            +IE11 is preinstalled with Windows 8.1 and Windows Server 2012 R2. No additional action is required. -**Q: How do I install IE11 on Windows 7 with SP1 or Windows Server 2008 R2 with SP1?**
            -You can install IE11 on computers running either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. To download IE11, see the IE11 [home page](https://go.microsoft.com/fwlink/p/?LinkId=290956). +**Q: How do I install IE11 on Windows 7 with SP1 or Windows Server 2008 R2 with SP1?**
            +You can install IE11 on computers running either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. To download IE11, see the IE11 [home page](https://go.microsoft.com/fwlink/p/?LinkId=290956). -**Q: How does IE11 integrate with Windows 8.1?**
            -IE11 is the default handler for the HTTP and HTTPS protocols and the default browser for Windows 8.1. There are two experiences in Windows 8.1: Internet Explorer and Internet Explorer for the desktop. IE is the default browser for touch-first, immersive experiences. Internet Explorer for the desktop provides a more traditional window and tab management experience. The underlying platform of IE11 is fully interoperable across both IE and the familiar Internet Explorer for the desktop, letting developers write the same markup for both experiences. +**Q: How does IE11 integrate with Windows 8.1?**
            +IE11 is the default handler for the HTTP and HTTPS protocols and the default browser for Windows 8.1. There are two experiences in Windows 8.1: Internet Explorer and Internet Explorer for the desktop. IE is the default browser for touch-first, immersive experiences. Internet Explorer for the desktop provides a more traditional window and tab management experience. The underlying platform of IE11 is fully interoperable across both IE and the familiar Internet Explorer for the desktop, letting developers write the same markup for both experiences. **Q: What are the new or improved security features?**
            IE11 offers improvements to Enhanced Protected Mode, password manager, and other security features. IE11 also turns on Transport Layer Security (TLS) 1.2 by default. @@ -65,9 +65,9 @@ Supported web standards include: For more information about specific changes and additions, see the [IE11 guide for developers](https://go.microsoft.com/fwlink/p/?LinkId=313188). **Q: What test tools exist to test for potential application compatibility issues?**
            -The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](https://go.microsoft.com/fwlink/p/?LinkId=313190) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge. +The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](https://go.microsoft.com/fwlink/p/?LinkId=313190) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge. -**Q: Why am I having problems launching my legacy apps with Internet Explorer 11**?
            +**Q: Why am I having problems launching my legacy apps with Internet Explorer 11**?
            It’s most likely because IE no longer starts apps that use managed browser hosting controls, like in the .NET Framework 1.1 and 2.0. You can get IE11 to use managed browser hosting controls again, by: - **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**. @@ -80,7 +80,7 @@ For more information, see the [Web Applications](https://go.microsoft.com/fwlink Yes. You can review the XML-based [compatibility version list](https://go.microsoft.com/fwlink/p/?LinkId=403864). **Q: What is Enterprise Mode?**
            -Enterprise Mode is a compatibility mode designed for Enterprises. This mode lets websites render using a modified browser configuration that’s designed to avoid the common compatibility problems associated with web apps written and tested on older versions of IE, like Windows Internet Explorer 7 or Windows Internet Explorer 8.

            +Enterprise Mode is a compatibility mode designed for Enterprises. This mode lets websites render using a modified browser configuration that’s designed to avoid the common compatibility problems associated with web apps written and tested on older versions of IE, like Windows Internet Explorer 7 or Windows Internet Explorer 8.

            For more information, see [Turn on Enterprise Mode and use a site list](../ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md). **Q: What is the Enterprise Mode Site List Manager tool?**
            @@ -88,18 +88,18 @@ Enterprise Mode Site List Manager tool gives you a way to add websites to your E For more information, see all of the topics in [Use the Enterprise Mode Site List Manager](../ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md). **Q: Are browser plug-ins supported in IE11?**
            -The immersive version of IE11 provides an add-on–free experience, so browser plugins won't load and dependent content won't be displayed. This doesn't apply to Internet Explorer for the desktop. For more information, see [Browsing Without Plug-ins](https://go.microsoft.com/fwlink/p/?LinkId=242587). However, Internet Explorer for the desktop and IE11 on Windows 7 with SP1 do support browser plugins, including ActiveX controls such as Adobe Flash and Microsoft Silverlight. +The immersive version of IE11 provides an add-on–free experience, so browser plugins won't load and dependent content won't be displayed. This doesn't apply to Internet Explorer for the desktop. For more information, see [Browsing Without Plug-ins](https://go.microsoft.com/fwlink/p/?LinkId=242587). However, Internet Explorer for the desktop and IE11 on Windows 7 with SP1 do support browser plugins, including ActiveX controls such as Adobe Flash and Microsoft Silverlight. **Q: Is Adobe Flash supported on IE11?**
            -Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both IE and Internet Explorer for the desktop. Users can turn this feature on or off using the **Manage Add-ons** dialog box, while administrators can turn this feature on or off using the Group Policy setting, **Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects**.

            +Adobe Flash is included as a platform feature and is available out of the box for Windows 8.1, running on both IE and Internet Explorer for the desktop. Users can turn this feature on or off using the **Manage Add-ons** dialog box, while administrators can turn this feature on or off using the Group Policy setting, **Turn off Adobe Flash in IE and prevent applications from using IE technology to instantiate Flash objects**.

            **Important**
            -The preinstalled version of Adobe Flash isn't supported on IE11 running on either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. However, you can still download and install the separate Adobe Flash plug-in. +The preinstalled version of Adobe Flash isn't supported on IE11 running on either Windows 7 with SP1 or Windows Server 2008 R2 with SP1. However, you can still download and install the separate Adobe Flash plug-in. -**Q: Can I replace IE11 on Windows 8.1 with an earlier version?**
            -No. Windows 8.1 doesn't support any of the previous versions of IE. +**Q: Can I replace IE11 on Windows 8.1 with an earlier version?**
            +No. Windows 8.1 doesn't support any of the previous versions of IE. **Q: Are there any new Group Policy settings in IE11?**
            -IE11 includes all of the previous Group Policy settings you've used to manage and control web browser configuration since Internet Explorer 9. It also includes the following new Group Policy settings, supporting new features: +IE11 includes all of the previous Group Policy settings you've used to manage and control web browser configuration since Internet Explorer 9. It also includes the following new Group Policy settings, supporting new features: - Turn off Page Prediction @@ -123,14 +123,14 @@ Visit the [Springboard Series for Microsoft Browsers](https://go.microsoft.com/f -**Q: Can I customize settings for IE on Windows 8.1?**
            +**Q: Can I customize settings for IE on Windows 8.1?**
            Settings can be customized in the following ways: - IE11 **Settings** charm. - IE11-related Group Policy settings. -- IEAK 11 for settings shared by both IE and Internet Explorer for the desktop. +- IEAK 11 for settings shared by both IE and Internet Explorer for the desktop. **Q: Can I make Internet Explorer for the desktop my default browsing experience?**
            Group Policy settings can be set to open either IE or Internet Explorer for the desktop as the default browser experience. Individual users can configure their own settings in the **Programs** tab of **Internet Options**. The following table shows the settings and results:

            @@ -146,6 +146,7 @@ Group Policy settings can be set to open either IE or Internet Explorer for the Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: + | | | | |---------|---------|---------| |[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md index 90b6b07077..da2478e9e8 100644 --- a/browsers/internet-explorer/ie11-faq/faq-ieak11.md +++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.md @@ -37,7 +37,7 @@ You can customize and install IEAK 11 on the following supported operating syste >[!Note] >IEAK 11 does not support building custom packages for Windows RT. -   + **What can I customize with IEAK 11?** @@ -53,7 +53,7 @@ Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of >IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. To download IEAK 11, see [Internet Explorer Administration Kit (IEAK) information and downloads](../ie11-ieak/ieak-information-and-downloads.md). **Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**
            -Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources: +Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources: - [Internet Explorer Administration Kit Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214250) on the Internet Explorer TechCenter. @@ -99,6 +99,7 @@ The following table displays which pages are available in IEAK 11, based on the Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of the supported 24 languages. You'll select the language for the custom package on the Language Selection page of the customization wizard. IEAK 11 is available in 24 languages but can build customized Internet Explorer 11 packages in all languages of the supported operating systems. Select a language below and download IEAK 11 from the download center: + | | | | |---------|---------|---------| |[English](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/en-us/ieak.msi) |[French](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/fr-fr/ieak.msi) |[Norwegian (Bokmål)](https://download.microsoft.com/download/A/B/1/AB1954BF-8B20-4F01-808A-FE5EE5269F08/MSI/nb-no/ieak.msi) | diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md index 45c8e74ea4..3c1997587f 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md 
@@ -26,13 +26,13 @@ Before you can set up your environment to use automatic detection, you need to t ## Automatic detection on DHCP and DNS servers Automatic detection works even if the browser wasn't originally set up or installed by the administrator. -- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts. -

            **Note**
            -Your DHCP servers must support the DHCPINFORM message, to obtain the DHCP options.   +- **Using DHCP servers:** For local area network (LAN)-based users. This server type lets you specify your global and subnet TCP/IP parameters centrally, defining your users' parameters by using reserved addresses. By doing it this way, a computer can move between subnets, automatically reconfiguring for TCP/IP when it starts. +

            Note
            + Your DHCP servers must support the DHCPINFORM message, to obtain the DHCP options. -- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses. To use this, you have to set up either the host record or the CNAME alias record in the DNS database file. -

            **Note**
            -DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen. +- **Using DNS servers:** For users on dial-up connections. This server type uses a set of protocols and services on a TCP/IP network, which lets users search for other computers by using hierarchical, user-friendly names (hosts), instead of numeric IP addresses. To use this, you have to set up either the host record or the CNAME alias record in the DNS database file. +

            Note
            + DHCP has a higher priority than DNS for automatic configuration. If DHCP provides the URL to a .pac, .jvs, .js, or .ins configuration file, the process stops and the DNS lookup doesn't happen. **To set up automatic detection for DHCP servers** @@ -46,16 +46,16 @@ DHCP has a higher priority than DNS for automatic configuration. If DHCP provide **To set up automatic detection for DNS servers** -1. In your DNS database file, the file that’s used to associate your host (computer) names to static IP addresses in a zone, you need to create a host record named, **WPAD**. This record contains entries for all of the hosts that require static mappings, such as workstations, name servers, and mail servers. It also has the IP address to the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

            The syntax is:
            -` IN A `
            -`corserv IN A 192.55.200.143`
            -`nameserver2 IN A 192.55.200.2`
            -`mailserver1 IN A 192.55.200.51` -

            **-OR-**

            -Create a canonical name (CNAME) alias record, named **WPAD**. This record lets you use more than one name to point to a single host, letting you host both an FTP server and a web server on the same computer. It also includes the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

            -**Note**
            For more info about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651).  +1. In your DNS database file, the file that’s used to associate your host (computer) names to static IP addresses in a zone, you need to create a host record named, **WPAD**. This record contains entries for all of the hosts that require static mappings, such as workstations, name servers, and mail servers. It also has the IP address to the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

            The syntax is:
            + ` IN A `
            + `corserv IN A 192.55.200.143`
            + `nameserver2 IN A 192.55.200.2`
            + `mailserver1 IN A 192.55.200.51` +

            -OR-

            + Create a canonical name (CNAME) alias record, named WPAD. This record lets you use more than one name to point to a single host, letting you host both an FTP server and a web server on the same computer. It also includes the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

            + Note
            For more info about creating a WPAD entry, see Creating a WPAD entry in DNS. -2. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file. +2. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file. **Note**
            IE11 creates a default URL template based on the host name,**wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. diff --git a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md index 963033b456..5b332edf14 100644 --- a/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/browser-ui-ieak11-wizard.md @@ -19,7 +19,7 @@ The **Browser User Interface** page of the Internet Explorer Customization Wizar **Note**
            The customizations you make on this page apply only to Internet Explorer for the desktop. - **To use the Browser User Interface page** + **To use the Browser User Interface page** 1. Check the **Customize Title Bars** box so you can add your custom text to the **Title Bar Text** box.

            The text shows up in the title bar as **IE provided by** <*your_custom_text*>. @@ -28,27 +28,27 @@ The text shows up in the title bar as **IE provided by** <*your_custom_text*& **Note**
            Only Administrators can use this option. -3. Click **Add** to add new toolbar buttons.

            -The **Browser Toolbar Button Information** box appears. +3. Click **Add** to add new toolbar buttons.

            + The **Browser Toolbar Button Information** box appears. -4. In the **Toolbar caption** box, type the text that shows up when an employee hovers over your custom button. We recommend no more than 10 characters. +4. In the **Toolbar caption** box, type the text that shows up when an employee hovers over your custom button. We recommend no more than 10 characters. -5. In the **Toolbar action** box, browse to your script or executable file that runs when an employee clicks your custom button. +5. In the **Toolbar action** box, browse to your script or executable file that runs when an employee clicks your custom button. -6. In the **Toolbar icon** box, browse to the icon file that represents your button while active. This icon must be 20x20 pixels. +6. In the **Toolbar icon** box, browse to the icon file that represents your button while active. This icon must be 20x20 pixels. -7. Check the **This button should be shown on the toolbar by default** box so your custom button shows by default.

            -This box should be cleared if you want to offer a custom set of buttons, but want your employees to choose whether or not to use them. In this situation, your buttons will show up in the **Customize Toolbars** dialog box, under **Available toolbar buttons**. Your employees can get to this dialog box in IE by clicking **Tools** from the **Command Bar**, clicking **Toolbars**, and then clicking **Customize**. +7. Check the **This button should be shown on the toolbar by default** box so your custom button shows by default.

            + This box should be cleared if you want to offer a custom set of buttons, but want your employees to choose whether or not to use them. In this situation, your buttons will show up in the **Customize Toolbars** dialog box, under **Available toolbar buttons**. Your employees can get to this dialog box in IE by clicking **Tools** from the **Command Bar**, clicking **Toolbars**, and then clicking **Customize**. -8. Click **OK.** +8. Click **OK.** -9. Click **Edit** to change your custom toolbar button or **Remove** to delete the button. The removed button will disappear from your employee’s computer after you apply the updated customization. Only custom toolbar buttons can be removed. +9. Click **Edit** to change your custom toolbar button or **Remove** to delete the button. The removed button will disappear from your employee’s computer after you apply the updated customization. Only custom toolbar buttons can be removed. 10. Click **Next** to go to the [Search Providers](search-providers-ieak11-wizard.md) page or **Back** to go to the [User Experience](user-experience-ieak11-wizard.md) page. -  + -  + diff --git a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md index 5a75d7fb4e..4ef7b729f2 100644 --- a/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/connection-settings-ieak11-wizard.md 
@@ -27,15 +27,15 @@ The **Connection Settings** page of the Internet Explorer Administration Kit (IE **To use the Connection Settings page** -1. Decide if you want to customize your connection settings. You can pick: +1. Decide if you want to customize your connection settings. You can pick: - - **Do not customize Connection Settings.** Pick this option if you don’t want to preset your employee’s connection settings. + - **Do not customize Connection Settings.** Pick this option if you don’t want to preset your employee’s connection settings. - - **Import the current Connection Settings from this machine.** Pick this option to import your connection settings from your computer and use them as the preset for your employee’s connection settings. + - **Import the current Connection Settings from this machine.** Pick this option to import your connection settings from your computer and use them as the preset for your employee’s connection settings. - **Note**
            If you want to change any of your settings later, you can click **Modify Settings** to open the **Internet Properties** box, click the **Connection Settings** tab, and make your changes. + **Note**
            If you want to change any of your settings later, you can click **Modify Settings** to open the **Internet Properties** box, click the **Connection Settings** tab, and make your changes. -2. Check the **Delete existing Dial-up Connection Settings** box to clear any existing settings on your employee’s computers. +2. Check the **Delete existing Dial-up Connection Settings** box to clear any existing settings on your employee’s computers. -3. Click **Next** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page or **Back** to go to the [Connection Manager](connection-mgr-ieak11-wizard.md) page. +3. Click **Next** to go to the [Automatic Configuration](auto-config-ieak11-wizard.md) page or **Back** to go to the [Connection Manager](connection-mgr-ieak11-wizard.md) page. diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md index b7f442d8e2..ecca772d78 100644 --- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md @@ -17,7 +17,8 @@ ms.date: 07/27/2017 # Use the CustomBranding .INS file to create custom branding and setup info Provide the URL to your branding cabinet (.cab) file. -|Name |Value | Description | -|-----------|--------------------------------|--------------------------------------------------------------| -|Branding |`` |The location of your branding cabinet (.cab) file. For example, https://www.<your_server>.net/cabs/branding.cab.| + +| Name | Value | Description | +|----------|------------------|------------------------------------------------------------------------------------------------------------------------| +| Branding | `` | The location of your branding cabinet (.cab) file. For example, https://www.<your_server>.net/cabs/branding.cab. | 
diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md index 6ef3d733a3..20a747a5db 100644 --- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md +++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md @@ -24,13 +24,13 @@ You can customize Automatic Search so that your employees can type a single word **To set up Automatic Search** -1. Create a script (.asp) file that conditionally looks for search terms, and post it to an intranet server here: https://ieautosearch/response.asp?MT=%1&srch=%2.

            -For info about the acceptable values for the *%1* and *%2* parameters, see the [Automatic Search parameters](#automatic-search-parameters). For an example of the script file, see the [Sample Automatic Search script](#sample-automatic-search-script).

            -**Important**
            If you aren’t using IIS in your company, you’ll need to remap this URL to your script file’s location. +1. Create a script (.asp) file that conditionally looks for search terms, and post it to an intranet server here: https://ieautosearch/response.asp?MT=%1&srch=%2.

            + For info about the acceptable values for the *%1* and *%2* parameters, see the [Automatic Search parameters](#automatic-search-parameters). For an example of the script file, see the [Sample Automatic Search script](#sample-automatic-search-script).

            + **Important**
            If you aren’t using IIS in your company, you’ll need to remap this URL to your script file’s location. -2. On the **Additional Settings** page of the IEAK 11, click **Internet Settings**, and then click **Advanced Settings**. +2. On the **Additional Settings** page of the IEAK 11, click **Internet Settings**, and then click **Advanced Settings**. -3. Go to the section labeled **Searching** and type *intranet* into the **Search Provider Keyword** box. +3. Go to the section labeled **Searching** and type *intranet* into the **Search Provider Keyword** box. **To redirect to a different site than the one provided by the search results** @@ -93,9 +93,9 @@ end if %> ``` -  + -  + diff --git a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md index 258d927770..705f4822e4 100644 --- a/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/hidecustom-ins-file-setting.md @@ -20,11 +20,11 @@ Info about whether to hide the globally unique identifier (GUID) for each of you |Name |Value |Description | |------|-------------------------------------------------------------------------------------|-----------------------------------------------| |GUID |

            • **0.** Component isn't hidden.
            • **1.** Component is hidden.
            |Determines whether this is a hidden component. | -  + -  + -  + diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md index 3bbd0b4a27..2631d361e7 100644 --- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md 
@@ -17,44 +17,45 @@ ms.date: 10/23/2018 # Determine the licensing version and features to use in IEAK 11 In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment. -During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment. +During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment. - **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website. >[!IMPORTANT] - >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations. 
+ >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations. - **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment. ## Available features by version -| Feature | Internal | External | -| ---------------------------------------- | :---------------------------------------------: | :----------------------------------------------: | -|Welcome screen | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|File locations | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Platform selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Language selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Package type selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Feature selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Automatic Version Synchronization (AVS) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Custom components | 
![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Internal install | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -|User experience | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -|Browser user interface | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Search providers | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Important URLs – Home page and support | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Accelerators | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Favorites, Favorites bar, and feeds | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Browsing options | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -|First Run wizard and Welcome page options | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Connection manager | 
![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Connection settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Automatic configuration | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -|Proxy settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Security and privacy settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -|Add a root certificate | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -|Programs | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | -|Additional settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | -|Wizard complete | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Feature | Internal | External | +|-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:| +| Welcome screen | 
![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| File locations | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Platform selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Language selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Package type selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Feature selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Automatic Version Synchronization (AVS) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Custom components | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Internal install | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| User experience | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| Browser user interface | 
![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Search providers | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Important URLs – Home page and support | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Accelerators | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Favorites, Favorites bar, and feeds | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Browsing options | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| First Run wizard and Welcome page options | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Connection manager | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Connection settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Automatic configuration | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| Proxy settings | 
![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Security and privacy settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| Add a root certificate | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| Programs | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +| Additional settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +| Wizard complete | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | + --- diff --git a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md index dbcebe65ca..b9d51e17e5 100644 --- a/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/user-experience-ieak11-wizard.md 
@@ -21,38 +21,38 @@ The **User Experience** page of the Internet Explorer Customization Wizard 11 le **To use the User Experience page** -1. Choose how your employee should interact with Setup, including: +1. Choose how your employee should interact with Setup, including: - - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process. + - **Interactive installation**. Lets your employees change installation options while installing your custom package. This experience shows all of the progress and error messages throughout the process. - - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process. + - **Hands-free installation**. Lets you make all of the decisions for your employees. However, they’ll still see all of the progress and error messages throughout the process. - - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again. -

            Both the hands-free and completely silent installation options will: + - **Completely silent installation**. Lets you make all of the decisions for your employees and hides all of the progress and error messages. Because this mode is completely silent, if the installation fails, your employees won’t know and they won’t be able to run the installation package again. +

            Both the hands-free and completely silent installation options will: - - Answer prompts so Setup can continue. + - Answer prompts so Setup can continue. - - Accept the license agreement. + - Accept the license agreement. - - Determine that Internet Explorer 11 is installed and not just downloaded. + - Determine that Internet Explorer 11 is installed and not just downloaded. - - Perform your specific installation type. + - Perform your specific installation type. - - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version. + - Install IE in the default location, unless it is already installed. In that case, the new version of the browser is installed in the same location as the previous version. -2. Choose if your employee’s device will restart at the end of Setup. +2. Choose if your employee’s device will restart at the end of Setup. - - **Default**. Prompts your employees to restart after installing IE. + - **Default**. Prompts your employees to restart after installing IE. - - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later. + - **No restart**. Doesn’t restart the computer after installing IE. The employee will have to manually restart later. - - **Force restart**. Automatically restarts the computer after installing IE. + - **Force restart**. Automatically restarts the computer after installing IE. -3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page. +3. Click **Next** to go to the [Browser User Interface](browser-ui-ieak11-wizard.md) page or **Back** to go to the [Internal Install](internal-install-ieak11-wizard.md) page. -  + -  + diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json index dddf3dbe50..0652ccd8b0 100644 
--- a/devices/hololens/docfx.json +++ b/devices/hololens/docfx.json @@ -4,7 +4,7 @@ { "files": [ "**/*.md", - "**/**.yml" + "**/**.yml" ], "exclude": [ "**/obj/**", @@ -29,27 +29,27 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/hololens/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "ms.author": "jdecker", - "ms.date": "04/05/2017", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "Win.itpro-hololens", - "folder_relative_path_in_docset": "./" - } - } - }, + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/hololens/breadcrumb/toc.json", + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "jdecker", + "ms.date": "04/05/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.itpro-hololens", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [ null ], "dest": "devices/hololens", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 20f745c009..bb56182d56 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md 
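Review bot: switching `markdownEngineName` from `dfm` to `markdig` in `devices/hololens/docfx.json` is not a cosmetic change and should not be buried in a whitespace cleanup; markdig is CommonMark-based, so a raw HTML block (for example a `<table>`) ends at the first blank line and a following line indented four or more spaces is parsed as an indented code block, which is exactly the shape of the cell content being reindented in `hololens-provisioning.md` and `index.md` in this same change. Please either confirm those pages were rebuilt and checked under the new engine, or land the engine switch as its own commit so a rendering regression can be bisected.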
@@ -21,7 +21,7 @@ Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get ## How do I install the Insider builds? -On a device running the Windows 10 April 2018 Update, go to **Settings -> Update & Security -> Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. +On a device running the Windows 10 April 2018 Update, go to Settings -> Update & Security -> Windows Insider Program and select Get started. Link the account you used to register as a Windows Insider. Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index f0ad55c2f1..01dcda9e51 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md 
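Review bot: this hunk removes the bold from the Settings path and the **Get started** button, but the unchanged next sentence still bolds **Active development of Windows**, **Fast** and **Slow**, so UI element formatting becomes inconsistent within one short procedure. Either keep `**Settings -> Update & Security -> Windows Insider Program**` and `**Get started**` as they were, or drop the bold from the following sentence as well.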
@@ -155,23 +155,23 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* 6. Expand **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**. 7. In the center pane, click **Browse** to locate and select the kiosk configuration XML file that you created. - ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) + ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) 8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. -8. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. -8. On the **File** menu, select **Save.** -9. On the **Export** menu, select **Provisioning package**. -10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** +9. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. +10. 
On the **File** menu, select **Save.** +11. On the **Export** menu, select **Provisioning package**. +12. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -11. On the **Provisioning package security** page, do not select **Enable package encryption** or provisioning will fail on HoloLens. You can choose to enable package signing. +13. On the **Provisioning package security** page, do not select **Enable package encryption** or provisioning will fail on HoloLens. You can choose to enable package signing. - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location. +14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location. -13. Click **Next**. +15. Click **Next**. -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. +16. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. 
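Review bot: the renumbering is right (the old list repeated `8.` three times), but the steps being renumbered deserve a security caveat while this file is open: step 13 tells the reader not to select **Enable package encryption**, while steps 8 and 9 put a local user name and password, including a member of **Administrators**, into that same package. The page should say that the built .ppkg therefore carries those credentials unencrypted and must be stored and distributed as a secret, and that the signing option it does allow protects the package's integrity but does not hide its contents.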
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index 6e658e8ddb..5e85f10bec 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -61,7 +61,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. 2. Click **Provision HoloLens devices**. - ![ICD start options](images/icd-create-options-1703.png) + ![ICD start options](images/icd-create-options-1703.png) 3. Name your project and click **Finish**. @@ -74,12 +74,12 @@ Use the Windows Configuration Designer tool to create a provisioning package. - - - - - - + + + + + +
            ![step one](images/one.png)![set up device](images/set-up-device.png)

            Browse to and select the enterprise license file to upgrade the HoloLens edition.

            You can also toggle **Yes** or **No** to hide parts of the first experience.

            To set up the device without the need to connect to a Wi-Fi network, toggle **Skip Wi-Fi setup** to **On**.

            Select a region and timezone in which the device will be used.
            ![Select enterprise licence file and configure OOBE](images/set-up-device-details.png)
            ![step two](images/two.png) ![set up network](images/set-up-network.png)

            In this section, you can enter the details of the Wi-Fi wireless network that the device should connect to automatically. To do this, select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
            ![Enter network SSID and type](images/set-up-network-details-desktop.png)
            ![step three](images/three.png) ![account management](images/account-management.png)

            You can enroll the device in Azure Active Directory, or create a local account on the device

            Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

            To create a local account, select that option and enter a user name and password.

            **Important:** (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
            ![join Azure AD or create a local account](images/account-management-details.png)
            ![step four](images/four.png) ![add certificates](images/add-certificates.png)

            To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
            ![add a certificate](images/add-certificates-details.png)
            ![step five](images/five.png) ![Developer Setup](images/developer-setup.png)

            Toggle **Yes** or **No** to enable Developer Mode on the HoloLens. [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
            ![Enable Developer Mode](images/developer-setup-details.png)
            ![step six](images/six.png) ![finish](images/finish.png)

            Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail.
            ![Protect your package](images/finish-details.png)
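Review bot: in the `hololens-provisioning.md` hunk the cell contents are reindented to 12 spaces while the blank lines between paragraphs are kept (for example between `Browse to and select the enterprise license file...` and `You can also toggle **Yes** or **No**...`); under the markdig engine enabled in this same change an HTML block ends at a blank line, and a line indented four or more spaces after that is an indented code block, so these paragraphs and the `![step two]`/`![set up network]` image lines risk rendering as literal code instead of table cells. Suggest removing the blank lines and deep indentation inside the cells, or converting the markdown image and link syntax in them to raw `<img>`/`<a>` tags; the `index.md` hunk later in this change has the same pattern.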
            After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. diff --git a/devices/hololens/hololens-whats-new.md b/devices/hololens/hololens-whats-new.md index 52001e1cc3..c250d1c12c 100644 --- a/devices/hololens/hololens-whats-new.md +++ b/devices/hololens/hololens-whats-new.md @@ -35,14 +35,14 @@ Share from Microsoft Edge | Share button is now available on Microsoft Edge wind ### For administrators -Feature | Details ---- | --- -[Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. -Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. -PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**.  | When signing in as **Other User**, the PIN option is now available under **Sign-In options**. -Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
            **Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.  -Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. -Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. +| Feature | Details | +|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. | +| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. | +| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**.  | +| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
            **Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.  | +| Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. | +| Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. | ### For international customers diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 9b7ed69845..e3790fbfb5 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -14,7 +14,7 @@ ms.date: 07/27/2018 - +

            Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10.

            Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic for Business when you apply the Enterprise license file to the device.

            ![Hololens](images/hololens.png)

            ## In this section diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md index 1edb01f238..86d6848826 100644 --- a/devices/surface-hub/connect-and-display-with-surface-hub.md +++ b/devices/surface-hub/connect-and-display-with-surface-hub.md @@ -109,7 +109,7 @@ Use these ports on the Surface Hub for Guest Mode. -  + ### Port locations @@ -224,7 +224,7 @@ Your choice of video cable will be determined by what is available from your sou -  + Source audio is provided by DisplayPort and HDMI cables. If you must use VGA, Surface Hub has an audio input port that uses a 3.5 mm plug. Surface Hub also uses a USB cable that provides Touchback and Inkback from the Surface Hub to compatible Windows 10 devices. The USB cable can be used with any video input that is already connected with a cable. @@ -275,20 +275,20 @@ Check directly with graphics card vendors for the latest drivers.

            NVIDIA

            -

            [http://nvidia.com/Download/index.aspx](http://nvidia.com/Download/index.aspx)

            +

            http://nvidia.com/Download/index.aspx

            AMD

            -

            [http://support.amd.com/en-us/download](http://support.amd.com/en-us/download)

            +

            http://support.amd.com/en-us/download

            Intel

            -

            [https://downloadcenter.intel.com/](https://downloadcenter.intel.com/)

            +

            https://downloadcenter.intel.com/

            -  + ### Ports @@ -347,7 +347,7 @@ Replacement PC ports on 55" Surface Hub -  + Replacement PC ports on 84" Surface Hub @@ -404,7 +404,7 @@ Replacement PC ports on 84" Surface Hub -  + ### Replacement PC setup instructions @@ -439,9 +439,9 @@ You can switch the Surface Hub to use the internal PC. 3. Turn on the Surface Hub using the power switch next to the power cable. -  + ## Video Out -  + The Surface Hub includes a Video Out port for mirroring visual content from the Surface Hub to another display. ### Ports diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index f38240fe4d..6c133e978d 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -245,7 +245,7 @@ You can use the Exchange Admin Center to create a device account: >[!NOTE] >If you want to create and assign a policy to the account you created, and are using Exchange 2010, look up the corresponding information regarding policy creation and policy assignment when using the EMC (Exchange management console). -  + 1. Go to the Exchange Admin Center. @@ -373,11 +373,11 @@ If you aren't sure what value to use for the `RegistrarPool` parameter in your e Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool* ``` -3. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: +3. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: - ```PowerShell - Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress - ``` + ```PowerShell + Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress + ``` diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json index 9feee3c192..c5b96ab0fe 100644 
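Review bot: in the `@@ -275,20 +275,20 @@` hunk of `connect-and-display-with-surface-hub.md` the NVIDIA, AMD and Intel driver links change from markdown links to bare URLs; if these rows are cells of a raw HTML table (the tags are stripped in this view) the bare text will not be clickable, because markdown autolinking does not apply inside an HTML block, so `<a href="https://downloadcenter.intel.com/">https://downloadcenter.intel.com/</a>` is the safer form. While these rows are being touched, the NVIDIA and AMD URLs are plain `http://` whereas Intel's is `https://`; since they send readers to driver downloads, prefer `https://` wherever the vendor serves it.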
--- a/devices/surface-hub/docfx.json +++ b/devices/surface-hub/docfx.json 
@@ -1,43 +1,50 @@ { "build": { - "content": - [ - { - "files": ["**/**.md", "**/**.yml"], - "exclude": ["**/obj/**"] - } - ], + "content": [ + { + "files": [ + "**/**.md", + "**/**.yml" + ], + "exclude": [ + "**/obj/**" + ] + } + ], "resource": [ - { - "files": ["**/images/**"], - "exclude": ["**/obj/**"] + { + "files": [ + "**/images/**" + ], + "exclude": [ + "**/obj/**" + ] + } + ], + "globalMetadata": { + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/surface-hub/breadcrumb/toc.json", + "ROBOTS": "INDEX, FOLLOW", + "ms.technology": "windows", + "ms.topic": "article", + "ms.mktglfcycl": "manage", + "author": "jdeckerms", + "ms.sitesec": "library", + "ms.author": "jdecker", + "ms.date": "05/23/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.surface-hub", + "folder_relative_path_in_docset": "./" } - ], - "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/surface-hub/breadcrumb/toc.json", - "ROBOTS": "INDEX, FOLLOW", - "ms.technology": "windows", - "ms.topic": "article", - "ms.mktglfcycl": "manage", - "author": "jdeckerms", - "ms.sitesec": "library", - "ms.author": "jdecker", - "ms.date": "05/23/2017", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "Win.surface-hub", - "folder_relative_path_in_docset": "./" - } - } + } }, - "externalReference": [ - ], + "externalReference": [], "template": "op.html", "dest": "devices/surface-hub", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } 
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md index 6ac1859c6c..375ee1686d 100644 --- a/devices/surface-hub/first-run-program-surface-hub.md +++ b/devices/surface-hub/first-run-program-surface-hub.md @@ -40,7 +40,7 @@ Each of these sections also contains information about paths you might take when >[!NOTE] >You should have the separate keyboard that came with your Surface Hub set up and ready before beginning. See the Surface Hub Setup Guide for details. -  + ## Hi there page @@ -50,7 +50,7 @@ This is the first screen you'll see when you power up the Surface Hub for the fi >[!NOTE] >This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing. - Select a language and the initial setup options are displayed. + Select a language and the initial setup options are displayed. ![Image showing ICD options checklist.](images/setuplocale.png) @@ -68,7 +68,7 @@ If the default values shown are correct, then you can click **Next** to go on. O >[!NOTE] > Once the settings on this page are entered, you can't come back to this screen unless you reset the device (see [Device reset](device-reset-surface-hub.md)). Make sure that the settings are properly configured before proceeding. -  + When the settings are accepted, the device will check for a wired network connection. If the connection is fine, it will display the [Set up for you page](#set-up-for-you). If there is a problem with the wired connection, the device will display the [Network setup page](#network-setup). 
@@ -90,7 +90,7 @@ This screen is shown only if the device fails to detect a wired network. If you >[!NOTE] >If you skip this, the device will not have a network connection, and nothing that requires a network connection will work on your Surface Hub, including system updates and email and calendar synchronization. You can connect to a wireless network later using Settings (see [Wireless network managment](wireless-network-management-for-surface-hub.md)). -   + - You can plug in a network cable while this screen is visible. The device will detect it, and will add **Next** to the screen. Click **Next** to continue with making the wired connection. @@ -125,7 +125,7 @@ This page will be shown when the device detects a wired connection with limited - You can skip connecting to a network by selecting **Skip this step**. You'll be taken to the [Set up for you page](#set-up-for-you). **Note**  If you skip this, the device will not have a network connection, and nothing that requires a network connection will work on your Surface Hub, including things like email and calendar synchronization. You can connect to a wireless network later using Settings (see [Wireless network managment](wireless-network-management-for-surface-hub.md)). -   + - You can select **Enter proxy settings** which will allow you to specify how to use the network proxy. You'll be taken to the next screen. @@ -151,7 +151,7 @@ You can skip connecting to a network by selecting **Skip this step**. You'll be >[!NOTE] >If you skip this, the device will not have a network connection, and nothing that requires a network connection will work on your Surface Hub, including things like email and calendar synchronization. You can connect to a wireless network later using Settings (see [Wireless network managment](wireless-network-management-for-surface-hub.md)). -  + ## Set up for you page 
@@ -185,12 +185,12 @@ On this page, the Surface Hub will ask for credentials for the device account th Use either a **user principal name (UPN)** or a **domain\\user name** as the account identifier in the first entry field. Use the format that matches your environment, and enter the password. -| Environment | Required format for device account| -| ------------ | ----------------------------------| -| Device account is hosted only online. | username@domain.com| -| Device account is hosted only on-prem. | DOMAIN\username| -| Device account is hosted online and on-prem (hybrid). | DOMAIN\username| +| Environment | Required format for device account | +|-------------------------------------------------------|------------------------------------| +| Device account is hosted only online. | username@domain.com | +| Device account is hosted only on-prem. | DOMAIN\username | +| Device account is hosted online and on-prem (hybrid). | DOMAIN\username | Click **Skip setting up a device account** to skip setting up a device account. However, if you don't set up a device account, the device will not be fully integrated into your infrastructure. For example, people won't be able to: @@ -319,7 +319,7 @@ Because every Surface Hub can be used by any number of authenticated employees, >[!NOTE] >The purpose of this page is primarily to determine who can configure the device from the device’s UI; that is, who can actually visit a device, log in, open up the Settings app, and make changes to the Settings. -  + ![Image showing Set up admins for this device page.](images/setupsetupadmins.png) @@ -357,7 +357,7 @@ This is what happens when you choose an option. >[!NOTE] >After you finish this process, you won't be able to change the device's admin option unless you reset the device. -  + ### Use Microsoft Azure Active Directory 
@@ -416,7 +416,7 @@ If the join is successful, you'll see the **Enter a security group** page. When >[!NOTE] >If you domain join the Surface Hub, you can't unjoin the device without resetting it. -  + ### Use a local admin @@ -442,7 +442,7 @@ This page will attempt to create a new admin account using the credentials that >[!IMPORTANT] >Before you do the updates, make sure you read [Save your BitLocker key](save-bitlocker-key-surface-hub.md) in order to make sure you have a backup of the key. -  + In order to get the latest features and fixes, you should update your Surface Hub as soon as you finish all of the preceding first-run steps. @@ -451,9 +451,9 @@ In order to get the latest features and fixes, you should update your Surface Hu 3. If updates are available, they will be downloaded. Once downloading is complete, click the **Update now** button to install the updates. 4. Follow the onscreen prompts after the updates are installed. You may need to restart the device. -  + -  + diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index b94c860539..ab66d2931a 100644 --- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md 
@@ -184,20 +184,20 @@ The following table lists the Office 365 plans and Skype for Business options. Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device. - - Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app. + - Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app. - - Click on **Users and Groups** and then **Add users, reset passwords, and more**. + - Click on **Users and Groups** and then **Add users, reset passwords, and more**. - - Click the Surface Hub account, and then click the pen icon to edit the account information. + - Click the Surface Hub account, and then click the pen icon to edit the account information. - - Click **Licenses**. + - Click **Licenses**. - - In **Assign licenses**, select Skype for Business (Plan 1) or Skype for Business (Plan 2), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 2 license if you want to use Enterprise Voice on your Surface Hub. + - In **Assign licenses**, select Skype for Business (Plan 1) or Skype for Business (Plan 2), depending on your licensing and Enterprise Voice requirements. You'll have to use a Plan 2 license if you want to use Enterprise Voice on your Surface Hub. - - Click **Save**. + - Click **Save**. - >[!NOTE] - >You can also use the Windows Azure Active Directory Module for Windows Powershell to run the cmdlets needed to assign one of these licenses, but that's not covered here. + >[!NOTE] + >You can also use the Windows Azure Active Directory Module for Windows Powershell to run the cmdlets needed to assign one of these licenses, but that's not covered here. 
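Review bot: In the hybrid-deployment-surface-hub-device-accounts.md hunk the license names disagree between the unchanged intro and the rewritten step: the intro context line says to assign "Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3)", while the rewritten bullet says "select Skype for Business (Plan 1) or Skype for Business (Plan 2)" and then requires "a Plan 2 license" for Enterprise Voice. Since this change already touches that bullet, pick one plan pair and use it in both places so an admin reading the page does not assign the wrong SKU to the device account. While in this hunk, "Login as a tenant administrator" should read "Log in as a tenant administrator", and "Windows Powershell" in the note should be "Windows PowerShell".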
For validation, you should be able to use any Skype for Business client (PC, Android, etc.) to sign in to this account. diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index 82f19b1a90..87ed316360 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -13,17 +13,17 @@ ms.localizationpriority: medium # Microsoft Surface Hub admin guide ->[Looking for the Surface Hub admin guide for Windows 10, version 1607?](https://download.microsoft.com/download/7/2/5/7252051B-7E97-4781-B5DF-58D4B1A4BB88/surface-hub-admin-guide-1607.pdf) - ->[Looking for the user's guide for Surface Hub?](https://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) +> [Looking for the Surface Hub admin guide for Windows 10, version 1607?](https://download.microsoft.com/download/7/2/5/7252051B-7E97-4781-B5DF-58D4B1A4BB88/surface-hub-admin-guide-1607.pdf) +> +> [Looking for the user's guide for Surface Hub?](https://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) -
            Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. The documentation in this library describes what needs to be done both before and during setup in order to help you optimize your use of the device.![image of a Surface Hub](images/surfacehub.png)
            -  +
            Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. The documentation in this library describes what needs to be done both before and during setup in order to help you optimize your use of the device.image of a Surface Hub
            + ## Surface Hub setup process -In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need: +In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need: 1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) 2. [Gather the information listed in the Setup worksheet](setup-worksheet-surface-hub.md) 
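Review bot: In the index.md hunk at @@ -13,17 the replacement paragraph ends with the bare text "optimize your use of the device.image of a Surface Hub", whereas the removed line carried `![image of a Surface Hub](images/surfacehub.png)`; as shown, the image reference is gone and only the alt text survives, fused to the sentence with no space. If the intent was to swap the markdown image for an HTML `<img>` element that this diff view does not display, confirm it still renders; otherwise restore the image link and the separating space.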
@@ -34,22 +34,20 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof ## In this section -| Topic | Description | -| --- | --- | -| [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md) | Discover the changes and improvements for Microsoft Surface Hub in the Windows 10, version 1703 release (also known as Creators Update). | -| [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise. | -| [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) | This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. | -| [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) | Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program. | -| [Manage Microsoft Surface Hub](manage-surface-hub.md) | How to manage your Surface Hub after finishing the first-run program. | -| [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) | -| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | PowerShell scripts to help set up and manage your Surface Hub. | -| [Top support solutions for Surface Hub](support-solutions-surface-hub.md) | These are the top Microsoft Support solutions for common issues experienced using Surface Hub. 
| -| [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. | -| [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) | Learn how to resolve Miracast issues. | -| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents. | -| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation library. | - - +| Topic | Description | +|---------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md) | Discover the changes and improvements for Microsoft Surface Hub in the Windows 10, version 1703 release (also known as Creators Update). | +| [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise. | +| [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) | This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. 
| +| [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) | Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program. | +| [Manage Microsoft Surface Hub](manage-surface-hub.md) | How to manage your Surface Hub after finishing the first-run program. | +| [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) | | +| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | +| [Top support solutions for Surface Hub](support-solutions-surface-hub.md) | These are the top Microsoft Support solutions for common issues experienced using Surface Hub. | +| [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. | +| [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) | Learn how to resolve Miracast issues. | +| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents. | +| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation library. | ## Additional resources diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index ad894a91c1..a7c90874f6 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md 
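Review bot: In the index.md hunk at @@ -34,22 the rewritten table leaves the [PowerShell for Surface Hub] row with an empty Description cell, while the sentence that belonged in it, "PowerShell scripts to help set up and manage your Surface Hub.", is dropped along with the stray extra cell it had been sitting in at the end of the Wi-Fi Direct row. Move that sentence into the PowerShell row instead of deleting it, so no row in the table renders with a blank description.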
@@ -58,30 +58,32 @@ You can configure the Surface Hub settings in the following table using MDM. The For more information, see [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323). -| Setting | Node in the SurfaceHub CSP | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | -| ---- | --- | --- | --- | --- | -| Maintenance hours | MaintenanceHoursSimple/Hours/StartTime
            MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes | -| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes | -| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes | -| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
            MOMAgent/WorkspaceKey | Yes | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Friendly name for wireless projection | Properties/FriendlyName | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Device account, including password rotation | DeviceAccount/*``*
            See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes | -| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Set default volume | Properties/DefaultVolume | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Set screen timeout | Properties/ScreenTimeout | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Set session timeout | Properties/SessionTimeout | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Set sleep timeout | Properties/SleepTimeout | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | + +| Setting | Node in the SurfaceHub CSP | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | +|----------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| +| Maintenance hours | MaintenanceHoursSimple/Hours/StartTime
            MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes | +| Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes | +| Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes | +| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
            MOMAgent/WorkspaceKey | Yes | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Friendly name for wireless projection | Properties/FriendlyName | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Device account, including password rotation | DeviceAccount/*``*
            See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes | +| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Set default volume | Properties/DefaultVolume | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Set screen timeout | Properties/ScreenTimeout | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Set session timeout | Properties/SessionTimeout | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Set sleep timeout | Properties/SleepTimeout | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | + \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Supported Windows 10 settings @@ -91,66 +93,73 @@ In addition to Surface Hub-specific settings, there are numerous settings common The following tables include info on Windows 10 settings that have been validated with Surface Hub. There is a table with settings for these areas: security, browser, Windows Updates, Windows Defender, remote reboot, certificates, and logs. Each table identifies if the setting is supported with Microsoft Intune, System Center Configuration Manager, or SyncML. #### Security settings -| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | -| --- | --- | --- |---- | --- | --- | -| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
            See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
            . | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | + +| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | +|--------------------|------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| +| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
            See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
            . | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
            | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | + \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Browser settings -| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | -| --- | --- | --- |---- | --- | --- | -| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | +|-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| +| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | + \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Windows Update settings -| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML*? | -| --- | --- | --- |---- | --- | --- | -| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes| -| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
            See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | +|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| +| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
            See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | + \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Windows Defender settings -| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | -| --- | --- | --- |---- | --- | --- | -| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
            See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Defender status | Use to initiate a Defender scan, force a Security intelligence update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes | +| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | +|-------------------|----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| +| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
            See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Defender status | Use to initiate a Defender scan, force a Security intelligence update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes | + \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Remote reboot -| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | -| --- | --- | --- |---- | --- | --- | -| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
            See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes | No | Yes | -| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
            See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | -| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
            See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | +|------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| +| Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
            See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes | No | Yes | +| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
            See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
            See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | + \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Install certificates -| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | -| --- | --- | --- |---- | --- | --- | -| Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes.
            See [Configure Intune certificate profiles](https://docs.microsoft.com/intune/deploy-use/configure-intune-certificate-profiles). | Yes.
            See [How to create certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/create-certificate-profiles). | Yes | +| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | +|---------------------------------|--------------------------------------------------------------|----------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------| +| Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes.
            See [Configure Intune certificate profiles](https://docs.microsoft.com/intune/deploy-use/configure-intune-certificate-profiles). | Yes.
            See [How to create certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/create-certificate-profiles). | Yes | + @@ -158,32 +167,36 @@ The following tables include info on Windows 10 settings that have been validate #### Collect logs -| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML*? | -| --- | --- | --- |---- | --- | --- | -| Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes | +| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | +|------------------|----------------------------------------------------|----------------------------------------------------------------------------------------|---------------------------|------------------------------------------|-----------------------------| +| Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes | + \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Set network quality of service (QoS) policy -| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML*? | -| --- | --- | --- |--- | --- | ---- | -| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | +|------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| +| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | + \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Set network proxy -| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML*? | -| --- | ---- | --- |---- | --- | --- | -| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | +|-------------------|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| +| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | + \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Configure Start menu -| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML*? | -| --- | ---- | --- |---- | --- | --- | -| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | +| Setting | Details | CSP reference | Supported with
            Intune? | Supported with
            Configuration Manager? | Supported with
            SyncML\*? | +|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| +| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes
            [Use a custom policy.](#example-intune) | Yes.
            [Use a custom setting.](#example-sccm) | Yes | + \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Generate OMA URIs for settings @@ -258,9 +271,9 @@ For more information, see [Create configuration items for Windows 8.1 and Window -  - -  + + + diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 7d9e789c50..5bea64a216 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md 
@@ -20,94 +20,94 @@ This topic explains how you add a device account for your Microsoft Surface Hub If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premises-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, see [On-premises deployment for Surface Hub in a multi-forest environment](on-premises-deployment-surface-hub-multi-forest.md). -1. Start a remote PowerShell session from a PC and connect to Exchange. +1. Start a remote PowerShell session from a PC and connect to Exchange. - Be sure you have the right permissions set to run the associated cmdlets. + Be sure you have the right permissions set to run the associated cmdlets. - Note here that `$strExchangeServer` is the fully qualified domain name (FQDN) of your Exchange server, and `$strLyncFQDN` is the FQDN of your Skype for Business server. - - ```PowerShell - Set-ExecutionPolicy Unrestricted - $org='contoso.microsoft.com' - $cred=Get-Credential $admin@$org - $sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $cred -AllowRedirection -Authentication Kerberos -ConnectionUri "http://$strExchangeServer/powershell" -WarningAction SilentlyContinue - $sessLync = New-PSSession -Credential $cred -ConnectionURI "https://$strLyncFQDN/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue - Import-PSSession $sessExchange - Import-PSSession $sessLync - ``` - -2. After establishing a session, you’ll either create a new mailbox and enable it as a RoomMailboxAccount, or change the settings for an existing room mailbox. This will allow the account to authenticate into the Surface Hub. 
- - If you're changing an existing resource mailbox: - - ```PowerShell - Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) - ``` - - If you’re creating a new resource mailbox: - - ```PowerShell - New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) - ``` - -3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. - - Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. - - If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. - - ```PowerShell - $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false - ``` - - Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too. - - ```PowerShell - Set-Mailbox $acctUpn -Type Regular - Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy - Set-Mailbox $acctUpn -Type Room - Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true - ``` - -4. Various Exchange properties can be set on the device account to improve the meeting experience for people. 
You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. - - ```PowerShell - Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false - Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" - ``` - -5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. - - ```PowerShell - Set-AdUser $acctUpn -PasswordNeverExpires $true - ``` - -6. Enable the account in Active Directory so it will authenticate to the Surface Hub. - - ```PowerShell - Set-AdUser $acctUpn -Enabled $true - ``` - -7. Enable the device account with Skype for Business by enabling your Surface Hub AD account on a Skype for Business Server pool: - - ```PowerShell - Enable-CsMeetingRoom -SipAddress "sip:HUB01@contoso.com" - -DomainController DC-ND-001.contoso.com -RegistrarPool LYNCPool15.contoso.com - -Identity HUB01 - ``` - - You'll need to use the Session Initiation Protocol (SIP) address and domain controller for the Surface Hub, along with your own Skype for Business Server pool identifier and user identity. - -8. OPTIONAL: You can also allow your Surface Hub to make and receive public switched telephone network (PSTN) phone calls by enabling Enterprise Voice for your account. Enterprise Voice isn't a requirement for Surface Hub, but if you want PSTN dialing functionality for the Surface Hub client, here's how to enable it: + Note here that `$strExchangeServer` is the fully qualified domain name (FQDN) of your Exchange server, and `$strLyncFQDN` is the FQDN of your Skype for Business server. 
```PowerShell - Set-CsMeetingRoom -Identity HUB01 -DomainController DC-ND-001.contoso.com -LineURI "tel:+14255550555;ext=50555" -EnterpriseVoiceEnabled $true - ``` + Set-ExecutionPolicy Unrestricted + $org='contoso.microsoft.com' + $cred=Get-Credential $admin@$org + $sessExchange = New-PSSession -ConfigurationName microsoft.exchange -Credential $cred -AllowRedirection -Authentication Kerberos -ConnectionUri "http://$strExchangeServer/powershell" -WarningAction SilentlyContinue + $sessLync = New-PSSession -Credential $cred -ConnectionURI "https://$strLyncFQDN/OcsPowershell" -AllowRedirection -WarningAction SilentlyContinue + Import-PSSession $sessExchange + Import-PSSession $sessLync + ``` - Again, you need to replace the provided domain controller and phone number examples with your own information. The parameter value `$true` stays the same. +2. After establishing a session, you’ll either create a new mailbox and enable it as a RoomMailboxAccount, or change the settings for an existing room mailbox. This will allow the account to authenticate into the Surface Hub. + + If you're changing an existing resource mailbox: + + ```PowerShell + Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) + ``` + + If you’re creating a new resource mailbox: + + ```PowerShell + New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) + ``` + +3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. + + Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. 
+ + If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. + + ```PowerShell + $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false + ``` + + Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too. + + ```PowerShell + Set-Mailbox $acctUpn -Type Regular + Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy + Set-Mailbox $acctUpn -Type Room + Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true + ``` + +4. Various Exchange properties can be set on the device account to improve the meeting experience for people. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. + + ```PowerShell + Set-CalendarProcessing -Identity $acctUpn -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false + Set-CalendarProcessing -Identity $acctUpn -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" + ``` + +5. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. + + ```PowerShell + Set-AdUser $acctUpn -PasswordNeverExpires $true + ``` + +6. Enable the account in Active Directory so it will authenticate to the Surface Hub. + + ```PowerShell + Set-AdUser $acctUpn -Enabled $true + ``` + +7. 
Enable the device account with Skype for Business by enabling your Surface Hub AD account on a Skype for Business Server pool: + + ```PowerShell + Enable-CsMeetingRoom -SipAddress "sip:HUB01@contoso.com" + -DomainController DC-ND-001.contoso.com -RegistrarPool LYNCPool15.contoso.com + -Identity HUB01 + ``` + + You'll need to use the Session Initiation Protocol (SIP) address and domain controller for the Surface Hub, along with your own Skype for Business Server pool identifier and user identity. + +8. OPTIONAL: You can also allow your Surface Hub to make and receive public switched telephone network (PSTN) phone calls by enabling Enterprise Voice for your account. Enterprise Voice isn't a requirement for Surface Hub, but if you want PSTN dialing functionality for the Surface Hub client, here's how to enable it: + + ```PowerShell + Set-CsMeetingRoom -Identity HUB01 -DomainController DC-ND-001.contoso.com -LineURI "tel:+14255550555;ext=50555" -EnterpriseVoiceEnabled $true + ``` + + Again, you need to replace the provided domain controller and phone number examples with your own information. The parameter value `$true` stays the same. - ## Disable anonymous email and IM + ## Disable anonymous email and IM @@ -143,7 +143,7 @@ To change the policy entry: ``` $policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -value $true $clientPolicy | Set-CsClientPolicy -PolicyEntry @{Replace = $policyEntry} -``` +``` To remove the policy entry: @@ -152,7 +152,7 @@ $policyEntry = New-CsClientPolicyEntry -Name AllowResourceAccountSendMessage -va $clientPolicy | Set-CsClientPolicy -PolicyEntry @{Remove = $policyEntry} ``` -  + diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index f6fac6968a..df1bf821b4 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md 
@@ -21,129 +21,129 @@ This topic has instructions for adding a device account for your Microsoft Surfa If you have a pure, online (O365) deployment, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-os356-ps-scripts) to create device accounts. -1. Start a remote PowerShell session on a PC and connect to Exchange. +1. Start a remote PowerShell session on a PC and connect to Exchange. - Be sure you have the right permissions set to run the associated cmdlets. + Be sure you have the right permissions set to run the associated cmdlets. - ```PowerShell - Set-ExecutionPolicy RemoteSigned - $org='contoso.microsoft.com' - $cred=Get-Credential admin@$org - $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection - Import-PSSession $sess - ``` + ```PowerShell + Set-ExecutionPolicy RemoteSigned + $org='contoso.microsoft.com' + $cred=Get-Credential admin@$org + $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection + Import-PSSession $sess + ``` -2. After establishing a session, you’ll either create a new mailbox and enable it as a RoomMailboxAccount, or change the settings for an existing room mailbox. This will allow the account to authenticate into the Surface Hub. +2. After establishing a session, you’ll either create a new mailbox and enable it as a RoomMailboxAccount, or change the settings for an existing room mailbox. This will allow the account to authenticate into the Surface Hub. 
- If you're changing an existing resource mailbox: + If you're changing an existing resource mailbox: - ```PowerShell - Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) - ``` + ```PowerShell + Set-Mailbox -Identity 'HUB01' -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) + ``` - If you’re creating a new resource mailbox: + If you’re creating a new resource mailbox: - ```PowerShell - New-Mailbox -MicrosoftOnlineServicesID HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) - ``` + ```PowerShell + New-Mailbox -MicrosoftOnlineServicesID HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) + ``` -3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. +3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. - Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. + Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to False. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. - If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. 
+ If you haven’t created a compatible policy yet, use the following cmdlet—this one creates a policy called "Surface Hubs". Once it’s created, you can apply the same policy to other device accounts. - ```PowerShell - $easPolicy = New-MobileDeviceMailboxPolicy -Name "SurfaceHubs" -PasswordEnabled $false -AllowNonProvisionableDevices $True - ``` + ```PowerShell + $easPolicy = New-MobileDeviceMailboxPolicy -Name "SurfaceHubs" -PasswordEnabled $false -AllowNonProvisionableDevices $True + ``` - Once you have a compatible policy, then you will need to apply the policy to the device account. + Once you have a compatible policy, then you will need to apply the policy to the device account. - ```PowerShell - Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.Id - ``` + ```PowerShell + Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.Id + ``` -4. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. +4. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. - ```PowerShell - Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false - Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" 
- ``` + ```PowerShell + Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false + Set-CalendarProcessing -Identity 'HUB01@contoso.com' -AddAdditionalResponse $true -AdditionalResponse "This is a Surface Hub room!" + ``` -5. Connect to Azure AD. +5. Connect to Azure AD. - You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command : + You first need to install Azure AD module for PowerShell version 2. In an elevated powershell prompt run the following command : - ```PowerShell - Install-Module -Name AzureAD - ``` - You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. + ```PowerShell + Install-Module -Name AzureAD + ``` + You need to connect to Azure AD to apply some account settings. You can run this cmdlet to connect. - ```PowerShell - Import-Module AzureAD - Connect-AzureAD -Credential $cred - ``` + ```PowerShell + Import-Module AzureAD + Connect-AzureAD -Credential $cred + ``` -6. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. +6. If you decide to have the password not expire, you can set that with PowerShell cmdlets too. See [Password management](password-management-for-surface-hub-device-accounts.md) for more information. - ```PowerShell - Set-AzureADUser -ObjectId "HUB01@contoso.com" -PasswordPolicies "DisablePasswordExpiration" - ``` + ```PowerShell + Set-AzureADUser -ObjectId "HUB01@contoso.com" -PasswordPolicies "DisablePasswordExpiration" + ``` -7. Surface Hub requires a license for Skype for Business functionality. 
In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online). +7. Surface Hub requires a license for Skype for Business functionality. In order to enable Skype for Business, your environment will need to meet the [prerequisites for Skype for Business online](hybrid-deployment-surface-hub-device-accounts.md#sfb-online). - Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant. + Next, you can use `Get-AzureADSubscribedSku` to retrieve a list of available SKUs for your O365 tenant. - Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable. + Once you list out the SKUs, you'll need to assign the SkuId you want to the `$License.SkuId` variable. - ```PowerShell - Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US" + ```PowerShell + Set-AzureADUser -ObjectId "HUB01@contoso.com" -UsageLocation "US" - Get-AzureADSubscribedSku | Select Sku*,*Units - $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense - $License.SkuId = SkuId You selected + Get-AzureADSubscribedSku | Select Sku*,*Units + $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense + $License.SkuId = SkuId You selected - $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses - $AssignedLicenses.AddLicenses = $License - $AssignedLicenses.RemoveLicenses = @() + $AssignedLicenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses + $AssignedLicenses.AddLicenses = $License + $AssignedLicenses.RemoveLicenses = @() - Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses - ``` + Set-AzureADUserLicense -ObjectId "HUB01@contoso.com" -AssignedLicenses $AssignedLicenses + ``` -8. Enable the device account with Skype for Business. 
- If the Skype for Business PowerShell module is not installed, [download the Skype for Business Online Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366). +8. Enable the device account with Skype for Business. + If the Skype for Business PowerShell module is not installed, [download the Skype for Business Online Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366). - - Start by creating a remote PowerShell session from a PC. + - Start by creating a remote PowerShell session from a PC. - ```PowerShell - Import-Module SkypeOnlineConnector - $cssess=New-CsOnlineSession -Credential $cred - Import-PSSession $cssess -AllowClobber - ``` + ```PowerShell + Import-Module SkypeOnlineConnector + $cssess=New-CsOnlineSession -Credential $cred + Import-PSSession $cssess -AllowClobber + ``` - - Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*): + - Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, alice@contoso.com): - ```PowerShell - (Get-CsTenant).TenantPoolExtension - ``` - OR by setting a variable + ```PowerShell + (Get-CsTenant).TenantPoolExtension + ``` + OR by setting a variable - ```PowerShell - $strRegistrarPool = (Get-CsTenant).TenantPoolExtension - $strRegistrarPool = $strRegistrarPool[0].Substring($strRegistrarPool[0].IndexOf(':') + 1) - ``` + ```PowerShell + $strRegistrarPool = (Get-CsTenant).TenantPoolExtension + $strRegistrarPool = $strRegistrarPool[0].Substring($strRegistrarPool[0].IndexOf(':') + 1) + ``` - - Enable the Surface Hub account with the following cmdlet: + - Enable the Surface Hub account with the following cmdlet: - ```PowerShell - Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' 
-RegistrarPool yourRegistrarPool -SipAddressType EmailAddress - ``` + ```PowerShell + Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool yourRegistrarPool -SipAddressType EmailAddress + ``` - OR using the $strRegistarPool variable from above + OR using the $strRegistarPool variable from above - ```PowerShell - Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool $strRegistrarPool -SipAddressType EmailAddress - ``` + ```PowerShell + Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool $strRegistrarPool -SipAddressType EmailAddress + ``` For validation, you should be able to use any Skype for Business client (PC, Android, etc) to sign in to this account. diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index d820afddf1..f9377b503f 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -102,15 +102,15 @@ When you go through the first-run program for your Surface Hub, there's some inf -
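Review bot: the two `-RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force)` lines in step 2 of the Office 365 device-account hunk (`@@ -21,129 +21,129 @@`) are missing the argument to `-String`, so they fail as pasted; since this hunk re-indents exactly those lines, either show the placeholder, e.g. `-RoomMailboxPassword (ConvertTo-SecureString -String '<password>' -AsPlainText -Force)`, or better prompt with `Get-Credential` and pass its `.Password` SecureString, so the device-account password is neither typed in clear text nor left in the console history (the skype-hybrid-voice topic in this same PR already does it that way in its step 9). Two smaller points in the same hunk: `$License.SkuId = SkuId You selected` in step 7 is not valid PowerShell and should be quoted as an explicit placeholder, and `–AllowConflicts $false –DeleteComments $false` in step 4 use an en dash where every neighbouring parameter uses an ASCII hyphen.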

            [Create and test a device account](create-and-test-a-device-account-surface-hub.md)

            +

            Create and test a device account

            This topic introduces how to create and test the device account that Surface Hub uses to communicate with and Skype.

            -

            [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md)

            +

            Create provisioning packages

            For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning.

            -

            [Admin group management](admin-group-management-for-surface-hub.md)

            +

            Admin group management

            Every Surface Hub can be configured individually by opening the Settings app on the device. However, to prevent people who are not administrators from changing the settings, the Settings app requires administrator credentials to open the app and change settings.

            The Settings app requires local administrator credentials to open the app.

            @@ -123,9 +123,9 @@ When you go through the first-run program for your Surface Hub, there's some inf - [Blog post: Surface Hub in a Multi-Domain Environment](https://blogs.technet.microsoft.com/y0av/2017/11/08/11/) - [Blog post: Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/) -  + -  + diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md index e28faaef88..2f47ffd5f8 100644 --- a/devices/surface-hub/provisioning-packages-for-surface-hub.md +++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md @@ -72,11 +72,11 @@ After you [install Windows Configuration Designer](https://technet.microsoft.com ### Create the provisioning package 1. Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, - or + or - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. 2. Click **Provision Surface Hub devices**. 
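Review bot: in the `@@ -72,11 +72,11 @@` hunk of provisioning-packages-for-surface-hub.md (repeated verbatim in `@@ -141,11 +141,11 @@`) the two ADK paths are inconsistent: the x64 path ends at the directory `...\Imaging and Configuration Designer\x86` while the x86 path ends at the executable `...\x86\ICD.exe`, and the sentence then tells the reader to double-click **ICD.exe**. Since the hunk re-indents exactly these lines, make both paths end at the directory (or both at the executable) so the instruction is unambiguous.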
@@ -85,13 +85,13 @@ After you [install Windows Configuration Designer](https://technet.microsoft.com ### Configure settings - - - - - - - + + + + + + +
            ![step one](images/one.png) ![add certificates](images/add-certificates.png)

            To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
            ![add a certificate](images/add-certificates-details.png)
            ![step two](images/two.png) ![configure proxy settings](images/proxy.png)

            Toggle **Yes** or **No** for proxy settings. The default configuration for Surface Hub is to automatically detect proxy settings, so you can select **No** if that is the setting that you want. However, if your infrastructure previously required using a proxy server and has changed to not require a proxy server, you can use a provisioning package to revert your Surface Hub devices to the default settings by selecting **Yes** and **Automatically detect settings**.

            If you toggle **Yes**, you can select to automatically detect proxy settings, or you can manually configure the settings by entering a URL to a setup script, or a static proxy server address. You can also identify whether to use the proxy server for local addresses, and enter exceptions (addresses that Surface Hub should connect to directly without using the proxy server).
            ![configure proxy settings](images/proxy-details.png)
            ![step three](images/three.png) ![device admins](images/set-up-device-admins.png)

            You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Azure Active Directory to allow global admins to use the Settings app, or create a local administrator account on the device.

            To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain, and specify the security group to have admin credentials on Surface Hub. If a provisioning package that enrolls a device in Active Directory is going to be applied to a Surface Hub that was reset, the same domain account can only be used if the account listed is a domain administrator or is the same account that set up the Surface Hub initially. Otherwise, a different domain account must be used in the provisioning package.

            Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

            To create a local administrator account, select that option and enter a user name and password.

            **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
            ![join Active Directory, Azure AD, or create a local admin account](images/set-up-device-admins-details.png)
            ![step four](images/four.png) ![enroll in device management](images/enroll-mdm.png)

            Toggle **Yes** or **No** for enrollment in MDM.

            If you toggle **Yes**, you must provide a service account and password or certificate thumbprint that is authorized to enroll the device, and also specify the authentication type. If required by your MDM provider, also enter the URLs for the discovery service, enrollment service, and policy service. [Learn more about managing Surface Hub with MDM.](manage-settings-with-mdm-for-surface-hub.md)
            ![enroll in mobile device management](images/enroll-mdm-details.png)
            ![step five](images/five.png) ![add applications](images/add-applications.png)

            You can install multiple Universal Windows Platform (UWP) apps in a provisioning package. For help with the settings, see [Provision PCs with apps](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-with-apps).

            **Important:** Although the wizard interface allows you to select a Classic Win32 app, only include UWP apps in a provisioning package that will be applied to Surface Hub. If you include a Classic Win32 app, provisioning will fail.
            ![add an application](images/add-applications-details.png)
            ![step six](images/six.png) ![Add configuration file](images/add-config-file.png)

            You don't configure any settings in this step. It provides instructions for including a configuration file that contains a list of device accounts. The configuration file must not contain column headers. When you apply the provisioning package to Surface Hub, if a Surface Hub configuration file is included on the USB drive, you can select the account and friendly name for the device from the file. See [Sample configuration file](#sample-configuration-file) for an example.

            **Important:** The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703.
            ![Add a Surface Hub configuration file](images/add-config-file-details.png)
            ![finish](images/finish.png)

            You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
            ![Protect your package](images/finish-details.png)
            step one add certificates

            To provision the device with a certificate, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.
            add a certificate
            step two configure proxy settings

            Toggle Yes or No for proxy settings. The default configuration for Surface Hub is to automatically detect proxy settings, so you can select No if that is the setting that you want. However, if your infrastructure previously required using a proxy server and has changed to not require a proxy server, you can use a provisioning package to revert your Surface Hub devices to the default settings by selecting Yes and Automatically detect settings.

            If you toggle Yes, you can select to automatically detect proxy settings, or you can manually configure the settings by entering a URL to a setup script, or a static proxy server address. You can also identify whether to use the proxy server for local addresses, and enter exceptions (addresses that Surface Hub should connect to directly without using the proxy server).
            configure proxy settings
            step three device admins

            You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Azure Active Directory to allow global admins to use the Settings app, or create a local administrator account on the device.

            To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain, and specify the security group to have admin credentials on Surface Hub. If a provisioning package that enrolls a device in Active Directory is going to be applied to a Surface Hub that was reset, the same domain account can only be used if the account listed is a domain administrator or is the same account that set up the Surface Hub initially. Otherwise, a different domain account must be used in the provisioning package.

            Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

            To create a local administrator account, select that option and enter a user name and password.

            Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
            join Active Directory, Azure AD, or create a local admin account
            step four enroll in device management

            Toggle Yes or No for enrollment in MDM.

            If you toggle Yes, you must provide a service account and password or certificate thumbprint that is authorized to enroll the device, and also specify the authentication type. If required by your MDM provider, also enter the URLs for the discovery service, enrollment service, and policy service. Learn more about managing Surface Hub with MDM.
            enroll in mobile device management
            step five add applications

            You can install multiple Universal Windows Platform (UWP) apps in a provisioning package. For help with the settings, see Provision PCs with apps.

            Important: Although the wizard interface allows you to select a Classic Win32 app, only include UWP apps in a provisioning package that will be applied to Surface Hub. If you include a Classic Win32 app, provisioning will fail.
            add an application
            step six Add configuration file

            You don't configure any settings in this step. It provides instructions for including a configuration file that contains a list of device accounts. The configuration file must not contain column headers. When you apply the provisioning package to Surface Hub, if a Surface Hub configuration file is included on the USB drive, you can select the account and friendly name for the device from the file. See Sample configuration file for an example.

            Important: The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703.
            Add a Surface Hub configuration file
            finish

            You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
            Protect your package
            After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. @@ -141,11 +141,11 @@ After you [install Windows Configuration Designer](https://technet.microsoft.com ### Create the provisioning package (advanced) 1. Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, - or + or - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. 2. Click **Advanced provisioning**. diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md index 05235f557c..d329156bb0 100644 --- a/devices/surface-hub/set-up-your-surface-hub.md +++ b/devices/surface-hub/set-up-your-surface-hub.md @@ -37,21 +37,21 @@ Before you turn on your Microsoft Surface Hub for the first time, make sure you' -
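Review bot: the `+` side of the `@@ -85,13 +85,13 @@` table hunk in provisioning-packages-for-surface-hub.md renders every image as bare alt text (`step one add certificates`, `add a certificate`, and so on) and every link as bare text (`Provision PCs with apps`, `set up Azure AD join in your organization`, `Learn more about managing Surface Hub with MDM.`, `Sample configuration file`) where the `-` side had `![step one](images/one.png)` and markdown links, and the bold on **Add a certificate** and **Yes**/**No** is likewise gone from the `+` text; confirm images, link targets and emphasis survive in the rendered table. One documentation point on the same cells: the wizard places the domain-join account credentials, the local administrator password and the MDM service-account password or certificate thumbprint inside the package, yet the last cell only says you *can* set a package password; for a package that is carried on a USB drive that should read as a requirement, with a reminder to remove the package from the drive once provisioning is done.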

            [Setup worksheet](setup-worksheet-surface-hub.md)

            -

            When you've finished pre-setup and are ready to start first-time setup for your Surface Hub, make sure you have all the information listed in this section.

            +

            Setup worksheet

            +

            When you've finished pre-setup and are ready to start first-time setup for your Surface Hub, make sure you have all the information listed in this section.

            -

            [First-run program](first-run-program-surface-hub.md)

            -

            The term "first run" refers to the series of steps you'll go through the first time you power up your Surface Hub, and means the same thing as "out-of-box experience" (OOBE). This section will walk you through the process.

            +

            First-run program

            +

            The term "first run" refers to the series of steps you'll go through the first time you power up your Surface Hub, and means the same thing as "out-of-box experience" (OOBE). This section will walk you through the process.

            -  + -  + -  + diff --git a/devices/surface-hub/skype-hybrid-voice.md b/devices/surface-hub/skype-hybrid-voice.md index 9fb7200640..53922be017 100644 --- a/devices/surface-hub/skype-hybrid-voice.md +++ b/devices/surface-hub/skype-hybrid-voice.md 
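Review bot: same check as for the other table hunks in this PR: in `@@ -37,21 +37,21 @@` of set-up-your-surface-hub.md the `-` lines link to `setup-worksheet-surface-hub.md` and `first-run-program-surface-hub.md` but the `+` lines show only `Setup worksheet` and `First-run program`, so please confirm the targets are preserved. The `-  +` pairs at the end of this hunk (and in `@@ -123,9 +123,9 @@` of prepare-your-environment-for-surface-hub.md) show no visible character difference, so a reviewer cannot tell from the diff what is being changed there; state it in the PR description.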
@@ -22,63 +22,63 @@ If you deployed Skype for Business Cloud PBX with one of the hybrid voice option >[!WARNING] >If you create an account before configuration of Hybrid voice (you run Enable-CSMeetingRoom command), you will not be able to configure required hybrid voice parameters. In order to configure hybrid voice parameters for a previously configured account or to reconfigure a phone number, delete the E5 or E3 + Cloud PBX add-on license, and then follow the steps below, starting at step 3. -1. Create a new user account for Surface Hub. This example uses **surfacehub2@adatum.com**. The account can be created in local Active Directory and synchronized to the cloud, or created directly in the cloud. +1. Create a new user account for Surface Hub. This example uses surfacehub2@adatum.com. The account can be created in local Active Directory and synchronized to the cloud, or created directly in the cloud. ![new object user](images/new-user-hybrid-voice.png) -2. Select **Password Never Expires**. This is important for a Surface Hub device. +2. Select **Password Never Expires**. This is important for a Surface Hub device. - ![Password never expires](images/new-user-password-hybrid-voice.png) + ![Password never expires](images/new-user-password-hybrid-voice.png) -3. In Office 365, add **E5** license or **E3 and Cloud PBX** add-on to the user account created for the room. This is required for Hybrid Voice to work. +3. In Office 365, add **E5** license or **E3 and Cloud PBX** add-on to the user account created for the room. This is required for Hybrid Voice to work. - ![Add product license](images/product-license-hybrid-voice.png) + ![Add product license](images/product-license-hybrid-voice.png) -4. Wait approximately 15 minutes until the user account for the room appears in Skype for Business Online. +4. Wait approximately 15 minutes until the user account for the room appears in Skype for Business Online. -5. 
After the user account for room is created in Skype for Business Online, enable it for Hybrid Voice in Skype for Business Remote PowerShell by running the following cmdlet: +5. After the user account for room is created in Skype for Business Online, enable it for Hybrid Voice in Skype for Business Remote PowerShell by running the following cmdlet: - ``` - Set-csuser surfacehub2@adatum.com EnterpriseVoiceEnabled $true -HostedVoiceMail $true -onpremlineuri tel:+15005000102 - ``` + ``` + Set-csuser surfacehub2@adatum.com EnterpriseVoiceEnabled $true -HostedVoiceMail $true -onpremlineuri tel:+15005000102 + ``` -6. Validate Hybrid Voice call flow by placing test calls from the Surface Hub. +6. Validate Hybrid Voice call flow by placing test calls from the Surface Hub. -7. Start a remote PowerShell session on a PC and connect to Exchange by running the following cmdlets. +7. Start a remote PowerShell session on a PC and connect to Exchange by running the following cmdlets. - ``` - Set-ExecutionPolicy Unrestricted - $cred=Get-Credential -Message "Please use your Office 365 admin credentials" - $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/ps1-liveid/ -Credential $cred -Authentication Basic -AllowRedirection - Import-PSSession $sess - ``` + ``` + Set-ExecutionPolicy Unrestricted + $cred=Get-Credential -Message "Please use your Office 365 admin credentials" + $sess= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/ps1-liveid/ -Credential $cred -Authentication Basic -AllowRedirection + Import-PSSession $sess + ``` -8. After establishing a session, modify the user account for the room to enable it as a **RoomMailboxAccount** by running the following cmdlets. This allows the account to authenticate with Surface Hub. +8. After establishing a session, modify the user account for the room to enable it as a **RoomMailboxAccount** by running the following cmdlets. 
This allows the account to authenticate with Surface Hub. - ``` - Set-Mailbox surfacehub2@adatum.com -Type Room - Set-Mailbox surfacehub2@adatum.com -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) - ``` + ``` + Set-Mailbox surfacehub2@adatum.com -Type Room + Set-Mailbox surfacehub2@adatum.com -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) + ``` -9. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. +9. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. - Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to **False**. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. + Surface Hubs are only compatible with device accounts that have an ActiveSync policy where the **PasswordEnabled** property is set to **False**. If this isn’t set properly, then Exchange services on the Surface Hub (mail, calendar, and joining meetings), will not be enabled. - If you haven’t created a compatible policy yet, use the following cmdlet (this one creates a policy called "Surface Hubs"). After it’s created, you can apply the same policy to other device accounts. + If you haven’t created a compatible policy yet, use the following cmdlet (this one creates a policy called "Surface Hubs"). After it’s created, you can apply the same policy to other device accounts. - ``` - $easPolicy = New-MobileDeviceMailboxPolicy -Name "SurfaceHubs" -PasswordEnabled $false - ``` + ``` + $easPolicy = New-MobileDeviceMailboxPolicy -Name "SurfaceHubs" -PasswordEnabled $false + ``` - After you have a compatible policy, then you will need to apply the policy to the device account. 
However, policies can only be applied to user accounts and not resource mailboxes. Run the following cmdlets to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox (you may need to re-enable the account and set the password again). + After you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. Run the following cmdlets to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox (you may need to re-enable the account and set the password again). - ``` - Set-Mailbox surfacehub2@adatum.com -Type Regular - Set-CASMailbox surfacehub2@adatum.com -ActiveSyncMailboxPolicy $easPolicy.id - Set-Mailbox surfacehub2@adatum.com -Type Room - $credNewAccount = Get-Credential -Message "Please provide the Surface Hub username and password" - Set-Mailbox surfacehub2@adatum.com -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true - ``` + ``` + Set-Mailbox surfacehub2@adatum.com -Type Regular + Set-CASMailbox surfacehub2@adatum.com -ActiveSyncMailboxPolicy $easPolicy.id + Set-Mailbox surfacehub2@adatum.com -Type Room + $credNewAccount = Get-Credential -Message "Please provide the Surface Hub username and password" + Set-Mailbox surfacehub2@adatum.com -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true + ``` 10. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties can be set in [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md). The following cmdlets provide an example of setting Exchange properties. diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md index e1f93840dd..f1f6a52a05 100644 --- a/devices/surface-hub/surface-hub-recovery-tool.md 
+++ b/devices/surface-hub/surface-hub-recovery-tool.md @@ -78,7 +78,9 @@ Install Surface Hub Recovery Tool on the host PC. 5. When the download is complete, the tool instructs you to connect an SSD drive. If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows. The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue. For more information on how to remove the existing drive from your Surface Hub, see [Surface Hub SSD replacement](surface-hub-ssd-replacement.md). - ![Connect SSD](images/shrt-drive.png) +~~~ +![Connect SSD](images/shrt-drive.png) +~~~ 6. When the drive is recognized, click **Start** to begin the re-imaging process. On the warning that all data on the drive will be erased, click **OK**. @@ -94,7 +96,7 @@ Install Surface Hub Recovery Tool on the host PC. Issue | Notes --- | --- -The tool fails to image the SSD | Make sure you are using a factory-supplied SSD and one of the tested cables. +The tool fails to image the SSD | Make sure you are using a factory-supplied SSD and one of the tested cables. The reimaging process appears halted/frozen | It is safe to close and restart the Surface Hub Recovery Tool with no ill effect to the SSD. The drive isn’t recognized by the tool | Verify that the Surface Hub SSD is enumerated as a Lite-On drive, "LITEON L CH-128V2S USB Device". If the drive is recognized as another named device, your current cable isn’t compatible. Try another cable or one of the tested cable listed above. Error: -2147024809 | Open Disk Manager and remove the partitions on the Surface Hub drive. Disconnect and reconnect the drive to the host machine. Restart the imaging tool again. diff --git a/devices/surface-hub/surface-hub-site-readiness-guide.md b/devices/surface-hub/surface-hub-site-readiness-guide.md index ec536e5930..15d07e2f5c 100644 --- a/devices/surface-hub/surface-hub-site-readiness-guide.md 
+++ b/devices/surface-hub/surface-hub-site-readiness-guide.md @@ -131,7 +131,7 @@ For details on Touchback and Inkback, see the user guide at http://www.microsoft ## See also -[Watch the video (opens in a pop-up media player)][http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) +[Watch the video (opens in a pop-up media player)][) diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md index a7e0be3da4..9ddfa628e6 100644 --- a/devices/surface-hub/surface-hub-start-menu.md +++ b/devices/surface-hub/surface-hub-start-menu.md @@ -102,7 +102,6 @@ There are a few key differences between Start menu customization for Surface Hub - ``` @@ -179,7 +178,6 @@ This example shows a link to a website and a link to a .pdf file. - ``` >[!NOTE] diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md index fc4edb1e19..65b4f6f1ca 100644 --- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md +++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md @@ -25,7 +25,7 @@ There are a few scenarios where you need to specify the domain name of your Skyp 2. Click **Surface Hub**, and then click **Calling & Audio**. 3. Under **Skype for Business configuration**, click **Configure domain name**. 4. Type the domain name for your Skype for Business server, and then click **Ok**. -> [!TIP] -> You can type multiple domain names, separated by commas.
            For example: lync.com, outlook.com, lync.glbdns.microsoft.com + > [!TIP] + > You can type multiple domain names, separated by commas.
            For example: lync.com, outlook.com, lync.glbdns.microsoft.com ![Add Skype for Business FQDN to Settings](images/system-settings-add-fqdn.png) diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 9aaa1b9f54..f8c792f932 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -33,7 +33,7 @@ To connect to a room control system control panel, you don't need to configure a | Parity | none | | Flow control | none | | Line feed | every carriage return | -  + ## Wiring diagram @@ -55,7 +55,7 @@ The following command modifiers are available. Commands terminate with a new lin | - | Decrease a value | | = | Set a discrete value | | ? | Queries for a current value | -  + ## Power @@ -112,7 +112,7 @@ Changes to volume levels can be sent by a room control system, or other system. | Volume- | SMC sends the volume down command.

            PC service notifies SMC of new volume level. | Volume = 50 | -  + ## Mute for audio @@ -123,7 +123,7 @@ Audio can be muted. | AudioMute+ | SMC sends the audio mute command.

            PC service notifies SMC that audio is muted. | none | -  + ## Video source @@ -137,7 +137,7 @@ Several display sources can be used. | 3 | VGA | -  + Changes to display source can be sent by a room control system, or other system. @@ -160,7 +160,7 @@ Errors are returned following the format in this table. | Error: Command not available when off '<input>'. | When the Surface Hub is off, commands other than Power return this error. For example, "Volume+" would be invalid and return " Error: Command not available when off 'Volume'". | -  + ## Related topics @@ -169,9 +169,9 @@ Errors are returned following the format in this table. [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) -  + -  + diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md index 5a351cb4f6..9448059c5b 100644 --- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md +++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md @@ -14,7 +14,7 @@ ms.reviewer: manager: dansimp --- -#Deploy Surface app with Microsoft Store for Business and Education +# Deploy Surface app with Microsoft Store for Business and Education **Applies to** * Surface Pro 4 
@@ -38,11 +38,11 @@ The Surface app is a lightweight Microsoft Store app that provides control of ma If your organization is preparing images that will be deployed to your Surface devices, you may want to include the Surface app (formerly called the Surface Hub) in your imaging and deployment process instead of requiring users of each individual device to download and install the app from the Microsoft Store or your Microsoft Store for Business. -##Surface app overview +## Surface app overview The Surface app is available as a free download from the [Microsoft Store](https://www.microsoft.com/store/apps/Surface/9WZDNCRFJB8P). Users can download and install it from the Microsoft Store, but if your organization uses Microsoft Store for Business instead, you will need to add it to your store’s inventory and possibly include the app as part of your Windows deployment process. These processes are discussed throughout this article. For more information about Microsoft Store for Business, see [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/) in the Windows TechCenter. -##Add Surface app to a Microsoft Store for Business account +## Add Surface app to a Microsoft Store for Business account Before users can install or deploy an app from a company’s Microsoft Store for Business account, the desired app(s) must first be made available and licensed to the users of a business. 
@@ -72,14 +72,14 @@ Before users can install or deploy an app from a company’s Microsoft Store for *Figure 3. Offline-licensed app acknowledgement* * Click **OK**. -##Download Surface app from a Microsoft Store for Business account +## Download Surface app from a Microsoft Store for Business account After you add an app to the Microsoft Store for Business account in Offline mode, you can download and add the app as an AppxBundle to a deployment share. 1. Log on to the Microsoft Store for Business account at https://businessstore.microsoft.com. 2. Click **Manage->Apps & software**. A list of all of your company’s apps is displayed, including the Surface app you added in the [Add Surface app to a Microsoft Store for Business account](#add-surface-app-to-a-microsoft-store-for-business-account) section of this article. 3. Under **Actions**, click the ellipsis (**…**), and then click **Download for offline use** for the Surface app. 4. Select the desired **Platform** and **Architecture** options from the available selections for the selected app, as shown in Figure 4. - ![Example of the AppxBundle package](images\deploysurfapp-fig4-downloadappxbundle.png "Example of the AppxBundle package") + ![Example of the AppxBundle package](images/deploysurfapp-fig4-downloadappxbundle.png "Example of the AppxBundle package") *Figure 4. Download the AppxBundle package for an app* 5. Click **Download**. The AppxBundle package will be downloaded. Make sure you note the path of the downloaded file because you’ll need that later in this article. 
@@ -91,7 +91,7 @@ After you add an app to the Microsoft Store for Business account in Offline mode Figure 5 shows the required frameworks for the Surface app. -![Required frameworks for the Surface app](images\deploysurfapp-fig5-requiredframework.png "Required frameworks for the Surface app") +![Required frameworks for the Surface app](images/deploysurfapp-fig5-requiredframework.png "Required frameworks for the Surface app") *Figure 5. Required frameworks for the Surface app* @@ -105,7 +105,7 @@ To download the required frameworks for the Surface app, follow these steps: >[!NOTE] >Only the 64-bit (x64) version of each framework is required for Surface devices. Surface devices are native 64-bit UEFI devices and are not compatible with 32-bit (x86) versions of Windows that would require 32-bit frameworks. -##Install Surface app on your computer with PowerShell +## Install Surface app on your computer with PowerShell The following procedure provisions the Surface app onto your computer and makes it available for any user accounts created on the computer afterwards. 1. Using the procedure described in the [How to download Surface app from a Microsoft Store for Business account](#download-surface-app-from-a-microsoft-store-for-business-account) section of this article, download the Surface app AppxBundle and license file. 2. Begin an elevated PowerShell session. 
@@ -129,26 +129,26 @@ The following procedure provisions the Surface app onto your computer and makes Before the Surface app is functional on the computer where it has been provisioned, you must also provision the frameworks described earlier in this article. To provision these frameworks, use the following procedure in the elevated PowerShell session you used to provision the Surface app. -5. In the elevated PowerShell session, copy and paste the following command: -``` - Add-AppxProvisionedPackage –Online –SkipLicense –PackagePath \Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe.Appx -``` -6. In the elevated PowerShell session, copy and paste the following command: - ``` - Add-AppxProvisionedPackage –Online –SkipLicense –PackagePath \Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe.Appx - ``` +5. In the elevated PowerShell session, copy and paste the following command: + ``` + Add-AppxProvisionedPackage –Online –SkipLicense –PackagePath \Microsoft.VCLibs.140.00_14.0.23816.0_x64__8wekyb3d8bbwe.Appx + ``` +6. In the elevated PowerShell session, copy and paste the following command: + ``` + Add-AppxProvisionedPackage –Online –SkipLicense –PackagePath \Microsoft.NET.Native.Runtime.1.1_1.1.23406.0_x64__8wekyb3d8bbwe.Appx + ``` -##Install Surface app with MDT +## Install Surface app with MDT The following procedure uses MDT to automate installation of the Surface app at the time of deployment. The application is provisioned automatically by MDT during deployment and thus you can use this process with existing images. This is the recommended process to deploy the Surface app as part of a Windows deployment to Surface devices because it does not reduce the cross platform compatibility of the Windows image. -1. Using the procedure described [earlier in this article](#download-surface-app-from-a-microsoft-store-for-business-account), download the Surface app AppxBundle and license file. -2. 
Using the New Application Wizard in the MDT Deployment Workbench, import the downloaded files as a new **Application with source files**. -3. On the **Command Details** page of the New Application Wizard, specify the default **Working Directory** and for the **Command** specify the file name of the AppxBundle, as follows: +1. Using the procedure described [earlier in this article](#download-surface-app-from-a-microsoft-store-for-business-account), download the Surface app AppxBundle and license file. +2. Using the New Application Wizard in the MDT Deployment Workbench, import the downloaded files as a new **Application with source files**. +3. On the **Command Details** page of the New Application Wizard, specify the default **Working Directory** and for the **Command** specify the file name of the AppxBundle, as follows: - * Command: - ``` - Microsoft.SurfaceHub_10.0.342.0_neutral_~_8wekyb3d8bbwe.AppxBundle - ``` - * Working Directory: %DEPLOYROOT%\Applications\SurfaceApp + * Command: + ``` + Microsoft.SurfaceHub_10.0.342.0_neutral_~_8wekyb3d8bbwe.AppxBundle + ``` + * Working Directory: %DEPLOYROOT%\Applications\SurfaceApp For the Surface app to function on the target computer, it will also require the frameworks described earlier in this article. Use the following procedure to import the frameworks required for the Surface app into MDT and to configure them as dependencies. 1. Using the procedure described earlier in this article, download the framework files. Store each framework in a separate folder. diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md index d52ff723c2..e749f22972 100644 --- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md +++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md 
@@ -18,10 +18,10 @@ manager: dansimp **Applies to** - Surface Studio -* Surface Pro 4 -* Surface Book -* Surface 3 -* Windows 10 +- Surface Pro 4 +- Surface Book +- Surface 3 +- Windows 10 This article walks you through the recommended process to deploy Windows 10 to Surface devices with Microsoft deployment technologies. The process described in this article yields a complete Windows 10 environment including updated firmware and drivers for your Surface device along with applications like Microsoft Office 365 and the Surface app. When the process is complete, the Surface device will be ready for use by the end user. You can customize this process to include your own applications and configuration to meet the needs of your organization. You can also follow the guidance provided in this article to integrate deployment to Surface devices into existing deployment strategies. 
@@ -121,13 +121,13 @@ To boot from the network with either your reference virtual machines or your Sur Windows Deployment Services (WDS) is a Windows Server role. To add the WDS role to a Windows Server 2012 R2 environment, use the Add Roles and Features Wizard, as shown in Figure 1. Start the Add Roles and Features Wizard from the **Manage** button of **Server Manager**. Install both the Deployment Server and Transport Server role services. -![Install the Windows Deployment Services role](images\surface-deploymdt-fig1.png "Install the Windows Deployment Services role") +![Install the Windows Deployment Services role](images/surface-deploymdt-fig1.png "Install the Windows Deployment Services role") *Figure 1. Install the Windows Deployment Services server role* After the WDS role is installed, you need to configure WDS. You can begin the configuration process from the WDS node of Server Manager by right-clicking your server’s name and then clicking **Windows Deployment Services Management Console**. In the **Windows Deployment Services** window, expand the **Servers** node to find your server, right-click your server, and then click **Configure** in the menu to start the Windows Deployment Services Configuration Wizard, as shown in Figure 2. -![Configure PXE response for Windows Deployment Services](images\surface-deploymdt-fig2.png "Configure PXE response for Windows Deployment Services") +![Configure PXE response for Windows Deployment Services](images/surface-deploymdt-fig2.png "Configure PXE response for Windows Deployment Services") *Figure 2. Configure PXE response for Windows Deployment Services* 
@@ -148,7 +148,7 @@ To install Windows ADK, run the Adksetup.exe file that you downloaded from [Down When you get to the **Select the features you want to install** page, you only need to select the **Deployment Tools** and **Windows Preinstallation Environment (Windows PE)** check boxes to deploy Windows 10 using MDT, as shown in Figure 3. -![Required options for deployment with MDT](images\surface-deploymdt-fig3.png "Required options for deployment with MDT") +![Required options for deployment with MDT](images/surface-deploymdt-fig3.png "Required options for deployment with MDT") *Figure 3. Only Deployment Tools and Windows PE options are required for deployment with MDT* 
@@ -178,24 +178,24 @@ To create the deployment share, follow these steps: 1. Open the Deployment Workbench from your Start menu or Start screen, as shown in Figure 5. - ![The MDT Deployment Workbench](images\surface-deploymdt-fig5.png "The MDT Deployment Workbench") + ![The MDT Deployment Workbench](images/surface-deploymdt-fig5.png "The MDT Deployment Workbench") *Figure 5. The MDT Deployment Workbench* 2. Right-click the **Deployment Shares** folder, and then click **New Deployment Share** to start the New Deployment Share Wizard, as shown in Figure 6. - ![Summary page of the New Deployment Share Wizard](images\surface-deploymdt-fig6.png "Summary page of the New Deployment Share Wizard") + ![Summary page of the New Deployment Share Wizard](images/surface-deploymdt-fig6.png "Summary page of the New Deployment Share Wizard") *Figure 6. The Summary page of the New Deployment Share Wizard* 3. Create a new deployment share with New Deployment Share Wizard with the following steps: - * **Path** – Specify a local folder where the deployment share will reside, and then click **Next**. + * **Path** – Specify a local folder where the deployment share will reside, and then click **Next**. >[!NOTE] >Like the WDS remote installation folder, it is recommended that you put this folder on an NTFS volume that is not your system volume. - * **Share** – Specify a name for the network share under which the local folder specified on the **Path** page will be shared, and then click **Next**. + * **Share** – Specify a name for the network share under which the local folder specified on the **Path** page will be shared, and then click **Next**. >[!NOTE] >The share name cannot contain spaces. 
@@ -203,11 +203,11 @@ To create the deployment share, follow these steps: >[!NOTE] >You can use a Dollar Sign (**$**) to hide your network share so that it will not be displayed when users browse the available network shares on the server in File Explorer. - * **Descriptive Name** – Enter a descriptive name for the network share (this descriptive name can contain spaces), and then click **Next**. The descriptive name will be the name of the folder as it appears in the Deployment Workbench. - * **Options** – You can accept the default options on this page. Click **Next**. - * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the deployment share. - * **Progress** – While the deployment share is being created, a progress bar is displayed on this page to indicate the status of the deployment share creation process. - * **Confirmation** – When the deployment share creation process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Deployment Share Wizard. + * **Descriptive Name** – Enter a descriptive name for the network share (this descriptive name can contain spaces), and then click **Next**. The descriptive name will be the name of the folder as it appears in the Deployment Workbench. + * **Options** – You can accept the default options on this page. Click **Next**. + * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the deployment share. + * **Progress** – While the deployment share is being created, a progress bar is displayed on this page to indicate the status of the deployment share creation process. + * **Confirmation** – When the deployment share creation process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Deployment Share Wizard. 4. 
When the New Deployment Share Wizard is complete, you can expand the Deployment Shares folder to find your newly created deployment share. 5. You can expand your deployment share, where you will find several folders for the resources, scripts, and components of your MDT deployment environment are stored. 
@@ -230,30 +230,30 @@ To import Windows 10 installation files, follow these steps: 1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench, and then click **New Folder** to open the **New Folder** page, as shown in Figure 7. - ![Create a new folder on the New Folder page](images\surface-deploymdt-fig7.png "Create a new folder on the New Folder page") + ![Create a new folder on the New Folder page](images/surface-deploymdt-fig7.png "Create a new folder on the New Folder page") *Figure 7. Create a new folder on the New Folder page* 2. On the **New Folder** page a series of steps is displayed, as follows: - * **General Settings** – Enter a name for the folder in the **Folder Name** field (for example, Windows 10 Enterprise), add any comments you want in the **Comments** field, and then click **Next**. - * **Summary** – Review the specified configuration of the new folder on this page, and then click **Next**. - * **Progress** – A progress bar will be displayed on this page while the folder is created. This page will likely pass very quickly. - * **Confirmation** – When the new folder has been created, a **Confirmation** page displays the success of the operation. Click **Finish** to close the **New Folder** page. + * **General Settings** – Enter a name for the folder in the **Folder Name** field (for example, Windows 10 Enterprise), add any comments you want in the **Comments** field, and then click **Next**. + * **Summary** – Review the specified configuration of the new folder on this page, and then click **Next**. + * **Progress** – A progress bar will be displayed on this page while the folder is created. This page will likely pass very quickly. + * **Confirmation** – When the new folder has been created, a **Confirmation** page displays the success of the operation. Click **Finish** to close the **New Folder** page. 3. Expand the Operating Systems folder to see the newly created folder. 4. 
Right-click the newly created folder, and then click **Import Operating System** to launch the Import Operating System Wizard, as shown in Figure 8. - ![Import source files with the Import Operating System Wizard](images\surface-deploymdt-fig8.png "Import source files with the Import Operating System Wizard") + ![Import source files with the Import Operating System Wizard](images/surface-deploymdt-fig8.png "Import source files with the Import Operating System Wizard") *Figure 8. Import source files with the Import Operating System Wizard* 5. The Import Operating System Wizard walks you through the import of your operating system files, as follows: - * **OS Type** – Click **Full Set of Source Files** to specify that you are importing the Windows source files from installation media, and then click **Next**. - * **Source** – Click **Browse**, move to and select the folder or drive where your installation files are found, and then click **Next**. - * **Destination** – Enter a name for the new folder that will be created to hold the installation files, and then click **Next**. - * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - * **Progress** – While the installation files are imported, a progress bar is displayed on this page. - * **Confirmation** – When the operating system import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Operating System Wizard. -6. Expand the folder you created in Step 1 to see the entry for your newly imported installation files for Windows 10. + * **OS Type** – Click **Full Set of Source Files** to specify that you are importing the Windows source files from installation media, and then click **Next**. + * **Source** – Click **Browse**, move to and select the folder or drive where your installation files are found, and then click **Next**. 
+ * **Destination** – Enter a name for the new folder that will be created to hold the installation files, and then click **Next**. + * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. + * **Progress** – While the installation files are imported, a progress bar is displayed on this page. + * **Confirmation** – When the operating system import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Operating System Wizard. +6. Expand the folder you created in Step 1 to see the entry for your newly imported installation files for Windows 10. Now that you’ve imported the installation files from the installation media, you have the files that MDT needs to create the reference image and you are ready to instruct MDT how to create the reference image to your specifications. 
@@ -268,35 +268,35 @@ To create the reference image task sequence, follow these steps: 1. Right-click the **Task Sequences** folder under your deployment share in the Deployment Workbench, and then click **New Task Sequence** to start the New Task Sequence Wizard, as shown in Figure 9. - ![Create new task sequence to deploy and update a Windows 10 reference environment](images\surface-deploymdt-fig9.png "Create new task sequence to deploy and update a Windows 10 reference environment") + ![Create new task sequence to deploy and update a Windows 10 reference environment](images/surface-deploymdt-fig9.png "Create new task sequence to deploy and update a Windows 10 reference environment") *Figure 9. Create a new task sequence to deploy and update a Windows 10 reference environment* 2. The New Task Sequence Wizard presents a series of steps, as follows: - * **General Settings** – Enter an identifier for the reference image task sequence in the **Task Sequence ID** field, a name for the reference image task sequence in the **Task Sequence Name** field, and any comments for the reference image task sequence in the **Task Sequence Comments** field, and then click **Next**. - >[!NOTE] - >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters. - * **Select Template** – Select **Standard Client Task Sequence** from the drop-down menu, and then click **Next**. - * **Select OS** – Navigate to and select the Windows 10 image you imported with the Windows 10 installation files, and then click **Next**. - * **Specify Product Key** – Click **Do Not Specify a Product Key at This Time**, and then click **Next**. - * **OS Settings** – Enter a name, organization, and home page URL in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**. - * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**. 
- >[!NOTE] - >During creation of a reference image, any specified Administrator password will be automatically removed when the image is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to remain in line with best practices for production deployment environments. - * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence. - * **Progress** – While the task sequence is created, a progress bar is displayed on this page. - * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard. -2. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**. -3. Select the **Task Sequence** tab to view the steps that are included in the Standard Client Task Sequence template, as shown in Figure 10. + * **General Settings** – Enter an identifier for the reference image task sequence in the **Task Sequence ID** field, a name for the reference image task sequence in the **Task Sequence Name** field, and any comments for the reference image task sequence in the **Task Sequence Comments** field, and then click **Next**. + >[!NOTE] + >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters. + * **Select Template** – Select **Standard Client Task Sequence** from the drop-down menu, and then click **Next**. + * **Select OS** – Navigate to and select the Windows 10 image you imported with the Windows 10 installation files, and then click **Next**. + * **Specify Product Key** – Click **Do Not Specify a Product Key at This Time**, and then click **Next**. + * **OS Settings** – Enter a name, organization, and home page URL in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**. 
+ * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**. + >[!NOTE] + >During creation of a reference image, any specified Administrator password will be automatically removed when the image is prepared for capture with Sysprep. During reference image creation, a password is not necessary, but is recommended to remain in line with best practices for production deployment environments. + * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence. + * **Progress** – While the task sequence is created, a progress bar is displayed on this page. + * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard. +3. Select the **Task Sequences** folder, right-click the new task sequence you created, and then click **Properties**. +4. Select the **Task Sequence** tab to view the steps that are included in the Standard Client Task Sequence template, as shown in Figure 10. - ![Enable Windows Update in the reference image task sequence](images\surface-deploymdt-fig10.png "Enable Windows Update in the reference image task sequence") + ![Enable Windows Update in the reference image task sequence](images/surface-deploymdt-fig10.png "Enable Windows Update in the reference image task sequence") *Figure 10. Enable Windows Update in the reference image task sequence* -4. Select the **Windows Update (Pre-Application Installation)** option, located under the **State Restore** folder. -5. Click the **Options** tab, and then clear the **Disable This Step** check box. -6. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option. -7. Click **OK** to apply changes to the task sequence, and then close the task sequence properties window. +5. 
Select the **Windows Update (Pre-Application Installation)** option, located under the **State Restore** folder. +6. Click the **Options** tab, and then clear the **Disable This Step** check box. +7. Repeat Step 4 and Step 5 for the **Windows Update (Post-Application Installation)** option. +8. Click **OK** to apply changes to the task sequence, and then close the task sequence properties window. ### Generate and import MDT boot media 
@@ -306,25 +306,25 @@ To update the MDT boot media, follow these steps: 1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard, as shown in Figure 11. - ![Generate boot images with the Update Deployment Share Wizard](images\surface-deploymdt-fig11.png "Generate boot images with the Update Deployment Share Wizard") + ![Generate boot images with the Update Deployment Share Wizard](images/surface-deploymdt-fig11.png "Generate boot images with the Update Deployment Share Wizard") *Figure 11. Generate boot images with the Update Deployment Share Wizard* 2. Use the Update Deployment Share Wizard to create boot images with the following process: - * **Options** – Click **Completely Regenerate the Boot Images**, and then click **Next**. - >[!NOTE] - >Because this is the first time the newly created deployment share has been updated, new boot images will be generated regardless of which option you select on the **Options** page. - * **Summary** – Review the specified options on this page before you click **Next** to begin generation of boot images. - * **Progress** – While the boot images are being generated, a progress bar is displayed on this page. - * **Confirmation** – When the boot images have been generated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard. + * **Options** – Click **Completely Regenerate the Boot Images**, and then click **Next**. + >[!NOTE] + >Because this is the first time the newly created deployment share has been updated, new boot images will be generated regardless of which option you select on the **Options** page. + * **Summary** – Review the specified options on this page before you click **Next** to begin generation of boot images. + * **Progress** – While the boot images are being generated, a progress bar is displayed on this page. 
+ * **Confirmation** – When the boot images have been generated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard. 3. Confirm that boot images have been generated by navigating to the deployment share in File Explorer and opening the Boot folder. The following files should be displayed, as shown in Figure 12: - * **LiteTouchPE_x86.iso** - * **LiteTouchPE_x86.wim** - * **LiteTouchPE_x64.iso** - * **LiteTouchPE_x64.wim** + * **LiteTouchPE_x86.iso** + * **LiteTouchPE_x86.wim** + * **LiteTouchPE_x64.iso** + * **LiteTouchPE_x64.wim** - ![Boot images in the Boot folder after Update Deployment Share Wizard completes](images\surface-deploymdt-fig12.png "Boot images in the Boot folder after Update Deployment Share Wizard completes") + ![Boot images in the Boot folder after Update Deployment Share Wizard completes](images/surface-deploymdt-fig12.png "Boot images in the Boot folder after Update Deployment Share Wizard completes") *Figure 12. Boot images displayed in the Boot folder after completion of the Update Deployment Share Wizard* 
@@ -334,21 +334,21 @@ To import the MDT boot media into WDS for PXE boot, follow these steps: 2. Expand **Servers** and your deployment server. 3. Click the **Boot Images** folder, as shown in Figure 13. - ![Start the Add Image Wizard from the Boot Images folder](images\surface-deploymdt-fig13.png "Start the Add Image Wizard from the Boot Images folder") + ![Start the Add Image Wizard from the Boot Images folder](images/surface-deploymdt-fig13.png "Start the Add Image Wizard from the Boot Images folder") *Figure 13. Start the Add Image Wizard from the Boot Images folder* 4. Right-click the **Boot Images** folder, and then click **Add Boot Image** to open the Add Image Wizard, as shown in Figure 14. - ![Import the LiteTouchPE_x86.wim MDT boot image](images\surface-deploymdt-fig14.png "Import the LiteTouchPE_x86.wim MDT boot image") + ![Import the LiteTouchPE_x86.wim MDT boot image](images/surface-deploymdt-fig14.png "Import the LiteTouchPE_x86.wim MDT boot image") *Figure 14. Import the LiteTouchPE_x86.wim MDT boot image* 5. The Add Image Wizard displays a series of steps, as follows: - * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, click **Open**, and then click **Next**. - * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options. - * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**. - * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard. + * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, click **Open**, and then click **Next**. 
+ * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options. + * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**. + * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard. >[!NOTE] >Only the 32-bit boot image, LiteTouchPE_x86.wim, is required to boot from BIOS devices, including Generation 1 Hyper-V virtual machines like the reference virtual machine. @@ -379,7 +379,7 @@ Perform the reference image deployment and capture using the following steps: 1. Start your virtual machine and press the F12 key when prompted to boot to the WDS server via PXE, as shown in Figure 15. - ![Start network boot by pressing the F12 key](images\surface-deploymdt-fig15.png "Start network boot by pressing the F12 key") + ![Start network boot by pressing the F12 key](images/surface-deploymdt-fig15.png "Start network boot by pressing the F12 key") *Figure 15. Start network boot by pressing the F12 key* 
@@ -387,18 +387,18 @@ Perform the reference image deployment and capture using the following steps: 3. Enter your MDT username and password, a user with rights to access the MDT deployment share over the network and with rights to write to the Captures folder in the deployment share. 4. After your credentials are validated, the Windows Deployment Wizard will start and process the boot and deployment share rules. 5. The Windows Deployment Wizard displays a series of steps, as follows: - * **Task Sequence** – Select the task sequence you created for reference image creation (it should be the only task sequence available), and then click **Next**. - * **Computer Details** – Leave the default computer name, workgroup name, and the **Join a Workgroup** option selected, and then click **Next**. The computer name and workgroup will be reset when the image is prepared by Sysprep and captured. - * **Move Data and Settings** – Leave the default option of **Do Not Move User Data and Settings** selected, and then click **Next**. - * **User Data (Restore)** – Leave the default option of **Do Not Restore User Data and Settings** selected, and then click **Next**. - * **Locale and Time** – Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**. - * **Capture Image** – Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**. + * **Task Sequence** – Select the task sequence you created for reference image creation (it should be the only task sequence available), and then click **Next**. + * **Computer Details** – Leave the default computer name, workgroup name, and the **Join a Workgroup** option selected, and then click **Next**. 
The computer name and workgroup will be reset when the image is prepared by Sysprep and captured. + * **Move Data and Settings** – Leave the default option of **Do Not Move User Data and Settings** selected, and then click **Next**. + * **User Data (Restore)** – Leave the default option of **Do Not Restore User Data and Settings** selected, and then click **Next**. + * **Locale and Time** – Leave the default options for language and time settings selected. The locale and time settings will be specified during deployment of the image to other devices. Click **Next**. + * **Capture Image** – Click the **Capture an Image of this Reference Computer** option, as shown in Figure 16. In the **Location** field, keep the default location of the Captures folder. You can keep or change the name of the image file in the **File Name** field. When you are finished, click **Next**. - ![Capture an image of the reference machine](images\surface-deploymdt-fig16.png "Capture an image of the reference machine") + ![Capture an image of the reference machine](images/surface-deploymdt-fig16.png "Capture an image of the reference machine") - *Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment* + *Figure 16. Use the Capture Image page to capture an image of the reference machine after deployment* - * **Ready** – You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image. + * **Ready** – You can review your selections by expanding **Details** on the **Ready** page. Click **Begin** when you are ready to perform the deployment and capture of your reference image. 6. Your reference task sequence will run with the specified options. 
@@ -427,14 +427,14 @@ To import the reference image for deployment, use the following steps: 1. Right-click the **Operating Systems** folder under your deployment share in the Deployment Workbench or the folder you created in when you imported Windows 10 installation files, and then click **Import Operating System** to start the Import Operating System Wizard. 2. Import the custom image with the Import Operating System Wizard by using the following steps: - * **OS Type** – Select Custom Image File to specify that you are importing the Windows source files from installation media, and then click **Next**. - * **Image** – Click **Browse**, and then navigate to and select the image file in the **Captures** folder in your deployment share. Select the **Move the Files to the Deployment Share Instead of Copying Them** checkbox if desired. Click **Next**. - * **Setup** – Click **Setup Files are not Neededf**, and then click **Next**. - * **Destination** – Enter a name for the new folder that will be created to hold the image file, and then click **Next**. - * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - * **Progress** – While the image is imported, a progress bar is displayed on this page. - * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Operating System Wizard. -3. Expand the folder in which you imported the image to verify that the import completed successfully. + * **OS Type** – Select Custom Image File to specify that you are importing the Windows source files from installation media, and then click **Next**. + * **Image** – Click **Browse**, and then navigate to and select the image file in the **Captures** folder in your deployment share. Select the **Move the Files to the Deployment Share Instead of Copying Them** checkbox if desired. Click **Next**. 
+ * **Setup** – Click **Setup Files are not Neededf**, and then click **Next**. + * **Destination** – Enter a name for the new folder that will be created to hold the image file, and then click **Next**. + * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. + * **Progress** – While the image is imported, a progress bar is displayed on this page. + * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Operating System Wizard. +3. Expand the folder in which you imported the image to verify that the import completed successfully. >[!NOTE] >You can import the reference image into the same deployment share that you used to create your reference image, or you could import the reference image into a new deployment share for deployment to your Surface devices. If you chose to create a new deployment share for deployment of your reference image, remember that you still need to import a full set of installation files from installation media. 
@@ -458,24 +458,24 @@ To import the Surface drivers (in this example, Surface Pro 4) into MDT, follow * Microsoft Corporation * Surface Pro 4 - ![Recommended folder structure for drivers](images\surface-deploymdt-fig17.png "Recommended folder structure for drivers") + ![Recommended folder structure for drivers](images/surface-deploymdt-fig17.png "Recommended folder structure for drivers") *Figure 17. The recommended folder structure for drivers* 4. Right-click the **Surface Pro 4** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 18. - ![Progress page during drivers import](images\surface-deploymdt-fig18.png "Progress page during drivers import") + ![Progress page during drivers import](images/surface-deploymdt-fig18.png "Progress page during drivers import") *Figure 18. The Progress page during drivers import* 5. The Import Driver Wizard displays a series of steps, as follows: - * **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 4 firmware and drivers in Step 1. - * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - * **Progress** – While the drivers are imported, a progress bar is displayed on this page. - * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard. -6. Click the **Surface Pro 4** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 19. + * **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 4 firmware and drivers in Step 1. + * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. + * **Progress** – While the drivers are imported, a progress bar is displayed on this page. 
+ * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard. +6. Click the **Surface Pro 4** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 19. - ![Drivers for Surface Pro 4 imported and organized in the MDT deployment share](images\surface-deploymdt-fig19.png "Drivers for Surface Pro 4 imported and organized in the MDT deployment share") + ![Drivers for Surface Pro 4 imported and organized in the MDT deployment share](images/surface-deploymdt-fig19.png "Drivers for Surface Pro 4 imported and organized in the MDT deployment share") *Figure 19. Drivers for Surface Pro 4 imported and organized in the MDT deployment share* @@ -493,7 +493,7 @@ After you have downloaded the source files for your version of Office Click-to-R 1. Right-click the existing **Configuration.xml** file, and then click **Edit**. 2. This action opens the file in Notepad. Replace the existing text with the following: - ``` + ``` @@ -501,7 +501,7 @@ After you have downloaded the source files for your version of Office Click-to-R -``` + ``` 3. Save the file. 
@@ -514,22 +514,22 @@ Now that the installation and configuration files are prepared, the application 1. Open the Deployment Workbench. 2. Expand the deployment share, right-click the **Applications** folder, and then click **New Application** to start the New Application Wizard, as shown in Figure 20. - ![Enter the command and directory for Office 2016 Click-to-Run](images\surface-deploymdt-fig20.png "Enter the command and directory for Office 2016 Click-to-Run") + ![Enter the command and directory for Office 2016 Click-to-Run](images/surface-deploymdt-fig20.png "Enter the command and directory for Office 2016 Click-to-Run") *Figure 20. Enter the command and directory for Office 2016 Click-to-Run* 3. The New Application Wizard walks you through importing the Office 2016 Click-to-Run files, as follows: - * **Application Type** – Click **Application with Source Files**, and then click **Next**. - * **Details** – Enter a name for the application (for example, Office 2016 Click-to-Run) in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**. - * **Source** – Click **Browse** to navigate to and select the folder where you downloaded the Office installation files with the Office Deployment Tool, and then click **Next**. - * **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name. - * **Command Details** – Enter the Office Deployment Tool installation command line: + * **Application Type** – Click **Application with Source Files**, and then click **Next**. + * **Details** – Enter a name for the application (for example, Office 2016 Click-to-Run) in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. 
Click **Next**. + * **Source** – Click **Browse** to navigate to and select the folder where you downloaded the Office installation files with the Office Deployment Tool, and then click **Next**. + * **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name. + * **Command Details** – Enter the Office Deployment Tool installation command line: `Setup.exe /configure configuration.xml` - * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - * **Progress** – While the installation files are imported, a progress bar is displayed on this page. - * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard. + * **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. + * **Progress** – While the installation files are imported, a progress bar is displayed on this page. + * **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard. 4. You should now see the **Office 2016 Click-to-Run** item under the **Applications** folder in the Deployment Workbench. 
@@ -551,17 +551,17 @@ The next step in the process is to create the deployment task sequence. This tas To create the deployment task sequence, follow these steps: 1. In the Deployment Workbench, under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard. 2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard: - * **General Settings** – Enter an identifier for the deployment task sequence in the **Task Sequence ID** field, a name for the deployment task sequence in the **Task Sequence Name** field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, then click **Next**. - >[!NOTE] - >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters. - * **Select Template** – Click **Standard Client Task Sequence** from the drop-down menu, and then click **Next**. - * **Select OS** – Navigate to and select the reference image that you imported, and then click **Next**. - * **Specify Product Key** – Select the product key entry that fits your organization's licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**. - * **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**. - * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**. 
- * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence. - * **Progress** – While the task sequence is being created, a progress bar is displayed on this page. - * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard. + * **General Settings** – Enter an identifier for the deployment task sequence in the **Task Sequence ID** field, a name for the deployment task sequence in the **Task Sequence Name** field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, then click **Next**. + >[!NOTE] + >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters. + * **Select Template** – Click **Standard Client Task Sequence** from the drop-down menu, and then click **Next**. + * **Select OS** – Navigate to and select the reference image that you imported, and then click **Next**. + * **Specify Product Key** – Select the product key entry that fits your organization's licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**. + * **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**. + * **Admin Password** – Click **Use the Specified Local Administrator Password**, enter a password in the provided field, and then click **Next**. + * **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence. 
+ * **Progress** – While the task sequence is being created, a progress bar is displayed on this page. + * **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete the New Task Sequence Wizard. After the task sequence is created it can be modified for increased automation, such as the installation of applications without user interaction, the selection of drivers, and the installation of Windows updates. @@ -573,7 +573,7 @@ After the task sequence is created it can be modified for increased automation, 6. Between the two **Windows Update** steps is the **Install Applications** step. Click the **Install Applications** step, and then click **Add**. 7. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 21. - ![A new Install Application step in the deployment task sequence](images\surface-deploymdt-fig21.png "A new Install Application step in the deployment task sequence") + ![A new Install Application step in the deployment task sequence](images/surface-deploymdt-fig21.png "A new Install Application step in the deployment task sequence") *Figure 21. A new Install Application step in the deployment task sequence* 
@@ -584,22 +584,22 @@ After the task sequence is created it can be modified for increased automation, 12. Expand the **Preinstall** folder, and then click the **Enable BitLocker (Offline)** step. 13. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu. 14. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 22), configure the following options: - * **Name** – Set DriverGroup001 - * **Task Sequence Variable** – DriverGroup001 - * **Value** – Windows 10 x64\%Make%\%Model% + * **Name** – Set DriverGroup001 + * **Task Sequence Variable** – DriverGroup001 + * **Value** – Windows 10 x64\%Make%\%Model% - ![Configure a new Set Task Sequence Variable step in the deployment task sequence](images\surface-deploymdt-fig22.png "Configure a new Set Task Sequence Variable step in the deployment task sequence") + ![Configure a new Set Task Sequence Variable step in the deployment task sequence](images/surface-deploymdt-fig22.png "Configure a new Set Task Sequence Variable step in the deployment task sequence") - *Figure 22. Configure a new Set Task Sequence Variable step in the deployment task sequence* + *Figure 22. Configure a new Set Task Sequence Variable step in the deployment task sequence* 15. Select the **Inject Drivers** step, the next step in the task sequence. 16. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 23), configure the following options: - * In the **Choose a selection profile** drop-down menu, select **Nothing**. - * Click the **Install all drivers from the selection profile** button. + * In the **Choose a selection profile** drop-down menu, select **Nothing**. + * Click the **Install all drivers from the selection profile** button. 
- ![Configure deployment task sequence not to choose the drivers to inject into Windows](images\surface-deploymdt-fig23.png "Configure deployment task sequence not to choose the drivers to inject into Windows") + ![Configure deployment task sequence not to choose the drivers to inject into Windows](images/surface-deploymdt-fig23.png "Configure deployment task sequence not to choose the drivers to inject into Windows") - *Figure 23. Configure the deployment task sequence not to choose the drivers to inject into Windows* + *Figure 23. Configure the deployment task sequence not to choose the drivers to inject into Windows* 17. Click **OK** to apply changes to the task sequence and close the task sequence properties window. @@ -617,20 +617,20 @@ To automate the boot media rules, follow these steps: 2. Click the **Rules** tab, and then click **Edit Bootstrap.ini** to open Bootstrap.ini in Notepad. 3. Replace the text of the Bootstrap.ini file with the following text: - ``` - [Settings] - Priority=Model,Default + ``` + [Settings] + Priority=Model,Default - [Surface Pro 4] - DeployRoot=\\STNDeployServer\DeploymentShare$ - UserDomain=STNDeployServer - UserID=MDTUser - UserPassword=P@ssw0rd - SkipBDDWelcome=YES + [Surface Pro 4] + DeployRoot=\\STNDeployServer\DeploymentShare$ + UserDomain=STNDeployServer + UserID=MDTUser + UserPassword=P@ssw0rd + SkipBDDWelcome=YES - [Surface Pro 4] - DeployRoot=\\STNDeployServer\DeploymentShare$ - ``` + [Surface Pro 4] + DeployRoot=\\STNDeployServer\DeploymentShare$ + ``` 4. Press Ctrl+S to save Bootstrap.ini, and then close Notepad. 
@@ -650,7 +650,7 @@ Rules used in the text shown in Step 3 include: The bulk of the rules used to automate the MDT deployment process are stored in the deployment share rules, or the Customsettings.ini file. In this file you can answer and hide all of the prompts from the Windows Deployment Wizard, which yields a deployment experience that mostly consists of a progress bar that displays the automated actions occurring on the device. The deployment share rules are shown directly in the **Rules** tab of the deployment share properties, as shown in Figure 24. -![Deployment share rules configured for automation of the Windows Deployment Wizard](images\surface-deploymdt-fig24.png "Deployment share rules configured for automation of the Windows Deployment Wizard") +![Deployment share rules configured for automation of the Windows Deployment Wizard](images/surface-deploymdt-fig24.png "Deployment share rules configured for automation of the Windows Deployment Wizard") *Figure 24. Deployment share rules configured for automation of the Windows Deployment Wizard* 
@@ -740,10 +740,10 @@ To update the MDT boot media, follow these steps: 1. Right-click the deployment share in the Deployment Workbench, and then click **Update Deployment Share** to start the Update Deployment Share Wizard. 2. The Update Deployment Share Wizard displays a series of steps, as follows: - * **Options** – Choose between the **Completely Regenerate the Boot Images** or **Optimize the Boot Image Updating Process** options. Completely regenerating the boot images will take more time, but produces boot media that is not fragmented and does not contain out of date components. Optimizing the boot image updating process will proceed more quickly, but may result in longer load times when booting via PXE. Click **Next**. - * **Summary** – Review the specified options on this page before you click **Next** to begin the update of boot images. - * **Progress** – While the boot images are being updated a progress bar is displayed on this page. - * **Confirmation** – When the boot images have been updated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard. + * **Options** – Choose between the **Completely Regenerate the Boot Images** or **Optimize the Boot Image Updating Process** options. Completely regenerating the boot images will take more time, but produces boot media that is not fragmented and does not contain out of date components. Optimizing the boot image updating process will proceed more quickly, but may result in longer load times when booting via PXE. Click **Next**. + * **Summary** – Review the specified options on this page before you click **Next** to begin the update of boot images. + * **Progress** – While the boot images are being updated a progress bar is displayed on this page. + * **Confirmation** – When the boot images have been updated, the success of the process is displayed on this page. Click **Finish** to complete the Update Deployment Share Wizard. 
To import the updated MDT boot media into WDS for PXE boot, follow these steps: 
@@ -752,17 +752,17 @@ To import the updated MDT boot media into WDS for PXE boot, follow these steps: 3. Click the **Boot Images** folder. 4. Right-click the existing MDT boot image, and then click **Replace Image** to open the Replace Boot Image Wizard. 5. Replace the previously imported MDT boot image with the updated version by using these steps in the Replace Boot Image Wizard: - * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, and then click **Open**. Click **Next**. - * **Available Images** – Only one image should be listed and selected **LiteTouch Windows PE (x86)**, click **Next**. - * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options. - * **Summary** – Review your selections for importing a boot image into WDS, and then click **Next**. - * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Replace Boot Image Wizard. + * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, click **LiteTouchPE_x86.wim**, and then click **Open**. Click **Next**. + * **Available Images** – Only one image should be listed and selected **LiteTouch Windows PE (x86)**, click **Next**. + * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options. + * **Summary** – Review your selections for importing a boot image into WDS, and then click **Next**. + * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Replace Boot Image Wizard. 6. Right-click the **Boot Images** folder, and then click **Add Image** to open the Add Image Wizard. 7. 
Add the new 64-bit boot image for 64-bit UEFI device compatibility with the Add Image Wizard , as follows: - * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, select **LiteTouchPE_x64.wim**, and then click **Open**. Click **Next**. - * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options. - * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**. - * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard. + * **Image File** – Click **Browse** and navigate to the **Boot** folder in your deployment share, select **LiteTouchPE_x64.wim**, and then click **Open**. Click **Next**. + * **Image Metadata** – Enter a name and description for the MDT boot media, or click **Next** to accept the default options. + * **Summary** – Review your selections to import a boot image into WDS, and then click **Next**. + * **Task Progress** – A progress bar is displayed as the selected image file is copied into the WDS remote installation folder. Click **Finish** when the task is complete to close the Add Image Wizard. >[!NOTE] >Although it is a best practice to replace and update the boot images in WDS whenever the MDT deployment share is updated, for deployment to Surface devices the 32-bit boot image, LiteTouchPE_x86.wim, is not required. Only the 64-bit boot image is required for 64-bit UEFI devices. 
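Review bot: since the nested bullet lines in this hunk are rewritten for indentation only, the wording that is awkward on both sides of the diff could be fixed in the same pass: "Only one image should be listed and selected **LiteTouch Windows PE (x86)**, click **Next**" reads better as "Only one image, **LiteTouch Windows PE (x86)**, should be listed and selected; click **Next**", and the context line "with the Add Image Wizard , as follows" has a stray space before the comma.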
@@ -774,7 +774,7 @@ With all of the automation provided by the deployment share rules and task seque >[!NOTE] >For the deployment to require only a single touch, the Surface devices must be connected to a keyboard, connected to the network with a Microsoft Surface USB Ethernet Adapter or Surface Dock, and configured with PXE boot as the first boot option, as shown in Figure 25. -![Set boot priority for PXE boot](images\surface-deploymdt-fig25.png "Set boot priority for PXE boot") +![Set boot priority for PXE boot](images/surface-deploymdt-fig25.png "Set boot priority for PXE boot") *Figure 25. Setting boot priority for PXE boot* diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json index 41fee61550..207b2119b7 100644 --- a/devices/surface/docfx.json +++ b/devices/surface/docfx.json 
@@ -1,40 +1,47 @@ { "build": { - "content": - [ - { - "files": ["**/**.md", "**/**.yml"], - "exclude": ["**/obj/**"] - } - ], + "content": [ + { + "files": [ + "**/**.md", + "**/**.yml" + ], + "exclude": [ + "**/obj/**" + ] + } + ], "resource": [ - { - "files": ["**/images/**"], - "exclude": ["**/obj/**"] - } + { + "files": [ + "**/images/**" + ], + "exclude": [ + "**/obj/**" + ] + } ], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/surface/breadcrumb/toc.json", - "ROBOTS": "INDEX, FOLLOW", - "ms.technology": "windows", - "ms.topic": "article", - "ms.author": "jdecker", - "ms.date": "05/09/2017", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "Win.surface", - "folder_relative_path_in_docset": "./" - } - } + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/surface/breadcrumb/toc.json", + "ROBOTS": "INDEX, FOLLOW", + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "jdecker", + "ms.date": "05/09/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.surface", + "folder_relative_path_in_docset": "./" + } + } }, - "externalReference": [ - ], + "externalReference": [], "template": "op.html", "dest": "devices/surface", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md index e2b4142c11..3d04792b01 100644 
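Review bot: the only functional change in this hunk is `"markdownEngineName": "dfm"` to `"markdig"`, and it is hidden inside a full reindent of docfx.json; it would be clearer as its own commit, or at least called out in the PR description, because that engine switch is what motivates every heading-space and list-indentation edit in the Surface .md files. Markdig is also stricter than dfm for files this PR does not touch (`#Heading` with no space after the hash, nested lists indented by fewer spaces than the item's content column), so a build preview of the whole docset is worth checking before merge.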
--- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md +++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md @@ -37,13 +37,13 @@ To create a Surface UEFI configuration package, follow these steps: 2. Click **Start**. 3. Click **Configuration Package**, as shown in Figure 1. - ![Create a package for SEMM enrollment](images\surface-ent-mgmt-fig1-uefi-configurator.png "Create a package for SEMM enrollment") + ![Create a package for SEMM enrollment](images/surface-ent-mgmt-fig1-uefi-configurator.png "Create a package for SEMM enrollment") *Figure 1. Select Configuration Package to create a package for SEMM enrollment and configuration* 4. Click **Certificate Protection** to add your exported certificate file with private key (.pfx), as shown in Figure 2. Browse to the location of your certificate file, select the file, and then click **OK**. - ![Add the SEM certificate and Surface UEFI password to configuration package](images\surface-ent-mgmt-fig2-securepackage.png "Add the SEM certificate and Surface UEFI password to configuration package") + ![Add the SEM certificate and Surface UEFI password to configuration package](images/surface-ent-mgmt-fig2-securepackage.png "Add the SEM certificate and Surface UEFI password to configuration package") *Figure 2. Add the SEMM certificate and Surface UEFI password to a Surface UEFI configuration package* 
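Review bot: the alt text on the Figure 2 link still says "Add the SEM certificate" while the caption under it says "SEMM certificate"; since that line is already being changed, fix the alt text to match. In the same hunk, step 4 tells the reader to add the exported certificate "with private key (.pfx)"; a short note that this private key, and the configuration package built from it, authorize UEFI changes on every enrolled device and should be stored and distributed with the same care as any signing key would help readers at this step.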
@@ -52,23 +52,23 @@ To create a Surface UEFI configuration package, follow these steps: 7. When you are prompted, enter and confirm your chosen password for Surface UEFI, and then click **OK**. If you want to clear an existing Surface UEFI password, leave the password field blank. 8. If you do not want the Surface UEFI package to apply to a particular device, on the **Choose which Surface type you want to target** page, click the slider beneath the corresponding Surface Book or Surface Pro 4 image so that it is in the **Off** position. (As shown in Figure 3.) - ![Choose devices for package compatibility](images\surface-semm-enroll-fig3.png "Choose devices for package compatibility") + ![Choose devices for package compatibility](images/surface-semm-enroll-fig3.png "Choose devices for package compatibility") *Figure 3. Choose the devices for package compatibility* 9. Click **Next**. 10. If you want to deactivate a component on managed Surface devices, on the **Choose which components you want to activate or deactivate** page, click the slider next to any device or group of devices you want to deactivate so that the slider is in the **Off** position. (Shown in Figure 4.) The default configuration for each device is **On**. Click the **Reset** button if you want to return all sliders to the default position. - ![Disable or enable Surface components](images\surface-ent-mgmt-fig3-enabledisable.png "Disable or enable Surface components") + ![Disable or enable Surface components](images/surface-ent-mgmt-fig3-enabledisable.png "Disable or enable Surface components") - *Figure 4. Disable or enable individual Surface components* + *Figure 4. Disable or enable individual Surface components* 11. Click **Next**. 12. To enable or disable advanced options in Surface UEFI or the display of Surface UEFI pages, on the **Choose the advanced settings for your devices** page, click the slider beside the desired setting to configure that option to **On** or **Off** (shown in Figure 5). 
In the **UEFI Front Page** section, you can use the sliders for **Security**, **Devices**, and **Boot** to control what pages are available to users who boot into Surface UEFI. (For more information about Surface UEFI settings, see [Manage Surface UEFI settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).) Click **Build** when you have finished selecting options to generate and save the package. - ![Control advanced Surface UEFI settings and Surface UEFI pages](images\surface-ent-mgmt-fig4-advancedsettings.png "Control advanced Surface UEFI settings and Surface UEFI pages") + ![Control advanced Surface UEFI settings and Surface UEFI pages](images/surface-ent-mgmt-fig4-advancedsettings.png "Control advanced Surface UEFI settings and Surface UEFI pages") - *Figure 5. Control advanced Surface UEFI settings and Surface UEFI pages with SEMM* + *Figure 5. Control advanced Surface UEFI settings and Surface UEFI pages with SEMM* 13. In the **Save As** dialog box, specify a name for the Surface UEFI configuration package, browse to the location where you would like to save the file, and then click **Save**. 14. When the package is created and saved, the **Successful** page is displayed. @@ -76,7 +76,7 @@ To create a Surface UEFI configuration package, follow these steps: >[!NOTE] >Record the certificate thumbprint characters that are displayed on this page, as shown in Figure 6. You will need these characters to confirm enrollment of new Surface devices in SEMM. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator. -![Display of certificate thumbprint characters](images\surface-ent-mgmt-fig5-success.png "Display of certificate thumbprint characters") +![Display of certificate thumbprint characters](images/surface-ent-mgmt-fig5-success.png "Display of certificate thumbprint characters") *Figure 6. The last two characters of the certificate thumbprint are displayed on the Successful page* 
@@ -88,7 +88,7 @@ Now that you have created your Surface UEFI configuration package, you can enrol ## Enroll a Surface device in SEMM When the Surface UEFI configuration package is executed, the SEMM certificate and Surface UEFI configuration files are staged in the firmware storage of the Surface device. When the Surface device reboots, Surface UEFI processes these files and begins the process of applying the Surface UEFI configuration or enrolling the Surface device in SEMM, as shown in Figure 7. -![SEMM process for configuration of Surface UEFI or enrollment](images\surface-semm-enroll-fig7.png "SEMM process for configuration of Surface UEFI or enrollment") +![SEMM process for configuration of Surface UEFI or enrollment](images/surface-semm-enroll-fig7.png "SEMM process for configuration of Surface UEFI or enrollment") *Figure 7. The SEMM process for configuration of Surface UEFI or enrollment of a Surface device* 
@@ -100,12 +100,12 @@ To enroll a Surface device in SEMM with a Surface UEFI configuration package, fo 2. Select the **I accept the terms in the License Agreement** check box to accept the End User License Agreement (EULA), and then click **Install** to begin the installation process. 3. Click **Finish** to complete the Surface UEFI configuration package installation and restart the Surface device when you are prompted to do so. 4. Surface UEFI will load the configuration file and determine that SEMM is not enabled on the device. Surface UEFI will then begin the SEMM enrollment process, as follows: - * Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate. - * Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8. + * Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate. + * Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8. - ![SEMM enrollment requires last two characters of certificate thumbprint](images\surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint") + ![SEMM enrollment requires last two characters of certificate thumbprint](images/surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint") - *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint* + *Figure 8. Enrollment in SEMM requires the last two characters of the certificate thumbprint* * Surface UEFI will store the SEMM certificate in firmware and apply the configuration settings that are specified in the Surface UEFI configuration file. 
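Review bot: "Surface UEFI will prompt you to enter to enter the last two characters" carries the duplicated "to enter" from the removed line into the added one; drop the duplicate while this line is being rewritten.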
@@ -113,17 +113,17 @@ To enroll a Surface device in SEMM with a Surface UEFI configuration package, fo You can verify that a Surface device has been successfully enrolled in SEMM by looking for **Microsoft Surface Configuration Package** in **Programs and Features** (as shown in Figure 9), or in the events stored in the **Microsoft Surface UEFI Configurator** log, found under **Applications and Services Logs** in Event Viewer (as shown in Figure 10). -![Verify enrollment of Surface device in SEMM in Programs and Features](images\surface-semm-enroll-fig9.png "Verify enrollment of Surface device in SEMM in Programs and Features") +![Verify enrollment of Surface device in SEMM in Programs and Features](images/surface-semm-enroll-fig9.png "Verify enrollment of Surface device in SEMM in Programs and Features") *Figure 9. Verify the enrollment of a Surface device in SEMM in Programs and Features* -![Verify enrollment of Surface device in SEMM in Event Viewer](images\surface-semm-enroll-fig10.png "Verify enrollment of Surface device in SEMM in Event Viewer") +![Verify enrollment of Surface device in SEMM in Event Viewer](images/surface-semm-enroll-fig10.png "Verify enrollment of Surface device in SEMM in Event Viewer") *Figure 10. Verify the enrollment of a Surface device in SEMM in Event Viewer* You can also verify that the device is enrolled in SEMM in Surface UEFI – while the device is enrolled, Surface UEFI will contain the **Enterprise management** page (as shown in Figure 11). -![Surface UEFI Enterprise management page](images\surface-semm-enroll-fig11.png "Surface UEFI Enterprise management page") +![Surface UEFI Enterprise management page](images/surface-semm-enroll-fig11.png "Surface UEFI Enterprise management page") *Figure 11. The Surface UEFI Enterprise management page* 
@@ -138,6 +138,6 @@ If you have secured Surface UEFI with a password, users without the password who If you have not secured Surface UEFI with a password or a user enters the password correctly, settings that are configured with SEMM will be dimmed (unavailable) and the text Some settings are managed by your organization will be displayed at the top of the page, as shown in Figure 12. -![Settings managed by SEMM disabled in Surface UEFI](images\surface-semm-enroll-fig12.png "Settings managed by SEMM disabled in Surface UEFI") +![Settings managed by SEMM disabled in Surface UEFI](images/surface-semm-enroll-fig12.png "Settings managed by SEMM disabled in Surface UEFI") *Figure 12. Settings managed by SEMM will be disabled in Surface UEFI* diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md index c43ff23e7d..d25c33688f 100644 --- a/devices/surface/manage-surface-uefi-settings.md +++ b/devices/surface/manage-surface-uefi-settings.md @@ -15,7 +15,7 @@ ms.reviewer: manager: dansimp --- -#Manage Surface UEFI settings +# Manage Surface UEFI settings Current and future generations of Surface devices, including Surface Pro 4, Surface Book, and Surface Studio, use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the device’s operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings. 
@@ -24,7 +24,7 @@ Current and future generations of Surface devices, including Surface Pro 4, Surf You can enter the Surface UEFI settings on your Surface device by pressing the **Volume Up** button and the **Power** button simultaneously. Hold the **Volume Up** button until the Surface logo is displayed, which indicates that the device has begun to boot. -##PC information +## PC information On the **PC information** page, detailed information about your Surface device is provided: @@ -52,7 +52,7 @@ You will also find detailed information about the firmware of your Surface devic You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) for your device. -##Security +## Security On the **Security** page of Surface UEFI settings, you can set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2): @@ -82,7 +82,7 @@ You can also enable or disable the Trusted Platform Module (TPM) device on the * *Figure 4. Configure Surface UEFI security settings* -##Devices +## Devices On the **Devices** page you can enable or disable specific devices and components of your Surface device. Devices that you can enable or disable on this page include: @@ -106,7 +106,7 @@ Each device is listed with a slider button that you can move to **On** (enabled) *Figure 5. Enable and disable specific devices* -##Boot configuration +## Boot configuration On the **Boot Configuration** page, you can change the order of your boot devices and/or enable or disable boot of the following devices: 
@@ -128,7 +128,7 @@ For the specified boot order to take effect, you must set the **Enable Alternate You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only. -##About +## About The **About** page displays regulatory information, such as compliance with FCC rules, as shown in Figure 7. @@ -136,7 +136,7 @@ The **About** page displays regulatory information, such as compliance with FCC *Figure 7. Regulatory information displayed on the About page* -##Exit +## Exit Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8. diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 2329f1180e..3688553be3 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md 
@@ -76,77 +76,77 @@ To create a Microsoft Surface Data Eraser USB stick, first install the Microsoft After the creation tool is installed, follow these steps to create a Microsoft Surface Data Eraser USB stick. Before you begin these steps, ensure that you have a USB 3.0 stick that is 4 GB or larger connected to the computer. -1. Start Microsoft Surface Data Eraser from the Start menu or Start screen. +1. Start Microsoft Surface Data Eraser from the Start menu or Start screen. -2. Click **Build** to begin the Microsoft Surface Data Eraser USB creation process. +2. Click **Build** to begin the Microsoft Surface Data Eraser USB creation process. -3. Click **Start** to acknowledge that you have a USB stick of at least 4 GB connected, as shown in Figure 1. +3. Click **Start** to acknowledge that you have a USB stick of at least 4 GB connected, as shown in Figure 1. - ![Start the Microsoft Surface Data Eraser tool](images/dataeraser-start-tool.png "Start the Microsoft Surface Data Eraser tool") + ![Start the Microsoft Surface Data Eraser tool](images/dataeraser-start-tool.png "Start the Microsoft Surface Data Eraser tool") - *Figure 1. Start the Microsoft Surface Data Eraser tool* + *Figure 1. Start the Microsoft Surface Data Eraser tool* -4. Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 2, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost. +4. Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 2, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost. - >[!NOTE] - >If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB. 
-   - ![USB thumb drive selection](images/dataeraser-usb-selection.png "USB thumb drive selection") + >[!NOTE] + >If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB. + + ![USB thumb drive selection](images/dataeraser-usb-selection.png "USB thumb drive selection") - *Figure 2. USB thumb drive selection* + *Figure 2. USB thumb drive selection* -5. After the creation process is finished, the USB drive has been formatted and all binaries are copied to the USB drive. Click **Success**. +5. After the creation process is finished, the USB drive has been formatted and all binaries are copied to the USB drive. Click **Success**. -6. When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 3. +6. When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 3. - ![Surface Data Eraser USB creation process](images/dataeraser-complete-process.png "Surface Data Eraser USB creation process") + ![Surface Data Eraser USB creation process](images/dataeraser-complete-process.png "Surface Data Eraser USB creation process") - *Figure 3. Complete the Microsoft Surface Data Eraser USB creation process* + *Figure 3. Complete the Microsoft Surface Data Eraser USB creation process* -7. Click **X** to close Microsoft Surface Data Eraser. +7. Click **X** to close Microsoft Surface Data Eraser. ## How to use a Microsoft Surface Data Eraser USB stick After you create a Microsoft Surface Data Eraser USB stick, you can boot a supported Surface device from the USB stick by following this procedure: -1. 
Insert the bootable Microsoft Surface Data Eraser USB stick into the supported Surface device. +1. Insert the bootable Microsoft Surface Data Eraser USB stick into the supported Surface device. -2. Boot your Surface device from the Microsoft Surface Data Eraser USB stick. To boot your device from the USB stick follow these steps: +2. Boot your Surface device from the Microsoft Surface Data Eraser USB stick. To boot your device from the USB stick follow these steps: - a. Turn off your Surface device. + a. Turn off your Surface device. - b. Press and hold the **Volume Down** button. + b. Press and hold the **Volume Down** button. - c. Press and release the **Power** button. + c. Press and release the **Power** button. - d. Release the **Volume Down** button. + d. Release the **Volume Down** button. - >[!NOTE] - >If your device does not boot to USB using these steps, you may need to turn on the **Enable Alternate Boot Sequence** option in Surface UEFI. You can read more about Surface UEFI boot configuration in [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). + >[!NOTE] + >If your device does not boot to USB using these steps, you may need to turn on the **Enable Alternate Boot Sequence** option in Surface UEFI. You can read more about Surface UEFI boot configuration in [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). -3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 4. +3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 4. - ![Booting the Microsoft Surface Data Eraser USB stick](images/data-eraser-3.png "Booting the Microsoft Surface Data Eraser USB stick") + ![Booting the Microsoft Surface Data Eraser USB stick](images/data-eraser-3.png "Booting the Microsoft Surface Data Eraser USB stick") - *Figure 4. 
Booting the Microsoft Surface Data Eraser USB stick* + *Figure 4. Booting the Microsoft Surface Data Eraser USB stick* -4. Read the software license terms, and then close the Notepad file. +4. Read the software license terms, and then close the Notepad file. -5. Accept or decline the software license terms by typing **Accept** or **Decline**. You must accept the license terms to continue. +5. Accept or decline the software license terms by typing **Accept** or **Decline**. You must accept the license terms to continue. -6. The Microsoft Surface Data Eraser script detects the storage devices that are present in your Surface device and displays the details of the native storage device. To continue, press **Y** (this action runs Microsoft Surface Data Eraser and removes all data from the storage device) or press **N** (this action shuts down the device without removing data). +6. The Microsoft Surface Data Eraser script detects the storage devices that are present in your Surface device and displays the details of the native storage device. To continue, press **Y** (this action runs Microsoft Surface Data Eraser and removes all data from the storage device) or press **N** (this action shuts down the device without removing data). - >[!NOTE] - >The Microsoft Surface Data Eraser tool will delete all data, including Windows operating system files required to boot the device, in a secure and unrecoverable way. To boot a Surface device that has been wiped with Microsoft Surface Data Eraser, you will first need to reinstall the Windows operating system. To remove data from a Surface device without removing the Windows operating system, you can use the **Reset your PC** function. However, this does not prevent your data from being recovered with forensic or data recovery capabilities. See [Recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options) for more information. 
+ >[!NOTE] + >The Microsoft Surface Data Eraser tool will delete all data, including Windows operating system files required to boot the device, in a secure and unrecoverable way. To boot a Surface device that has been wiped with Microsoft Surface Data Eraser, you will first need to reinstall the Windows operating system. To remove data from a Surface device without removing the Windows operating system, you can use the **Reset your PC** function. However, this does not prevent your data from being recovered with forensic or data recovery capabilities. See [Recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options) for more information. - ![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed") + ![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed") - *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser* + *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser* -7. If you pressed **Y** in step 6, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice. +7. If you pressed **Y** in step 6, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice. -8. Click the **Yes** button to continue erasing data on the Surface device. +8. Click the **Yes** button to continue erasing data on the Surface device. >[!NOTE] >When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the **SurfaceDataEraserLogs** folder. diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index 0a29da23dd..7ce3009574 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md 
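Review bot: this hunk is whitespace-only across all 77 lines, and the flattened view does not show the exact indentation, so please check the rendered output of steps 4 and 6, where a `>[!NOTE]` block and a figure are nested under a numbered item: with markdig those lines must be indented to the item's content column, otherwise they break out of the list and the steps that follow are renumbered.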
@@ -47,94 +47,94 @@ The tool installs in the SDA program group, as shown in Figure 2. >[!NOTE] >At this point, the tool has not yet prepared any deployment environment or downloaded any materials from the Internet. -  + ## Create a deployment share -The following steps show you how to create a deployment share for Windows 10 that supports Surface 3, Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, the Surface Asset Tag Tool, and Office 365. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps. +The following steps show you how to create a deployment share for Windows 10 that supports Surface 3, Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, the Surface Asset Tag Tool, and Office 365. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps. >[!NOTE] ->SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice. +>SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice. -  -1. Open the SDA wizard by double-clicking the icon in the **Surface Deployment Accelerator** program group on the Start screen. -2. On the **Welcome** page, click **Next** to continue. +1. Open the SDA wizard by double-clicking the icon in the **Surface Deployment Accelerator** program group on the Start screen. -3. 
On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue. +2. On the **Welcome** page, click **Next** to continue. - >[!NOTE] - >As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows: - > * Deployment tools - > * User State Migration Tool (USMT) - > * Windows Preinstallation Environment (WinPE)

            +3. On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue. - >[!NOTE] - >As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1. + > [!NOTE] + > As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows: + > * Deployment tools + > * User State Migration Tool (USMT) + > * Windows Preinstallation Environment (WinPE)

            + > + > [!NOTE] + > As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1. -4. On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue. +4. On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue. -5. On the **Windows 10** page, to create a Windows 10 deployment share, select the **Would you like to support Windows 10** check box. Supply the following information before you click **Next** to continue: +5. On the **Windows 10** page, to create a Windows 10 deployment share, select the **Would you like to support Windows 10** check box. Supply the following information before you click **Next** to continue: - - **Configure Deployment Share for Windows 10** + - **Configure Deployment Share for Windows 10** - - **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3. + - **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3. - - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**. 
+ - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**. - - **Windows 10 Deployment Services** + - **Windows 10 Deployment Services** - - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot. + - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot. - - **Windows 10 Source Files** + - **Windows 10 Source Files** - - **Local Path** – Specify or browse to the root directory of Windows 10 installation files. If you have an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of source files, not just **Install.wim**. + - **Local Path** – Specify or browse to the root directory of Windows 10 installation files. If you have an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of source files, not just **Install.wim**. 
- ![Specify Windows 10 deployment share options](images/sdasteps-fig3.png "Specify Windows 10 deployment share options") + ![Specify Windows 10 deployment share options](images/sdasteps-fig3.png "Specify Windows 10 deployment share options") - *Figure 3. Specify Windows 10 deployment share options* + *Figure 3. Specify Windows 10 deployment share options* -6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface 3 and Surface Pro 3 and cannot be selected unless Surface 3 or Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue. +6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface 3 and Surface Pro 3 and cannot be selected unless Surface 3 or Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue. - ![Firmware tool selection](images/sdasteps-fig4-select.png "Firmware tool selection") + ![Firmware tool selection](images/sdasteps-fig4-select.png "Firmware tool selection") - *Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers* + *Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers* - >[!NOTE] - >You cannot select both Surface 3 and Surface 3 LTE models at the same time. + >[!NOTE] + >You cannot select both Surface 3 and Surface 3 LTE models at the same time. -7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. 
The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes: +7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes: - - Download of Windows ADK + - Download of Windows ADK - - Installation of Windows ADK + - Installation of Windows ADK - - Download of MDT + - Download of MDT - - Installation of MDT + - Installation of MDT - - Download of Surface apps and drivers + - Download of Surface apps and drivers - - Creation of the deployment share + - Creation of the deployment share - - Import of Windows installation files into the deployment share + - Import of Windows installation files into the deployment share - - Import of the apps and drivers into the deployment share + - Import of the apps and drivers into the deployment share - - Creation of rules and task sequences for Windows deployment + - Creation of rules and task sequences for Windows deployment - ![The installatin progress window](images/sdasteps-fig5-installwindow.png "The installatin progress window") + ![The installatin progress window](images/sdasteps-fig5-installwindow.png "The installatin progress window") - *Figure 5. The Installation Progress window* ->[!NOTE] ->The following error message may be hit while Installing the latest ADK or MDT: "An exception occurred during a WebClient request.". This is due to incompatibility between SDA and BITS. Here is the workaround for this: + *Figure 5. 
The Installation Progress window* + >[!NOTE] + >The following error message may be hit while Installing the latest ADK or MDT: "An exception occurred during a WebClient request.". This is due to incompatibility between SDA and BITS. Here is the workaround for this: - ``` -In the following two PowerShell scripts: -%ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\Install-MDT.ps1 -%ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\INSTALL-WindowsADK.ps1 + ``` + In the following two PowerShell scripts: + %ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\Install-MDT.ps1 + %ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\INSTALL-WindowsADK.ps1 Edit the $BITSTransfer variable in the input parameters to $False as shown below: @@ -147,7 +147,7 @@ Param( [string]$BITSTransfer = $False ) ``` - + 8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices. ### Optional: Create a deployment share without an Internet connection @@ -170,7 +170,7 @@ If you are unable to connect to the Internet with your deployment server, or if >[!NOTE] >The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later. -  + ### Optional: Prepare offline USB media 
@@ -179,7 +179,7 @@ You can use USB media to perform an SDA deployment if your Surface device is una >[!NOTE] >The offline media files for the complete SDA deployment share are approximately 9 GB in size. Your USB drive must be at least 9 GB in size. A 16 GB USB drive is recommended. -  + Before you can create bootable media files within the MDT Deployment Workbench or copy those files to a USB drive, you must first configure that USB drive to be bootable. Using [DiskPart](https://go.microsoft.com/fwlink/p/?LinkId=761073), create a partition, format the partition as FAT32, and set the partition to be active. To run DiskPart, open an administrative PowerShell or Command Prompt window, and then run the following sequence of commands, as shown in Figure 7: @@ -211,7 +211,7 @@ Before you can create bootable media files within the MDT Deployment Workbench o >[!NOTE] >You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the partition as active for the drive to boot properly. -   + After you have prepared the USB drive for boot, the next step is to generate offline media from the SDA deployment share. To create this media, follow these steps: @@ -264,7 +264,6 @@ After you have prepared the USB drive for boot, the next step is to generate off 18. Press **Ctrl+A** to select all of the text in the window, then press **Ctrl+V** to paste the text from the SDA deployment share Bootstrap.ini file. 19. Delete the following lines from the Bootstrap.ini as shown in Figure 11, and then save the file: - ``` UserID= UserDomain= 
@@ -356,7 +355,7 @@ To perform a deployment from the SDA deployment share, follow this process on th ### Boot the Surface device from the network -To boot the Surface device from the network, the Microsoft Surface Deployment Accelerator wizard must have been run on a Windows Server 2012 R2 or later environment that was configured with the Windows Deployment Services (WDS). WDS must have been configured to respond to network boot (PXE boot) requests and the boot files must have been imported into WDS. The SDA wizard will import these file automatically if the **Import boot media into the local Windows Deployment Service** check box was selected on the page for the version of Windows you intend to deploy. +To boot the Surface device from the network, the Microsoft Surface Deployment Accelerator wizard must have been run on a Windows Server 2012 R2 or later environment that was configured with the Windows Deployment Services (WDS). WDS must have been configured to respond to network boot (PXE boot) requests and the boot files must have been imported into WDS. The SDA wizard will import these file automatically if the **Import boot media into the local Windows Deployment Service** check box was selected on the page for the version of Windows you intend to deploy. To boot the Surface device from the network, you must also use a Microsoft Surface Ethernet Adapter or the Ethernet port on a Microsoft Surface Dock. Third-party Ethernet adapters are not supported for network boot (PXE boot). A keyboard is also required. Both the Microsoft Surface Type Cover and keyboards connected via USB to the device or dock are supported. 
@@ -366,7 +365,7 @@ To instruct your Surface device to boot from the network, start with the device 2. Press **Enter** when prompted by the dialog on the screen. This prompt indicates that your device has found the WDS PXE server over the network. -3. If you have configured more than one deployment share on this device, you will be prompted to select between the boot images for each deployment share. For example, if you created both a Windows 10 and a Windows 8.1 deployment share, you will be prompted to choose between these two options. +3. If you have configured more than one deployment share on this device, you will be prompted to select between the boot images for each deployment share. For example, if you created both a Windows 10 and a Windows 8.1 deployment share, you will be prompted to choose between these two options. 4. Enter the domain credentials that you use to log on to the server where SDA is installed when you are prompted, as shown in Figure 14. @@ -416,9 +415,9 @@ To run the Deploy Microsoft Surface task sequence: 8. When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to complete the deployment and begin using your Surface device. -  - -  + + + diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md index 587338a7ff..a6099038b0 100644 --- a/devices/surface/support-solutions-surface.md +++ b/devices/surface/support-solutions-surface.md 
@@ -28,7 +28,7 @@ These are the top Microsoft Support solutions for common issues experienced when - [Cracked screen and physical damage](https://www.microsoft.com/surface/support/warranty-service-and-recovery/surface-is-damaged) -##Device cover or keyboard issues +## Device cover or keyboard issues - [Troubleshoot your Surface Type Cover or keyboard](https://www.microsoft.com/surface/support/hardware-and-drivers/troubleshoot-surface-keyboards) - [Troubleshoot problems with Surface Keyboard, Surface Ergonomic Keyboard, and Microsoft Modern Keyboard with Fingerprint ID](https://www.microsoft.com/surface/support/touch-mouse-and-search/surface-keyboard-troubleshooting) @@ -56,10 +56,10 @@ These are the top Microsoft Support solutions for common issues experienced when -  + -  + diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md index d729fecdd7..6531857a06 100644 --- a/devices/surface/unenroll-surface-devices-from-semm.md +++ b/devices/surface/unenroll-surface-devices-from-semm.md 
@@ -29,7 +29,7 @@ The Surface UEFI reset package is the primary method you use to unenroll a Surfa Reset packages are created specifically for an individual Surface device. To begin the process of creating a reset package, you will need the serial number of the device you want to unenroll, as well as the SEMM certificate used to enroll the device. You can find the serial number of your Surface device on the **PC information** page of Surface UEFI, as shown in Figure 1. This page is displayed even if Surface UEFI is password protected and the incorrect password is entered. -![Serial number of Surface device is displayed](images\surface-semm-unenroll-fig1.png "Serial number of Surface device is displayed") +![Serial number of Surface device is displayed](images/surface-semm-unenroll-fig1.png "Serial number of Surface device is displayed") *Figure 1. The serial number of the Surface device is displayed on the Surface UEFI PC information page* 
@@ -42,20 +42,20 @@ To create a Surface UEFI reset package, follow these steps: 2. Click **Start**. 3. Click **Reset Package**, as shown in Figure 2. - ![Select Reset Package to create a package to unenroll Surface device from SEMM](images\surface-semm-unenroll-fig2.png "Select Reset Package to create a package to unenroll Surface device from SEMM") + ![Select Reset Package to create a package to unenroll Surface device from SEMM](images/surface-semm-unenroll-fig2.png "Select Reset Package to create a package to unenroll Surface device from SEMM") *Figure 2. Click Reset Package to create a package to unenroll a Surface device from SEMM* 4. Click **Certificate Protection** to add your SEMM certificate file with private key (.pfx), as shown in Figure 3. Browse to the location of your certificate file, select the file, and then click **OK**. - ![Add the SEMM certificate to Surface UEFI reset package](images\surface-semm-unenroll-fig3.png "Add the SEMM certificate to Surface UEFI reset package") + ![Add the SEMM certificate to Surface UEFI reset package](images/surface-semm-unenroll-fig3.png "Add the SEMM certificate to Surface UEFI reset package") *Figure 3. Add the SEMM certificate to a Surface UEFI reset package* 5. Click **Next**. 6. Type the serial number of the device you want to unenroll from SEMM (as shown in Figure 4), and then click **Build** to generate the Surface UEFI reset package. - ![Create a Surface UEFI reset package with serial number of Surface device](images\surface-semm-unenroll-fig4.png "Create a Surface UEFI reset package with serial number of Surface device") + ![Create a Surface UEFI reset package with serial number of Surface device](images/surface-semm-unenroll-fig4.png "Create a Surface UEFI reset package with serial number of Surface device") *Figure 4. Use the serial number of your Surface device to create a Surface UEFI reset package* 
@@ -64,7 +64,7 @@ To create a Surface UEFI reset package, follow these steps: Run the Surface UEFI reset package Windows Installer (.msi) file on the Surface device to unenroll the device from SEMM. The reset package will require a reboot to perform the unenroll operation. After the device has been unenrolled, you can verify the successful removal by ensuring that the **Microsoft Surface Configuration Package** item in **Programs and Features** (shown in Figure 5) is no longer present. -![Screen that shows device is enrolled in SEMM](images\surface-semm-unenroll-fig5.png "Screen that shows device is enrolled in SEMM") +![Screen that shows device is enrolled in SEMM](images/surface-semm-unenroll-fig5.png "Screen that shows device is enrolled in SEMM") *Figure 5. The presence of the Microsoft Surface Configuration Package item in Programs and Features indicates that the device is enrolled in SEMM* @@ -80,7 +80,7 @@ To initiate a Recovery Request, follow these steps: 2. Type the Surface UEFI password if you are prompted to do so. 3. Click the **Enterprise management** page, as shown in Figure 6. - ![Enterprise Management page](images\surface-semm-unenroll-fig6.png "Enterprise Management page") + ![Enterprise Management page](images/surface-semm-unenroll-fig6.png "Enterprise Management page") *Figure 6. The Enterprise management page is displayed in Surface UEFI on devices enrolled in SEMM* 
@@ -90,17 +90,17 @@ To initiate a Recovery Request, follow these steps: >A Recovery Request expires two hours after it is created. If a Recovery Request is not completed in this time, you will have to restart the Recovery Request process. 6. Select **SEMM Certificate** from the list of certificates displayed on the **Choose a SEMM reset key** page (shown in Figure 7), and then click or press **Next**. - ![Select SEMM certificate for your Recovery Request](images\surface-semm-unenroll-fig7.png "Select SEMM certificate for your Recovery Request") + ![Select SEMM certificate for your Recovery Request](images/surface-semm-unenroll-fig7.png "Select SEMM certificate for your Recovery Request") *Figure 7. Choose SEMM Certificate for your Recovery Request (Reset Request)* 7. On the **Enter SEMM reset verification code** page you can click the **QR Code** or **Text** buttons to display your Recovery Request (Reset Request) as shown in Figure 8, or the **USB** button to save your Recovery Request (Reset Request) as a file to a USB drive, as shown in Figure 9. - ![Recovery Request displayed as a QR Code](images\surface-semm-unenroll-fig8.png "Recovery Request displayed as a QR Code") + ![Recovery Request displayed as a QR Code](images/surface-semm-unenroll-fig8.png "Recovery Request displayed as a QR Code") *Figure 8. A Recovery Request (Reset Request) displayed as a QR Code* - ![Save a recovery request to a USB drive](images\surface-semm-unenroll-fig9.png "Save a recovery request to a USB drive") + ![Save a recovery request to a USB drive](images/surface-semm-unenroll-fig9.png "Save a recovery request to a USB drive") *Figure 9. Save a Recovery Request (Reset Request) to a USB drive* 
@@ -114,43 +114,43 @@ To initiate a Recovery Request, follow these steps: 9. Click **Start**. 10. Click **Recovery Request**, as shown in Figure 10. - ![Start process to approve a Recovery Request](images\surface-semm-unenroll-fig10.png "Start process to approve a Recovery Request") + ![Start process to approve a Recovery Request](images/surface-semm-unenroll-fig10.png "Start process to approve a Recovery Request") - *Figure 10. Click Recovery Request to begin the process to approve a Recovery Request* + *Figure 10. Click Recovery Request to begin the process to approve a Recovery Request* 11. Click **Certificate Protection** to authenticate the Recovery Request with the SEMM certificate. 12. Browse to and select your SEMM certificate file, and then click **OK**. 13. When you are prompted to enter the certificate password as shown in Figure 11, type and confirm the password for the certificate file, and then click **OK**. - ![Type password for SEMM certificate](images\surface-semm-unenroll-fig11.png "Type password for SEMM certificate") + ![Type password for SEMM certificate](images/surface-semm-unenroll-fig11.png "Type password for SEMM certificate") - *Figure 11. Type the password for the SEMM certificate* + *Figure 11. Type the password for the SEMM certificate* 14. Click **Next**. 15. Enter the Recovery Request (Reset Request), and then click **Generate** to create a reset verification code (as shown in Figure 12). - ![Enter the recovery request](images\surface-semm-unenroll-fig12.png "Enter the recovery request") + ![Enter the recovery request](images/surface-semm-unenroll-fig12.png "Enter the recovery request") - *Figure 12. Enter the Recovery Request (Reset Request)* + *Figure 12. Enter the Recovery Request (Reset Request)* - * If you displayed the Recovery Request (Reset Request) as text on the Surface device being reset, use the keyboard to type the Recovery Request (Reset Request) in the provided field. 
- * If you displayed the Recovery Request (Reset Request) as a QR Code and then used a messaging or email application to send the code to the computer with Microsoft Surface UEFI Configurator, copy and paste the code into the provided field. - * If you saved the Recovery Request (Reset Request) as a file to a USB drive, click the **Import** button, browse to and select the Recovery Request (Reset Request) file, and then click **OK**. + * If you displayed the Recovery Request (Reset Request) as text on the Surface device being reset, use the keyboard to type the Recovery Request (Reset Request) in the provided field. + * If you displayed the Recovery Request (Reset Request) as a QR Code and then used a messaging or email application to send the code to the computer with Microsoft Surface UEFI Configurator, copy and paste the code into the provided field. + * If you saved the Recovery Request (Reset Request) as a file to a USB drive, click the **Import** button, browse to and select the Recovery Request (Reset Request) file, and then click **OK**. 16. The reset verification code is displayed in Microsoft Surface UEFI Configurator, as shown in Figure 13. - ![Display of the reset verification code](images\surface-semm-unenroll-fig13.png "Display of the reset verification code") + ![Display of the reset verification code](images/surface-semm-unenroll-fig13.png "Display of the reset verification code") - *Figure 13. The reset verification code displayed in Microsoft Surface UEFI Configurator* + *Figure 13. The reset verification code displayed in Microsoft Surface UEFI Configurator* - * Click the **Share** button to send the reset verification code by email. + * Click the **Share** button to send the reset verification code by email. 17. Enter the reset verification code in the provided field on the Surface device (shown in Figure 8), and then click or press **Verify** to reset the device and unenroll the device from SEMM. 18. 
Click or press **Restart now** on the **SEMM reset successful** page to complete the unenrollment from SEMM, as shown in Figure 14. - ![Example display of successful unenrollment from SEMM](images\surface-semm-unenroll-fig14.png "Example display of successful unenrollment from SEMM") + ![Example display of successful unenrollment from SEMM](images/surface-semm-unenroll-fig14.png "Example display of successful unenrollment from SEMM") - *Figure 14. Successful unenrollment from SEMM* + *Figure 14. Successful unenrollment from SEMM* 19. Click **End** in Microsoft Surface UEFI Configurator to complete the Recovery Request (Reset Request) process and close Microsoft Surface UEFI Configurator. diff --git a/devices/surface/update.md b/devices/surface/update.md index c18804e78b..0a3a4b4a5d 100644 --- a/devices/surface/update.md +++ b/devices/surface/update.md @@ -25,7 +25,7 @@ Find out how to download and manage the latest firmware and driver updates for y | [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.| | [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.| | [Surface Dock Updater](surface-dock-updater.md)| Get a detailed walkthrough of Microsoft Surface Dock Updater.| -  + ## Related topics @@ -33,9 +33,9 @@ Find out how to download and manage the latest firmware and driver updates for y [Surface for IT pros blog](http://blogs.technet.com/b/surface/) -  + -  + diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md index 35f35c3e68..72f123de7f 100644 --- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md 
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md 
@@ -72,28 +72,28 @@ In the import process example shown in the [Deploy Windows 10 to Surface devices 2. Extract the contents of the Surface Pro 3 firmware and driver pack archive file to a temporary folder. Keep the driver files separate from other drivers or files. 3. Open the Deployment Workbench and expand the Deployment Shares node and your deployment share. 4. If you have not already created a folder structure by operating system version, you should do so next. Under the **Windows 10 x64** folder, create a new folder for Surface Pro 3 drivers named **Surface Pro 3**. Your Out-of-Box Drivers folder should resemble the following structure: - * WinPE x86 - * WinPE x64 - * Windows 10 x64 - * Microsoft Corporation - * Surface Pro 4 - * Surface Pro 3 + * WinPE x86 + * WinPE x64 + * Windows 10 x64 + * Microsoft Corporation + * Surface Pro 4 + * Surface Pro 3 5. Right-click the **Surface Pro 3** folder, and then click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1. - ![Import Surface Pro 3 drivers for Windows 10](images\surface-upgrademdt-fig1.png "Import Surface Pro 3 drivers for Windows 10") + ![Import Surface Pro 3 drivers for Windows 10](images/surface-upgrademdt-fig1.png "Import Surface Pro 3 drivers for Windows 10") - *Figure 1. Import Surface Pro 3 drivers for Windows 10* + *Figure 1. Import Surface Pro 3 drivers for Windows 10* 6. The Import Driver Wizard displays a series of steps, as follows: - - **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 3 firmware and drivers in Step 1. - - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - - **Progress** – While the drivers are imported, a progress bar is displayed on this page. - - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Drivers Wizard. 
+ - **Specify Directory** – Click **Browse** and navigate to the folder where you extracted the Surface Pro 3 firmware and drivers in Step 1. + - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. + - **Progress** – While the drivers are imported, a progress bar is displayed on this page. + - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete Import Drivers Wizard. 7. Select the **Surface Pro 3** folder and verify that the folder now contains the drivers that were imported, as shown in Figure 2. - ![Drivers for Surface Pro 3 imported and organized in the MDT deployment share](images\surface-upgrademdt-fig2.png "Drivers for Surface Pro 3 imported and organized in the MDT deployment share") + ![Drivers for Surface Pro 3 imported and organized in the MDT deployment share](images/surface-upgrademdt-fig2.png "Drivers for Surface Pro 3 imported and organized in the MDT deployment share") - *Figure 2. Drivers for Surface Pro 3 imported and organized in the MDT deployment share* + *Figure 2. Drivers for Surface Pro 3 imported and organized in the MDT deployment share* ### Import applications 
@@ -109,17 +109,17 @@ Create the upgrade task sequence with the following process: 1. In the Deployment Workbench under your Deployment Share, right-click the **Task Sequences** folder, and then click **New Task Sequence** to start the New Task Sequence Wizard. 2. Use these steps to create the deployment task sequence with the New Task Sequence Wizard: - - **General Settings** – Enter an identifier for the deployment task sequence in the Task Sequence ID field, a name for the deployment task sequence in the Task Sequence Name field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, and then click **Next**. - >[!NOTE] - >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters. - - **Select Template** – Select **Standard Client Upgrade Task Sequence** from the drop-down menu, and then click **Next**. - - **Select OS** – Navigate to and select the Windows image that you imported, and then click **Next**. - - **Specify Product Key** – Select the product key entry that fits your organization’s licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**. - - **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**. - - **Admin Password** – Select **Use the Specified Local Administrator Password** and enter a password in the provided fields, and then click **Next**. - - **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence. 
- - **Progress** – While the task sequence is being created, a progress bar is displayed on this page. - - **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete New Task Sequence Wizard. + - **General Settings** – Enter an identifier for the deployment task sequence in the Task Sequence ID field, a name for the deployment task sequence in the Task Sequence Name field, and any comments for the deployment task sequence in the **Task Sequence Comments** field, and then click **Next**. + >[!NOTE] + >The **Task Sequence ID** field cannot contain spaces and can be a maximum of 16 characters. + - **Select Template** – Select **Standard Client Upgrade Task Sequence** from the drop-down menu, and then click **Next**. + - **Select OS** – Navigate to and select the Windows image that you imported, and then click **Next**. + - **Specify Product Key** – Select the product key entry that fits your organization’s licensing system. The **Do Not Specify a Product Key at This Time** option can be used for systems that will be activated via Key Management Services (KMS) or Active Directory Based Activation (ADBA). A product key can be specified specifically if your organization uses Multiple Activation Keys (MAK). Click **Next**. + - **OS Settings** – Enter a name and organization for registration of Windows, and a home page URL for users when they browse the Internet in the **Full Name**, **Organization**, and **Internet Explorer Home Page** fields, and then click **Next**. + - **Admin Password** – Select **Use the Specified Local Administrator Password** and enter a password in the provided fields, and then click **Next**. + - **Summary** – Review the specified configuration on this page before you click **Next** to begin creation of the task sequence. + - **Progress** – While the task sequence is being created, a progress bar is displayed on this page. 
+ - **Confirmation** – When the task sequence creation completes, the success of the process is displayed on this page. Click **Finish** to complete New Task Sequence Wizard. After the task sequence is created, you can modify some additional settings to provide additional automation of the task sequence and require less interaction during deployment. Follow these steps to modify the task sequence: @@ -131,9 +131,9 @@ After the task sequence is created, you can modify some additional settings to p 6. Between the two Windows Update steps is an **Install Applications** step. Select that step and then click **Add**. 7. Hover the mouse over **General** under the **Add** menu, and then choose **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3. - ![A new Install Application step in the deployment task sequence](images\surface-upgrademdt-fig3.png "A new Install Application step in the deployment task sequence") + ![A new Install Application step in the deployment task sequence](images/surface-upgrademdt-fig3.png "A new Install Application step in the deployment task sequence") - *Figure 3. A new Install Application step in the deployment task sequence* + *Figure 3. A new Install Application step in the deployment task sequence* 8. On the **Properties** tab of the new **Install Application** step, enter **Install Surface App** in the **Name** field. 9. Select **Install a Single Application**, and then click **Browse** to view available applications that have been imported into the deployment share. 
@@ -142,22 +142,22 @@ After the task sequence is created, you can modify some additional settings to p 12. Open the **Add** menu again and choose **Set Task Sequence Variable** from under the **General** menu. 13. On the **Properties** tab of the new **Set Task Sequence Variable** step (as shown in Figure 4) configure the following options: - - **Name** – Set DriverGroup001 - - **Task Sequence Variable** – DriverGroup001 - - **Value** – Windows 10 x64\%Make%\%Model% + - **Name** – Set DriverGroup001 + - **Task Sequence Variable** – DriverGroup001 + - **Value** – Windows 10 x64\%Make%\%Model% - ![Configure a new Set Task Sequence Variable step in the deployment task sequence](images\surface-upgrademdt-fig4.png "Configure a new Set Task Sequence Variable step in the deployment task sequence") + ![Configure a new Set Task Sequence Variable step in the deployment task sequence](images/surface-upgrademdt-fig4.png "Configure a new Set Task Sequence Variable step in the deployment task sequence") - *Figure 4. Configure a new Set Task Sequence Variable step in the deployment task sequence* + *Figure 4. Configure a new Set Task Sequence Variable step in the deployment task sequence* 14. Select the **Inject Drivers** step, the next step in the task sequence. 15. On the **Properties** tab of the **Inject Drivers** step (as shown in Figure 5) configure the following options: - * In the **Choose a selection profile** drop-down menu, select **Nothing**. - * Click the **Install all drivers from the selection profile** button. + * In the **Choose a selection profile** drop-down menu, select **Nothing**. + * Click the **Install all drivers from the selection profile** button. 
- ![Configure the deployment task sequence to not install drivers](images\surface-upgrademdt-fig5.png "Configure the deployment task sequence to not install drivers") + ![Configure the deployment task sequence to not install drivers](images/surface-upgrademdt-fig5.png "Configure the deployment task sequence to not install drivers") - *Figure 5. Configure the deployment task sequence to not install drivers* + *Figure 5. Configure the deployment task sequence to not install drivers* 16. Click **OK** to apply changes to the task sequence and close the task sequence properties window. diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 8050e4754a..af796bd2c4 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md 
@@ -33,10 +33,10 @@ Before you begin the process outlined in this article, it is expected that you a * [System Center Configuration Manager application deployment](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications) * Certificate management ->[!Note] ->You will also need access to the certificate that you intend to use to secure SEMM. For details about the requirements for this certificate, see [Surface Enterprise Management Mode certificate requirements](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode#surface-enterprise-management-mode-certificate-requirements). - ->It is very important that this certificate be kept in a safe location and properly backed up. If this certificate becomes lost or unusable, it is not possible to reset Surface UEFI, change managed Surface UEFI settings, or remove SEMM from an enrolled Surface device. +> [!Note] +> You will also need access to the certificate that you intend to use to secure SEMM. For details about the requirements for this certificate, see [Surface Enterprise Management Mode certificate requirements](https://technet.microsoft.com/itpro/surface/surface-enterprise-management-mode#surface-enterprise-management-mode-certificate-requirements). +> +> It is very important that this certificate be kept in a safe location and properly backed up. If this certificate becomes lost or unusable, it is not possible to reset Surface UEFI, change managed Surface UEFI settings, or remove SEMM from an enrolled Surface device. #### Download Microsoft Surface UEFI Manager 
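Review bot: The alert marker in the `@@ -33,10` hunk is `[!Note]` while the other alerts touched in this patch (`@@ -419,11` in the same file, the wake-on-lan note) use `[!NOTE]`; pick one casing so the alert styling is consistent across the docset. The `>` separator line inserted between the two paragraphs is the right fix here, since it keeps the "kept in a safe location and properly backed up" warning inside the same alert box as the certificate requirement instead of rendering it as a detached quote.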
@@ -395,7 +395,7 @@ To add the SEMM Configuration Manager scripts to Configuration Manager as an app - Click **Microsoft Surface UEFI Manager** from the list of **Available Applications** and the MSI deployment type, and then click **OK** to close the **Specify Required Application** window. - * Keep the **Auto Install** check box selected if you want Microsoft Surface UEFI Manager installed automatically on devices when you attempt to enable SEMM with the Configuration Manager scripts. Click **OK** to close the **Add Dependency** window. + * Keep the **Auto Install** check box selected if you want Microsoft Surface UEFI Manager installed automatically on devices when you attempt to enable SEMM with the Configuration Manager scripts. Click **OK** to close the **Add Dependency** window. * Click **Next** to proceed. 
@@ -405,11 +405,11 @@ To add the SEMM Configuration Manager scripts to Configuration Manager as an app * **Completion** – Confirmation of the deployment type creation is displayed when the process is complete. Click **Close** to finish the Create Deployment Type Wizard. - * **Summary** – The information that you entered throughout the Create Application Wizard is displayed. Click **Next** to create the application. + - **Summary** – The information that you entered throughout the Create Application Wizard is displayed. Click **Next** to create the application. - * **Progress** – A progress bar and status as the application is added to the Software Library is displayed on this page. + - **Progress** – A progress bar and status as the application is added to the Software Library is displayed on this page. - * **Completion** – Confirmation of the successful application creation is displayed when the application creation process is complete. Click **Close** to finish the Create Application Wizard. + - **Completion** – Confirmation of the successful application creation is displayed when the application creation process is complete. Click **Close** to finish the Create Application Wizard. After the script application is available in the Software Library of Configuration Manager, you can distribute and deploy SEMM using the scripts you prepared to devices or collections. If you have configured the Microsoft Surface UEFI Manager assemblies as a dependency that will be automatically installed, you can deploy SEMM in a single step. If you have not configured the assemblies as a dependency, they must be installed on the devices you intend to manage before you enable SEMM. 
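Review bot: In the `@@ -405,11` hunk the three outer Create Application Wizard pages switch from `*` to `-` while the unchanged `* **Completion** – Confirmation of the deployment type creation...` line directly above keeps `*`; under markdig (CommonMark) a change of bullet character starts a new list, so confirm this is the intended way to end the nested Create Deployment Type list, or keep the same marker and rely on indentation to close the nesting. Whichever is chosen, the rendered output should be checked so that **Summary**, **Progress** and **Completion** land at the outer wizard level and not inside the deployment-type sub-list.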
@@ -419,11 +419,11 @@ Alternatively, you can configure the application installation to reboot automati Removal of SEMM from a device deployed with Configuration Manager using these scripts is as easy as uninstalling the application with Configuration Manager. This action starts the ResetSEMM.ps1 script and properly unenrolls the device with the same certificate file that was used during the deployment of SEMM. ->[!NOTE] ->Microsoft Surface recommends that you create reset packages only when you need to unenroll a device. These reset packages are typically valid for only one device, identified by its serial number. You can, however, create a universal reset package that would work for any device enrolled in SEMM with this certificate. - ->We strongly recommend that you protect your universal reset package as carefully as the certificate you used to enroll devices in SEMM. Please remember that – just like the certificate itself – this universal reset package can be used to unenroll any of your organization’s Surface devices from SEMM. - ->When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package – the device will prompt for the certificate thumbprint before ownership is taken. - ->For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken. +> [!NOTE] +> Microsoft Surface recommends that you create reset packages only when you need to unenroll a device. These reset packages are typically valid for only one device, identified by its serial number. You can, however, create a universal reset package that would work for any device enrolled in SEMM with this certificate. 
+> +> We strongly recommend that you protect your universal reset package as carefully as the certificate you used to enroll devices in SEMM. Please remember that – just like the certificate itself – this universal reset package can be used to unenroll any of your organization’s Surface devices from SEMM. +> +> When you install a reset package, the Lowest Supported Value (LSV) is reset to a value of 1. You can reenroll a device by using an existing configuration package – the device will prompt for the certificate thumbprint before ownership is taken. +> +> For this reason, the reenrollment of a device in SEMM would require a new package to be created and installed on that device. Because this action is a new enrollment and not a change in configuration on a device already enrolled in SEMM, the device will prompt for the certificate thumbprint before ownership is taken. diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md index f70ebba810..de79c73b49 100644 --- a/devices/surface/using-the-sda-deployment-share.md +++ b/devices/surface/using-the-sda-deployment-share.md 
@@ -84,16 +84,16 @@ To import drivers for a peripheral device: 6. Click **Import Drivers** to start the Import Drivers Wizard, as shown in Figure 1. - ![Provide the location of your driver files](images\using-sda-driverfiles-fig1.png "Provide the location of your driver files") + ![Provide the location of your driver files](images/using-sda-driverfiles-fig1.png "Provide the location of your driver files") - *Figure 1. Provide the location of your driver files* + *Figure 1. Provide the location of your driver files* 7. The Import Drivers Wizard presents a series of steps: - - **Specify Directory** – Click **Browse** and navigate to the folder where you stored the drivers in Step 1. - - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - - **Progress** – While the drivers are imported, a progress bar is displayed on this page. - - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard. + - **Specify Directory** – Click **Browse** and navigate to the folder where you stored the drivers in Step 1. + - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. + - **Progress** – While the drivers are imported, a progress bar is displayed on this page. + - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the Import Drivers Wizard. 8. Repeat Steps 5-7 for each Surface model on which you would like to include this driver. 
@@ -110,44 +110,44 @@ As with drivers, the SDA deployment share can be pre-configured with apps like t In the previous example for including drivers for a POS system, you would also need to include POS software for processing transactions and recording the input from the barcode scanner and credit card reader. To import an application and prepare it for installation on your Surface devices during Windows deployment: -1. Download the application installation files or locate the installation media for your application. +1. Download the application installation files or locate the installation media for your application. -2. Determine the command line instruction for silent installation, usually provided by the developer of the application. For Windows Installer files (.msi), see [Standard Installer Command-Line Options](https://msdn.microsoft.com/library/windows/desktop/aa372024) in the Windows Dev Center. +2. Determine the command line instruction for silent installation, usually provided by the developer of the application. For Windows Installer files (.msi), see [Standard Installer Command-Line Options](https://msdn.microsoft.com/library/windows/desktop/aa372024) in the Windows Dev Center. -3. Open the MDT Deployment Workbench. +3. Open the MDT Deployment Workbench. -4. Expand the **Deployment Shares** node and expand the SDA deployment share. +4. Expand the **Deployment Shares** node and expand the SDA deployment share. -5. Expand the **Applications** folder. +5. Expand the **Applications** folder. -6. Click **New Application** to start the New Application Wizard, as shown in Figure 2. +6. Click **New Application** to start the New Application Wizard, as shown in Figure 2. 
- ![Provide the command to install your application](images\using-sda-installcommand-fig2.png "Provide the command to install your application") + ![Provide the command to install your application](images/using-sda-installcommand-fig2.png "Provide the command to install your application") - *Figure 2: Provide the command to install your application* + *Figure 2: Provide the command to install your application* -7. Follow the steps of the New Application Wizard: +7. Follow the steps of the New Application Wizard: - - **Application Type** – Click **Application with Source Files**, and then click **Next**. - - **Details** – Enter a name for the application in the **Application Name** field. Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**. - - **Source** – Click **Browse** to navigate to and select the folder with the application installation files procured in Step 1, and then click **Next**. - - **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name. - - **Command Details** – Enter the silent command-line instruction, for example `setup.msi /quiet /norestart` - - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. - - **Progress** – While the installation files are imported, a progress bar is displayed on this page. - - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard. + - **Application Type** – Click **Application with Source Files**, and then click **Next**. + - **Details** – Enter a name for the application in the **Application Name** field. 
Enter publisher, version, and language information in the **Publisher**, **Version**, and **Language** fields if desired. Click **Next**. + - **Source** – Click **Browse** to navigate to and select the folder with the application installation files procured in Step 1, and then click **Next**. + - **Destination** – Enter a name for the folder where the application files will be stored in the **Specify the Name of the Directory that Should Be Created** field or click **Next** to accept the default name. + - **Command Details** – Enter the silent command-line instruction, for example `setup.msi /quiet /norestart` + - **Summary** – Review the specified configuration on this page before you click **Next** to begin the import process. + - **Progress** – While the installation files are imported, a progress bar is displayed on this page. + - **Confirmation** – When the import process completes, the success of the process is displayed on this page. Click **Finish** to complete the New Application Wizard. -8. Click the **Task Sequences** folder, right-click **1 - Deploy Microsoft Surface**, and then click **Properties**. +8. Click the **Task Sequences** folder, right-click **1 - Deploy Microsoft Surface**, and then click **Properties**. -9. Click the **Task Sequence** tab to view the steps that are included in the new task sequence. +9. Click the **Task Sequence** tab to view the steps that are included in the new task sequence. 10. Select the **Windows Update (Pre-Application Installation)** step, and then click **Add**. 11. Hover the mouse over **General** under the **Add** menu, and then click **Install Application**. This will add a new step after the selected step for the installation of a specific application as shown in Figure 3. 
- ![A new Install Application step for Sample POS App](images\using-sda-newinstall-fig3.png "A new Install Application step for Sample POS App") + ![A new Install Application step for Sample POS App](images/using-sda-newinstall-fig3.png "A new Install Application step for Sample POS App") - *Figure 3. A new Install Application step for Sample POS App* + *Figure 3. A new Install Application step for Sample POS App* 12. On the **Properties** tab of the new **Install Application** step, enter **Install - Sample POS App** in the **Name** field, where *Sample POS App* is the name of your app. diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md index ad031f997d..ddc39aa7c2 100644 --- a/devices/surface/wake-on-lan-for-surface-devices.md +++ b/devices/surface/wake-on-lan-for-surface-devices.md 
@@ -48,10 +48,10 @@ To enable WOL support on Surface devices, a specific driver for the Surface Ethe You can run this Microsoft Windows Installer (.msi) file on a Surface device to install the Surface WOL driver, or you can distribute it to Surface devices with an application deployment solution, such as System Center Configuration Manager. To include the Surface WOL driver during deployment, you can install the .msi file as an application during the deployment process. You can also extract the Surface WOL driver files to include them in the deployment process. For example, you can include them in your Microsoft Deployment Toolkit (MDT) deployment share. You can read more about Surface deployment with MDT in [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/surface/deploy-windows-10-to-surface-devices-with-mdt). ->[!NOTE] ->During the installation of SurfaceWOL.msi, the following registry key is set to a value of 1, which allows easy identification of systems where the WOL driver has been installed. If you chose to extract and install these drivers separately during deployment, this registry key will not be configured and must be configured manually or with a script. - ->**HKLM\SYSTEM\CurrentControlSet\Control\Power AllowSystemRequiredPowerRequests** +> [!NOTE] +> During the installation of SurfaceWOL.msi, the following registry key is set to a value of 1, which allows easy identification of systems where the WOL driver has been installed. If you chose to extract and install these drivers separately during deployment, this registry key will not be configured and must be configured manually or with a script. +> +> **HKLM\SYSTEM\CurrentControlSet\Control\Power AllowSystemRequiredPowerRequests** To extract the contents of SurfaceWOL.msi, use the MSIExec administrative installation option (**/a**), as shown in the following example, to extract the contents to the C:\WOL\ folder: 
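Review bot: The bolded line `HKLM\SYSTEM\CurrentControlSet\Control\Power AllowSystemRequiredPowerRequests` in the `@@ -48,10` hunk runs the key path and the value name together with a single space, so a reader cannot tell where the key ends and the value begins; split them (key `HKLM\SYSTEM\CurrentControlSet\Control\Power`, value `AllowSystemRequiredPowerRequests`, set to 1) and use a code span rather than bold so the backslashes survive the markdig engine change made elsewhere in this patch. The paragraph also presents the value only as a marker for "easy identification" of systems with the WOL driver, but the next sentence says it "must be configured manually or with a script" when the drivers are installed separately, which implies it has a functional role in WOL behaviour; the note should state which it is, because an administrator scripting the driver install needs to know whether skipping it only breaks inventory or breaks wake-up.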
diff --git a/education/docfx.json b/education/docfx.json index aed16babee..5e87a91352 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -1,40 +1,47 @@ { "build": { - "content": - [ - { - "files": ["**/**.md", "**/**.yml"], - "exclude": ["**/obj/**"] - } - ], + "content": [ + { + "files": [ + "**/**.md", + "**/**.yml" + ], + "exclude": [ + "**/obj/**" + ] + } + ], "resource": [ - { - "files": ["**/images/**"], - "exclude": ["**/obj/**"] - } + { + "files": [ + "**/images/**" + ], + "exclude": [ + "**/obj/**" + ] + } ], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "ROBOTS": "INDEX, FOLLOW", - "ms.author": "celested", - "audience": "windows-education", - "ms.topic": "article", - "breadcrumb_path": "/education/breadcrumb/toc.json", - "ms.date": "05/09/2017", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "Win.education", - "folder_relative_path_in_docset": "./" - } - } + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "ROBOTS": "INDEX, FOLLOW", + "ms.author": "celested", + "audience": "windows-education", + "ms.topic": "article", + "breadcrumb_path": "/education/breadcrumb/toc.json", + "ms.date": "05/09/2017", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "Win.education", + "folder_relative_path_in_docset": "./" + } + } }, - "externalReference": [ - ], + "externalReference": [], "template": "op.html", "dest": "education", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } 
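Review bot: The only behavioural change in `education/docfx.json` is `"markdownEngineName"` moving from `"dfm"` to `"markdig"`, and it is buried under a whitespace reflow of the entire file; it deserves a sentence in the PR description, since the `> ` alert continuation lines and list re-indentation in the other files of this patch are only needed because of this engine switch. A whitespace-only reformat of a JSON file also makes future blame harder; consider keeping the reflow in its own commit so the one-line engine change is easy to find and revert.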
diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md index 900de8b4e8..d6010ad62c 100644 --- a/education/get-started/configure-microsoft-store-for-education.md +++ b/education/get-started/configure-microsoft-store-for-education.md @@ -18,8 +18,8 @@ manager: dansimp # Configure Microsoft Store for Education > [!div class="step-by-step"] -[<< Use School Data Sync to import student data](use-school-data-sync.md) -[Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md) +> [<< Use School Data Sync to import student data](use-school-data-sync.md) +> [Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md) You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education. 
@@ -34,30 +34,30 @@ You can watch the descriptive audio version here: [Microsoft Education: Configur 1. Sign in to Microsoft Store for Education. 2. Accept the Microsoft Store for Business and Education Services Agreement. - This will take you to the Microsoft Store for Education portal. + This will take you to the Microsoft Store for Education portal. - **Figure 1** - Microsoft Store for Education portal + **Figure 1** - Microsoft Store for Education portal - ![Microsoft Store for Education portal](images/msfe_store_portal.png) + ![Microsoft Store for Education portal](images/msfe_store_portal.png) 3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page. 4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**. - **Figure 2** - Select management tools from the list of Store settings options + **Figure 2** - Select management tools from the list of Store settings options - ![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png) + ![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png) -4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education. +5. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education. 
- **Figure 3** - Activate Intune for Education as the management tool + **Figure 3** - Activate Intune for Education as the management tool - ![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png) + ![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png) Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next. > [!div class="step-by-step"] -[<< Use School Data Sync to import student data](use-school-data-sync.md) -[Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md) +> [<< Use School Data Sync to import student data](use-school-data-sync.md) +> [Use Intune for Education to manage groups, apps, and settings >>](use-intune-for-education.md) ## Related topic diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md index d9dff5f1c1..350f3be922 100644 --- a/education/get-started/enable-microsoft-teams.md +++ b/education/get-started/enable-microsoft-teams.md 
@@ -28,21 +28,21 @@ To get started, IT administrators need to use the Office 365 Admin Center to ena 3. Go to **Settings > Services & add-ins**. 4. On the **Services & add-ins** page, select **Microsoft Teams**. - **Figure 1** - Select Microsoft Teams from the list of services & add-ins + **Figure 1** - Select Microsoft Teams from the list of services & add-ins - ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png) + ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png) 5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. Select **Faculty and Staff**. - **Figure 2** - Select the license that you want to configure + **Figure 2** - Select the license that you want to configure - ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png) + ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png) 6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization. - **Figure 3** - Turn on Microsoft Teams for your organization + **Figure 3** - Turn on Microsoft Teams for your organization - ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png) + ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png) 7. Click **Save**. @@ -50,8 +50,8 @@ You can find more info about how to control which users in your school can use M > [!div class="step-by-step"] -[<< Use School Data Sync to import student data](use-school-data-sync.md) -[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md) +> [<< Use School Data Sync to import student data](use-school-data-sync.md) +> [Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md) ## Related topic 
diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md index 602b74a3cd..64361b412b 100644 --- a/education/get-started/finish-setup-and-other-tasks.md +++ b/education/get-started/finish-setup-and-other-tasks.md @@ -18,7 +18,7 @@ manager: dansimp # Finish Windows 10 device setup and other tasks > [!div class="step-by-step"] -[<< Set up Windows 10 education devices](set-up-windows-10-education-devices.md) +> [<< Set up Windows 10 education devices](set-up-windows-10-education-devices.md) Once you've set up your Windows 10 education device, it's worth checking to verify the following: @@ -39,12 +39,12 @@ Verify that the device is set up correctly and boots without any issues. 1. Confirm that the Start menu contains a simple configuration. 2. Confirm that the Store and built-in apps are installed and working. The apps pushed down from Intune for Education will appear under **Recently added**. - > [!NOTE] - > It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user. + > [!NOTE] + > It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user. - **Figure 1** - Sample list of apps for a user + **Figure 1** - Sample list of apps for a user - ![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png) + ![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png) ## Verify the device is Azure AD joined Let's now verify that the device is joined to your organization's Azure AD and shows up as being managed in Microsoft Intune for Education. 
@@ -54,17 +54,17 @@ Let's now verify that the device is joined to your organization's Azure AD and s 2. Select **Groups** and select **All Devices**. 3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list. - **Figure 2** - List of all managed devices + **Figure 2** - List of all managed devices - ![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png) + ![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png) 4. On the Windows 10 education device, click **Start** and go to **Settings**. 5. Select **Accounts > Access work or school**. 6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD. - **Figure 3** - Confirm that the Windows 10 device is joined to Azure AD + **Figure 3** - Confirm that the Windows 10 device is joined to Azure AD - ![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png) + ![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png) **That's it! You're done!** You've completed basic cloud setup, deployment, and management using Microsoft Education. 
@@ -91,13 +91,13 @@ If you need to make changes or updates to any of the apps or settings for the gr 2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page. 3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on. - **Figure 4** - See the list of available settings in Intune for Education + **Figure 4** - See the list of available settings in Intune for Education - ![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png) + ![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png) 4. Keep the default settings or configure the settings according to your school's policies. - For example, you can configure the diagnostic data sent to Microsoft in **Basic device settings > Send diagnostic data**. + For example, you can configure the diagnostic data sent to Microsoft in **Basic device settings > Send diagnostic data**. 5. Click **Save** or **Discard changes**. @@ -113,9 +113,9 @@ Follow the steps in this section to enable a single person to add many devices t 2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, https://portal.azure.com. 3. Select **Azure Active Directory > Users and groups > Device settings**. - **Figure 5** - Device settings in the new Azure portal + **Figure 5** - Device settings in the new Azure portal - ![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png) + ![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png) 4. Find the setting **Maximum number of devices per user** and change the value to **Unlimited**. 5. Click **Save** to update device settings. 
@@ -126,13 +126,13 @@ When students move from using one device to another, they may need to have their Follow the steps in this section to ensure that settings for the each user follow them when they move from one device to another. 1. Sign in to the Office 365 admin center. -3. Go to the new Azure portal, https://portal.azure.com. +2. Go to the new Azure portal, https://portal.azure.com. 3. Select **Azure Active Directory > Users and groups > Device settings**. 4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**. - **Figure 6** - Enable settings to roam with users + **Figure 6** - Enable settings to roam with users - ![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png) + ![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png) 5. Click **Save** to update device settings. 
@@ -151,21 +151,21 @@ To get started, IT administrators need to use the Office 365 Admin Center to ena 3. Go to **Settings > Services & add-ins**. 4. On the **Services & add-ins** page, select **Microsoft Teams**. - **Figure 1** - Select Microsoft Teams from the list of services & add-ins + **Figure 1** - Select Microsoft Teams from the list of services & add-ins - ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png) + ![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png) 5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**. Select **Faculty and Staff**. - **Figure 2** - Select the license that you want to configure + **Figure 2** - Select the license that you want to configure - ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png) + ![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png) 6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization. - **Figure 3** - Turn on Microsoft Teams for your organization + **Figure 3** - Turn on Microsoft Teams for your organization - ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png) + ![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png) 7. Click **Save**. 
@@ -188,11 +188,11 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can 2. Select **Access work or school** and then click **Connect** in the **Connect to work or school** page. 3. In the **Set up a work or school account** window, enter the user's account info. - For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information. + For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information. - **Figure 7** - Device is now managed by Intune for Education + **Figure 7** - Device is now managed by Intune for Education - ![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png) + ![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png) 4. Enter the account password and then click **Sign in** to authenticate the user. 
@@ -200,17 +200,17 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can 5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources. - **Figure 8** - Device is connected to organization's MDM + **Figure 8** - Device is connected to organization's MDM - ![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png) + ![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png) 6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [Verify the device is Azure AD joined](#verify-the-device-is-azure-ad-joined). - It may take several minutes before the new device shows up so check again later. + It may take several minutes before the new device shows up so check again later. > [!div class="step-by-step"] -[<< Set up Windows 10 education devices](set-up-windows-10-education-devices.md) +> [<< Set up Windows 10 education devices](set-up-windows-10-education-devices.md) ## Related topic diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index 1f3638abf3..a36cdb45da 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md 
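Review bot: the unchanged context line for step 5 in the `@@ -200,17` hunk still reads "After the user's credentails are validated"; since this hunk already touches the surrounding lines, fix the typo to "credentials" here rather than leaving it for another pass.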
@@ -105,18 +105,18 @@ To get started with Microsoft Education in a trial environment, follow these ste 1. [Set up a new Office 365 for Education tenant](set-up-office365-edu-tenant.md). - Wait for your tenant to be education-verified before proceeding with the next step. Verification can take up to a few days. + Wait for your tenant to be education-verified before proceeding with the next step. Verification can take up to a few days. 2. Once you have an education-verified tenant, click https://aka.ms/intuneforedupreviewtrial to apply the Intune for Education trial promo code. - 1. In the Intune for Education Trial page, on the upper right, click **Sign in** next to **Want to add this to an existing subscription?**. - 2. Sign in with your global admin credentials. + 1. In the Intune for Education Trial page, on the upper right, click **Sign in** next to **Want to add this to an existing subscription?**. + 2. Sign in with your global admin credentials. 3. Sign in to Office 365 admin portal and: - 1. Select **Admin > Users** and then search for your admin account. - 2. In the user page, select **Product licenses** and expand the **Office 365 Education** license you assigned to yourself. - 3. Confirm that School Data Sync is turned on. + 1. Select **Admin > Users** and then search for your admin account. + 2. In the user page, select **Product licenses** and expand the **Office 365 Education** license you assigned to yourself. + 3. Confirm that School Data Sync is turned on. -3. Skip ahead and follow the rest of the instructions in this walkthrough beginning with [Use School Data Sync to import student data](use-school-data-sync.md). +4. Skip ahead and follow the rest of the instructions in this walkthrough beginning with [Use School Data Sync to import student data](use-school-data-sync.md). ### Option 3: Try out Intune for Education Already have an Office 365 for Education verified tenant? 
Just sign in with your global admin credentials to apply the Intune for Education preview trial code to your tenant and follow the rest of the walkthrough. @@ -124,9 +124,9 @@ Already have an Office 365 for Education verified tenant? Just sign in with your 1. Click https://aka.ms/intuneforedupreviewtrial to get started. 2. In the **Intune for Education Trial** page, on the upper right, click **Sign in** next to **Want to add this to an existing subscription?**. - **Figure 2** - Intune for Education trial sign in page + **Figure 2** - Intune for Education trial sign in page - ![Intune for Education trial sign in page](images/i4e_trialsigninpage.png) + ![Intune for Education trial sign in page](images/i4e_trialsigninpage.png) 3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant. 4. If you don't already have Microsoft Teams deployed to your tenant, you can start with [Enable Microsoft Teams for your school](enable-microsoft-teams.md) and then follow the rest of the instructions in this walkthrough. diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index 81e21b05f7..a67cc68626 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md 
@@ -1,84 +1,92 @@ ---- -title: Inclusive Classroom IT Admin Guide -description: Learning which Inclusive Classroom features are available in which apps and in which versions of Microsoft Office. -keywords: Inclusive Classroom, Admin, Administrator, Microsoft Intune, Intune, Ease of Access, Office 365, account -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.topic: article -ms.localizationpriority: medium -ms.pagetype: edu -ROBOTS: noindex,nofollow -author: levinec -ms.author: ellevin -ms.date: 06/12/2018 -ms.reviewer: -manager: dansimp ---- - -# Inclusive Classroom IT Admin Guide -The following guide will show you what Inclusive Classroom features are available in which apps and which versions of Microsoft Office. -You will also learn how to deploy apps using Microsoft Intune, turn on or off Ease of access settings for users, and change how you pay for your Office 365 subscription. - -1. [Inclusive Classroom features](#features) -2. [Deploying apps with Microsoft Intune](#intune) -3. [How to show/hide the Ease of Accesss settings for text in Windows 10](#ease) -4. [How to change your Office 365 account from monthly, semi-annual, or yearly](#account) - -## Inclusive Classroom features -|Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | -|---|---|---|---|---|---|---| -| Read aloud with simultaneous highlighting |
            • OneNote 2016 (add-in), OneNote for the web, OneNote for Windows 10, OneNote for iPad, OneNote Mac
            • Word 2016, Word for the web, Word Mac, Word for iOS
            • Outlook 2016, Outlook Web Access
            • Office Lens on iOS, Android
            |

            X

            (N/A for Word for iOS, Word for the web, Outlook Web Access, or Office Lens)

            |

            X

            (N/A for Word for iOS, Word for the web, Outlook Web Access, or Office Lens)

            |

            X

            |

            X

            (N/A for Outlook PC)

            |

            X

            (N/A for any OneNote apps or Outlook PC)

            | -| Adjustable text spacing and font size |
            • OneNote 2016 (add-in), OneNote for the web, OneNote for Windows 10, OneNote for iPad, OneNote Mac
            • Word 2016, Word for the web, Word Mac, Word for iPad
            • Outlook Web Access
            • Office Lens on iOS, Android
            |

            X

            (N/A for Word for iOS, Word for the web, Outlook Web Access, or Office Lens)

            |

            X

            (N/A for Word for iOS, Word for the web, Outlook Web Access, or Office Lens)

            |

            X

            |

            X

            |

            X

            (N/A for any OneNote apps)

            | -| Syllabification |
            • OneNote 2016 (add-in), OneNote for the web, OneNote for Windows 10, OneNote for iPad, OneNote Mac
            • Word for the web
            • Outlook Web Access
            | |

            X

            (N/A for Word for iOS, Word for the web, Outlook Web Access)

            |

            X

            (N/A for Word iOS)

            |

            X

            (N/A for Word iOS)

            |

            X

            (N/A for any OneNote apps or Word iOS)

            | -| Parts of speech identification |
            • OneNote 2016 (add-in), OneNote for the web, OneNote for Windows 10, OneNote for iPad, OneNote Mac
            • Word 2016, Word for the web, Word Mac, Word for iOS
            • Outlook 2016, Outlook Web Access
            • Office Lens on iOS, Android
            |

            X

            (N/A for Word for the web, Outlook Web Access)

            |

            X

            (N/A for Word for the web, Outlook Web Access)

            |

            X

            (N/A for any OneNote apps)

            |

            X

            (N/A for any OneNote apps)

            |

            X

            (N/A for any OneNote apps)

            | -| Line focus mode |
            • Word 2016, Word for the web, Word Mac, Word for iOS
            • Outlook 2016, Outlook Web Access
            • Office Lens on iOS, Android
            | |

            X

            (N/A for Word for the web, Outlook Web Access)

            |

            X

            (N/A for any OneNote apps)

            |

            X

            (N/A for any OneNote apps)

            |

            X

            (N/A for any OneNote apps)

            | -| Picture Dictionary |
            • Word 2016, Word on the web, Word Mac, Word for iOS
            • Outlook 2016, Outlook Web Access
            • Office Lens on iOS, Android
            | |

            X

            (N/A for Word for the web, Outlook Web Access)

            |

            X

            (N/A for any OneNote apps)

            |

            X

            (N/A for any OneNote apps)

            |

            X

            (N/A for any OneNote apps)

            | -
            - -| Writing and proofing features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | -|---|---|---|---|---|---|---| -| Dictation |
            • OneNote 2016, OneNote for Windows 10
            • Word 2016
            • Outlook 2016
            • PowerPoint 2016
            | |

            X

            |

            X

            | | | -| Spelling suggestions for phonetic misspellings |
            • Word 2016, Word on the web, Word for Mac
            • Outlook 2016
            | |

            X

            |

            X

            |

            X

            | | -| Synonyms alongside spelling suggestions that can be read aloud |
            • Word 2016
            • Outlook 2016
            | |

            X

            |

            X

            |

            X

            | | -| Grammar checks |
            • Word 2016, Word for the web, Word for Mac
            • Outlook 2016
            | |

            X

            |

            X

            | | | -| Customizable writing critiques |
            • Word 2016, Word for Mac
            • Outlook 2016
            |

            X

            |

            X

            |

            X

            | | | -| Tell me what you want to do |
            • Office 2016
            • Office on the web
            • Office on iOS, Android, Windows 10
            |

            X

            |

            X

            |

            X

            |

            X

            | | -| Editor |
            • Word 2016
            | |

            X

            |

            X

            | | | -
            - -| Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | -|---|---|---|---|---|---|---| -| Accessibility Checker |
            • All Office 365 authoring applications on PC, Mac, Web
            | |

            X

            |

            X

            | | | -| Accessible Templates |
            • Word for PCs, Mac
            • Excel for PCs, Mac
            • PowerPoint for PCs, Mac
            • Sway on iOS, Web, Windows 10
            | |

            X

            |

            X

            | | | -| Ability to add alt-text for images |
            • Word for PCs (includes automatic suggestions for image descriptions)
            • SharePoint Online (includes automatic suggestions for image descriptions)
            • PowerPoint for PCs (includes automatic suggestions for image descriptions)
            • OneNote (includes automatic extraction of text in images)
            • All Office 365 authoring applications (include ability to add alt-text manually)
            |

            X

            |

            X

            |

            X

            | | | -| Ability to add captions to videos |
            • PowerPoint for PCs
            • Sway on iOS, Web, Windows 10
            • Microsoft Stream (includes ability to have captions auto-generated for videos in English and Spanish)
            | |

            X

            | | | | -| Export as tagged PDF |
            • Word for PCs, Mac
            • Sway on iOS, Web, Windows 10
            | |

            X

            |

            X

            | | | -| Ability to request accessible content |
            • Outlook Web Access
            | | | | | | -
            - -| Communication features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | -|---|---|---|---|---|---|---| -| Microsoft Translator |
            • Word 2016
            • Excel 2016
            • "Translator for Outlook" Add-in
            • PowerPoint 2016 (and PowerPoint Garage Add-in)
            |

            X

            |

            X

            |

            X

            |

            X

            |

            X

            | -
            - -## Deploying apps with Microsoft Intune -Microsoft Intune can be used to deploy apps such as Immersive Reader and Microsoft Translator to all the devices connected in the same groups. -1. Go to the Intune for Education portal and log in with your account. -2. Select the **Apps** page. -3. Find the app you're looking for in the included list (if it's not there, you can select **Add app** and download it from the Microsoft Store). -4. Selecting your app will show you if it has been deployed to any of the groups that have been set up. From the **Groups** page you can select **Change group assignment** and choose which groups you want to deploy the app(s) to. - -## How to show/hide the Ease of access settings for text in Windows 10 -The Ease of access settings in Windows 10 are very useful accessibility tools, but having those options could be a bit much for everyone in a group to have in their device. With the following instructions you can chose to hide or show the Ease of access settings on users' devices. -1. Go to the Intune for Education portal and login with your account. -2. Select the **Groups** page and then select your desired group. -3. Select **Settings** and under the **User access and device settings** section you will find the toggle to set **Ease of access** to **Blocked** or **Not blocked**. -4. Select **Save** after making your selection. - -## How to change your Office 365 account from monthly, semi-annual, or yearly -Depending on how you plan to do billing, you can have Office 365 accounts that are set to renew monthly, semi-annually, or yearly. -1. Sign-in to your services and subscriptions with your Microsoft account. -2. Find the subscription in the list, then select **Change how you pay**. - >**Note:** If you don't see **Change how you pay**, it could be because auto-renew is not turned on. 
You won't be able to change how you pay if auto-renew is off because the subscription has already been paid and will end when its duration expires. -3. Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions. +--- +title: Inclusive Classroom IT Admin Guide +description: Learning which Inclusive Classroom features are available in which apps and in which versions of Microsoft Office. +keywords: Inclusive Classroom, Admin, Administrator, Microsoft Intune, Intune, Ease of Access, Office 365, account +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.topic: article +ms.localizationpriority: medium +ms.pagetype: edu +ROBOTS: noindex,nofollow +author: levinec +ms.author: ellevin +ms.date: 06/12/2018 +ms.reviewer: +manager: dansimp +--- + +# Inclusive Classroom IT Admin Guide +The following guide will show you what Inclusive Classroom features are available in which apps and which versions of Microsoft Office. +You will also learn how to deploy apps using Microsoft Intune, turn on or off Ease of access settings for users, and change how you pay for your Office 365 subscription. + +1. [Inclusive Classroom features](#features) +2. [Deploying apps with Microsoft Intune](#intune) +3. [How to show/hide the Ease of Accesss settings for text in Windows 10](#ease) +4. 
[How to change your Office 365 account from monthly, semi-annual, or yearly](#account) + +## Inclusive Classroom features + +| Reading features | Available in which apps | Office 2016 MSI | Office 2019 | Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------| +| Read aloud with simultaneous highlighting |
            • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
            • Word 2016, Word Online, Word Mac, Word for iOS
            • Outlook 2016, Outlook Web Access
            • Office Lens on iOS, Android
            |

            X

            (N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

            |

            X

            (N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

            |

            X

            |

            X

            (N/A for Outlook PC)

            |

            X

            (N/A for any OneNote apps or Outlook PC)

            | +| Adjustable text spacing and font size |
            • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
            • Word 2016, Word Online, Word Mac, Word for iPad
            • Outlook Web Access
            • Office Lens on iOS, Android
            |

            X

            (N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

            |

            X

            (N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

            |

            X

            |

            X

            |

            X

            (N/A for any OneNote apps)

            | +| Syllabification |
            • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
            • Word Online
            • Outlook Web Access
            | |

            X

            (N/A for Word for iOS, Word Online, Outlook Web Access)

            |

            X

            (N/A for Word iOS)

            |

            X

            (N/A for Word iOS)

            |

            X

            (N/A for any OneNote apps or Word iOS)

            | +| Parts of speech identification |
            • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
            • Word 2016, Word Online, Word Mac, Word for iOS
            • Outlook 2016, Outlook Web Access
            • Office Lens on iOS, Android
            |

            X

            (N/A for Word Online, Outlook Web Access)

            |

            X

            (N/A for Word Online, Outlook Web Access)

            |

            X

            (N/A for any OneNote apps)

            |

            X

            (N/A for any OneNote apps)

            |

            X

            (N/A for any OneNote apps)

            | +| Line focus mode |
            • Word 2016, Word Online, Word Mac, Word for iOS
            • Outlook 2016, Outlook Web Access
            • Office Lens on iOS, Android
            | |

            X

            (N/A for Word Online, Outlook Web Access)

            |

            X

            (N/A for any OneNote apps)

            |

            X

            (N/A for any OneNote apps)

            |

            X

            (N/A for any OneNote apps)

            | +| Picture Dictionary |
            • Word 2016, Word Online, Word Mac, Word for iOS
            • Outlook 2016, Outlook Web Access
            • Office Lens on iOS, Android
            | |

            X

            (N/A for Word Online, Outlook Web Access)

            |

            X

            (N/A for any OneNote apps)

            |

            X

            (N/A for any OneNote apps)

            |

            X

            (N/A for any OneNote apps)

            | + +
            + + +| Writing and proofing features | Available in which apps | Office 2016 MSI | Office 2019 | Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|---------------------------------| +| Dictation |
            • OneNote 2016, OneNote for Windows 10
            • Word 2016
            • Outlook 2016
            • PowerPoint 2016
            | |

            X

            |

            X

            | | | +| Spelling suggestions for phonetic misspellings |
            • Word 2016, Word Online, Word for Mac
            • Outlook 2016
            | |

            X

            |

            X

            |

            X

            | | +| Synonyms alongside spelling suggestions that can be read aloud |
            • Word 2016
            • Outlook 2016
            | |

            X

            |

            X

            |

            X

            | | +| Grammar checks |
            • Word 2016, Word Online, Word for Mac
            • Outlook 2016
            | |

            X

            |

            X

            | | | +| Customizable writing critiques |
            • Word 2016, Word for Mac
            • Outlook 2016
            |

            X

            |

            X

            |

            X

            | | | +| Tell me what you want to do |
            • Office 2016
            • Office Online
            • Office on iOS, Android, Windows 10
            |

            X

            |

            X

            |

            X

            |

            X

            | | +| Editor |
            • Word 2016
            | |

            X

            |

            X

            | | | + +
            + + +| Creating accessible content features | Available in which apps | Office 2016 MSI | Office 2019 | Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|---------------------------------| +| Accessibility Checker |
            • All Office 365 authoring applications on PC, Mac, Web
            | |

            X

            |

            X

            | | | +| Accessible Templates |
            • Word for PCs, Mac
            • Excel for PCs, Mac
            • PowerPoint for PCs, Mac
            • Sway on iOS, Web, Windows 10
            | |

            X

            |

            X

            | | | +| Ability to add alt-text for images |
            • Word for PCs (includes automatic suggestions for image descriptions)
            • SharePoint Online (includes automatic suggestions for image descriptions)
            • PowerPoint for PCs (includes automatic suggestions for image descriptions)
            • OneNote (includes automatic extraction of text in images)
            • All Office 365 authoring applications (include ability to add alt-text manually)
            |

            X

            |

            X

            |

            X

            | | | +| Ability to add captions to videos |
            • PowerPoint for PCs
            • Sway on iOS, Web, Windows 10
            • Microsoft Stream (includes ability to have captions auto-generated for videos in English and Spanish)
            | |

            X

            | | | | +| Export as tagged PDF |
            • Word for PCs, Mac
            • Sway on iOS, Web, Windows 10
            | |

            X

            |

            X

            | | | +| Ability to request accessible content |
            • Outlook Web Access
            | | | | | | + +
            + + +| Communication features | Available in which apps | Office 2016 MSI | Office 2019 | Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------|--------------------------------------| +| Microsoft Translator |
            • Word 2016
            • Excel 2016
            • "Translator for Outlook" Add-in
            • PowerPoint 2016 (and PowerPoint Garage Add-in)
            |

            X

            |

            X

            |

            X

            |

            X

            |

            X

            | + +
            + +## Deploying apps with Microsoft Intune +Microsoft Intune can be used to deploy apps such as Immersive Reader and Microsoft Translator to all the devices connected in the same groups. +1. Go to the Intune for Education portal and log in with your account. +2. Select the **Apps** page. +3. Find the app you're looking for in the included list (if it's not there, you can select **Add app** and download it from the Microsoft Store). +4. Selecting your app will show you if it has been deployed to any of the groups that have been set up. From the **Groups** page you can select **Change group assignment** and choose which groups you want to deploy the app(s) to. + +## How to show/hide the Ease of access settings for text in Windows 10 +The Ease of access settings in Windows 10 are very useful accessibility tools, but having those options could be a bit much for everyone in a group to have in their device. With the following instructions you can chose to hide or show the Ease of access settings on users' devices. +1. Go to the Intune for Education portal and login with your account. +2. Select the **Groups** page and then select your desired group. +3. Select **Settings** and under the **User access and device settings** section you will find the toggle to set **Ease of access** to **Blocked** or **Not blocked**. +4. Select **Save** after making your selection. + +## How to change your Office 365 account from monthly, semi-annual, or yearly +Depending on how you plan to do billing, you can have Office 365 accounts that are set to renew monthly, semi-annually, or yearly. +1. Sign-in to your services and subscriptions with your Microsoft account. +2. Find the subscription in the list, then select **Change how you pay**. + >**Note:** If you don't see **Change how you pay**, it could be because auto-renew is not turned on. 
You won't be able to change how you pay if auto-renew is off because the subscription has already been paid and will end when its duration expires. +3. Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions. diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md index 8f307ea6a9..0d5813061e 100644 --- a/education/get-started/set-up-office365-edu-tenant.md +++ b/education/get-started/set-up-office365-edu-tenant.md @@ -18,8 +18,8 @@ manager: dansimp # Set up an Office 365 Education tenant > [!div class="step-by-step"] -[<< Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) -[Use School Data Sync to import student data >>](use-school-data-sync.md) +> [<< Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) +> [Use School Data Sync to import student data >>](use-school-data-sync.md) Schools can use Office 365 to save time and be more productive. Built with powerful tools and accessible from any device, setting it up is the first step in getting your school to the cloud. 
@@ -34,24 +34,24 @@ You can watch the descriptive audio version here: [Microsoft Education: Set up a 1. Go to the Office 365 for Education sign up page to sign up for a free subscription for your school. 2. Create an account and a user ID and password to use to sign into your account. - **Figure 1** - Office 365 account creation + **Figure 1** - Office 365 account creation - ![Create an Office 365 account](images/o365_createaccount.png) + ![Create an Office 365 account](images/o365_createaccount.png) 3. Save your sign-in info so you can use it to sign in to https://portal.office.com (the sign-in page). Click **You're ready to go...** 4. In the **Verify eligibility for Microsoft Office 365 for Education** screen: - 1. Add your domain name and follow the steps to confirm ownership of the domain. - 2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain. + 1. Add your domain name and follow the steps to confirm ownership of the domain. + 2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain. - In some cases, you may need to wait several hours for the DNS verification to complete. You can click **I'll verify later** and come back later and log into the Office 365 portal and then go to the **Admin** center and select **Domains** to check the status entry for your domain. + In some cases, you may need to wait several hours for the DNS verification to complete. You can click **I'll verify later** and come back later and log into the Office 365 portal and then go to the **Admin** center and select **Domains** to check the status entry for your domain. - You may need to fill in other information to provide that you qualify for an education tenant. Provide and submit the info to Microsoft to continue verification for your tenant. + You may need to fill in other information to provide that you qualify for an education tenant. 
Provide and submit the info to Microsoft to continue verification for your tenant. As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See *Complete Office 365 for Education setup* in [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) for info. > [!div class="step-by-step"] -[<< Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) -[Use School Data Sync to import student data >>](use-school-data-sync.md) +> [<< Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) +> [Use School Data Sync to import student data >>](use-school-data-sync.md) ## Related topic diff --git a/education/get-started/set-up-windows-10-education-devices.md b/education/get-started/set-up-windows-10-education-devices.md index d448a1840d..bc564efa41 100644 --- a/education/get-started/set-up-windows-10-education-devices.md +++ b/education/get-started/set-up-windows-10-education-devices.md @@ -18,8 +18,8 @@ manager: dansimp # Set up Windows 10 education devices > [!div class="step-by-step"] -[<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) -[Finish setup and other tasks >>](finish-setup-and-other-tasks.md) +> [<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) +> [Finish setup and other tasks >>](finish-setup-and-other-tasks.md) We recommend using the latest build of Windows 10, version 1703 on your education devices. 
@@ -28,8 +28,8 @@ To set up new Windows 10 devices and enroll them to your education tenant, choos - **Option 2: [Go through Windows OOBE and join the device to Azure AD](set-up-windows-education-devices.md)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device. > [!div class="step-by-step"] -[<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) -[Finish setup and other tasks >>](finish-setup-and-other-tasks.md) +> [<< Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) +> [Finish setup and other tasks >>](finish-setup-and-other-tasks.md) diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md index fb4f46d999..65cd88c27c 100644 --- a/education/get-started/set-up-windows-education-devices.md +++ b/education/get-started/set-up-windows-education-devices.md 
@@ -30,15 +30,15 @@ You can watch the descriptive audio version here: [Microsoft Education: Set up a 1. If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection. 2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen. - **Figure 1** - Let's start with region + **Figure 1** - Let's start with region - ![Let's start with region](images/win10_letsstartwithregion.png) + ![Let's start with region](images/win10_letsstartwithregion.png) 3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**. - **Figure 2** - Select setup for an organization + **Figure 2** - Select setup for an organization - ![Select setup for an organization](images/win10_setupforanorg.png) + ![Select setup for an organization](images/win10_setupforanorg.png) 4. Sign in using the user's account and password. Depending on the user password setting, you may be prompted to update the password. 5. Choose privacy settings for the device. Location, speech recognition, diagnostics, and other settings are all on by default. Configure the settings based on the school's policies. diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md index 7f6d4c02f9..9a4b451c83 100644 --- a/education/get-started/use-intune-for-education.md +++ b/education/get-started/use-intune-for-education.md 
@@ -18,8 +18,8 @@ manager: dansimp # Use Intune for Education to manage groups, apps, and settings > [!div class="step-by-step"] -[<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) -[Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md) +> [<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) +> [Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md) Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the Intune for Education documentation. 
@@ -52,81 +52,81 @@ Intune for Education provides an **Express configuration** option so you can get 1. Log into the Intune for Education console. You will see the Intune for Education dashboard once you're logged in. - **Figure 1** - Intune for Education dashboard + **Figure 1** - Intune for Education dashboard - ![Intune for Education dashboard](images/i4e_portal.png) + ![Intune for Education dashboard](images/i4e_portal.png) 2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left. 3. In the **Welcome to Intune for Education** screen, click **Get started**. - **Figure 2** - Click Get started to set up Intune for Education + **Figure 2** - Click Get started to set up Intune for Education - ![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png) + ![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png) 4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**. - **Figure 3** - SDS is configured + **Figure 3** - SDS is configured - ![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png) + ![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png) 5. In the **Choose group** screen, select **All Users**. All apps and settings that we select during express setup will apply to this group. - You can choose another group during this step, but note that your experience may vary from what we show in the walkthrough. + You can choose another group during this step, but note that your experience may vary from what we show in the walkthrough. 6. The **Next** button will appear at the bottom of the screen after you select **All Users**. Click **Next**. - > [!TIP] - > At the top of the screen, did you notice the **Choose group** button change to a green check mark? 
This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it! - > - > **Figure 4** - Click on the buttons to go back to that step - > - > ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png) + > [!TIP] + > At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it! + > + > **Figure 4** - Click on the buttons to go back to that step + > + > ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png) 7. In the **Choose apps** screen, you will see a selection of Web apps, Microsoft Store apps, and desktop (Win32) apps. You will also see a list of popular apps from each category. - - Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in the **Choose group** step. + - Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in the **Choose group** step. - In this walkthrough, it's up to you to select the apps you choose to install. Just remember what they are so that later in the walkthrough you can verify that the apps were installed correctly on the device. + In this walkthrough, it's up to you to select the apps you choose to install. Just remember what they are so that later in the walkthrough you can verify that the apps were installed correctly on the device. - > [!TIP] - > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**. 
+ > [!TIP] + > Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**. - **Figure 5** - Choose the apps that you want to install for the group + **Figure 5** - Choose the apps that you want to install for the group - ![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png) + ![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png) 8. When you're done choosing apps, click **Next** at the bottom of the screen. - If you select Microsoft Store apps, you will see a notification that Intune for Education is getting these apps. + If you select Microsoft Store apps, you will see a notification that Intune for Education is getting these apps. -8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group. +9. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group. - **Figure 6** - Expand the settings group to get more details + **Figure 6** - Expand the settings group to get more details - ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png) + ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png) -9. For this walkthrough, set the following settings: - - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**. 
- - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**. +10. For this walkthrough, set the following settings: + - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**. + - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**. - **Figure 28** - Set some additional settings + **Figure 28** - Set some additional settings - ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png) + ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png) -10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply. +11. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply. - **Figure 7** - Review the group, apps, and settings you configured + **Figure 7** - Review the group, apps, and settings you configured - ![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png) + ![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png) -11. Click **Save** to end express configuration. -12. You will see the **You're done!** screen which lets you choose one of two options. +12. Click **Save** to end express configuration. +13. You will see the **You're done!** screen which lets you choose one of two options. 
- **Figure 8** - All done with Intune for Education express configuration + **Figure 8** - All done with Intune for Education express configuration - ![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png) + ![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png) -13. Click **All done** or click the **X** on the upper-right corner of the screen to dismiss this screen and go back to the dashboard. +14. Click **All done** or click the **X** on the upper-right corner of the screen to dismiss this screen and go back to the dashboard. ## Add apps bought from Microsoft Store for Education 
@@ -138,39 +138,39 @@ Intune for Education provides an **Express configuration** option so you can get 1. In the Intune for Education console, click **Apps** from the menu on the left. - **Figure 9** - Click on **Apps** to see the list of apps for your tenant + **Figure 9** - Click on **Apps** to see the list of apps for your tenant - ![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png) + ![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png) 2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in. - **Figure 10** - Select the option to add a new Store app + **Figure 10** - Select the option to add a new Store app - ![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png) + ![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png) 3. In the Microsoft Store page, check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express setup for Intune for Education. - For example, these apps are free: - - Duolingo - Learn Languages for Free - - Flashcards Pro - - Khan Academy - - My Study Life + For example, these apps are free: + - Duolingo - Learn Languages for Free + - Flashcards Pro + - Khan Academy + - My Study Life 4. Find or select the app you want to install and click **Get the app**. 5. In the app's Store page, click the **...** button and select **Add to private store**. 6. Repeat steps 3-5 to install another app or move to the next step. 7. In the Microsoft Store for Education portal, select **Manage > Apps & software > Manage apps** to verify that the apps you purchased appear in your inventory. 
- For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. + For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant. - **Figure 11** - Apps inventory in Microsoft Store for Education + **Figure 11** - Apps inventory in Microsoft Store for Education - ![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png) + ![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png) - In the **Private store** column of the **Apps & software** page, the status for some apps will indicate that it's "In private store" while others will say "Not in private store". We won't go over this in the walkthrough, but you can learn more about this in Distribute apps using your private store. + In the **Private store** column of the **Apps & software** page, the status for some apps will indicate that it's "In private store" while others will say "Not in private store". We won't go over this in the walkthrough, but you can learn more about this in Distribute apps using your private store. - > [!NOTE] - > You'll see in the above screenshot that some apps say that **Add is in progress**. Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune for Education to sync all your purchased apps. + > [!NOTE] + > You'll see in the above screenshot that some apps say that **Add is in progress**. Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune for Education to sync all your purchased apps. ## Install apps for all users 
@@ -178,34 +178,34 @@ Now that you've bought the apps, use Intune for Education to specify the group t 1. In the Intune for Education console, click the **Groups** option from the menu on the left. - **Figure 12** - Groups page in Intune for Education + **Figure 12** - Groups page in Intune for Education - ![Groups page in Intune for Education](images/i4e_groupspage.png) + ![Groups page in Intune for Education](images/i4e_groupspage.png) 2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page. - **Figure 13** - List of all users in the tenant + **Figure 13** - List of all users in the tenant - ![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png) + ![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png) 3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps. - **Figure 14** - Edit apps to assign them to users + **Figure 14** - Edit apps to assign them to users - ![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png) + ![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png) 4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select. - **Figure 15** - Select the apps to deploy to the group + **Figure 15** - Select the apps to deploy to the group - ![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png) + ![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png) 5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group. 6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected. 
- **Figure 16** - Updated list of assigned apps + **Figure 16** - Updated list of assigned apps - ![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png) + ![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png) You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud. @@ -215,8 +215,8 @@ You're now done assigning apps to all users in your tenant. It's time to set up --> > [!div class="step-by-step"] -[<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) -[Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md) +> [<< Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) +> [Set up Windows 10 education devices >>](set-up-windows-10-education-devices.md) diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md index 6498bdec28..c6192599ba 100644 --- a/education/get-started/use-school-data-sync.md +++ b/education/get-started/use-school-data-sync.md @@ -18,8 +18,8 @@ manager: dansimp # Use School Data Sync to import student data > [!div class="step-by-step"] -[<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md) -[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md) +> [<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md) +> [Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md) School Data Sync (SDS) helps you import Student Information System (SIS) data into Office 365. It helps automate the process for importing and integrating SIS data that you can use with Office 365 and apps like OneNote Class Notebooks. 
@@ -36,34 +36,34 @@ You can watch the descriptive audio version here: [Microsoft Education: Use Scho 1. Go to the O365-EDU-Tools GitHub site. 2. Click the green **Clone or download** button to download the SDS sample files. - **Figure 1** - Download the SDS sample files from GitHub + **Figure 1** - Download the SDS sample files from GitHub - ![Download the SDS sample files from GitHub](images/sds_github_downloadsample.png) + ![Download the SDS sample files from GitHub](images/sds_github_downloadsample.png) 3. In the **Clone with HTTPS** pop-up window, choose **Download ZIP** and note the location where you're saving the folder. 4. Go to the folder where you saved the .zip and unzip the files. 5. Open the **O365-EDU-Tools-master** folder and then open the **CSV Samples** subfolder. Confirm that you can see the following sample CSV files. - **Figure 2** - Sample CSV files + **Figure 2** - Sample CSV files - ![Use the sample CSV files](images/sds_sample_csv_files_us_uk.png) + ![Use the sample CSV files](images/sds_sample_csv_files_us_uk.png) - > [!NOTE] - > - The sample CSV files uses sample accounts and passwords. If you are using the sample files for testing, remember the accounts and their corresponding passwords. You may be asked to change the password during your first sign in. - > - If you are modifying the sample CSV files to use in your organization, change the accounts and passwords to match the user accounts and passwords in your organization. - > - If you are using CSV files from your existing production environment, see the detailed instructions in step 5 in the next section. + > [!NOTE] + > - The sample CSV files uses sample accounts and passwords. If you are using the sample files for testing, remember the accounts and their corresponding passwords. You may be asked to change the password during your first sign in. 
+ > - If you are modifying the sample CSV files to use in your organization, change the accounts and passwords to match the user accounts and passwords in your organization. + > - If you are using CSV files from your existing production environment, see the detailed instructions in step 5 in the next section. To learn more about the CSV files that are required and the info you need to include in each file, see CSV files for School Data Sync. If you run into any issues, see School Data Sync errors and troubleshooting. ## Use SDS to import student data 1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com. -2. Click Sign in. Then enter your O365 Global Admin account credentials. +2. Click Sign in. Then enter your O365 Global Admin account credentials. 3. After logging in, click **+ Add Profile** in the left hand navigation pane to create a Sync Profile.. This opens up the new profile setup wizard within the main page. - **Figure 3** - New SDS profile setup wizard + **Figure 3** - New SDS profile setup wizard - ![Screenshot that shows creating a new profile](images/03bfe22a-469b-4b73-ab8d-af5aaac8ff89.png) + ![Screenshot that shows creating a new profile](images/03bfe22a-469b-4b73-ab8d-af5aaac8ff89.png) 4. For the new profile, in the **How do you want to connect to your school?** screen: 
@@ -74,101 +74,101 @@ To learn more about the CSV files that are required and the info you need to inc 5. In the **Sync options** screen: - 1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenaro that applies to you. For this walkthrough, select **New users**. - 2. In the **Import data** section, click **Upload Files** to bring up the **Select data files to be uploaded** window. - 3. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import. - 4. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**. - 5. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**. + 1. In the **Select new or existing users** section, you can select either **Existing users** or **New users** based on the scenaro that applies to you. For this walkthrough, select **New users**. + 2. In the **Import data** section, click **Upload Files** to bring up the **Select data files to be uploaded** window. + 3. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import. + 4. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**. + 5. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**. 
- > [!NOTE] - > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified. + > [!NOTE] + > After you click **Upload**, the status in the **Select data files to be uploaded** window will indicate that files are being uploaded and verified. - 6. After all the files are successfully uploaded, click **OK**. - 7. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default. - 8. In the Replace Unsupported Special Characters section, checking this box will allow SDS to automatically replace unsupported special characters while the sync is running. Special characters will be replaced with an "_", and no longer result in an error during the sync process for that object. - 9. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files. - 10. In the **Student enrollment option** section: - * If you want to sync your student roster data immediately, leave the box unchecked. - * If you prefer to sync student enrollment/rostering data at a later date, check this box and then pick a date by clicking the empty box and selecting the appropriate date in the calendar when you would like to begin syncing your student roster data. Some schools prefer to delay syncing student roster data so they don't expose rosters before the start of the new term, semester, or school year. - 11. In the Default Term Dates section, You can set default start and end dates for Section terms. 
These dates will only be used if you do not provide these dates in your CSV files. If you upload files with Section start and end dates, you will be asked to select the format of the dates provided. If the format that you enter does not match the format of start and end dates in your files, you will receive an error message and need to edit the date format so that it matches the format in your files. - 12. In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education. - 13. Click **Next**. + 6. After all the files are successfully uploaded, click **OK**. + 7. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default. + 8. In the Replace Unsupported Special Characters section, checking this box will allow SDS to automatically replace unsupported special characters while the sync is running. Special characters will be replaced with an "_", and no longer result in an error during the sync process for that object. + 9. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files. + 10. In the **Student enrollment option** section: + * If you want to sync your student roster data immediately, leave the box unchecked. 
+ * If you prefer to sync student enrollment/rostering data at a later date, check this box and then pick a date by clicking the empty box and selecting the appropriate date in the calendar when you would like to begin syncing your student roster data. Some schools prefer to delay syncing student roster data so they don't expose rosters before the start of the new term, semester, or school year. + 11. In the Default Term Dates section, You can set default start and end dates for Section terms. These dates will only be used if you do not provide these dates in your CSV files. If you upload files with Section start and end dates, you will be asked to select the format of the dates provided. If the format that you enter does not match the format of start and end dates in your files, you will receive an error message and need to edit the date format so that it matches the format in your files. + 12. In the **License Options** section, check the box for **Intune for Education** to allow students and teachers to receive the Intune for Education license. This will also create the SDS dynamic groups and security groups, which will be used within Intune for Education. + 13. Click **Next**. - **Figure 4** - Sync options for the new profile + **Figure 4** - Sync options for the new profile - ![Specify sync options for the new SDS profile](images/how-to-deploy-SDS-using-CSV-files-2a.PNG) + ![Specify sync options for the new SDS profile](images/how-to-deploy-SDS-using-CSV-files-2a.PNG) 6. In the **Teacher options** screen: - 1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created. 
- * Primary Key (Source Directory) - This is the Teacher attribute in the CSV file used for SDS Identity Matching. Watch the Identity Matching video for additional information on how to select the appropriate source directory attribute, and properly configure the identity matching settings for teacher. - * Primary Key (Target Directory) - This is the User attribute in Azure AD used for SDS Identity Matching. Watch the Identity Matching video for additional information on how to select the appropriate target directory attribute, and properly configure the identity matching settings for the teacher. - * Domain (optional) - This is an optional domain value that you can add to the selected Source Directory attribute to complete your Teacher Identity Matching. If you need to match to a UserPrincipalName or Mail attribute, you must have a domain included in the string. Your source attribute must either include the domain already or you can append the appropriate domain to the source attribute using this dropdown menu. + 1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created. + * Primary Key (Source Directory) - This is the Teacher attribute in the CSV file used for SDS Identity Matching. Watch the Identity Matching video for additional information on how to select the appropriate source directory attribute, and properly configure the identity matching settings for teacher. + * Primary Key (Target Directory) - This is the User attribute in Azure AD used for SDS Identity Matching. Watch the Identity Matching video for additional information on how to select the appropriate target directory attribute, and properly configure the identity matching settings for the teacher. 
+ * Domain (optional) - This is an optional domain value that you can add to the selected Source Directory attribute to complete your Teacher Identity Matching. If you need to match to a UserPrincipalName or Mail attribute, you must have a domain included in the string. Your source attribute must either include the domain already or you can append the appropriate domain to the source attribute using this dropdown menu. - 2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. + 2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. - 3. In the **License assignment** section, choose the SKU to assign licenses for teachers. + 3. In the **License assignment** section, choose the SKU to assign licenses for teachers. - 4. Click **Next**. + 4. Click **Next**. - **Figure 5** - Specify options for teacher mapping + **Figure 5** - Specify options for teacher mapping - ![Specify options for teacher mapping](images/how-to-deploy-SDS-using-CSV-files-3.PNG) + ![Specify options for teacher mapping](images/how-to-deploy-SDS-using-CSV-files-3.PNG) 7. In the **Student options** screen: - 1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. 
The student will log in to Office 365 with the UserPrincipalName once the account is created. - 2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. - 3. In the **License assignment** section, choose the SKU to assign licenses for students. - 4. Click **Next**. + 1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created. + 2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. + 3. In the **License assignment** section, choose the SKU to assign licenses for students. + 4. Click **Next**. - **Figure 6** - Specify options for student mapping + **Figure 6** - Specify options for student mapping - ![Specify options for student mapping](images/how-to-deploy-SDS-using-CSV-files-4.PNG) + ![Specify options for student mapping](images/how-to-deploy-SDS-using-CSV-files-4.PNG) 8. In the profile **Review** page, review the summary and confirm that the options selected are correct. 9. Click **Create profile**. You will see a notification that your profile is being submitted and then you will see a page for your profile. 
- **Figure 7** - SDS profile page + **Figure 7** - SDS profile page - ![SDS profile page](images/how-to-deploy-SDS-using-CSV-files-5.png) + ![SDS profile page](images/how-to-deploy-SDS-using-CSV-files-5.png) 10. After the profile is created and the status indicates as **Setting up**, refresh the page until you see the status change to **Sync in progress**. Beneath the **Sync in progress** status, you will see which of the 5 sync stages SDS is working on: - * Stage 1 - Validating data - * Stage 2 - Processing schools and sections - * Stage 3 - Processing students and teachers - * Stage 4 - Adding students and teachers into sections - * Stage 5 - Setting up security groups + * Stage 1 - Validating data + * Stage 2 - Processing schools and sections + * Stage 3 - Processing students and teachers + * Stage 4 - Adding students and teachers into sections + * Stage 5 - Setting up security groups - If you don't see a **Sync in progress** status on the sync profile, and receive an error message instead, this indicates that SDS has encountered data issues during the pre-sync validation check and has not started syncing your data. This gives you the opportunity to fix the errors identified by the pre-sync validation checks before continuing. Once you've fixed any errors or if you prefer to continue with the errors and begin syncing your data anyway, click the **Resume sync** button to start the sync process. + If you don't see a **Sync in progress** status on the sync profile, and receive an error message instead, this indicates that SDS has encountered data issues during the pre-sync validation check and has not started syncing your data. This gives you the opportunity to fix the errors identified by the pre-sync validation checks before continuing. Once you've fixed any errors or if you prefer to continue with the errors and begin syncing your data anyway, click the **Resume sync** button to start the sync process. 
- Once you've completed all five sync stages, your profile status will update one final time. + Once you've completed all five sync stages, your profile status will update one final time. * If you haven't encountered any errors, you will see a green check mark which states **Everything is ok**, and the profile status will change to **Sync complete. Ready for more data.** * If SDS encountered sync errors, you will see a red status icon that indicates an error, and a profile status of **Sync complete. Profile contains multiple errors**. Download the available error report to identify and fix your sync errors. Once complete, upload new files as needed and re-sync your data until errors are resolved. - Here are some examples of what the sync status can look like: + Here are some examples of what the sync status can look like: - **Figure 8** - New profile: Sync in progress + **Figure 8** - New profile: Sync in progress - ![Sync in progress for the new profile](images/sds_profile_status_syncinprogress_062317.png) + ![Sync in progress for the new profile](images/sds_profile_status_syncinprogress_062317.png) - **Figure 9** - New profile: Sync complete - no errors + **Figure 9** - New profile: Sync complete - no errors - ![New profile sync complete with no errors](images/sds_profile_status_everythingok_062317.png) + ![New profile sync complete with no errors](images/sds_profile_status_everythingok_062317.png) - **Figure 10** - New profile: Sync complete - with errors + **Figure 10** - New profile: Sync complete - with errors - ![New profile sync complete with errors](images/sds_profile_status_syncerrors_062317.png) + ![New profile sync complete with errors](images/sds_profile_status_syncerrors_062317.png) - Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. 
Two people who start a sync at the same time may not have their syncs complete at the same time. + Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time. - You can refresh the page to confirm that your profile synced successfully. + You can refresh the page to confirm that your profile synced successfully. That's it for importing sample school data using SDS. > [!div class="step-by-step"] -[<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md) -[Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md) +> [<< Set up an Office 365 education tenant](set-up-office365-edu-tenant.md) +> [Configure Microsoft Store for Education >>](configure-microsoft-store-for-education.md) ## Related topic [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index 9d5d36ec6e..b842f7b7e8 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md 
@@ -78,15 +78,15 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse 4. Select the **Immersive Reader** button. - ![Word's Immersive Reader](images/word_online_immersive_reader.png) + ![Word Online's Immersive Reader](images/word_online_immersive_reader.png) 5. Press the **Play** button to hear text read aloud. 6. Select these various settings to see different ways to configure Immersive Reader for your students. - | Text to Speech | Text Preferences | Grammar Options | Line Focus | - | :------------: | :--------------: | :-------------: | :--------: | - | ![Word Text to Speech](images/wordonline_tts.png) | ![Word Text Preferences](images/wordonline_text_preferences.png) | ![Word Grammar Options](images/wordonline_grammar_options.png) | ![Word Line Focus](images/wordonline_line_focus.png) | + | Text to Speech | Text Preferences | Grammar Options | Line Focus | + | :------------: | :--------------: | :-------------: | :--------: | + | ![Word Online Text to Speech](images/wordonline_tts.png) | ![Word Online Text Preferences](images/wordonline_text_preferences.png) | ![Word Online Grammar Options](images/wordonline_grammar_options.png) | ![Word Online Line Focus](images/wordonline_line_focus.png) |

            @@ -133,18 +133,18 @@ When you're not using the pen, just use the magnet to stick it to the left side 2. Take the digital pen out of the box and make notes or draw. 3. Follow the instructions for the project. Look for the **Try this!** callouts to experiment with these engaging activities. - - Discover the power of digital ink by selecting the Draw tab. Choose your pen and get scribbling. + - Discover the power of digital ink by selecting the Draw tab. Choose your pen and get scribbling. - ![OneNote Draw tab](images/onenote_draw.png) + ![OneNote Draw tab](images/onenote_draw.png) - - Type anywhere on the page! Just click your cursor where you want to place text. - - Use the checkmark in the **Home** tab to keep track of completed tasks. + - Type anywhere on the page! Just click your cursor where you want to place text. + - Use the checkmark in the **Home** tab to keep track of completed tasks. - ![OneNote To Do Tag](images/onenote_checkmark.png) + ![OneNote To Do Tag](images/onenote_checkmark.png) - - To find information without leaving OneNote, use the Researcher tool found under the Insert tab. + - To find information without leaving OneNote, use the Researcher tool found under the Insert tab. - ![OneNote Researcher](images/onenote_researcher.png) + ![OneNote Researcher](images/onenote_researcher.png)

            @@ -170,7 +170,7 @@ Use video to create a project summary. 4. In the **Start** menu, search for **Photos** or select the Photos tile to launch the app. 5. Select the first video to preview it full screen. Select **Edit & Create**, then select **Create a video with text**. - 1. If you don't see the **Edit & Create** menu, select the video and the menu will appear at the top of the screen. + 1. If you don't see the **Edit & Create** menu, select the video and the menu will appear at the top of the screen. 6. Name your project “Laser Maze Project.” Hit Enter to continue. 
@@ -178,24 +178,24 @@ Use video to create a project summary. 8. Drag the videos to the Storyboard, one by one. Your project should look roughly like this: - ![Photos app layout showing videos added in previous steps](images/photo_app_1.png) + ![Photos app layout showing videos added in previous steps](images/photo_app_1.png) 9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**. 10. Select the third card in the Storyboard (the video of the children assembling the maze) and select **Trim**. Drag the trim handle on the left to shorten the duration of the clip and select **Done**. 11. Select the last card on the Storyboard and select **3D effects**. - 1. Position the playback indicator to be roughly 1 second into the video clip, or when the boy moves down to examine the laser. - 2. Find the **lightning bolt** effect and click or drag to add it to the scene. Rotate, scale, and position the effect so it looks like the lightning is coming out of the laser beam and hitting the black back of the mirror. - 3. Position the blue anchor over the end of the laser pointer in the video and toggle on **Attach to a point** for the lightning bolt effect to anchor the effect in the scene. - 4. Play back your effect. - 5. Select **Done** when you have it where you want it. + 1. Position the playback indicator to be roughly 1 second into the video clip, or when the boy moves down to examine the laser. + 2. Find the **lightning bolt** effect and click or drag to add it to the scene. Rotate, scale, and position the effect so it looks like the lightning is coming out of the laser beam and hitting the black back of the mirror. + 3. Position the blue anchor over the end of the laser pointer in the video and toggle on **Attach to a point** for the lightning bolt effect to anchor the effect in the scene. + 4. Play back your effect. + 5. 
Select **Done** when you have it where you want it. - ![Lighting bolt effect being added to a video clip](images/photo_app_2.png) + ![Lighting bolt effect being added to a video clip](images/photo_app_2.png) 12. Select **Music** and select a track from the **Recommended** music collection. - 1. The music will update automatically to match the length of your video project, even as you make changes. - 2. If you don’t see more than a few music options, confirm that you’re connected to Wi-Fi and then close and re-open Microsoft Photos (returning to your project via the **Albums** tab). Additional music files should download in the background. + 1. The music will update automatically to match the length of your video project, even as you make changes. + 2. If you don’t see more than a few music options, confirm that you’re connected to Wi-Fi and then close and re-open Microsoft Photos (returning to your project via the **Albums** tab). Additional music files should download in the background. 13. You can adjust the volume for the background music using the **Music volume** button. @@ -226,7 +226,7 @@ Today, we'll explore a Minecraft world through the eyes of a student. 3. Scroll down to the **Details** section and select **Download World**. - ![Select the download world link](images/mcee_downloadworld.png) + ![Select the download world link](images/mcee_downloadworld.png) 4. When prompted, save the world. 
@@ -239,28 +239,28 @@ Today, we'll explore a Minecraft world through the eyes of a student. 8. Click **Lesson Hub Vol 1** to enter the downloaded world. 9. Explore the world by using the keys on your keyboard. - * **W** moves forward. - * **A** moves left. - * **S** moves right. - * **D** moves backward. + * **W** moves forward. + * **A** moves left. + * **S** moves right. + * **D** moves backward. 10. Use your mouse as your "eyes". Just move it to look around. 11. For a bird's eye view, double-tap the SPACE BAR. Now press the SPACE BAR to fly higher. And then hold the SHIFT key to safely land. - To try more advanced movements or building within Minecraft, use the Minecraft Controls Diagram. + To try more advanced movements or building within Minecraft, use the Minecraft Controls Diagram. - ![Minecraft mouse and keyboard controls](images/mcee_keyboard_mouse_controls.png) + ![Minecraft mouse and keyboard controls](images/mcee_keyboard_mouse_controls.png) 12. Access and adapt over 300 lesson plans, spanning all grades and subjects, to meet your needs. Enjoy exploring new worlds and happy crafting. - **Try this!** + **Try this!** - 1. Go to education.minecraft.net/. - 2. Click **Class Resources**. - 3. Click **Find a Lesson**. + 1. Go to education.minecraft.net/. + 2. Click **Class Resources**. + 3. Click **Find a Lesson**. - ![Access and adapt over 300 Minecraft lesson plans](images/minecraft_lesson_plans.png) + ![Access and adapt over 300 Minecraft lesson plans](images/minecraft_lesson_plans.png)

            @@ -275,15 +275,15 @@ The **Math Assistant** and **Ink Replay** features available in the OneNote app To get started: 1. Open the OneNote app for Windows 10 (not OneNote 2016). - ![OneNote icon](images/OneNote_logo.png) + ![OneNote icon](images/OneNote_logo.png) 2. In the top left corner, click on the **<** arrow to access your notebooks and pages. - ![OneNote back arrow navigation button](images/left_arrow.png) + ![OneNote back arrow navigation button](images/left_arrow.png) 3. Click **Add Page** to launch a blank work space. - ![Select add page button](images/plus-page.png) + ![Select add page button](images/plus-page.png) 4. Make sure your pen is paired to the device. To pair, see Connect to Bluetooth devices. 
@@ -292,30 +292,30 @@ To solve the equation 3x+4=7, follow these instructions: 2. If you wrote the equation using digital ink, use the **Lasso tool** to circle the equation. If you typed the equation, highlight it using your mouse. - ![Lasso button](images/lasso.png) + ![Lasso button](images/lasso.png) 3. On the **Draw** tab, click the **Math** button. - ![Math button](images/math-button.png) + ![Math button](images/math-button.png) 4. From the drop-down menu in the **Math** pane, select the option to **Solve for x**. You can now see the final solution of the equation. - ![Solve for x menu](images/solve-for-x.png) + ![Solve for x menu](images/solve-for-x.png) 5. From the second drop-down below, choose **Steps for Solving Linear Formula**, which shows you the step-by-step solution of this equation. 6. On the **View** tab, click the **Replay** button. Use your mouse to select the written equation and watch your text in replay. Replay is great for students to review how the teacher solved the equation and for teachers to review how students approached a problem. - ![Replay button](images/replay.png) + ![Replay button](images/replay.png) To graph the equation 3x+4=7, follow these instructions: 1. From the drop-down menu in the **Math** pane, select the option to **Graph Both Sides in 2D**. You can play with the interactive graph of your equation - use a single finger to move the graph position or two fingers to change the **zoom** level. - ![Graph both sides in 2D](images/graph-for-x.png) + ![Graph both sides in 2D](images/graph-for-x.png) 2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page. -
            -
            +
            +
            **Watch what Educators say about Microsoft Education delivering better learning outcomes** Bring out the best in students by providing a platform for collaborating, exploring, personalized learning, and getting things done across all devices. diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index 3d8864eb0b..253c4ded12 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -32,7 +32,7 @@ manager: dansimp | | |
            -To get the most out of Microsoft Education, we've pre-configured your tenant for you so you don't need to set it up. A tenant is representative of an organization. It is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, or Office 365. We've also pre-populated the tenant with fictitious Student Information System (SIS) data so you can work with this as you follow the guide. +To get the most out of Microsoft Education, we've pre-configured your tenant for you so you don't need to set it up. A tenant is representative of an organization. It is a dedicated instance of the Azure AD service that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, or Office 365. We've also pre-populated the tenant with fictitious Student Information System (SIS) data so you can work with this as you follow the guide. If you run into any problems while following the steps in this guide, or you have questions about Trial in a Box or Microsoft Education, see [Microsoft Education Trial in a Box Support](support-options.md). 
@@ -97,26 +97,26 @@ If you've previously used Set up School PCs to provision student devices, you ca ![Configure student PC settings](images/suspc_configure_pcsettings_selected.png) - - **Remove apps pre-installed by the device manufacturer** - If you select this option, this will reset the machine and the provisioning process will take longer (about 30 minutes). - - **Allow local storage (not recommended for shared devices)** lets students save files to the **Desktop** and **Documents** folder on the student PC. - - **Optimize device for a single student, instead of a shared cart or lab** optimizes the device for use by a single student (1:1). - - Set up School PCs will change some account management logic so that it sets the expiration time for an account to 180 days (without requiring sign-in). - - This setting also increases the maximum storage to 100% of the available disk space. This prevents the student's account from being erased if the student stores a lot of files or data or if the student doesn't use the PC over a prolonged period. - - **Let guests sign-in to these PCs** allows guests to use student PCs without a school account. If you select this option, a **Guest** account button will be added in the PC's sign-in screen to allow anyone to use the PC. - - **Enable Windows 10 Autopilot Reset** enables IT admins to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment the student PC is returned to a fully configured or known approved state. For more info, see [Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). - - **Lock screen background** shows the default backgroudn used for student PCs provisioned by Set up School PCs. Select **Browse** to change the default. 
+ - **Remove apps pre-installed by the device manufacturer** - If you select this option, this will reset the machine and the provisioning process will take longer (about 30 minutes). + - **Allow local storage (not recommended for shared devices)** lets students save files to the **Desktop** and **Documents** folder on the student PC. + - **Optimize device for a single student, instead of a shared cart or lab** optimizes the device for use by a single student (1:1). + - Set up School PCs will change some account management logic so that it sets the expiration time for an account to 180 days (without requiring sign-in). + - This setting also increases the maximum storage to 100% of the available disk space. This prevents the student's account from being erased if the student stores a lot of files or data or if the student doesn't use the PC over a prolonged period. + - **Let guests sign-in to these PCs** allows guests to use student PCs without a school account. If you select this option, a **Guest** account button will be added in the PC's sign-in screen to allow anyone to use the PC. + - **Enable Windows 10 Autopilot Reset** enables IT admins to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment the student PC is returned to a fully configured or known approved state. For more info, see [Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). + - **Lock screen background** shows the default backgroudn used for student PCs provisioned by Set up School PCs. Select **Browse** to change the default. 7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test. ![Configure the Take a Test app](images/suspc_takeatest.png) - 1. 
Specify if you want to create a Take a Test button on the students' sign-in screens. - 2. Select **Advanced settings** to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. + 1. Specify if you want to create a Take a Test button on the students' sign-in screens. + 2. Select **Advanced settings** to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. - > [!NOTE] - > The Take a Test app doesn't provide monitoring capabilities, but it allows tools like AssistX ClassPolicy to see what is going on in the app. + > [!NOTE] + > The Take a Test app doesn't provide monitoring capabilities, but it allows tools like AssistX ClassPolicy to see what is going on in the app. - 3. Enter the assessment URL. + 3. Enter the assessment URL. 8. **Add recommended apps** lets you choose from a set of recommended Microsoft Store apps to provision. diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md index 20bbe1c2a3..80fd5383f3 100644 --- a/education/trial-in-a-box/support-options.md +++ b/education/trial-in-a-box/support-options.md @@ -35,10 +35,10 @@ For more information about checking for updates, and how to optionally turn on a 2. In the admin center dashboard, select your profile on the upper righthand corner and select **My account** from the options. 3. Select **Personal info** and then edit **Contact details** to update your phone, primary email address, and alternate email address. - > [!NOTE] - > For the alternate email address, make sure you use a different address from your Office 365 email address. + > [!NOTE] + > For the alternate email address, make sure you use a different address from your Office 365 email address. - ![Complete your contact details](images/o365_adminaccountinfo.png) + ![Complete your contact details](images/o365_adminaccountinfo.png) 4. Click **Save**. 
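Review bot: the `+` line for **Lock screen background** in the use-set-up-school-pcs-app.md @@ -97 hunk carries the typo "backgroudn" over from the `-` line; since that line is already being rewritten, make it "background". In the same hunk, the **Enable Windows 10 Autopilot Reset** bullet reads "...and apply original settings and management enrollment the student PC is returned to a fully configured or known approved state", which is missing a connective; "...and management enrollment so that the student PC is returned to..." reads correctly. "Let guests sign-in to these PCs" uses the noun form where a verb is needed; it should be "sign in".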
@@ -46,15 +46,15 @@ For more information about checking for updates, and how to optionally turn on a 1. Click the **Need help?** button in the lower right-hand corner of the Office 365 console. - ![Select Need help to get support](images/o365_needhelp.png) + ![Select Need help to get support](images/o365_needhelp.png) - You will see a sidebar window open up on the right-hand side of the screen. + You will see a sidebar window open up on the right-hand side of the screen. - ![Option to have a support representative call you](images/o365_needhelp_callingoption.png) + ![Option to have a support representative call you](images/o365_needhelp_callingoption.png) - If you chose to have a support representative call you, a new support ticket will be opened and you can track these in **Support tickets**. + If you chose to have a support representative call you, a new support ticket will be opened and you can track these in **Support tickets**. - ![Track your support tickets](images/o365_needhelp_supporttickets.png) + ![Track your support tickets](images/o365_needhelp_supporttickets.png) 2. Click the **question button** ![Question button](images/o365_needhelp_questionbutton.png) in the top navigation of the sidebar window. 3. In the field below **Need help?**, enter a description of your help request. @@ -69,7 +69,7 @@ Forget your password? Follow these steps to recover it. 1. Go to https://portal.office.com 2. Select **Can't access your account** and follow the prompts to get back into your account. - ![Recover your account](images/officeportal_cantaccessaccount.png) + ![Recover your account](images/officeportal_cantaccessaccount.png) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index d190cfc2e9..92f671930d 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md 
@@ -51,12 +51,12 @@ You can set the policy using one of these methods: - Set up School PCs app Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: - - Reach out to your device manufacturer. - - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version. - - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709. + - Reach out to your device manufacturer. + - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version. + - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709. To use the Autopilot Reset setting in the Set up School PCs app: - * When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example: + - When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example: ![Configure student PC settings in Set up School PCs](images/suspc_configure_pc2.jpg) 
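Review bot: the autopilot-reset.md @@ -51 hunk switches the nested bullet from `*` to `-`, but the configure-windows-for-education.md @@ -48 hunk in this same patch keeps `*` for its nested bullets; settle on one marker for the PR so the whitespace cleanup does not leave a mixed list style behind. While the "Log into the PCs" line is being touched, it could match the "Sign in with the admin account credentials" wording used in the @@ -70 hunk of the same file.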
@@ -70,10 +70,10 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) This will open up a custom login screen for Autopilot Reset. The screen serves two purposes: - 1. Confirm/verify that the end user has the right to trigger Autopilot Reset - 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. + 1. Confirm/verify that the end user has the right to trigger Autopilot Reset + 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. - ![Custom login screen for Autopilot Reset](images/autopilot-reset-customlogin.png) + ![Custom login screen for Autopilot Reset](images/autopilot-reset-customlogin.png) 2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset. diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index 3a091a05ba..da30be64ef 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md 
@@ -101,8 +101,8 @@ When you change to Windows 10 Pro Education, you get the following benefits: - **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S mode, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). - **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. - **Roll back options to Windows 10 Pro** - - When a user leaves the domain or you turn off the setting to automatically change to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). - - For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. + - When a user leaves the domain or you turn off the setting to automatically change to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). + - For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro) for more info. 
@@ -114,7 +114,7 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your work or school account. - If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use. + If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use. 2. Click **Manage** from the top menu and then select the **Benefits tile**. 3. In the **Benefits** tile, look for the **Change to Windows 10 Pro Education for free** link and then click it. diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index a155dc3bdb..9769d7a3bf 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -43,7 +43,7 @@ Before you can do any analysis or make decisions about which apps to migrate or > [!NOTE] > The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. -  + You can divide the apps into the following categories: @@ -83,7 +83,7 @@ Table 1. Google App replacements | Chrome | Microsoft Edge | | Google Drive | Microsoft OneDrive for Business | -  + It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. @@ -164,7 +164,7 @@ Table 2. Settings in the Device Management node in the Google Admin Console

            These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

            • User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

            • -
            • Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.

            • +
            • Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.

            • Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

            • Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.

            • App Management. Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.

            • @@ -173,7 +173,7 @@ Table 2. Settings in the Device Management node in the Google Admin Console -  + Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. @@ -215,7 +215,7 @@ Table 3. Settings in the Security node in the Google Admin Console -  + **Identify locally-configured settings to migrate** @@ -248,7 +248,7 @@ Table 4. Locally-configured settings | Powerwash | This action removes all user accounts and resets the Chromebook device back to factory settings. You don’t have to migrate any settings in this section. | | Reset settings | This action retains all user accounts, but restores all settings back to their default values. You don’t have to migrate any settings in this section. | -  + Determine how many users have similar settings and then consider managing those settings centrally. For example, a large number of users may have many of the same Chrome web browser settings. You can centrally manage these settings in Windows after migration. @@ -483,7 +483,7 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid -  + ### @@ -603,7 +603,7 @@ Table 6. Device, user, and app management products and technologies -  + You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. @@ -680,21 +680,21 @@ Table 7. Network infrastructure products and technologies and deployment resourc DHCP DNS -  + If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section. 
@@ -722,22 +722,22 @@ Table 8. AD DS, Azure AD and deployment resources AD DS Azure AD -  + If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps. @@ -765,44 +765,44 @@ Table 9. Management systems and deployment resources Windows provisioning packages Group Policy Configuration Manager Intune MDT -  + If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. @@ -830,29 +830,29 @@ Table 10. Management systems and app deployment resources Group Policy Configuration Manager Intune -  + If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. @@ -958,9 +958,9 @@ After you complete these steps, your management system should take over the day- [Try it out: Windows 10 in the classroom](https://go.microsoft.com/fwlink/p/?LinkId=623255) -  + -  + diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index dd40da27e0..1cb747217a 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md 
@@ -48,16 +48,16 @@ It is easy to be education ready when using Microsoft products. We recommend the You can [sign up to learn more about Intune for Education](https://info.microsoft.com/US-WNDWS-CNTNT-FY17-01Jan-17-IntuneforEducationlandingpageandnurture292531_01Registration-ForminBody.html). 3. On PCs running Windows 10, version 1703: - 1. Provision the PC using one of these methods: - * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - This will automatically set both **SetEduPolicies** to True and **AllowCortana** to False. - * [Provision PCs with a custom package created with Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False. - 2. Join the PC to Azure Active Directory. - * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Azure AD. - * Manually Azure AD join the PC during the Windows device setup experience. - 3. Enroll the PCs in MDM. - * If you have activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. - 4. Ensure that needed assistive technology apps can be used. - * If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. + 1. 
Provision the PC using one of these methods: + * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - This will automatically set both **SetEduPolicies** to True and **AllowCortana** to False. + * [Provision PCs with a custom package created with Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False. + 2. Join the PC to Azure Active Directory. + * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Azure AD. + * Manually Azure AD join the PC during the Windows device setup experience. + 3. Enroll the PCs in MDM. + * If you have activated Intune for Education in your Azure AD tenant, enrollment will happen automatically when the PC is joined to Azure AD. Intune for Education will automatically set **SetEduPolicies** to True and **AllowCortana** to False. + 4. Ensure that needed assistive technology apps can be used. + * If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. 4. Distribute the PCs to students. 
@@ -87,14 +87,14 @@ Use one of these methods to set this policy. ### MDM - Intune for Education automatically sets this policy in the **All devices** group policy configuration. - If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. - - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. + - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - For example, in Intune, create a new configuration policy and add an OMA-URI. - - OMA-URI: ./Vendor/MSFT/Policy/Config/Experience/AllowCortana - - Data type: Integer - - Value: 0 + For example, in Intune, create a new configuration policy and add an OMA-URI. + - OMA-URI: ./Vendor/MSFT/Policy/Config/Experience/AllowCortana + - Data type: Integer + - Value: 0 - ![Create an OMA URI for AllowCortana](images/allowcortana_omauri.png) + ![Create an OMA URI for AllowCortana](images/allowcortana_omauri.png) ### Group Policy Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**. 
@@ -116,14 +116,14 @@ Use one of these methods to set this policy. ### MDM - Intune for Education automatically sets this policy in the **All devices** group policy configuration. - If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. - - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. + - If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - For example, in Intune, create a new configuration policy and add an OMA-URI. - - OMA-URI: ./Vendor/MSFT/SharedPC/SetEduPolicies - - Data type: Boolean - - Value: true + For example, in Intune, create a new configuration policy and add an OMA-URI. + - OMA-URI: ./Vendor/MSFT/SharedPC/SetEduPolicies + - Data type: Boolean + - Value: true - ![Create an OMA URI for SetEduPolices](images/setedupolicies_omauri.png) + ![Create an OMA URI for SetEduPolices](images/setedupolicies_omauri.png) ### Group Policy **SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224(v=vs.85).aspx) to set the policy in [MDM SharedPC](https://msdn.microsoft.com/library/windows/desktop/mt779129(v=vs.85).aspx). diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 9807b6583b..4b3c170a20 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md 
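Review bot: the image alt text in the `+` line of the configure-windows-for-education.md @@ -116 hunk still reads "SetEduPolices"; since the line is being re-indented anyway, correct it to "SetEduPolicies" so it matches the policy name used in the OMA-URI line (./Vendor/MSFT/SharedPC/SetEduPolicies) and everywhere else in the hunk.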
@@ -596,8 +596,8 @@ To create a new Office 365 Education subscription for use in the classroom, use #### To create a new Office 365 subscription 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - >**Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods: -
              • In Microsoft Edge, open the Microsoft Edge app (press Ctrl+Shift+P, or click or tap **More actions**), and then click or tap **New InPrivate window**.
              • In Internet Explorer 11, open Internet Explorer 11 (press Ctrl+Shift+P, or click or tap **Settings**), click or tap **Safety**, and then click or tap **InPrivate Browsing**.
              + > **Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods: + >
              • In Microsoft Edge, open the Microsoft Edge app (press Ctrl+Shift+P, or click or tap More actions), and then click or tap New InPrivate window.
              • In Internet Explorer 11, open Internet Explorer 11 (press Ctrl+Shift+P, or click or tap Settings), click or tap Safety, and then click or tap InPrivate Browsing.
              2. On the **Get started** page, in **Enter your school email address**, type your school email address, and then click **Sign up**. @@ -1102,30 +1102,30 @@ The first step in preparing for Windows 10 deployment is to configure—that is, 1. Import operating systems -Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench). +Import the operating systems that you selected in the Select the operating systems section into the deployment share. For more information about how to import operating systems, see Import an Operating System into the Deployment Workbench. 2. Import device drivers Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

              -Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). +Import device drivers for each device in your institution. For more information about how to import device drivers, see Import Device Drivers into the Deployment Workbench. 3. Create MDT applications for Microsoft Store apps -Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.

              +Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

              Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files by performing one of the following tasks:

              • For offline-licensed apps, download the .appx files from the Microsoft Store for Business.
              • For apps that are not offline licensed, obtain the .appx files from the app software vendor directly.

              If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

              -If you have Intune or System Center Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using System Center Configuration Manager](#deploy-and-manage-apps-by-using-system-center-configuration-manager) sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

              +If you have Intune or System Center Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune and Deploy and manage apps by using System Center Configuration Manager sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

              In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:

                -
              • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](https://technet.microsoft.com/windows/jj874388.aspx).
              • -
              • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
              • +
              • Prepare your environment for sideloading, see Try it out: sideload Microsoft Store apps.
              • +
              • Create an MDT application, see Create a New Application in the Deployment Workbench.
              @@ -1134,10 +1134,10 @@ In addition, you must prepare your environment for sideloading Microsoft Store a 4. Create MDT applications for Windows desktop apps You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

              -To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/library/jj219423.aspx).

              -If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps. +To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool.

              +If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

              -**Note**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) section. +Note  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section. For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx). @@ -1153,7 +1153,7 @@ For more information about how to create an MDT application for Window desktop a
            • Upgrade existing devices to 64-bit Windows 10 Education.
            • Upgrade existing devices to 32-bit Windows 10 Education.
            -
            Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). +
            Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see Create a New Task Sequence in the Deployment Workbench. @@ -1161,7 +1161,7 @@ For more information about how to create an MDT application for Window desktop a 6. Update the deployment share Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

            -For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). +For more information about how to update a deployment share, see Update a Deployment Share in the Deployment Workbench. @@ -1338,7 +1338,7 @@ For more information about how to create a task sequence in the: * Deployment Workbench for a deployment share, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). * Configuration Manager console, see [Create a task sequence to install an operating system in System Center Configuration Manager](https://technet.microsoft.com/library/mt627927.aspx). -####Summary +#### Summary In this section, you customized the MDT deployment share to deploy Windows 10 and desktop apps to one or more reference devices by creating and customizing MDT applications, device drivers, and applications. Next, you ran the task sequence, which deploys Windows 10, deploys your apps, deploys the appropriate device drivers, and captures an image of the reference device. Then, you imported the captured reference image into a deployment share or System Center Configuration Manager. Finally, you created a task sequence to deploy your captured reference image to faculty and student devices. At this point in the process, you’re ready to deploy Windows 10 and your apps to your devices. ## Prepare for device management 
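Review bot: the `+` lines in these three hunks (the Intune note, the task-sequence paragraph and the step 6 deployment-share paragraph) delete the link targets instead of converting them, so `[Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune)`, `[Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench)` and the Update a Deployment Share link become bare titles the reader cannot follow. If the reason for dropping them is that markdown links and `**Note**` bold are not rendering in this context, keep the targets as `<a href="https://technet.microsoft.com/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench">Update a Deployment Share in the Deployment Workbench</a>` and `<strong>Note</strong>` rather than removing them. The `####Summary` to `#### Summary` change is correct, since a heading marker needs the space to render. Nit in the unchanged context: "Window desktop apps" should read "Windows desktop apps".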
@@ -1384,8 +1384,8 @@ Use the information in Table 17 to help you determine whether you need to config Restrict the local administrator accounts on the devices Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

            -**Group Policy.** Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.

            -**Intune.** Not available. +Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.

            +Intune. Not available. @@ -1393,8 +1393,8 @@ Use the information in Table 17 to help you determine whether you need to config Manage the built-in administrator account created during device deployment When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.

            -**Group Policy.** To rename the built-in Administrator account, use the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/library/cc747484.aspx). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/library/jj852165.aspx).

            -**Intune.** Not available. +Group Policy. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group Policy setting. For more information about how to rename the built-in Administrator account, see To rename the Administrator account using the Group Policy Management Console. You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group Policy setting. For more information about how to disable the built-in Administrator account, see Accounts: Administrator account status.

            +Intune. Not available. @@ -1402,8 +1402,8 @@ Use the information in Table 17 to help you determine whether you need to config Control Microsoft Store access You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.

            -**Group Policy.** To disable the Microsoft Store app, use the **Turn off the Store Application** group policy setting. To prevent Microsoft Store apps from receiving updates, use the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](https://technet.microsoft.com/library/hh832040.aspx#BKMK_UseGP).

            -**Intune.** To enable or disable Microsoft Store access, use the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration policy**. +Group Policy. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?.

            +Intune. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy. @@ -1411,8 +1411,8 @@ Use the information in Table 17 to help you determine whether you need to config Use of Remote Desktop connections to devices Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

            -**Group Policy.** To enable or disable Remote Desktop connections to devices, use the **Allow Users to connect remotely using Remote Desktop** setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

            -**Intune.** Not available. +Group Policy. To enable or disable Remote Desktop connections to devices, use the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

            +Intune. Not available. @@ -1421,8 +1421,8 @@ Use the information in Table 17 to help you determine whether you need to config Use of camera A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

            -**Group Policy.** Not available.

            -**Intune.** To enable or disable the camera, use the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. +Group Policy. Not available.

            +Intune. To enable or disable the camera, use the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy. @@ -1430,8 +1430,8 @@ Use the information in Table 17 to help you determine whether you need to config Use of audio recording Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

            -**Group Policy.** To disable the Sound Recorder app, use the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](https://technet.microsoft.com/library/ee791894.aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/library/ee791899.aspx).

            -**Intune.** To enable or disable audio recording, use the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. +Group Policy. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in Editing an AppLocker Policy and Create Your AppLocker Policies.

            +Intune. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy. @@ -1439,8 +1439,8 @@ Use the information in Table 17 to help you determine whether you need to config Use of screen capture Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

            -**Group Policy.** Not available.

            -**Intune.** To enable or disable screen capture, use the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy. +Group Policy. Not available.

            +Intune. To enable or disable screen capture, use the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy. @@ -1448,8 +1448,8 @@ Use the information in Table 17 to help you determine whether you need to config Use of location services Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

            -**Group Policy.** To enable or disable location services, use the **Turn off location** group policy setting in User Configuration\Windows Components\Location and Sensors.

            -**Intune.** To enable or disable location services, use the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. +Group Policy. To enable or disable location services, use the Turn off location group policy setting in User Configuration\Windows Components\Location and Sensors.

            +Intune. To enable or disable location services, use the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy. @@ -1457,8 +1457,8 @@ Use the information in Table 17 to help you determine whether you need to config Changing wallpaper Custom wallpapers can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on institution-owned devices.

            -**Group Policy.** To configure the wallpaper, use the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.

            -**Intune.** Not available. +Group Policy. To configure the wallpaper, use the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.

            +Intune. Not available. @@ -1466,7 +1466,7 @@ Use the information in Table 17 to help you determine whether you need to config
            -*Table 17. Recommended settings for educational institutions* +Table 17. Recommended settings for educational institutions ### Configure settings by using Group Policy @@ -1659,10 +1659,10 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour Verify that Windows Update is active and current with operating system and software updates.

            For more information about completing this task when you have:
              -
            • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
            • -
            • Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
            • -
            • WSUS, see [Windows Server Update Services](https://msdn.microsoft.com/library/bb332157.aspx).
            • -
            • Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in [Windows 10 help](https://support.microsoft.com/products/windows?os=windows-10).
            • +
            • Intune, see Keep Windows PCs up to date with software updates in Microsoft Intune.
            • +
            • Group Policy, see Windows Update for Business.
            • +
            • WSUS, see Windows Server Update Services.
            • +
            • Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in Windows 10 help.
            x @@ -1672,7 +1672,7 @@ For more information about completing this task when you have: Verify that Windows Defender is active and current with malware Security intelligence.

            -For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02) and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03). +For more information about completing this task, see Turn Windows Defender on or off and Updating Windows Defender. x x @@ -1681,7 +1681,7 @@ For more information about completing this task, see [Turn Windows Defender on o Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

            -For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses). +For more information about completing this task, see the “How do I find and remove a virus?” topic in Protect my PC from viruses. x x @@ -1692,8 +1692,8 @@ For more information about completing this task, see the “How do I find and re Download and approve updates for Windows 10, apps, device driver, and other software.

            For more information, see: x @@ -1703,7 +1703,7 @@ For more information, see: Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

            -For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing). +For more information about Windows 10 servicing options for updates and upgrades, see Windows 10 servicing options. x @@ -1714,9 +1714,9 @@ For more information about Windows 10 servicing options for updates and upgrades Refresh the operating system and apps on devices.

            For more information about completing this task, see the following resources: @@ -1728,8 +1728,8 @@ For more information about completing this task, see the following resources: Install any new Windows desktop apps, or update any Windows desktop apps used in the curriculum.

            For more information, see: @@ -1742,8 +1742,8 @@ For more information, see: Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.

            You can also deploy Microsoft Store apps directly to devices by using Intune, System Center Configuration Manager, or both in a hybrid configuration. For more information, see: @@ -1755,8 +1755,8 @@ You can also deploy Microsoft Store apps directly to devices by using Intune, Sy Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).

            For more information about how to:
              -
            • Remove unnecessary user accounts, see [Active Directory Administrative Center](https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/adac/active-directory-administrative-center).
            • -
            • Remove licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
            • +
            • Remove unnecessary user accounts, see Active Directory Administrative Center.
            • +
            • Remove licenses, see Assign or remove licenses for Office 365 for business.
            @@ -1769,8 +1769,8 @@ For more information about how to: Add new accounts (and corresponding licenses) to AD DS (if you have an on-premises AD DS infrastructure).

            For more information about how to:
              -
            • Add user accounts, see [Bulk-import user and group accounts into AD DS](#bulk-import-user-and-group-accounts-into-ad-ds).
            • -
            • Assign licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
            • +
            • Add user accounts, see Bulk-import user and group accounts into AD DS.
            • +
            • Assign licenses, see Assign or remove licenses for Office 365 for business.
            @@ -1782,8 +1782,8 @@ For more information about how to: Remove unnecessary user accounts (and corresponding licenses) from Office 365 (if you do not have an on-premises AD DS infrastructure).

            For more information about how to:
              -
            • Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e).
            • -
            • Remove licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
            • +
            • Remove unnecessary user accounts, see Delete or restore users.
            • +
            • Remove licenses, see Assign or remove licenses for Office 365 for business.
            @@ -1795,8 +1795,8 @@ For more information about how to: Add new accounts (and corresponding licenses) to Office 365 (if you don’t have an on-premises AD DS infrastructure).

            For more information about how to:
              -
            • Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
            • -
            • Assign licenses, see [Assign or remove licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-remove-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
            • +
            • Add user accounts, see Add users to Office 365 for business and Add users individually or in bulk to Office 365.
            • +
            • Assign licenses, see Assign or remove licenses for Office 365 for business.
            @@ -1808,8 +1808,8 @@ For more information about how to: Create or modify security groups, and manage group membership in Office 365.

            For more information about how to:
              -
            • Create or modify security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
            • -
            • Manage group membership, see [Manage Group membership in the Office 365 admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).
            • +
            • Create or modify security groups, see Create an Office 365 Group in the admin center.
            • +
            • Manage group membership, see Manage Group membership in the Office 365 admin center.
            @@ -1819,7 +1819,7 @@ For more information about how to: Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

            -For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Create and manage distribution groups](https://technet.microsoft.com/library/bb124513.aspx) and [Create, edit, or delete a security group](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB). +For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see Create and manage distribution groups and Create, edit, or delete a security group. x @@ -1828,7 +1828,7 @@ For more information about how to create or modify Exchange Online or Exchange S Install new student devices.

            -Follow the same steps you followed in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. +Follow the same steps you followed in the Deploy Windows 10 to devices section. diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index 710b04792f..db25071667 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -176,7 +176,7 @@ Complete the following steps to select the appropriate Office 365 Education lice
          • Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 1 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.

          • -*Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans* +Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans
            @@ -200,7 +200,7 @@ Complete the following steps to select the appropriate Office 365 Education lice
            The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
            -
          • Determine whether students or faculty need Azure Rights Management.
            You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management](https://technet.microsoft.com/library/jj585024.aspx).
          • +
          • Determine whether students or faculty need Azure Rights Management.
            You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see Azure Rights Management.
          • Record the Office 365 Education license plans needed for the classroom in Table 2.

            *Table 2. Office 365 Education license plans needed for the classroom* @@ -224,7 +224,7 @@ The best user experience is to run Office 365 ProPlus or use native Office apps

          • -You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide. +You will use the Office 365 Education license plan information you record in Table 2 in the Create user accounts in Office 365 section of this guide. ### Create a new Office 365 Education subscription 
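Review bot: the Azure Rights Management hunk removes the paragraph's only link, `[Azure Rights Management](https://technet.microsoft.com/library/jj585024.aspx)`, and the @@ -224 hunk removes the in-page anchor `[Create user accounts in Office 365](#create-user-accounts-in-office-365)`; in both cases the `-` and `+` text is otherwise identical, so the change is a pure loss of navigation and the target should be kept (as markdown if it renders here, otherwise as an `<a href>`). The Table 1 caption change from `*Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans*` to plain text also makes captions inconsistent within this file: the unchanged `*Table 2. Office 365 Education license plans needed for the classroom*` a few lines later, and the Table 3, 4 and 5 captions below, keep their italics. Either convert every caption or leave Table 1 italic.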
@@ -235,11 +235,11 @@ To create a new Office 365 Education subscription for use in the classroom, use #### To create a new Office 365 subscription 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - + **Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following: - - Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**. - - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**. - + - Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**. + - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**. + 2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account. 3. Click the hyperlink in the email in your school email account. 4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription. 
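Review bot: this hunk changes only whitespace in the **Note** block and the two InPrivate sub-bullets nested under step 1; confirm the resulting indentation keeps the Note and the `- Microsoft Edge ...` / `- Internet Explorer 11 ...` items inside list item 1, otherwise the numbered list can break before step 2. Nothing else in the block (the `https://portal.office.com/start?sku=faculty` URL, the Ctrl+Shift+P shortcuts) changed.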
@@ -277,12 +277,13 @@ All new Office 365 Education subscriptions have automatic tenant join enabled by *Table 3. Windows PowerShell commands to enable or disable Automatic Tenant Join* -| Action | Windows PowerShell command | -|------- |----------------------------| -| Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true`| -| Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false`| +| Action | Windows PowerShell command | +|---------|-----------------------------------------------------------| +| Enable | `Set-MsolCompanySettings -AllowEmailVerifiedUsers $true` | +| Disable | `Set-MsolCompanySettings -AllowEmailVerifiedUsers $false` | +

            -**Note**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. +Note  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. ### Disable automatic licensing @@ -294,10 +295,12 @@ Although all new Office 365 Education subscriptions have automatic licensing ena *Table 4. Windows PowerShell commands to enable or disable automatic licensing* -| Action | Windows PowerShell command| -| -------| --------------------------| -| Enable |`Set-MsolCompanySettings -AllowAdHocSubscriptions $true`| -|Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false`| + +| Action | Windows PowerShell command | +|---------|-----------------------------------------------------------| +| Enable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $true` | +| Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false` | +

            ### Enable Azure AD Premium @@ -380,15 +383,15 @@ You can deploy the Azure AD Connect tool by using one of the following methods: - **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. - ![fig 6](images/deploy-win-10-school-figure6.png) + ![fig 6](images/deploy-win-10-school-figure6.png) - *Figure 6. Azure AD Connect on premises* + *Figure 6. Azure AD Connect on premises* - **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. - ![fig 7](images/deploy-win-10-school-figure7.png) + ![fig 7](images/deploy-win-10-school-figure7.png) - *Figure 7. Azure AD Connect in Azure* + *Figure 7. Azure AD Connect in Azure* This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/library/dn635310.aspx). 
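Review bot: the `-**Note**  If your institution has AD DS...` to `+Note  If your institution has AD DS...` change drops the bold from a plain markdown paragraph, which is inconsistent with the `**Note**` left unchanged in the @@ -235 hunk of the same file; keep `**Note**` here. The Table 3 and Table 4 rewrites are fine: the columns are aligned, and the added blank line after Table 3 and before Table 4 keeps each table from fusing with the adjacent Note paragraph or caption, which most markdown renderers need for the `Set-MsolCompanySettings` rows to render as a table. The @@ -380 hunk is whitespace-only for the two figure images and captions nested under the `- **On premises.**` and `- **In Azure**.` bullets; confirm the new indentation matches the bullet content so `![fig 6](images/deploy-win-10-school-figure6.png)` and `*Figure 6. Azure AD Connect on premises*` still render inside the list item.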
@@ -439,11 +442,13 @@ Several methods are available to bulk-import user accounts into AD DS domains. T *Table 5. AD DS bulk-import account methods* -|Method | Description and reason to select this method | -|-------| ---------------------------------------------| -|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).| -|Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. 
For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| + +| Method | Description and reason to select this method | +|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Ldifde.exe | This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). 
| +| VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx). | +| Windows PowerShell | This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). | +

            ### Create a source file that contains the user and group accounts 
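Review bot: the "Windows PowerShell" row in the rebuilt Table 5 still reads "if you’re comfortable with Window PowerShell scripting"; since the hunk rewrites that whole row anyway, change "Window PowerShell" to "Windows PowerShell" here rather than carrying the typo into the padded table.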
@@ -451,11 +456,13 @@ After you have selected your user and group account bulk import method, you’re *Table 6. Source file format for each bulk import method* -| Method | Source file format | -|--------| -------------------| -|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx).| -| Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. 
For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| + +| Method | Source file format | +|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Ldifde.exe | Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). | +| VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. 
For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx). | +| Windows PowerShell | Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). | +

            ### Import the user accounts into AD DS 
@@ -556,15 +563,17 @@ After you create the Microsoft Store for Business portal, configure it by using *Table 7. Menu selections to configure Microsoft Store for Business settings* -| Menu selection | What you can do in this menu | -|---------------| -------------------| -|Account information|Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Microsoft Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).| -|Device Guard signing|Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).| -|LOB publishers| Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).| -|Management tools| Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).| -|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. 
For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).| -|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).| -|Private store|Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).| + +| Menu selection | What you can do in this menu | +|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Account information | Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Microsoft Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings). | +| Device Guard signing | Allows you to upload and sign Device Guard catalog and policy files. 
For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide). | +| LOB publishers | Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps). | +| Management tools | Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool). | +| Offline licensing | Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model). | +| Permissions | Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business). | +| Private store | Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store). | +

            ### Find, acquire, and distribute apps in the portal @@ -595,11 +604,11 @@ Depending on your school’s requirements, you may need any combination of the f - **Windows 10 Home**. Use this operating system to upgrade existing eligible institution-owned and personal devices that are running Windows 8.1 Home or Windows 7 Home to Windows 10 Home. - **Windows 10 Pro**. Use this operating system to: - - Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro. - - Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration. + - Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro. + - Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration. - **Windows 10 Education**. Use this operating system to: - - Upgrade institution-owned devices to Windows 10 Education. - - Deploy new instances of Windows 10 Education so that new devices have a known configuration. + - Upgrade institution-owned devices to Windows 10 Education. + - Deploy new instances of Windows 10 Education so that new devices have a known configuration. - **Windows 10 Pro Education**. Use this operating system to upgrade existing eligible institution-owned devices running Windows 10 Pro Education, version 1903 or later, to Windows 10 Education using [subscription activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation). **Note**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business. These features are not available in Windows 10 Home. 
@@ -660,7 +669,7 @@ Select this method when you want to deploy Windows over-the-network and perform

          • Deploys images more slowly than when using local media.
          • Requires no additional infrastructure.
          - + Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media. @@ -707,7 +716,7 @@ The first step in preparation for Windows 10 deployment is to configure—that i 1. Import operating systems -Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench). +Import the operating systems that you selected in the Select operating systems section into the deployment share. For more information about how to import operating systems, see Import an Operating System into the Deployment Workbench. @@ -721,7 +730,7 @@ Import device drivers for each device in your institution. For more information 3. Create MDT applications for Microsoft Store apps -Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.

          +Create an MDT application for each Microsoft Store app you want to deploy. You can deploy Microsoft Store apps by using sideloading, which allows you to use the Add-AppxPackage Windows PowerShell cmdlet to deploy the .appx files associated with the app (called provisioned apps). Use this method to deploy up to 24 apps to Windows 10.

          Prior to sideloading the .appx files, obtain the Microsoft Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Microsoft Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Microsoft Store or Microsoft Store for Business.

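Review bot: the added line in this hunk ("+Create an MDT application for each Microsoft Store app ...") shows "sideloading", "Add-AppxPackage" and "provisioned apps" as plain text where the removed line had the `*sideloading*`, `**Add-AppxPackage**` and `*provisioned apps*` emphasis, and the replacement line in the @@ -707 hunk above ("see Import an Operating System into the Deployment Workbench.") has lost the link target that the removed line carried. Confirm this is only how the diff view renders the new text and that the markdown emphasis and link URLs are unchanged in the file; if they were really dropped, restore them, because a bare title without its link is a regression for a step-by-step guide.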
          @@ -729,8 +738,8 @@ If you have Intune, you can deploy Microsoft Store apps after you deploy Windows In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:

            -
          • Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/itpro/windows/deploy/sideload-apps-in-windows-10).
          • -
          • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
          • +
          • Prepare your environment for sideloading, see Sideload LOB apps in Windows 10.
          • +
          • Create an MDT application, see Create a New Application in the Deployment Workbench.
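Review bot: both added bullets in this hunk ("Prepare your environment for sideloading, see Sideload LOB apps in Windows 10." and "Create an MDT application, see Create a New Application in the Deployment Workbench.") appear without the URLs that the removed bullets pointed at (sideload-apps-in-windows-10 and dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). Please verify the links survive in the source; the diff as shown only proves the list markers changed.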
          @@ -787,9 +796,9 @@ You can use Windows Deployment Services in conjunction with MDT to automatically 1. Set up and configure Windows Deployment Services.

          Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources: - - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx) - - The Windows Deployment Services Help file, included in Windows Deployment Services - - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) + - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx) + - The Windows Deployment Services Help file, included in Windows Deployment Services + - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) 2. Add LTI boot images (Windows PE images) to Windows Deployment Services.

          The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). @@ -903,89 +912,89 @@ Microsoft has several recommended settings for educational institutions. Table 1 Use of Microsoft accounts You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

          -**Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

          -**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

          -**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. +Note  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

          +Group Policy. Configure the Accounts: Block Microsoft accounts Group Policy setting to use the Users can’t add Microsoft accounts setting option.

          +Intune. Enable or disable the camera by using the Allow Microsoft account, Allow adding non-Microsoft accounts manually, and Allow settings synchronization for Microsoft accounts policy settings under the Accounts and Synchronization section of a Windows 10 General Configuration policy. Restrict local administrator accounts on the devices Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

          -**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/library/cc732525.aspx).

          -**Intune**. Not available. +Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.

          +Intune. Not available. Restrict the local administrator accounts on the devices Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

          -**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/library/cc732525.aspx).

          -**Intune**. Not available. +Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.

          +Intune. Not available. Manage the built-in administrator account created during device deployment When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

          -**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/library/jj852165.aspx).

          -**Intune**. Not available. +Group Policy. Rename the built-in Administrator account by using the Accounts: Rename administrator account Group Policy setting. For more information about how to rename the built-in Administrator account, see To rename the Administrator account using the Group Policy Management Console. You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the Accounts: Administrator account status Group Policy setting. For more information about how to disable the built-in Administrator account, see Accounts: Administrator account status.

          +Intune. Not available. Control Microsoft Store access You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.

          -**Group Policy**. You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](https://technet.microsoft.com/library/hh832040.aspx#BKMK_UseGP).

          -**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. +Group Policy. You can disable the Microsoft Store app by using the Turn off the Store Application Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?.

          +Intune. You can enable or disable the camera by using the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy. Use of Remote Desktop connections to devices Remote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

          -**Group Policy**. You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

          -**Intune**. Not available. +Group Policy. You can enable or disable Remote Desktop connections to devices by using the Allow Users to connect remotely using Remote Desktop setting in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

          +Intune. Not available. Use of camera A device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

          -**Group Policy**. Not available.

          -**Intune**. You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. +Group Policy. Not available.

          +Intune. You can enable or disable the camera by using the Allow camera policy setting in the Hardware section of a Windows 10 General Configuration policy. Use of audio recording Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

          -**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com/library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/library/ee791899.aspx).

          -**Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. +Group Policy. You can disable the Sound Recorder app by using the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in Editing an AppLocker Policy and Create Your AppLocker Policies.

          +Intune. You can enable or disable the camera by using the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy. Use of screen capture Screen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

          -**Group Policy**. Not available.

          -**Intune**. You can enable or disable the camera by using the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy. +Group Policy. Not available.

          +Intune. You can enable or disable the camera by using the Allow screen capture policy setting in the System section of a Windows 10 General Configuration policy. Use of location services Providing a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

          -**Group Policy**. You can enable or disable location services by using the **Turn off location** Group Policy setting in User Configuration\Windows Components\Location and Sensors.

          -**Intune**. You can enable or disable the camera by using the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. +Group Policy. You can enable or disable location services by using the Turn off location Group Policy setting in User Configuration\Windows Components\Location and Sensors.

          +Intune. You can enable or disable the camera by using the Allow geolocation policy setting in the Hardware section of a Windows 10 General Configuration policy. Changing wallpaper Displaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices.

          -**Group Policy**. You can configure the wallpaper by using the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.

          -**Intune**. Not available. +Group Policy. You can configure the wallpaper by using the Desktop WallPaper setting in User Configuration\Administrative Templates\Desktop\Desktop.

          +Intune. Not available. @@ -1037,12 +1046,14 @@ Prior to deployment of Windows 10, ensure that you complete the tasks listed in *Table 12. Deployment preparation checklist* -|Task | | -| ---| --- | -| |The target devices have sufficient system resources to run Windows 10. | -| | Identify the necessary devices drivers, and import them to the MDT deployment share.| -| | Create an MDT application for each Microsoft Store and Windows desktop app.| -| | Notify the students and faculty about the deployment.| + +| Task | | +|------|--------------------------------------------------------------------------------------| +| | The target devices have sufficient system resources to run Windows 10. | +| | Identify the necessary devices drivers, and import them to the MDT deployment share. | +| | Create an MDT application for each Microsoft Store and Windows desktop app. | +| | Notify the students and faculty about the deployment. | +

          ### Perform the deployment @@ -1126,10 +1137,10 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour Verify that Windows Update is active and current with operating system and software updates.

          For more information about completing this task when you have:

            -
          • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
          • -
          • Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
          • -
          • Windows Server Update Services (WSUS), see [Windows Server Update Services](https://msdn.microsoft.com/library/bb332157.aspx?f=255&MSPPError=-2147217396).
          • -
          • Neither Intune, Group Policy, or WSUS, see [Update Windows 10](https://windows.microsoft.com/en-id/windows-10/update-windows-10)
          • +
          • Intune, see Keep Windows PCs up to date with software updates in Microsoft Intune.
          • +
          • Group Policy, see Windows Update for Business.
          • +
          • Windows Server Update Services (WSUS), see Windows Server Update Services.
          • +
          • Neither Intune, Group Policy, or WSUS, see Update Windows 10
          X @@ -1139,7 +1150,7 @@ For more information about completing this task when you have: Verify that Windows Defender is active and current with malware Security intelligence.

          -For more information about completing this task, see [Turn Windows Defender on or off](https://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab01) and [Updating Windows Defender](https://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03). +For more information about completing this task, see Turn Windows Defender on or off and Updating Windows Defender. X X X @@ -1147,7 +1158,7 @@ For more information about completing this task, see [Turn Windows Defender on o Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

          -For more information about completing this task, see [How do I find and remove a virus?](https://windows.microsoft.com/en-US/windows-8/how-find-remove-virus) +For more information about completing this task, see How do I find and remove a virus? X X @@ -1156,7 +1167,7 @@ For more information about completing this task, see [How do I find and remove a Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

          -For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing). +For more information about Windows 10 servicing options for updates and upgrades, see Windows 10 servicing options for updates and upgrades. X X @@ -1164,7 +1175,7 @@ For more information about Windows 10 servicing options for updates and upgrades Refresh the operating system and apps on devices.

          -For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. +For more information about completing this task, see the Deploy Windows 10 to devices section. @@ -1174,7 +1185,7 @@ For more information about completing this task, see the [Deploy Windows 10 to d Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

          -For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. +For more information, see the Deploy apps by using Intune section. @@ -1185,7 +1196,7 @@ For more information, see the [Deploy apps by using Intune](#deploy-apps-by-usin Install new or update existing Microsoft Store apps that are used in the curriculum.

          Microsoft Store apps are automatically updated from Microsoft Store. The menu bar in the Microsoft Store app shows whether any Microsoft Store app updates are available for download.

          -You can also deploy Microsoft Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. +You can also deploy Microsoft Store apps directly to devices by using Intune. For more information, see the Deploy apps by using Intune section. @@ -1197,8 +1208,8 @@ You can also deploy Microsoft Store apps directly to devices by using Intune. Fo Remove unnecessary user accounts (and corresponding licenses) from Office 365.

          For more information about how to:
            -
          • Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e?ui=en-US&rs=en-US&ad=US).
          • -
          • Unassign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
          • +
          • Remove unnecessary user accounts, see Delete or restore users.
          • +
          • Unassign licenses, see Assign or unassign licenses for Office 365 for business.
          @@ -1211,8 +1222,8 @@ For more information about how to: Add new accounts (and corresponding licenses) to Office 365.

          For more information about how to:
            -
          • Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
          • -
          • Assign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
          • +
          • Add user accounts, see Add users to Office 365 for business and Add users individually or in bulk to Office 365.
          • +
          • Assign licenses, see Assign or unassign licenses for Office 365 for business.
          @@ -1224,8 +1235,8 @@ For more information about how to: Create or modify security groups and manage group membership in Office 365.

          For more information about how to:
            -
          • Create or modify security groups, see [View, create, and delete Groups in the Office 365 admin center](https://support.office.com/en-us/article/View-create-and-delete-groups-in-the-Office-365-admin-center-a6360120-2fc4-46af-b105-6a04dc5461c7).
          • -
          • Manage group membership, see [Manage Group membership in the Office 365 admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).
          • +
          • Create or modify security groups, see View, create, and delete Groups in the Office 365 admin center.
          • +
          • Manage group membership, see Manage Group membership in the Office 365 admin center.
          @@ -1236,7 +1247,7 @@ For more information about how to: Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

          -For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Manage Distribution Groups](https://technet.microsoft.com/library/bb124513.aspx) and [Groups in Exchange Online and SharePoint Online](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB#__groups_in_exchange). +For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see Manage Distribution Groups and Groups in Exchange Online and SharePoint Online. @@ -1246,7 +1257,7 @@ For more information about how to create or modify Exchange Online or Exchange S Install new student devices

          -Follow the same steps described in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. +Follow the same steps described in the Deploy Windows 10 to devices section. @@ -1261,10 +1272,10 @@ Follow the same steps described in the [Deploy Windows 10 to devices](#deploy-wi Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified. -##Related resources +## Related resources diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 5669774a73..5ddc9d7456 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md 
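Review bot: in the "Use of location services" hunk, the rewritten Intune bullet still reads "You can enable or disable the camera by using the Allow geolocation policy setting"; since the line is being touched anyway, it should say "enable or disable location services", matching the Group Policy bullet directly above it. In the adjacent table 12 hunk, the reformatted row keeps the typo "Identify the necessary devices drivers" (should be "device drivers").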
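Review bot: across the hunks for deploy-windows-10-in-a-school.md, the `+` lines as shown here drop the bold markers and the markdown links that the `-` lines carry. For example `[Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)` becomes plain "Keep Windows PCs up to date with software updates in Microsoft Intune", and the in-page anchors such as `(#deploy-windows-10-to-devices)` and `(#deploy-apps-by-using-intune)` disappear. If that is only how this diff view rendered the new side, fine; if the committed file really loses the links, that is a regression for a whitespace-and-formatting change and they need to be restored before merge.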
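Review bot: in the Windows Update maintenance hunk, the "Update Windows 10" link points at a locale-specific path, `https://windows.microsoft.com/en-id/windows-10/update-windows-10`; drop the `en-id` segment so readers land on their own locale instead of the Indonesian one. The same bullet reads "Neither Intune, Group Policy, or WSUS, see Update Windows 10" and is the only one in the list without a trailing period; "Neither Intune, Group Policy, nor WSUS, see Update Windows 10." fixes both.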
@@ -91,19 +91,19 @@ If the school allows the use of personal or Microsoft account in addition to org Skype uses the user’s contact details to deliver important information about the account and it also lets friends find each other on Skype. To manage and edit your profile in the Skype UWP app, follow these steps: -1. In the Skype UWP app, select the user profile icon ![Skype profile icon](images/skype_uwp_userprofile_icon.png) to go to the user’s profile page. -2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal. -3. In the online Skype portal, scroll down to the **Account details** section. In **Settings and preferences**, click **Edit profile**. +1. In the Skype UWP app, select the user profile icon ![Skype profile icon](images/skype_uwp_userprofile_icon.png) to go to the user’s profile page. +2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal. +3. In the online Skype portal, scroll down to the **Account details** section. In **Settings and preferences**, click **Edit profile**. - The profile page includes these sections: + The profile page includes these sections: - * Personal information - * Contact details - * Profile settings + * Personal information + * Contact details + * Profile settings 4. Review the information in each section and click **Edit profile** in either or both the **Personal information** and **Contact details** sections to change the information being shared. You can also remove the checks in the **Profile settings** section to change settings on discoverability, notifications, and staying in touch. -5. If you do not wish the name to be included, edit the fields and replace the fields with **XXX**. -6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. +5. 
If you do not wish the name to be included, edit the fields and replace the fields with **XXX**. +6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. ![Skype profile icon](images/skype_uwp_manageprofilepic.png) diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index 9f82a24149..e23fe11c3d 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -174,4 +174,4 @@ You can manage your orders through Microsoft Store for Business. For info on ord It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**. > [!NOTE] -For **Minecraft: Education Edition**, you can request a refund through Microsoft Store for Business for two months from the purchase date. After two months, refunds require a support call. +> For **Minecraft: Education Edition**, you can request a refund through Microsoft Store for Business for two months from the purchase date. After two months, refunds require a support call. diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md index 5a291fb8b8..0862548ea6 100644 --- a/education/windows/enable-s-mode-on-surface-go-devices.md +++ b/education/windows/enable-s-mode-on-surface-go-devices.md 
@@ -36,30 +36,30 @@ Here are some things you’ll need before attempting any of these procedures: Like enterprise administrators performing large-scale deployment of customized Windows images, education customers can create their own customized Windows images for deployment to multiple classroom devices. An education customer who plans to follow [a traditional image-based deployment process](https://docs.microsoft.com/windows/deployment/windows-10-deployment-scenarios#traditional-deployment) using a Windows 10 Pro (1803) image for Surface Go devices can enable S mode as follows: -1. Use DISM to mount your offline Windows 10 Pro (1803) image. +1. Use DISM to mount your offline Windows 10 Pro (1803) image. ``` dism /Mount-image /imagefile:\ {/Index:\ | /Name:\} /MountDir:\ ``` -2. Create an unattend.xml answer file, adding the - amd64_Microsoft_Windows_CodeIntegrity component to Pass 2 offline Servicing - and setting amd64_Microsoft_Windows_CodeIntegrity\\SkuPolicyRequired to “1”. - The resulting xml should look like this… +2. Create an unattend.xml answer file, adding the + amd64_Microsoft_Windows_CodeIntegrity component to Pass 2 offline Servicing + and setting amd64_Microsoft_Windows_CodeIntegrity\\SkuPolicyRequired to “1”. + The resulting xml should look like this… Copy ``` - - - 1 - - + + + 1 + + ``` 3. Save the answer file in the **Windows\Panther** folder of your mounted image as unattend.xml. 4. Use DISM to apply the unattend.xml file and enable S Mode: @@ -77,7 +77,7 @@ process](https://docs.microsoft.com/windows/deployment/windows-10-deployment-sce ``` dism /Unmount-image /MountDir:C:\\mount /Commit ``` ->Note: don’t forget the /Commit parameter to ensure you don’t lose your + >Note: don’t forget the /Commit parameter to ensure you don’t lose your changes. Your Windows 10 Pro (1803) image now has S mode enabled and is ready to deploy to Surface Go devices. 
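Review bot: in the last hunk for enable-s-mode-on-surface-go-devices.md, the `>Note: don't forget the /Commit parameter to ensure you don't lose your` line is now indented under the numbered step, but its continuation line `changes.` is left unindented and without the `>` prefix, so when rendered the second half of the note falls out of both the blockquote and the list; indent it to match and prefix it (`   > changes.`). The fenced blocks in this file (`dism /Mount-image ...`, the unattend.xml sample, `dism /Unmount-image ...`) also carry no language tag; tagging the answer file fence as ```xml would at least give the XML sample highlighting.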
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 954335a82f..0908c78b04 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -35,9 +35,9 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio - **Minecraft: Education Edition** requires Windows 10. - Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD). - - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**. - * Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan) - * If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/library/windows/hardware/mt703369%28v=vs.85%29.aspx) + - If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**. + - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan) + - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/library/windows/hardware/mt703369%28v=vs.85%29.aspx) diff --git a/education/windows/index.md b/education/windows/index.md index d30a753c88..0f1dedb139 100644 --- a/education/windows/index.md +++ b/education/windows/index.md 
@@ -18,28 +18,28 @@ ms.date: 10/13/2017 ## ![Learn more about Windows](images/education.png) Learn -

          [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
          Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.

          -

          [Compare each Windows edition](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
          Find out more about the features and functionality we support in each edition of Windows.

          -

          [Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/en-us/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)
          When you've made your decision, find out how to buy Windows for your school.

          +

          Windows 10 editions for education customers
          Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.

          +

          Compare each Windows edition
          Find out more about the features and functionality we support in each edition of Windows.

          +

          Get Windows 10 Education or Windows 10 Pro Education
          When you've made your decision, find out how to buy Windows for your school.

          ## ![Plan for Windows 10 in your school](images/clipboard.png) Plan -

          [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)
          Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.

          -

          [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
          Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.

          -[Get Minecraft Education Edition](get-minecraft-for-education.md)
          Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.

          -

          [Take tests in Windows 10](take-tests-in-windows-10.md)
          Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.

          -

          [Chromebook migration guide](chromebook-migration-guide.md)
          Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.

          +

          Windows 10 configuration recommendations for education customers
          Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.

          +

          Deployment recommendations for school IT administrators
          Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.

          +Get Minecraft Education Edition
          Minecraft Education Edition is built for learning. Learn how to get early access and add it to your Microsoft Store for Business for distribution.

          +

          Take tests in Windows 10
          Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.

          +

          Chromebook migration guide
          Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.

          ## ![Deploy Windows 10 for Education](images/PCicon.png) Deploy -

          [Set up Windows devices for education](set-up-windows-10.md)
          Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

          -

          [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
          Get step-by-step guidance to help you deploy Windows 10 in a school environment.

          -

          [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
          Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

          -

          [Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)
          Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.

          +

          Set up Windows devices for education
          Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

          +

          Deploy Windows 10 in a school
          Get step-by-step guidance to help you deploy Windows 10 in a school environment.

          +

          Deploy Windows 10 in a school district
          Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

          +

          Test Windows 10 S on existing Windows 10 education devices
          Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.

          ## ![Switch to Windows 10 for Education](images/windows.png) Switch -

          [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)
          If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.

          +

          Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S
          If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.

          ## Windows 8.1 diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 933f721799..00a5baee8a 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -117,7 +117,7 @@ After you've finished the purchase, you can find your invoice by checking **Mine 4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf. - ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-invoice-bills.png) + ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-invoice-bills.png) The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check. @@ -156,7 +156,7 @@ For Minecraft: Education Edition, you can use auto assign subscription to contro ![Minecraft Education Edition product page with auto assign control highlighted.](images/mcee-auto-assign-legacy.png) - -Or- + -Or- ![Minecraft Education Edition product page with auto assign control highlighted.](images/mcee-auto-assign-bd.png) diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index e424106156..7b8f55bb14 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -16,7 +16,7 @@ manager: dansimp # Azure AD Join for school PCs -> [!NOTE] +> [!NOTE] > Set up School PCs app uses Azure AD Join to configure PCs. The app is helpful if you use the cloud based directory, Azure Active Directory (AD). If your organization uses Active Directory or requires no account to connect, install and use [Windows Configuration > Designer](set-up-students-pcs-to-join-domain.md) to > join your PCs to your school's domain. 
diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 348f7a22f0..48a2aa9549 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md 
@@ -54,34 +54,34 @@ This section lists only the MDM and local group policies that are configured uni For a more detailed look of each policy listed, see [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation. -|Policy name |Default value |Description | -|---------|---------|---------| -|Authority|User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD. -|BPRT|User-defined| Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. | -|WLAN Setting| XML is generated from the Wi-Fi profile in the Set up School PCs app.| Configures settings for wireless connectivity.| -|Hide OOBE for desktop| True | Hides the interactive OOBE flow for Windows 10.| -|Download Mode|1 - HTTP blended with peering behind the same NAT|Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates| -|Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel| Specifies how frequently devices receive preview builds and feature updates.| -|Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user.| -|Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates.| -|Update power policy for cart restarts | 1 - Configured| Skips all restart checks to ensure that the reboot will happen at the scheduled install time. | -|Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. 
When not specified, defaults to 365 days.| -|Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device | -|Allow developer unlock | Disabled | Students cannot unlock the PC and use it in developer mode | -|Allow Cortana | Disabled | Cortana is not allowed on the device. -|Allow manual MDM unenrollment | Disabled | Students cannot remove the mobile device manager from their device. | -|Settings page visibility|Enabled |Specific pages in the System Settings app are not visible or accessible to students.| -|Allow add provisioning package | Disabled | Students cannot add and upload new provisioning packages to their device. | -|Allow remove provisioning package | Disabled | Students cannot remove packages that you've uploaded to their device, including the Set up School PCs app | -|Start Layout|Enabled |Lets you specify the Start layout for users and prevents them from changing the configuration.| -|Import Edge Assets| Enabled| Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files.| -|Allow pinned folder downloads|1 - The shortcut is visible and disables the setting in the Settings app |Makes the Downloads shortcut on the Start menu visible to students.| -|Allow pinned folder File Explorer|1 - The shortcut is visible and disables the setting in the Settings app |Makes the File Explorer shortcut on the Start menu visible to students.| -|Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. | Deploys a jpg, jpeg, or png image to be used as lock screen image on the device. -|Personalization| Lock screen image URL| Image filename| You can specify a jpg, jpeg, or png image to be used as the device lock screen image. 
This setting can take an http or https URL to a remote image to be downloaded, or a file URLto an existing local image. -|Update|Active hours end | 5 PM | There will be no update reboots before this time. | -|Update|Active hours start | 7 AM | There will be no update reboots after this time. | -|Updates Windows | Nightly | Sets Windows to update on a nightly basis. | +| Policy name | Default value | Description | +|-------------------------------------------------------------|--------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Authority | User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD. | +| BPRT | User-defined | Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. | +| WLAN Setting | XML is generated from the Wi-Fi profile in the Set up School PCs app. | Configures settings for wireless connectivity. | +| Hide OOBE for desktop | True | Hides the interactive OOBE flow for Windows 10. | +| Download Mode | 1 - HTTP blended with peering behind the same NAT | Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates | +| Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel | Specifies how frequently devices receive preview builds and feature updates. | +| Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user. | +| Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates. 
| +| Update power policy for cart restarts | 1 - Configured | Skips all restart checks to ensure that the reboot will happen at the scheduled install time. | +| Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days. | +| Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device | +| Allow developer unlock | Disabled | Students cannot unlock the PC and use it in developer mode | +| Allow Cortana | Disabled | Cortana is not allowed on the device. | +| Allow manual MDM unenrollment | Disabled | Students cannot remove the mobile device manager from their device. | +| Settings page visibility | Enabled | Specific pages in the System Settings app are not visible or accessible to students. | +| Allow add provisioning package | Disabled | Students cannot add and upload new provisioning packages to their device. | +| Allow remove provisioning package | Disabled | Students cannot remove packages that you've uploaded to their device, including the Set up School PCs app | +| Start Layout | Enabled | Lets you specify the Start layout for users and prevents them from changing the configuration. | +| Import Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. | +| Allow pinned folder downloads | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the Downloads shortcut on the Start menu visible to students. | +| Allow pinned folder File Explorer | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the File Explorer shortcut on the Start menu visible to students. | +| Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. 
If you didn't customize the image, the computer will show the default. | +| Personalization | Lock screen image URL | Image filename | +| Update | Active hours end | 5 PM | +| Update | Active hours start | 7 AM | +| Updates Windows | Nightly | Sets Windows to update on a nightly basis. | ## Apps uninstalled from Windows 10 devices Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that are not relevant to the classroom experience, and uninstalls them from each device. ALl apps uninstalled from Windows 10 devices include: diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 23e8378dc8..5808bdcd4d 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -58,7 +58,7 @@ The following table describes the Set up School PCs app features and lists each | [Settings roaming](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) **via Azure AD** | | | | X | | Synchronize student and application data across devices for a personalized experience. | | | | | -> [!NOTE] +> [!NOTE] > If your school uses Active Directory, use [Windows Configuration > Designer](set-up-students-pcs-to-join-domain.md) > to configure your PCs to join the domain. You can only use the Set up School diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index a72bf722c9..22ee5f98f0 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md 
@@ -38,31 +38,31 @@ Follow the steps in [Provision PCs with common settings for initial deployment ( 3. Find the **SharedPC** settings group. - Set **EnableSharedPCMode** to **TRUE** to configure the PC for shared use. 4. (Optional) To configure the PC for secure testing, follow these steps. - 1. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**. - 2. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up. + 1. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**. + 2. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up. - **Figure 7** - Add the account to use for test-taking + **Figure 7** - Add the account to use for test-taking - ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png) + ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png) - The account can be in one of the following formats: - - username - - domain\username - - computer name\\username - - username@tenant.com + The account can be in one of the following formats: + - username + - domain\username + - computer name\\username + - username@tenant.com - 3. Under **Runtime settings**, go to **TakeATest** and configure the following settings: - 1. In **LaunchURI**, enter the assessment URL. - 2. In **TesterAccount**, enter the test account you entered in the previous step. + 3. Under **Runtime settings**, go to **TakeATest** and configure the following settings: + 1. In **LaunchURI**, enter the assessment URL. + 2. In **TesterAccount**, enter the test account you entered in the previous step. 5. 
To configure other settings to make Windows education ready, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) and follow the guidance on what settings you can set using Windows Configuration Designer. 6. Follow the steps to [build a package](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package#build-package). - - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username*\Windows Imaging and Configuration Designer (WICD)\*Project name*). - - Copy the provisioning package to a USB drive. + - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name). + - Copy the provisioning package to a USB drive. - > [!IMPORTANT] - > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + > [!IMPORTANT] + > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. ## Apply package diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index cd8384cac2..f1ee030a57 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md 
@@ -52,23 +52,23 @@ You can set up a test-taking account in Intune for Education. To do this, follow ![Add a test profile in Intune for Education](images/i4e_takeatestprofile_addnewprofile.png) 3. In the new profile page: - 1. Enter a name for the profile. - 2. Enter the assessment URL. - 3. Toggle the switch to **Allow screen capture**. - 4. Select a user account to use as the test-taking account. - 5. Click **Save**. + 1. Enter a name for the profile. + 2. Enter the assessment URL. + 3. Toggle the switch to **Allow screen capture**. + 4. Select a user account to use as the test-taking account. + 5. Click **Save**. - **Figure 3** - Add information about the test profile + **Figure 3** - Add information about the test profile - ![Add information about the test profile](images/i4e_takeatestprofile_newtestaccount.png) + ![Add information about the test profile](images/i4e_takeatestprofile_newtestaccount.png) - After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account. + After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account. -4. In the test account page, click **Groups**. +4. In the test account page, click **Groups**. - **Figure 4** - Assign the test account to a group + **Figure 4** - Assign the test account to a group - ![Assign the test account to a group](images/i4e_takeatestprofile_accountsummary.png) + ![Assign the test account to a group](images/i4e_takeatestprofile_accountsummary.png) 5. In the **Groups** page, click **Change group assignments**. 
@@ -77,12 +77,12 @@ You can set up a test-taking account in Intune for Education. To do this, follow ![Change group assignments](images/i4e_takeatestprofile_groups_changegroupassignments.png) 6. In the **Change group assignments** page: - 1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group. - 2. Click **OK** when you're done making your selection. + 1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group. + 2. Click **OK** when you're done making your selection. - **Figure 6** - Select the group(s) that will use the test account + **Figure 6** - Select the group(s) that will use the test account - ![Select the groups that will use the test account](images/i4e_takeatestprofile_groupassignment_selected.png) + ![Select the groups that will use the test account](images/i4e_takeatestprofile_groupassignment_selected.png) And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests. @@ -91,8 +91,8 @@ You can configure a dedicated testing account through MDM or Configuration Manag **Best practice** - Create a single account in the directory specifically for test taking - - Active Directory example: Contoso\TestAccount - - Azure Active Directory example: testaccount@contoso.com + - Active Directory example: Contoso\TestAccount + - Azure Active Directory example: testaccount@contoso.com - Deploy the policies to the group of test-taking devices 
@@ -101,14 +101,14 @@ You can configure a dedicated testing account through MDM or Configuration Manag 1. Launch your management console. 2. Create a policy to set up single app kiosk mode using the following values: - - **Custom OMA-DM URI** = ./Vendor/MSFT/AssignedAccess/KioskModeApp - - **String value** = {"*Account*":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "} + - **Custom OMA-DM URI** = ./Vendor/MSFT/AssignedAccess/KioskModeApp + - **String value** = {"*Account*":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "} - *Account* can be in one of the following formats: - - username (not recommended) - - domain\username - - computer name\\username (not recommended) - - username@tenant.com + *Account* can be in one of the following formats: + - username (not recommended) + - domain\username + - computer name\\username (not recommended) + - username@tenant.com 3. Create a policy to configure the assessment URL using the following values: 
@@ -130,28 +130,28 @@ To set up a test account through Windows Configuration Designer, follow these st 1. [Install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd). 2. Create a provisioning package by following the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-for-initial-deployment). However, make a note of these other settings to customize the test account. - 1. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtine settings**. - 2. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**. - 3. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up. + 1. After you're done with the wizard, do not click **Create**. Instead, click the **Switch to advanced editor** to switch the project to the advanced editor to see all the available **Runtine settings**. + 2. Under **Runtime settings**, go to **AssignedAccess > AssignedAccessSettings**. + 3. Enter **{"Account":"*redmond\\kioskuser*","AUMID":” Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App "}**, using the account that you want to set up. 
- **Figure 7** - Add the account to use for test-taking + **Figure 7** - Add the account to use for test-taking - ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png) + ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png) - The account can be in one of the following formats: - - username - - domain\username - - computer name\\username - - username@tenant.com + The account can be in one of the following formats: + - username + - domain\username + - computer name\\username + - username@tenant.com - 4. Under **Runtime settings**, go to **TakeATest** and configure the following settings: - 1. In **LaunchURI**, enter the assessment URL. - 2. In **TesterAccount**, enter the test account you entered in step 3. + 4. Under **Runtime settings**, go to **TakeATest** and configure the following settings: + 1. In **LaunchURI**, enter the assessment URL. + 2. In **TesterAccount**, enter the test account you entered in step 3. 3. Follow the steps to [build a package](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package#build-package). - - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username*\Windows Imaging and Configuration Designer (WICD)\*Project name*). - - Copy the provisioning package to a USB drive. + - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username\Windows Imaging and Configuration Designer (WICD)\*Project name). + - Copy the provisioning package to a USB drive. 4. Follow the steps in [Apply a provisioning package](https://technet.microsoft.com/itpro/windows/configure/provisioning-apply-package) to apply the package that you created. 
@@ -207,17 +207,17 @@ Anything hosted on the web can be presented in a locked down manner, not just as **To provide a link to the test** 1. Create the link to the test using schema activation. - - Create a link using a web UI + - Create a link using a web UI - For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers. + For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers. - To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link). + To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link). - - Create a link using schema activation + - Create a link using schema activation - You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable. + You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable. - For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation). + For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation). 2. Distribute the link. 
@@ -232,20 +232,20 @@ One of the ways you can present content in a locked down manner is by embedding 1. Embed a link or create a desktop shortcut with: - ``` - ms-edu-secureassessment:#enforceLockdown - ``` + ``` + ms-edu-secureassessment:#enforceLockdown + ``` 2. To enable printing, screen capture, or both, use the above link and append one of these parameters: - - `&enableTextSuggestions` - Enables text suggestions - - `&requirePrinting` - Enables printing - - `&enableScreenCapture` - Enables screen capture - - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability. + - `&enableTextSuggestions` - Enables text suggestions + - `&requirePrinting` - Enables printing + - `&enableScreenCapture` - Enables screen capture + - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability. - If you exclude these parameters, the default behavior is disabled. + If you exclude these parameters, the default behavior is disabled. - For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps. + For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. 
The test web application may lock down the device once you have closed the apps. > [!NOTE] > The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:!enforcelockdown` is still supported, but not in combination with the new parameters. diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 5735ed9223..bb20a3760e 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md 
@@ -28,31 +28,31 @@ To configure the assessment URL and a dedicated testing account on a single PC, 2. Open the **Settings** app and go to **Accounts > Access work or school**. 3. Click **Set up an account for taking tests**. - **Figure 1** - Use the Settings app to set up a test-taking account + **Figure 1** - Use the Settings app to set up a test-taking account - ![Use the Settings app to set up a test-taking account](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png) + ![Use the Settings app to set up a test-taking account](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png) 4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account. - **Figure 2** - Choose the test-taking account + **Figure 2** - Choose the test-taking account - ![Choose the test-taking account](images/tat_settingsapp_setuptesttakingaccount_1703.png) + ![Choose the test-taking account](images/tat_settingsapp_setuptesttakingaccount_1703.png) > [!NOTE] > If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I don’t have this person’s sign-in information > Add a user without a Microsoft account**. 5. In the **Set up an account for taking tests**, enter the assessment URL in the field under **Enter the test's web address**. 6. Select the options you want to enable during the test. - - To enable printing, select **Require printing**. + - To enable printing, select **Require printing**. > [!NOTE] > Make sure a printer is preconfigured on the Take a Test account if you're enabling this option. - - To enable teachers to monitor screens, select **Allow screen monitoring**. - - To allow text suggestions, select **Allow text suggestions**. + - To enable teachers to monitor screens, select **Allow screen monitoring**. + - To allow text suggestions, select **Allow text suggestions**. -6. Click **Save**. -7. 
To take the test, the student must sign in using the test-taking account that you created. +7. Click **Save**. +8. To take the test, the student must sign in using the test-taking account that you created. ## Provide a link to the test Anything hosted on the web can be presented in a locked down manner, not just assessments. To lock down online content, just embed a URL with a specific prefix and devices will be locked down when users follow the link. We recommend using this method for lower stakes assessments. 
@@ -61,29 +61,29 @@ Anything hosted on the web can be presented in a locked down manner, not just as 1. Create the link to the test. - There are different ways you can do this: - - Create a link using a web UI + There are different ways you can do this: + - Create a link using a web UI - For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers. + For this option, you can just copy the assessment URL, select the options you want to allow during the test, and click a button to create the link. We recommend this for option for teachers. - To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link). + To get started, go here: [Create a link using a web UI](https://education.microsoft.com/courses-and-resources/windows-10-create-a-take-a-test-link). - - Create a link using schema activation + - Create a link using schema activation - You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable. + You can accomplish the same thing as the first option (using a web UI), by manually embedding a URL with a specific prefix. You can select parameters depending on what you want to enable. - For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation). + For more info, see [Create a link using schema activation](#create-a-link-using-schema-activation). 2. Distribute the link. - Once the links are created, you can distribute them through the web, email, OneNote, or any other method of your choosing. + Once the links are created, you can distribute them through the web, email, OneNote, or any other method of your choosing. - You can also create shortcuts to distribute the link. 
For more info, see [Create a shortcut for the test link](#create-a-shortcut-for-the-test-link). + You can also create shortcuts to distribute the link. For more info, see [Create a shortcut for the test link](#create-a-shortcut-for-the-test-link). 3. To take the test, have the students click on the link and provide user consent. - > [!NOTE] - > If you enabled printing, the printer must be preconfigured for the account before the student takes the test. + > [!NOTE] + > If you enabled printing, the printer must be preconfigured for the account before the student takes the test. ### Create a link using schema activation 
@@ -93,20 +93,20 @@ One of the ways you can present content in a locked down manner is by embedding 1. Embed a link or create a desktop shortcut with: - ``` - ms-edu-secureassessment:#enforceLockdown - ``` + ``` + ms-edu-secureassessment:#enforceLockdown + ``` 2. To enable printing, screen capture, or both, use the above link and append one of these parameters: - - `&enableTextSuggestions` - Enables text suggestions - - `&requirePrinting` - Enables printing - - `&enableScreenCapture` - Enables screen capture - - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability. + - `&enableTextSuggestions` - Enables text suggestions + - `&requirePrinting` - Enables printing + - `&enableScreenCapture` - Enables screen capture + - `&requirePrinting&enableScreenCapture` - Enables printing and screen capture; you can use a combination of `&enableTextSuggestions`, `&requirePrinting`, and `&enableScreenCapture` if you want to enable more than one capability. - If you exclude these parameters, the default behavior is disabled. + If you exclude these parameters, the default behavior is disabled. - For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. The test web application may lock down the device once you have closed the apps. + For tests that utilizes the Windows lockdown API, which checks for running processes before locking down, remove `enforceLockdown`. Removing `enforceLockdown` will result in the app not locking down immediately, which allows you to close apps that are not allowed to run during lockdown. 
The test web application may lock down the device once you have closed the apps. > [!NOTE] > The Windows 10, version 1607 legacy configuration, `ms-edu-secureassessment:!enforcelockdown` is still supported, but not in combination with the new parameters. diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 6c28ad5469..cad3303266 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md 
@@ -41,22 +41,22 @@ There are several ways to configure devices for assessments. You can: There are different methods to configure the assessment URL and a dedicated testing account depending on whether you're setting up Take a Test on a single PC or multiple PCs. - - **For a single PC** + - **For a single PC** - You can use the Windows 10 **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md). + You can use the Windows 10 **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md). - - **For multiple PCs** + - **For multiple PCs** - You can use any of these methods: - - Mobile device management (MDM) or Microsoft System Center Configuration Manager - - A provisioning package created in Windows Configuration Designer - - Group Policy to deploy a scheduled task that runs a Powershell script + You can use any of these methods: + - Mobile device management (MDM) or Microsoft System Center Configuration Manager + - A provisioning package created in Windows Configuration Designer + - Group Policy to deploy a scheduled task that runs a Powershell script - Beginning with Windows 10 Creators Update (version 1703), you can also configure Take a Test using these options: - - Set up School PCs app - - Intune for Education + Beginning with Windows 10 Creators Update (version 1703), you can also configure Take a Test using these options: + - Set up School PCs app + - Intune for Education - For more info about these methods, see [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md). + For more info about these methods, see [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md). - **Distribute the assessment URL through the web, email, OneNote, or any other method of your choosing. You can also create shortcuts to distribute the link** 
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index a94a8ba8cf..d20b5ec239 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -242,7 +242,7 @@ For help with activation issues, click on the appropriate link below for support

          1 Internet access fees may apply.
          -2 Devices must be configured for educational use by applying **[SetEduPolicies](https://docs.microsoft.com/education/windows/configure-windows-for-education#setedupolicies)** using the Set up School PCs app.
          +2 Devices must be configured for educational use by applying SetEduPolicies using the Set up School PCs app.

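Review bot: the replacement line reduces the footnote to a bare `SetEduPolicies` and drops the link to the policy's documentation, so a reader of footnote 2 can no longer find what SetEduPolicies configures. If the absolute docs.microsoft.com URL was the problem, a repo-relative link such as `[SetEduPolicies](configure-windows-for-education.md#setedupolicies)` keeps the reference (set-up-students-pcs-to-join-domain.md links to the same page that way elsewhere in this patch); if the link was removed because the footnote sits inside an HTML block where markdown links do not render, an HTML anchor would keep it instead.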
          diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 95b8972f96..4c9d0245bd 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -89,8 +89,8 @@ We recommend that you: * Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously. * Configure your IP addresses to expire after a short time--about 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues. ->> [!WARNING] -> Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings. +> > [!WARNING] +> > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings. ### Use an additional USB drive To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup. diff --git a/mdop/agpm/agpm-server-tab-agpm30ops.md b/mdop/agpm/agpm-server-tab-agpm30ops.md index abf3c535d2..184530ce23 100644 --- a/mdop/agpm/agpm-server-tab-agpm30ops.md +++ b/mdop/agpm/agpm-server-tab-agpm30ops.md @@ -36,7 +36,7 @@ The maximum number of unique versions to store for each GPO does not include the When a GPO version is deleted, a record of that version remains in the history of the GPO, but the GPO version itself is deleted from the archive. You can prevent a GPO version from being deleted by marking it in the history as not deletable. -  + ### Additional references 
@@ -46,9 +46,9 @@ When a GPO version is deleted, a record of that version remains in the history o - [Performing Reviewer Tasks](performing-reviewer-tasks-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/agpm-server-tab-agpm40.md b/mdop/agpm/agpm-server-tab-agpm40.md index 45bde742b9..6e0807ad30 100644 --- a/mdop/agpm/agpm-server-tab-agpm40.md +++ b/mdop/agpm/agpm-server-tab-agpm40.md @@ -36,7 +36,7 @@ The maximum number of unique versions to store for each GPO does not include the When a GPO version is deleted, a record of that version remains in the history of the GPO, but the GPO version itself is deleted from the archive. You can prevent a GPO version from being deleted by marking it in the history as not deletable. -  + ### Additional references @@ -46,9 +46,9 @@ When a GPO version is deleted, a record of that version remains in the history o - [Performing Reviewer Tasks](performing-reviewer-tasks-agpm40.md) -  + -  + diff --git a/mdop/agpm/approve-or-reject-a-pending-action-agpm30ops.md b/mdop/agpm/approve-or-reject-a-pending-action-agpm30ops.md index 8045845e1d..90d438d2f0 100644 --- a/mdop/agpm/approve-or-reject-a-pending-action-agpm30ops.md +++ b/mdop/agpm/approve-or-reject-a-pending-action-agpm30ops.md @@ -42,7 +42,7 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne **Note**   If an Approver's e-mail address is included in the **To e-mail address** field on the **Domain** **Delegation** tab, the Approver will receive e-mail from the AGPM alias when an Editor or Reviewer submits a request. -   + ### Additional considerations @@ -52,9 +52,9 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne - [Performing Approver Tasks](performing-approver-tasks-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/approve-or-reject-a-pending-action-agpm40.md b/mdop/agpm/approve-or-reject-a-pending-action-agpm40.md index 3323f73d29..cba1a90592 100644 --- a/mdop/agpm/approve-or-reject-a-pending-action-agpm40.md 
+++ b/mdop/agpm/approve-or-reject-a-pending-action-agpm40.md @@ -42,7 +42,7 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne **Note**   If an Approver's e-mail address is included in the **To e-mail address** field on the **Domain** **Delegation** tab, the Approver will receive e-mail from the AGPM alias when an Editor or Reviewer submits a request. -   + ### Additional considerations @@ -52,9 +52,9 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne - [Performing Approver Tasks](performing-approver-tasks-agpm40.md) -  + -  + diff --git a/mdop/agpm/approve-or-reject-a-pending-action.md b/mdop/agpm/approve-or-reject-a-pending-action.md index 235e9e039c..08603a71fc 100644 --- a/mdop/agpm/approve-or-reject-a-pending-action.md +++ b/mdop/agpm/approve-or-reject-a-pending-action.md @@ -42,7 +42,7 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne **Note**   If an Approver's e-mail address is included in the **To** field on the **Domain** **Delegation** tab, the Approver will receive e-mail from the AGPM alias when an Editor or Reviewer submits a request. -   + ### Additional considerations @@ -52,9 +52,9 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne - [Performing Approver Tasks](performing-approver-tasks.md) -  + -  + diff --git a/mdop/agpm/back-up-the-archive-agpm40.md b/mdop/agpm/back-up-the-archive-agpm40.md index 1472e31534..e07a0de456 100644 --- a/mdop/agpm/back-up-the-archive-agpm40.md +++ b/mdop/agpm/back-up-the-archive-agpm40.md @@ -34,7 +34,7 @@ A user account that has access to both the AGPM Server—the computer on which t **Note**   If an AGPM Administrator backs up the archive infrequently, the Group Policy Objects (GPOs) in the archive backup will not be current. To better ensure that the archive backup is current, back up the archive as part of your organization’s daily backup strategy. -  + ### Additional references 
@@ -44,9 +44,9 @@ If an AGPM Administrator backs up the archive infrequently, the Group Policy Obj - [Managing the Archive](managing-the-archive-agpm40.md) -  + -  + diff --git a/mdop/agpm/back-up-the-archive.md b/mdop/agpm/back-up-the-archive.md index a24a1ffa63..a85193dcac 100644 --- a/mdop/agpm/back-up-the-archive.md +++ b/mdop/agpm/back-up-the-archive.md @@ -34,7 +34,7 @@ A user account that has access to both the AGPM Server—the computer on which t **Note**   If an AGPM Administrator backs up the archive infrequently, the Group Policy Objects (GPOs) in the archive backup will not be current. To better ensure that the archive backup is current, back up the archive as part of your organization’s daily backup strategy. -  + ### Additional references @@ -44,9 +44,9 @@ If an AGPM Administrator backs up the archive infrequently, the Group Policy Obj - [Managing the Archive](managing-the-archive.md) -  + -  + diff --git a/mdop/agpm/checklist-administer-the-agpm-server-and-archive-agpm40.md b/mdop/agpm/checklist-administer-the-agpm-server-and-archive-agpm40.md index 119101341b..4b298d6115 100644 --- a/mdop/agpm/checklist-administer-the-agpm-server-and-archive-agpm40.md +++ b/mdop/agpm/checklist-administer-the-agpm-server-and-archive-agpm40.md @@ -33,17 +33,17 @@ In Advanced Group Policy Management (AGPM), both the AGPM Service and the archiv

          Delegate access to Group Policy Objects (GPOs) in the archive.

          -

          [Delegate Domain-Level Access to the Archive](delegate-domain-level-access-to-the-archive-agpm40.md)

          -

          [Delegate Access to an Individual GPO in the Archive](delegate-access-to-an-individual-gpo-in-the-archive-agpm40.md)

          +

          Delegate Domain-Level Access to the Archive

          +

          Delegate Access to an Individual GPO in the Archive

          Back up the archive to enable disaster recovery.

          -

          [Back Up the Archive](back-up-the-archive-agpm40.md)

          +

          Back Up the Archive

          -  + @@ -59,33 +59,33 @@ In Advanced Group Policy Management (AGPM), both the AGPM Service and the archiv - + - + - + - +

          Restore the archive from a backup to recover from a disaster.

          [Restore the Archive from a Backup](restore-the-archive-from-a-backup-agpm40.md)

          Restore the Archive from a Backup

          Move the AGPM Service, the archive, or both to a different server.

          [Move the AGPM Server and the Archive](move-the-agpm-server-and-the-archive-agpm40.md)

          Move the AGPM Server and the Archive

          Change the archive path, the AGPM Service Account, or the port on which the AGPM Service listens.

          [Modify the AGPM Service](modify-the-agpm-service-agpm40.md)

          Modify the AGPM Service

          Troubleshoot common problems with the AGPM Server.

          [Troubleshooting AGPM](troubleshooting-agpm-agpm40.md)

          -

          [Configure Logging and Tracing](configure-logging-and-tracing-agpm40.md)

          Troubleshooting AGPM

          +

          Configure Logging and Tracing

          -  + ### Additional references - [Advanced Group Policy Management 4.0](advanced-group-policy-management-40.md) -  + -  + diff --git a/mdop/agpm/checklist-administer-the-agpm-server-and-archive.md b/mdop/agpm/checklist-administer-the-agpm-server-and-archive.md index 2820f91efd..51a6f1f128 100644 --- a/mdop/agpm/checklist-administer-the-agpm-server-and-archive.md +++ b/mdop/agpm/checklist-administer-the-agpm-server-and-archive.md @@ -33,17 +33,17 @@ In Advanced Group Policy Management (AGPM), both the AGPM Service and the archiv

          Delegate access to Group Policy Objects (GPOs) in the archive.

          -

          [Delegate Domain-Level Access to the Archive](delegate-domain-level-access-to-the-archive-agpm30ops.md)

          -

          [Delegate Access to an Individual GPO in the Archive](delegate-access-to-an-individual-gpo-in-the-archive-agpm30ops.md)

          +

          Delegate Domain-Level Access to the Archive

          +

          Delegate Access to an Individual GPO in the Archive

          Back up the archive to enable disaster recovery.

          -

          [Back Up the Archive](back-up-the-archive.md)

          +

          Back Up the Archive

          -  + @@ -59,33 +59,33 @@ In Advanced Group Policy Management (AGPM), both the AGPM Service and the archiv - + - + - + - +

          Restore the archive from a backup to recover from a disaster.

          [Restore the Archive from a Backup](restore-the-archive-from-a-backup.md)

          Restore the Archive from a Backup

          Move the AGPM Service, the archive, or both to a different server.

          [Move the AGPM Server and the Archive](move-the-agpm-server-and-the-archive.md)

          Move the AGPM Server and the Archive

          Change the archive path, the AGPM Service Account, or the port on which the AGPM Service listens.

          [Modify the AGPM Service](modify-the-agpm-service-agpm30ops.md)

          Modify the AGPM Service

          Troubleshoot common problems with the AGPM Server.

          [Troubleshooting Advanced Group Policy Management](troubleshooting-advanced-group-policy-management-agpm30ops.md)

          -

          [Configure Logging and Tracing](configure-logging-and-tracing-agpm30ops.md)

          Troubleshooting Advanced Group Policy Management

          +

          Configure Logging and Tracing

          -  + ### Additional references - [Operations Guide for Microsoft Advanced Group Policy Management 3.0](operations-guide-for-microsoft-advanced-group-policy-management-30-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm30ops.md b/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm30ops.md index 07913b01e7..25fa7701f1 100644 --- a/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm30ops.md +++ b/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm30ops.md @@ -33,41 +33,41 @@ In an environment where multiple people make changes to Group Policy Objects (GP

          Editor requests the creation of a new GPO or an Approver creates a new GPO.

          -

          [Request the Creation of a New Controlled GPO](request-the-creation-of-a-new-controlled-gpo-agpm30ops.md)

          -

          [Create a New Controlled GPO](create-a-new-controlled-gpo-agpm30ops.md)

          +

          Request the Creation of a New Controlled GPO

          +

          Create a New Controlled GPO

          Approver approves the creation of the GPO if it was requested by an Editor.

          -

          [Approve or Reject a Pending Action](approve-or-reject-a-pending-action-agpm30ops.md)

          +

          Approve or Reject a Pending Action

          Editor checks out a copy of the GPO from the archive, so no one else can modify the GPO. Editor makes changes to the GPO, and then checks the modified GPO into the archive.

          -

          [Edit a GPO Offline](edit-a-gpo-offline-agpm30ops.md)

          +

          Edit a GPO Offline

          Editor requests deployment of the GPO to the production environment.

          -

          [Request Deployment of a GPO](request-deployment-of-a-gpo-agpm30ops.md)

          +

          Request Deployment of a GPO

          Reviewers, such as Approvers or Editors, analyze the GPO.

          -

          [Performing Reviewer Tasks](performing-reviewer-tasks-agpm30ops.md)

          +

          Performing Reviewer Tasks

          Approver approves and deploys the GPO to the production environment or rejects the GPO.

          -

          [Approve or Reject a Pending Action](approve-or-reject-a-pending-action-agpm30ops.md)

          +

          Approve or Reject a Pending Action

          -  + ### Additional references [Operations Guide for Microsoft Advanced Group Policy Management 3.0](operations-guide-for-microsoft-advanced-group-policy-management-30-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm40.md b/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm40.md index 69f0aff557..a95a9654f7 100644 --- a/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm40.md +++ b/mdop/agpm/checklist-create-edit-and-deploy-a-gpo-agpm40.md @@ -33,45 +33,45 @@ In an environment where multiple people change Group Policy Objects (GPOs) by us

          Editor requests that a new GPO be created or an Approver creates a new GPO.

          -

          [Request the Creation of a New Controlled GPO](request-the-creation-of-a-new-controlled-gpo-agpm40.md)

          -

          [Create a New Controlled GPO](create-a-new-controlled-gpo-agpm40.md)

          +

          Request the Creation of a New Controlled GPO

          +

          Create a New Controlled GPO

          Approver approves the creation of the GPO if it was requested by an Editor.

          -

          [Approve or Reject a Pending Action](approve-or-reject-a-pending-action-agpm40.md)

          +

          Approve or Reject a Pending Action

          Editor checks out a copy of the GPO from the archive so that no one else can modify the GPO. Editor makes changes to the GPO, and then checks the modified GPO into the archive.

          -

          [Edit a GPO Offline](edit-a-gpo-offline-agpm40.md)

          +

          Edit a GPO Offline

          If developing in a test forest, Editor exports the GPO to a file, transfers the file to the production forest, and imports the file. Additionally, an Editor can link the GPO to an organizational unit that contains test computers and users.

          -

          [Using a Test Environment](using-a-test-environment.md)

          +

          Using a Test Environment

          Editor requests deployment of the GPO to the production environment of the domain.

          -

          [Request Deployment of a GPO](request-deployment-of-a-gpo-agpm40.md)

          +

          Request Deployment of a GPO

          Reviewers, such as Approvers or Editors, analyze the GPO.

          -

          [Performing Reviewer Tasks](performing-reviewer-tasks-agpm40.md)

          +

          Performing Reviewer Tasks

          Approver approves and deploys the GPO to the production environment of the domain or rejects the GPO.

          -

          [Approve or Reject a Pending Action](approve-or-reject-a-pending-action-agpm40.md)

          +

          Approve or Reject a Pending Action

          -  + ### Additional references [Advanced Group Policy Management 4.0](advanced-group-policy-management-40.md) -  + -  + diff --git a/mdop/agpm/checklist-create-edit-and-deploy-a-gpo.md b/mdop/agpm/checklist-create-edit-and-deploy-a-gpo.md index 1045a5ae06..fcb032c722 100644 --- a/mdop/agpm/checklist-create-edit-and-deploy-a-gpo.md +++ b/mdop/agpm/checklist-create-edit-and-deploy-a-gpo.md @@ -33,37 +33,37 @@ In an environment where multiple people make changes to Group Policy objects (GP

          Editor requests the creation of a new GPO or an Approver creates a new GPO.

          -

          [Request the Creation of a New Controlled GPO](request-the-creation-of-a-new-controlled-gpo.md)

          -

          [Create a New Controlled GPO](create-a-new-controlled-gpo.md)

          +

          Request the Creation of a New Controlled GPO

          +

          Create a New Controlled GPO

          Approver approves the creation of the GPO if it was requested by an Editor.

          -

          [Approve or Reject a Pending Action](approve-or-reject-a-pending-action.md)

          +

          Approve or Reject a Pending Action

          Editor checks out a copy of the GPO from the archive, so no one else can modify the GPO. Editor makes changes to the GPO, and then checks the modified GPO into the archive.

          -

          [Edit a GPO Offline](edit-a-gpo-offline.md)

          +

          Edit a GPO Offline

          Editor requests deployment of the GPO to the production environment.

          -

          [Request Deployment of a GPO](request-deployment-of-a-gpo.md)

          +

          Request Deployment of a GPO

          Reviewers, such as Approvers or Editors, analyze the GPO.

          -

          [Performing Reviewer Tasks](performing-reviewer-tasks.md)

          +

          Performing Reviewer Tasks

          Approver approves and deploys the GPO to the production environment or rejects the GPO.

          -

          [Approve or Reject a Pending Action](approve-or-reject-a-pending-action.md)

          +

          Approve or Reject a Pending Action

          -  + -  + -  + diff --git a/mdop/agpm/choosing-which-version-of-agpm-to-install.md b/mdop/agpm/choosing-which-version-of-agpm-to-install.md index 934b06e83f..c5b9d72127 100644 --- a/mdop/agpm/choosing-which-version-of-agpm-to-install.md +++ b/mdop/agpm/choosing-which-version-of-agpm-to-install.md @@ -56,7 +56,7 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and

          Windows Server 2012 R2

          Windows 10

          -

          Supported with the caveats outlined in [KB 4015786](https://support.microsoft.com/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv) +

          Supported with the caveats outlined in KB 4015786

          @@ -92,7 +92,7 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and -  + ## AGPM 4.0 SP2 @@ -150,7 +150,7 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP2, and -  + ## AGPM 4.0 SP1 @@ -201,7 +201,7 @@ Table 2 lists the operating systems on which you can install AGPM 4.0 SP1, and t -  + ## AGPM 4.0 @@ -247,7 +247,7 @@ Table 3 lists the operating systems on which you can install AGPM 4.0, and the p -  + ## Versions of AGPM that precede AGPM 4.0 @@ -287,7 +287,7 @@ Table 4 lists the operating systems on which you can install the versions of AGP -  + ## How to Get MDOP Technologies @@ -299,9 +299,9 @@ AGPM 4.0 SP2 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP i [Advanced Group Policy Management](index.md) -  + -  + diff --git a/mdop/agpm/configure-e-mail-security-for-agpm-agpm30ops.md b/mdop/agpm/configure-e-mail-security-for-agpm-agpm30ops.md index 0a6c740b1a..4e4802cb36 100644 --- a/mdop/agpm/configure-e-mail-security-for-agpm-agpm30ops.md +++ b/mdop/agpm/configure-e-mail-security-for-agpm-agpm30ops.md @@ -24,7 +24,7 @@ By encrypting AGPM e-mail notifications, you can better protect those that could **Caution**   Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. -  + A user account that has the AGPM Administrator (Full Control) role, the user account of the Approver who created the Group Policy Object (GPO) used in these procedures, or a user account that has the necessary permissions in AGPM is required to complete these procedures. Review the details in "Additional considerations" in this topic. @@ -82,9 +82,9 @@ A user account that has the AGPM Administrator (Full Control) role, the user acc - [Configuring Advanced Group Policy Management](configuring-advanced-group-policy-management.md) -  + -  + 
diff --git a/mdop/agpm/configure-e-mail-security-for-agpm-agpm40.md b/mdop/agpm/configure-e-mail-security-for-agpm-agpm40.md index b0311c3ed6..e4c204dcf0 100644 --- a/mdop/agpm/configure-e-mail-security-for-agpm-agpm40.md +++ b/mdop/agpm/configure-e-mail-security-for-agpm-agpm40.md @@ -24,7 +24,7 @@ By encrypting AGPM e-mail notifications, you can better protect those that could **Caution**   Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. -  + A user account that has the AGPM Administrator (Full Control) role, the user account of the Approver who created the Group Policy Object (GPO) used in these procedures, or a user account that has the necessary permissions in AGPM is required to complete these procedures. Review the details in "Additional considerations" in this topic. @@ -78,9 +78,9 @@ A user account that has the AGPM Administrator (Full Control) role, the user acc - [Configuring Advanced Group Policy Management](configuring-advanced-group-policy-management-agpm40.md) -  + -  + diff --git a/mdop/agpm/create-a-template-agpm30ops.md b/mdop/agpm/create-a-template-agpm30ops.md index 7d976f6c37..406acb5276 100644 --- a/mdop/agpm/create-a-template-agpm30ops.md +++ b/mdop/agpm/create-a-template-agpm30ops.md @@ -22,7 +22,7 @@ Creating a template enables you to save all of the settings of a particular vers **Note**   A template is an uneditable, static version of a GPO for use as a starting point for creating new, editable GPOs. -  + A user account with the Editor or AGPM Administrator (Full Control) role or necessary permissions in Advanced Group Policy Management (AGPM) is required to complete this procedure. Review the details in "Additional considerations" in this topic. 
@@ -52,9 +52,9 @@ A user account with the Editor or AGPM Administrator (Full Control) role or nece - [Request the Creation of a New Controlled GPO](request-the-creation-of-a-new-controlled-gpo-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/create-a-template-agpm40.md b/mdop/agpm/create-a-template-agpm40.md index acec837279..c8a1e97a01 100644 --- a/mdop/agpm/create-a-template-agpm40.md +++ b/mdop/agpm/create-a-template-agpm40.md @@ -22,7 +22,7 @@ Creating a template enables you to save all of the settings of a particular vers **Note**   A template is an uneditable, static version of a GPO for use as a starting point for creating new, editable GPOs. -  + A user account with the Editor or AGPM Administrator (Full Control) role or necessary permissions in Advanced Group Policy Management (AGPM) is required to complete this procedure. Review the details in "Additional considerations" in this topic. @@ -52,9 +52,9 @@ A user account with the Editor or AGPM Administrator (Full Control) role or nece - [Request the Creation of a New Controlled GPO](request-the-creation-of-a-new-controlled-gpo-agpm40.md) -  + -  + diff --git a/mdop/agpm/create-a-template.md b/mdop/agpm/create-a-template.md index 454f143fc1..d0db0eb513 100644 --- a/mdop/agpm/create-a-template.md +++ b/mdop/agpm/create-a-template.md @@ -22,7 +22,7 @@ Creating a template enables you to save all of the settings of a particular vers **Note**   A template is an uneditable, static version of a GPO for use as a starting point for creating new, editable GPOs. -  + A user account with the Editor or AGPM Administrator (Full Control) role or necessary permissions in Advanced Group Policy Management is required to complete this procedure. Review the details in "Additional considerations" in this topic. @@ -52,9 +52,9 @@ A user account with the Editor or AGPM Administrator (Full Control) role or nece - [Request the Creation of a New Controlled GPO](request-the-creation-of-a-new-controlled-gpo.md) -  + -  + 
diff --git a/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm30ops.md b/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm30ops.md index 1a916e3bf2..d35b5810d4 100644 --- a/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm30ops.md +++ b/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm30ops.md @@ -34,15 +34,15 @@ Some potential uses for a template include the following: **Note**   A template is a static version of a GPO that cannot be edited, yet can be used as a starting point for creating new, editable GPOs. Renaming or deleting a template does not affect GPOs created from that template. -  + - [Create a Template](create-a-template-agpm30ops.md) - [Set a Default Template](set-a-default-template-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm40.md b/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm40.md index 5ac61c82c4..a3981ca8a0 100644 --- a/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm40.md +++ b/mdop/agpm/creating-a-template-and-setting-a-default-template-agpm40.md @@ -34,15 +34,15 @@ Some potential uses for a template include the following: **Note**   A template is a static version of a GPO that cannot be edited, yet can be used as a starting point for creating new, editable GPOs. Renaming or deleting a template does not affect GPOs created from that template. -  + - [Create a Template](create-a-template-agpm40.md) - [Set a Default Template](set-a-default-template-agpm40.md) -  + -  + diff --git a/mdop/agpm/creating-a-template-and-setting-a-default-template.md b/mdop/agpm/creating-a-template-and-setting-a-default-template.md index bfdf6f7ae8..79e1c3682d 100644 --- a/mdop/agpm/creating-a-template-and-setting-a-default-template.md +++ b/mdop/agpm/creating-a-template-and-setting-a-default-template.md 
@@ -22,15 +22,15 @@ Creating a template enables you to save all of the settings of a particular vers **Note**   A template is an uneditable, static version of a GPO for use as a starting point for creating new, editable GPOs. Renaming or deleting a template does not impact GPOs created from that template. -  + - [Create a Template](create-a-template.md) - [Set a Default Template](set-a-default-template.md) -  + -  + diff --git a/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm30ops.md b/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm30ops.md index 14df79cb4c..3c102e5273 100644 --- a/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm30ops.md +++ b/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm30ops.md @@ -34,14 +34,14 @@ A user account with the AGPM Administrator (Full Control) role, the user account **Note**   If a user or group inherits domain-wide access, the **Remove** button is unavailable. You can modify domain-wide access on the **Domain Delegation** tab. -   + 3. To modify the roles and permissions delegated to a user or group, click the **Advanced** button. In the **Permissions** dialog box, select the user or group, select the check box for each role to be assigned to that user or group, and click **OK**. **Note**   Editor and Approver include Reviewer permissions. -   + ### Additional considerations @@ -57,9 +57,9 @@ A user account with the AGPM Administrator (Full Control) role, the user account - [Managing the Archive](managing-the-archive.md) -  + -  + diff --git a/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm40.md b/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm40.md index 1d5cab244e..f5124591cc 100644 --- a/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm40.md +++ b/mdop/agpm/delegate-access-to-an-individual-gpo-in-the-archive-agpm40.md 
@@ -34,14 +34,14 @@ A user account with the AGPM Administrator (Full Control) role, the user account **Note**   If a user or group inherits domain-wide access, the **Remove** button is unavailable. You can modify domain-wide access on the **Domain Delegation** tab. -   + 3. To modify the roles and permissions delegated to a user or group, click the **Advanced** button. In the **Permissions** dialog box, select the user or group, select the check box for each role to be assigned to that user or group, and click **OK**. **Note**   Editor and Approver include Reviewer permissions. -   + ### Additional considerations @@ -57,9 +57,9 @@ A user account with the AGPM Administrator (Full Control) role, the user account - [Managing the Archive](managing-the-archive-agpm40.md) -  + -  + diff --git a/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm30ops.md b/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm30ops.md index d45e8f5d17..3d5ef495b1 100644 --- a/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm30ops.md +++ b/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm30ops.md @@ -36,7 +36,7 @@ A user account with the AGPM Administrator (Full Control) role or necessary perm **Note**   Editor and Approver include Reviewer permissions. -   + ### Additional considerations @@ -52,9 +52,9 @@ A user account with the AGPM Administrator (Full Control) role or necessary perm - [Managing the Archive](managing-the-archive.md) -  + -  + diff --git a/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm40.md b/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm40.md index d2ea2f37e1..f1aa01ad7e 100644 --- a/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm40.md +++ b/mdop/agpm/delegate-domain-level-access-to-the-archive-agpm40.md @@ -36,7 +36,7 @@ A user account with the AGPM Administrator (Full Control) role or necessary perm **Note**   Editor and Approver include Reviewer permissions. -   + ### Additional considerations 
@@ -52,9 +52,9 @@ A user account with the AGPM Administrator (Full Control) role or necessary perm - [Managing the Archive](managing-the-archive-agpm40.md) -  + -  + diff --git a/mdop/agpm/delegate-domain-level-access.md b/mdop/agpm/delegate-domain-level-access.md index 34cf70127e..da327eae2f 100644 --- a/mdop/agpm/delegate-domain-level-access.md +++ b/mdop/agpm/delegate-domain-level-access.md @@ -32,7 +32,7 @@ A user account with the AGPM Administrator (Full Control) role or necessary perm **Note**   Editor and Approver include Reviewer permissions. -   + 4. In the **Advanced Security Settings** dialog box, select a Group Policy administrator, and then click **Edit**. @@ -56,9 +56,9 @@ A user account with the AGPM Administrator (Full Control) role or necessary perm - [Performing AGPM Administrator Tasks](performing-agpm-administrator-tasks.md) -  + -  + diff --git a/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm30ops.md b/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm30ops.md index dfd93f9d27..2a17a1e42b 100644 --- a/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm30ops.md +++ b/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm30ops.md @@ -34,14 +34,14 @@ A user account with the AGPM Administrator (Full Control) role, the user account **Note**   If a user or group inherits domain-wide access, the **Remove** button is unavailable. You can modify domain-wide access on the **Domain Delegation** tab. -   + 3. To modify the roles and permissions delegated to a user or group, click the **Advanced** button. In the **Permissions** dialog box, select the user or group, select the check box for each role to be assigned to that user or group, and then click **OK**. **Note**   Editor and Approver include Reviewer permissions. -   + ### Additional considerations 
@@ -55,9 +55,9 @@ A user account with the AGPM Administrator (Full Control) role, the user account - [Creating, Controlling, or Importing a GPO](creating-controlling-or-importing-a-gpo-editor-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm40.md b/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm40.md index fc0b0fa130..19b09da4c5 100644 --- a/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm40.md +++ b/mdop/agpm/delegate-management-of-a-controlled-gpo-agpm40.md @@ -34,14 +34,14 @@ A user account with the AGPM Administrator (Full Control) role, the user account **Note**   If a user or group inherits domain-wide access, the **Remove** button is unavailable. You can modify domain-wide access on the **Domain Delegation** tab. -   + 3. To modify the roles and permissions delegated to a user or group, click the **Advanced** button. In the **Permissions** dialog box, select the user or group, select the check box for each role to be assigned to that user or group, and then click **OK**. **Note**   Editor and Approver include Reviewer permissions. -   + ### Additional considerations @@ -55,9 +55,9 @@ A user account with the AGPM Administrator (Full Control) role, the user account - [Creating or Controlling a GPO](creating-or-controlling-a-gpo-agpm40-app.md) -  + -  + diff --git a/mdop/agpm/deploy-a-gpo-agpm30ops.md b/mdop/agpm/deploy-a-gpo-agpm30ops.md index bb2b420849..15b54d327d 100644 --- a/mdop/agpm/deploy-a-gpo-agpm30ops.md +++ b/mdop/agpm/deploy-a-gpo-agpm30ops.md @@ -42,7 +42,7 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne **Note**   To verify whether the most recent version of a GPO has been deployed, on the **Controlled** tab, double-click the GPO to display its **History**. In the **History** for the GPO, the **State** column indicates whether a GPO has been deployed. -  + ### Additional considerations 
@@ -52,9 +52,9 @@ To verify whether the most recent version of a GPO has been deployed, on the **C - [Performing Approver Tasks](performing-approver-tasks-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/deploy-a-gpo-agpm40.md b/mdop/agpm/deploy-a-gpo-agpm40.md index f9af5a9fc8..d24c1562ea 100644 --- a/mdop/agpm/deploy-a-gpo-agpm40.md +++ b/mdop/agpm/deploy-a-gpo-agpm40.md @@ -42,7 +42,7 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne **Note**   To verify whether the most recent version of a GPO has been deployed, on the **Controlled** tab, double-click the GPO to display its **History**. In the **History** for the GPO, the **State** column indicates whether a GPO has been deployed. -  + ### Additional considerations @@ -52,9 +52,9 @@ To verify whether the most recent version of a GPO has been deployed, on the **C - [Performing Approver Tasks](performing-approver-tasks-agpm40.md) -  + -  + diff --git a/mdop/agpm/deploy-a-gpo.md b/mdop/agpm/deploy-a-gpo.md index 68f2ffda9d..6cccb83b8a 100644 --- a/mdop/agpm/deploy-a-gpo.md +++ b/mdop/agpm/deploy-a-gpo.md @@ -42,7 +42,7 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne **Note**   To verify whether the most recent version of a GPO has been deployed, on the **Controlled** tab, double-click the GPO to display its **History**. In the **History** for the GPO, the **State** column indicates whether a GPO has been deployed. -  + ### Additional considerations @@ -52,9 +52,9 @@ To verify whether the most recent version of a GPO has been deployed, on the **C - [Performing Approver Tasks](performing-approver-tasks.md) -  + -  + diff --git a/mdop/agpm/edit-a-gpo-offline-agpm30ops.md b/mdop/agpm/edit-a-gpo-offline-agpm30ops.md index e2d68c2dbc..5518d46244 100644 --- a/mdop/agpm/edit-a-gpo-offline-agpm30ops.md +++ b/mdop/agpm/edit-a-gpo-offline-agpm30ops.md 
@@ -57,7 +57,7 @@ To edit a GPO, you check out the GPO from the archive, edit the GPO offline, and **Note**   To disable all Computer Configuration settings or all User Configuration settings, right-click the GPO in the **Group Policy Management Editor** window and click **Properties**. Select **Disable Computer Configuration settings** or **Disable User Configuration settings** as appropriate. -   + 3. When you have finished modifying the GPO, close the **Group Policy Management Editor** window. @@ -101,9 +101,9 @@ To edit a GPO, you check out the GPO from the archive, edit the GPO offline, and - [Deploy a GPO](deploy-a-gpo-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/edit-a-gpo-offline-agpm40.md b/mdop/agpm/edit-a-gpo-offline-agpm40.md index 83ee120136..4f311a1cc3 100644 --- a/mdop/agpm/edit-a-gpo-offline-agpm40.md +++ b/mdop/agpm/edit-a-gpo-offline-agpm40.md @@ -57,7 +57,7 @@ To edit a GPO, you check out the GPO from the archive, edit the GPO offline, and **Note**   To disable all Computer Configuration settings or all User Configuration settings, right-click the GPO in the **Group Policy Management Editor** window and click **Properties**. Select **Disable Computer Configuration settings** or **Disable User Configuration settings** as appropriate. -   + 3. When you have finished modifying the GPO, close the **Group Policy Management Editor** window. @@ -101,9 +101,9 @@ To edit a GPO, you check out the GPO from the archive, edit the GPO offline, and - [Deploy a GPO](deploy-a-gpo-agpm40.md) -  + -  + diff --git a/mdop/agpm/history-window-agpm30ops.md b/mdop/agpm/history-window-agpm30ops.md index 36d184af14..c3295c3095 100644 --- a/mdop/agpm/history-window-agpm30ops.md +++ b/mdop/agpm/history-window-agpm30ops.md @@ -49,7 +49,7 @@ The tabs within the **History** window filter the states in the history of the G -  + ## Event information @@ -88,11 +88,10 @@ Information is provided for each state in the history of the GPO.

          Deletable

          Whether this version of the GPO can be deleted if the number of unique versions of each GPO retained in the archive is limited.

          -Note   -

          You can modify whether a version of a GPO is deletable by right-clicking it and then clicking Do Not Allow Deletion or Allow Deletion.

          +Note

          You can modify whether a version of a GPO is deletable by right-clicking it and then clicking Do Not Allow Deletion or Allow Deletion.

          -  +
          @@ -114,7 +113,7 @@ Information is provided for each state in the history of the GPO. -  + ## Reports @@ -144,7 +143,7 @@ The **Settings** and **Differences** buttons display reports about GPO settings -  + ### Key to difference reports @@ -185,7 +184,7 @@ The **Settings** and **Differences** buttons display reports about GPO settings -  + - For items with changed settings, the changed settings are identified when the item is expanded. The value for the attribute in each GPO is displayed in the same order that the GPOs are displayed in the report. @@ -195,9 +194,9 @@ The **Settings** and **Differences** buttons display reports about GPO settings - [Contents Tab](contents-tab-agpm30ops.md) -  - -  + + + diff --git a/mdop/agpm/history-window-agpm40.md b/mdop/agpm/history-window-agpm40.md index f899c458b3..7603d75dd5 100644 --- a/mdop/agpm/history-window-agpm40.md +++ b/mdop/agpm/history-window-agpm40.md @@ -49,7 +49,7 @@ The tabs within the **History** window filter the states in the history of the G -  + ## Event information @@ -88,11 +88,10 @@ Information is provided for each state in the history of the GPO.

          Deletable

          Whether this version of the GPO can be deleted if the number of unique versions of each GPO retained in the archive is limited.

          -Note   -

          You can change whether a version of a GPO can be deleted by right-clicking the GPO and then clicking Do Not Allow Deletion or Allow Deletion.

          +Note

          You can change whether a version of a GPO can be deleted by right-clicking the GPO and then clicking Do Not Allow Deletion or Allow Deletion.

          -  +
          @@ -114,7 +113,7 @@ Information is provided for each state in the history of the GPO. -  + ## Reports @@ -144,7 +143,7 @@ The **Settings** and **Differences** buttons display reports about GPO settings -  + ### Key to difference reports @@ -185,7 +184,7 @@ The **Settings** and **Differences** buttons display reports about GPO settings -  + - For items with changed settings, the changed settings are identified when the item is expanded. The value for the attribute in each GPO is displayed in the same order that the GPOs are displayed in the report. @@ -195,9 +194,9 @@ The **Settings** and **Differences** buttons display reports about GPO settings - [Contents Tab](contents-tab-agpm40.md) -  - -  + + + diff --git a/mdop/agpm/index.md b/mdop/agpm/index.md index c3b4414d7c..96315421b6 100644 --- a/mdop/agpm/index.md +++ b/mdop/agpm/index.md @@ -44,17 +44,17 @@ In addition to the product documentation available online, supplemental product

          MDOP Virtual Labs

          -

          For a list of available MDOP virtual labs, go to [Microsoft Desktop Optimization Pack (MDOP) Virtual Labs](https://go.microsoft.com/fwlink/?LinkId=234276) (https://go.microsoft.com/fwlink/?LinkId=234276).

          +

          For a list of available MDOP virtual labs, go to Microsoft Desktop Optimization Pack (MDOP) Virtual Labs (https://go.microsoft.com/fwlink/?LinkId=234276).

          MDOP TechCenter

          -

          For technical whitepapers, evaluation materials, blogs, and additional MDOP resources, go to [MDOP TechCenter](https://go.microsoft.com/fwlink/?LinkId=225286) (https://go.microsoft.com/fwlink/?LinkId=225286)

          +

          For technical whitepapers, evaluation materials, blogs, and additional MDOP resources, go to MDOP TechCenter (https://go.microsoft.com/fwlink/?LinkId=225286)

          -  + ## How to Get MDOP @@ -70,9 +70,9 @@ MDOP subscribers can download the software at the [Microsoft Volume Licensing we **Purchase MDOP** Visit the enterprise [Purchase Windows Enterprise Licensing](https://www.microsoft.com/windows/enterprise/how-to-buy.aspx) website to find out how to purchase MDOP for your business. -  + -  + diff --git a/mdop/agpm/limit-the-gpo-versions-stored-agpm30ops.md b/mdop/agpm/limit-the-gpo-versions-stored-agpm30ops.md index 4b71523caf..d119a83fa7 100644 --- a/mdop/agpm/limit-the-gpo-versions-stored-agpm30ops.md +++ b/mdop/agpm/limit-the-gpo-versions-stored-agpm30ops.md @@ -32,7 +32,7 @@ A user account with the AGPM Administrator (Full Control) role or necessary perm **Important**   Only GPO versions displayed on the **Unique Versions** tab of the **History** window count toward the limit. -   + 4. Click the **Apply** button. @@ -46,9 +46,9 @@ A user account with the AGPM Administrator (Full Control) role or necessary perm - [Managing the Archive](managing-the-archive.md) -  + -  + diff --git a/mdop/agpm/limit-the-gpo-versions-stored-agpm40.md b/mdop/agpm/limit-the-gpo-versions-stored-agpm40.md index 8950fcffb6..2570da4136 100644 --- a/mdop/agpm/limit-the-gpo-versions-stored-agpm40.md +++ b/mdop/agpm/limit-the-gpo-versions-stored-agpm40.md @@ -32,7 +32,7 @@ A user account with the AGPM Administrator (Full Control) role or necessary perm **Important**   Only GPO versions displayed on the **Unique Versions** tab of the **History** window count toward the limit. -   + 4. Click the **Apply** button. @@ -46,9 +46,9 @@ A user account with the AGPM Administrator (Full Control) role or necessary perm - [Managing the Archive](managing-the-archive-agpm40.md) -  + -  + diff --git a/mdop/agpm/managing-the-agpm-service-agpm30ops.md b/mdop/agpm/managing-the-agpm-service-agpm30ops.md index dd84d8d402..9896b4a887 100644 --- a/mdop/agpm/managing-the-agpm-service-agpm30ops.md +++ b/mdop/agpm/managing-the-agpm-service-agpm30ops.md 
@@ -22,7 +22,7 @@ The AGPM Service is a Windows service that acts as a security proxy, managing cl **Caution**   Do not modify settings for the AGPM Service through **Administrative Tools** and **Services** in the operating system. Doing so can prevent the AGPM Service from starting. -  + - [Start and Stop the AGPM Service](start-and-stop-the-agpm-service-agpm30ops.md) @@ -34,9 +34,9 @@ Do not modify settings for the AGPM Service through **Administrative Tools** and - [Performing AGPM Administrator Tasks](performing-agpm-administrator-tasks-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/managing-the-agpm-service-agpm40.md b/mdop/agpm/managing-the-agpm-service-agpm40.md index a67dd02255..96280adf4b 100644 --- a/mdop/agpm/managing-the-agpm-service-agpm40.md +++ b/mdop/agpm/managing-the-agpm-service-agpm40.md @@ -22,7 +22,7 @@ The AGPM Service is a Windows service that acts as a security proxy, managing cl **Caution**   Do not modify settings for the AGPM Service through **Administrative Tools** and **Services** in the operating system. Doing so can prevent the AGPM Service from starting. -  + - [Start and Stop the AGPM Service](start-and-stop-the-agpm-service-agpm40.md) @@ -34,9 +34,9 @@ Do not modify settings for the AGPM Service through **Administrative Tools** and - [Performing AGPM Administrator Tasks](performing-agpm-administrator-tasks-agpm40.md) -  + -  + diff --git a/mdop/agpm/managing-the-agpm-service.md b/mdop/agpm/managing-the-agpm-service.md index a4158688a0..174c061105 100644 --- a/mdop/agpm/managing-the-agpm-service.md +++ b/mdop/agpm/managing-the-agpm-service.md @@ -22,7 +22,7 @@ The AGPM Service is a Windows service that acts as a security proxy, managing cl **Caution**   Do not modify settings for the AGPM Service through **Administrative Tools** and **Services** in the operating system. Doing so can prevent the AGPM Service from starting. -  + - [Start and Stop the AGPM Service](start-and-stop-the-agpm-service.md) 
@@ -32,9 +32,9 @@ Do not modify settings for the AGPM Service through **Administrative Tools** and - [Modify the Port on Which the AGPM Service Listens](modify-the-port-on-which-the-agpm-service-listens.md) -  + -  + diff --git a/mdop/agpm/modify-the-agpm-service-account.md b/mdop/agpm/modify-the-agpm-service-account.md index 2046f75c10..21bd9e501c 100644 --- a/mdop/agpm/modify-the-agpm-service-account.md +++ b/mdop/agpm/modify-the-agpm-service-account.md @@ -24,7 +24,7 @@ The archive path and AGPM Service Account are configured during the installation **Caution**   Do not modify settings for the AGPM Service through **Administrative Tools** and **Services** in the operating system. Doing so can prevent the AGPM Service from starting. -  + A user account that is a member of the Domain Admins group and has access to the AGPM Server (the computer on which Microsoft Advanced Group Policy Management - Server is installed) is required to complete this procedure. @@ -33,7 +33,7 @@ The AGPM Service Account must have full access to the GPOs that it will manage a If you will be managing GPOs on multiple domains or if a member server will be the AGPM Server, you should configure a different account as the AGPM Service Account because the Local System account for one domain controller cannot access GPOs on other domains. -  + **To modify the AGPM Service Account** @@ -57,9 +57,9 @@ If you will be managing GPOs on multiple domains or if a member server will be t - [Managing the AGPM Service](managing-the-agpm-service.md) -  + -  + diff --git a/mdop/agpm/modify-the-agpm-service-agpm30ops.md b/mdop/agpm/modify-the-agpm-service-agpm30ops.md index a67e0b4d03..ce08a4d000 100644 --- a/mdop/agpm/modify-the-agpm-service-agpm30ops.md +++ b/mdop/agpm/modify-the-agpm-service-agpm30ops.md 
@@ -22,7 +22,7 @@ The AGPM Service is a Windows service that acts as a security proxy, managing cl **Caution**   Do not modify settings for the AGPM Service through **Administrative Tools** and **Services** in the operating system. Doing so can prevent the AGPM Service from starting. -  + A user account that is a member of the Domain Admins group and has access to the AGPM Server (the computer on which Microsoft Advanced Group Policy Management - Server is installed) is required to complete this procedure. Additionally, you must provide credentials for the AGPM Service Account to complete this procedure. @@ -45,7 +45,7 @@ A user account that is a member of the Domain Admins group and has access to the **Important**   The archive path can point to a folder on the AGPM Server or elsewhere, but the location should have sufficient space to store all GPOs and history data managed by this AGPM Server. -   + 2. In the **AGPM Service Account** dialog box, enter credentials for a service account under which the AGPM Service will run, and click **Next**. @@ -56,14 +56,14 @@ A user account that is a member of the Domain Admins group and has access to the If you will be managing GPOs on multiple domains or if a member server will be the AGPM Server, you should configure a different account as the AGPM Service Account because the Local System account for one domain controller cannot access GPOs on other domains. -   + 3. In the **Archive Owner** dialog box, enter the user name of an AGPM Administrator (Full Control) or group of AGPM Administrators, and click **Next**. **Note**   Modifying the installation clears the credentials for the Archive Owner. You must re-enter credentials, but they are not required to match the credentials used during the original installation. -   + 4. In the **Port Configuration** dialog box, type a new port on which the AGPM Service should listen or confirm the port currently selected, and click **Next**. 
@@ -72,7 +72,7 @@ A user account that is a member of the Domain Admins group and has access to the If you manually configure port exceptions or have rules configuring port exceptions, you can clear the **Add port exception to firewall** check box. -   + 5. Click **Change**, and when the installation is complete click **Finish**. @@ -84,9 +84,9 @@ A user account that is a member of the Domain Admins group and has access to the - [Managing the AGPM Service](managing-the-agpm-service-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/modify-the-agpm-service-agpm40.md b/mdop/agpm/modify-the-agpm-service-agpm40.md index 567b557030..20ec5c3a65 100644 --- a/mdop/agpm/modify-the-agpm-service-agpm40.md +++ b/mdop/agpm/modify-the-agpm-service-agpm40.md @@ -22,7 +22,7 @@ The AGPM Service is a Windows service that acts as a security proxy, managing cl **Caution**   Do not modify settings for the AGPM Service through **Administrative Tools** and **Services** in the operating system. Doing so can prevent the AGPM Service from starting. -  + A user account that is a member of the Domain Admins group and has access to the AGPM Server (the computer on which Microsoft Advanced Group Policy Management - Server is installed) is required to complete this procedure. Additionally, you must provide credentials for the AGPM Service Account to complete this procedure. @@ -41,7 +41,7 @@ A user account that is a member of the Domain Admins group and has access to the **Important**   The archive path can point to a folder on the AGPM Server or elsewhere, but the location should have sufficient space to store all GPOs and history data managed by this AGPM Server. -   + 2. In the **AGPM Service Account** dialog box, enter credentials for a service account under which the AGPM Service will run, and click **Next**. 
@@ -52,14 +52,14 @@ A user account that is a member of the Domain Admins group and has access to the If you will be managing GPOs on multiple domains or if a member server will be the AGPM Server, you should configure a different account as the AGPM Service Account because the Local System account for one domain controller cannot access GPOs on other domains. -   + 3. In the **Archive Owner** dialog box, enter the user name of an AGPM Administrator (Full Control) or group of AGPM Administrators, and click **Next**. **Note**   Modifying the installation clears the credentials for the Archive Owner. You must re-enter credentials, but they are not required to match the credentials used during the original installation. -   + 4. In the **Port Configuration** dialog box, type a new port on which the AGPM Service should listen or confirm the port currently selected, and click **Next**. @@ -68,7 +68,7 @@ A user account that is a member of the Domain Admins group and has access to the If you manually configure port exceptions or have rules configuring port exceptions, you can clear the **Add port exception to firewall** check box. -   + 5. Click **Change**, and when the installation is complete click **Finish**. @@ -80,9 +80,9 @@ A user account that is a member of the Domain Admins group and has access to the - [Managing the AGPM Service](managing-the-agpm-service-agpm40.md) -  + -  + diff --git a/mdop/agpm/modify-the-archive-path.md b/mdop/agpm/modify-the-archive-path.md index 26d73805cc..0e52f280d7 100644 --- a/mdop/agpm/modify-the-archive-path.md +++ b/mdop/agpm/modify-the-archive-path.md 
@@ -44,7 +44,7 @@ A user account that is a member of the Domain Admins group and has access to the If you will be managing GPOs on multiple domains or if a member server will be the AGPM Server, you should configure a different account as the AGPM Service Account because the Local System account for one domain controller cannot access GPOs on other domains. -   + 3. For the archive owner, enter the credentials of an AGPM Administrator (Full Control). @@ -54,9 +54,9 @@ A user account that is a member of the Domain Admins group and has access to the - [Managing the AGPM Service](managing-the-agpm-service.md) -  + -  + diff --git a/mdop/agpm/modify-the-port-on-which-the-agpm-service-listens.md b/mdop/agpm/modify-the-port-on-which-the-agpm-service-listens.md index cce4742600..6ad27ab0b6 100644 --- a/mdop/agpm/modify-the-port-on-which-the-agpm-service-listens.md +++ b/mdop/agpm/modify-the-port-on-which-the-agpm-service-listens.md @@ -22,7 +22,7 @@ The AGPM Service is a Windows service that acts as a security proxy, managing cl **Note**   Before modifying the port on which the AGPM Service listens, it is recommended that you back up the AGPM archive index file (gpostate.xml). This file is located in the folder entered as the archive path during the installation of Advanced Group Policy Management - Server. By default, this location of this file is %CommonAppData%\\Microsoft\\AGPM\\gpostate.xml on the AGPM Server. If you do not know which computer hosts the archive, you can follow the procedure for modifying the archive path to display the current archive path. For more information, see [Modify the Archive Path](modify-the-archive-path.md). -  + A user account with access to the AGPM Server (the computer on which the AGPM Service is installed) and the archive index file is required to complete this procedure. 
@@ -44,9 +44,9 @@ A user account with access to the AGPM Server (the computer on which the AGPM Se - [Managing the AGPM Service](managing-the-agpm-service.md) -  + -  + diff --git a/mdop/agpm/move-the-agpm-server-and-the-archive-agpm40.md b/mdop/agpm/move-the-agpm-server-and-the-archive-agpm40.md index 9581264c82..027abbaaa7 100644 --- a/mdop/agpm/move-the-agpm-server-and-the-archive-agpm40.md +++ b/mdop/agpm/move-the-agpm-server-and-the-archive-agpm40.md @@ -24,7 +24,7 @@ If you are replacing the AGPM Server and the server on which the archive is host - By default, the archive is hosted on the AGPM Server, but you can specify an archive path to host it on another server instead. -  + A user account that is a member of the Domain Admins group and has access to the previous and new AGPM Servers is required to complete this procedure. Additionally, you must provide credentials for the AGPM Service Account to be used by the new AGPM Server to complete this procedure. @@ -43,7 +43,7 @@ A user account that is a member of the Domain Admins group and has access to the **Note**   As a best practice, you should uninstall Microsoft Advanced Group Policy Management – Server from the previous AGPM Server. This will ensure that the AGPM Service cannot be unintentionally restarted on that server and potentially cause confusion if any AGPM Server connections to it remain. -   + 3. Copy the archive from the backup to the new server that will host the archive. For more information, see [Restore the Archive from a Backup](restore-the-archive-from-a-backup-agpm40.md). @@ -54,7 +54,7 @@ A user account that is a member of the Domain Admins group and has access to the 2. You must re-enter and confirm the password on the **Domain Delegation** tab. For more information, see [Configure E-Mail Notification](configure-e-mail-notification-agpm40.md). -   + ### Additional references 
@@ -72,9 +72,9 @@ A user account that is a member of the Domain Admins group and has access to the - [Performing AGPM Administrator Tasks](performing-agpm-administrator-tasks-agpm40.md) -  + -  + diff --git a/mdop/agpm/move-the-agpm-server-and-the-archive.md b/mdop/agpm/move-the-agpm-server-and-the-archive.md index 071df53b78..93f0d42c02 100644 --- a/mdop/agpm/move-the-agpm-server-and-the-archive.md +++ b/mdop/agpm/move-the-agpm-server-and-the-archive.md @@ -24,7 +24,7 @@ If you are replacing the AGPM Server and the server on which the archive is host - By default, the archive is hosted on the AGPM Server, but you can specify an archive path to host it on another server instead. -  + A user account that is a member of the Domain Admins group and has access to the previous and new AGPM Servers is required to complete this procedure. Additionally, you must provide credentials for the AGPM Service Account to be used by the new AGPM Server to complete this procedure. @@ -43,7 +43,7 @@ A user account that is a member of the Domain Admins group and has access to the **Note**   As a best practice, you should uninstall Microsoft Advanced Group Policy Management – Server from the previous AGPM Server. This will ensure that the AGPM Service cannot be unintentionally restarted on that server and potentially cause confusion if any AGPM Server connections to it remain. -   + 3. Copy the archive from the backup to the new server that will host the archive. For more information, see [Restore the Archive from a Backup](restore-the-archive-from-a-backup.md). @@ -54,7 +54,7 @@ A user account that is a member of the Domain Admins group and has access to the 2. You must re-enter and confirm the password on the **Domain Delegation** tab. For more information, see [Configure E-Mail Notification](configure-e-mail-notification-agpm30ops.md). -   + ### Additional references 
@@ -72,9 +72,9 @@ A user account that is a member of the Domain Admins group and has access to the - [Performing AGPM Administrator Tasks](performing-agpm-administrator-tasks-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/performing-agpm-administrator-tasks-agpm40.md b/mdop/agpm/performing-agpm-administrator-tasks-agpm40.md index 81bf1531af..aa73d0ac46 100644 --- a/mdop/agpm/performing-agpm-administrator-tasks-agpm40.md +++ b/mdop/agpm/performing-agpm-administrator-tasks-agpm40.md @@ -38,7 +38,7 @@ Because the AGPM Administrator role includes the permissions for all other roles [Performing Reviewer Tasks](performing-reviewer-tasks-agpm40.md), such as reviewing settings and comparing GPOs -  + ### Additional considerations @@ -68,9 +68,9 @@ By default, the AGPM Administrator role has Full Control—all AGPM permissions: The **Modify Options** and **Modify Security** permissions are unique to the role of AGPM Administrator. -  + -  + diff --git a/mdop/agpm/performing-approver-tasks-agpm30ops.md b/mdop/agpm/performing-approver-tasks-agpm30ops.md index 17aef02024..457707ad10 100644 --- a/mdop/agpm/performing-approver-tasks-agpm30ops.md +++ b/mdop/agpm/performing-approver-tasks-agpm30ops.md @@ -22,7 +22,7 @@ An Approver is a person authorized by an AGPM Administrator (Full Control) to cr **Important**   Make sure that you are connecting to the central archive for GPOs. For more information, see [Configure an AGPM Server Connection](configure-an-agpm-server-connection-reviewer-agpm30ops.md). -  + - [Approve or Reject a Pending Action](approve-or-reject-a-pending-action-agpm30ops.md) 
@@ -39,7 +39,7 @@ Make sure that you are connecting to the central archive for GPOs. For more info **Note**   Before approving a GPO, an Approver should review the policy settings that it contains. The Approver role includes the permissions for the Reviewer role, so that an Approver can review policy settings and compare GPOs. See [Performing Reviewer Tasks](performing-reviewer-tasks-agpm30ops.md) for more information. -  + ### Additional considerations @@ -57,9 +57,9 @@ By default, the following permissions are provided for the Approver role: Also, an Approver has full control over GPOs that he created or controlled. -  + -  + diff --git a/mdop/agpm/performing-approver-tasks-agpm40.md b/mdop/agpm/performing-approver-tasks-agpm40.md index 0baa5cc043..8a19c9ecda 100644 --- a/mdop/agpm/performing-approver-tasks-agpm40.md +++ b/mdop/agpm/performing-approver-tasks-agpm40.md @@ -22,7 +22,7 @@ An Approver is a person authorized by an AGPM Administrator (Full Control) to cr **Important**   Make sure that you are connecting to the central archive for GPOs. For more information, see [Configure an AGPM Server Connection](configure-an-agpm-server-connection-agpm40.md). -  + - [Approve or Reject a Pending Action](approve-or-reject-a-pending-action-agpm40.md) @@ -39,7 +39,7 @@ Make sure that you are connecting to the central archive for GPOs. For more info **Note**   Before approving a GPO, an Approver should review the policy settings that it contains. The Approver role includes the permissions for the Reviewer role, so that an Approver can review policy settings and compare GPOs. See [Performing Reviewer Tasks](performing-reviewer-tasks-agpm40.md) for more information. -  + ### Additional considerations @@ -57,9 +57,9 @@ By default, the following permissions are provided for the Approver role: Also, an Approver has full control over GPOs that he created or controlled. -  + -  + 
diff --git a/mdop/agpm/performing-approver-tasks.md b/mdop/agpm/performing-approver-tasks.md index 1bb25ef566..ce05f48885 100644 --- a/mdop/agpm/performing-approver-tasks.md +++ b/mdop/agpm/performing-approver-tasks.md @@ -22,7 +22,7 @@ An Approver is a person authorized by an AGPM Administrator (Full Control) to cr **Important**   Ensure that you are connecting to the central archive for GPOs. For more information, see [Configure the AGPM Server Connection](configure-the-agpm-server-connection-reviewer.md). -  + - [Approve or Reject a Pending Action](approve-or-reject-a-pending-action.md) @@ -39,7 +39,7 @@ Ensure that you are connecting to the central archive for GPOs. For more informa **Note**   Because the Approver role includes the permissions for the Reviewer role, an Approver can also review settings and compare GPOs. See [Performing Reviewer Tasks](performing-reviewer-tasks.md) for more information. -  + ### Additional considerations @@ -57,9 +57,9 @@ By default, the following permissions are provided for the Approver role: Also, an Approver has full control over GPOs that he created or controlled. -  + -  + diff --git a/mdop/agpm/performing-editor-tasks-agpm30ops.md b/mdop/agpm/performing-editor-tasks-agpm30ops.md index b38befa379..abc69827c2 100644 --- a/mdop/agpm/performing-editor-tasks-agpm30ops.md +++ b/mdop/agpm/performing-editor-tasks-agpm30ops.md @@ -22,7 +22,7 @@ An Editor is a person authorized by an AGPM Administrator (Full Control) to make **Important**   Ensure that you are connecting to the central archive for GPOs. For more information, see [Configure an AGPM Server Connection](configure-an-agpm-server-connection-reviewer-agpm30ops.md). -  + - [Creating, Controlling, or Importing a GPO](creating-controlling-or-importing-a-gpo-agpm30ops.md) 
@@ -35,7 +35,7 @@ Ensure that you are connecting to the central archive for GPOs. For more informa **Note**   Because the Editor role includes the permissions for the Reviewer role, an Editor can also review settings and compare GPOs. See [Performing Reviewer Tasks](performing-reviewer-tasks-agpm30ops.md) for more information. -  + ### Additional considerations @@ -49,9 +49,9 @@ By default, the following permissions are provided for the Editor role: - Create Template -  + -  + diff --git a/mdop/agpm/performing-editor-tasks-agpm40.md b/mdop/agpm/performing-editor-tasks-agpm40.md index 82d108b281..b776479dfc 100644 --- a/mdop/agpm/performing-editor-tasks-agpm40.md +++ b/mdop/agpm/performing-editor-tasks-agpm40.md @@ -22,7 +22,7 @@ In Advanced Group Policy Management (AGPM), an Editor is a person authorized by **Important**   Make sure that you are connecting to the central archive for GPOs. For more information, see [Configure an AGPM Server Connection](configure-an-agpm-server-connection-agpm40.md). -  + - [Creating or Controlling a GPO](creating-or-controlling-a-gpo-agpm40-ed.md) @@ -39,7 +39,7 @@ Make sure that you are connecting to the central archive for GPOs. For more info **Note**   Because the Editor role includes the permissions for the Reviewer role, an Editor can also review settings and compare GPOs. See [Performing Reviewer Tasks](performing-reviewer-tasks-agpm40.md) for more information. -  + ### Additional considerations @@ -57,9 +57,9 @@ By default, the following permissions are provided for the Editor role: - Create Template -  + -  + diff --git a/mdop/agpm/performing-editor-tasks.md b/mdop/agpm/performing-editor-tasks.md index bcad7c8bb0..eeea2a652c 100644 --- a/mdop/agpm/performing-editor-tasks.md +++ b/mdop/agpm/performing-editor-tasks.md 
@@ -22,7 +22,7 @@ An Editor is a person authorized by an AGPM Administrator (Full Control) to make **Important**   Ensure that you are connecting to the central archive for GPOs. For more information, see [Configure the AGPM Server Connection](configure-the-agpm-server-connection-reviewer.md). -  + - [Creating, Controlling, or Importing a GPO](creating-controlling-or-importing-a-gpo-editor.md) @@ -35,7 +35,7 @@ Ensure that you are connecting to the central archive for GPOs. For more informa **Note**   Because the Editor role includes the permissions for the Reviewer role, an Editor can also review settings and compare GPOs. See [Performing Reviewer Tasks](performing-reviewer-tasks.md) for more information. -  + ### Additional considerations @@ -49,9 +49,9 @@ By default, the following permissions are provided for the Editor role: - Create Template -  + -  + diff --git a/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm30ops.md b/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm30ops.md index f782b1e0c3..5eea73eb07 100644 --- a/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm30ops.md +++ b/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm30ops.md @@ -36,7 +36,7 @@ A user account with the Editor role or necessary permissions in Advanced Group P **Note**   If a GPO was deleted from the production environment, restoring it to the archive will not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy the GPO. For information, see [Deploy a GPO](deploy-a-gpo-agpm30ops.md). -  + ### Additional considerations @@ -48,9 +48,9 @@ If a GPO was deleted from the production environment, restoring it to the archiv - [Deleting, Restoring, or Destroying a GPO](deleting-restoring-or-destroying-a-gpo-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm40.md b/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm40.md index 9afa9d9981..9a569cc216 100644 
--- a/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm40.md +++ b/mdop/agpm/request-restoration-of-a-deleted-gpo-agpm40.md @@ -36,7 +36,7 @@ A user account with the Editor role or necessary permissions in Advanced Group P **Note**   If a GPO was deleted from the production environment, restoring it to the archive will not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy the GPO. For information, see [Request Deployment of a GPO](request-deployment-of-a-gpo-agpm40.md). -  + ### Additional considerations @@ -48,9 +48,9 @@ If a GPO was deleted from the production environment, restoring it to the archiv - [Deleting or Restoring a GPO](deleting-or-restoring-a-gpo-agpm40.md) -  + -  + diff --git a/mdop/agpm/restore-a-deleted-gpo-agpm30ops.md b/mdop/agpm/restore-a-deleted-gpo-agpm30ops.md index 342d6c7600..5f46d1b370 100644 --- a/mdop/agpm/restore-a-deleted-gpo-agpm30ops.md +++ b/mdop/agpm/restore-a-deleted-gpo-agpm30ops.md @@ -36,7 +36,7 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne **Note**   If a GPO was deleted from the production environment, restoring it to the archive will not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy the GPO. For information, see [Deploy a GPO](deploy-a-gpo-agpm30ops.md). -  + ### Additional considerations @@ -46,9 +46,9 @@ If a GPO was deleted from the production environment, restoring it to the archiv - [Deleting, Restoring, or Destroying a GPO](deleting-restoring-or-destroying-a-gpo-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/restore-a-deleted-gpo-agpm40.md b/mdop/agpm/restore-a-deleted-gpo-agpm40.md index 3350340ca0..d68d3dc138 100644 --- a/mdop/agpm/restore-a-deleted-gpo-agpm40.md +++ b/mdop/agpm/restore-a-deleted-gpo-agpm40.md 
@@ -36,7 +36,7 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne **Note**   If a GPO was deleted from the production environment, restoring it to the archive will not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy the GPO. For information, see [Deploy a GPO](deploy-a-gpo-agpm40.md). -  + ### Additional considerations @@ -46,9 +46,9 @@ If a GPO was deleted from the production environment, restoring it to the archiv - [Deleting, Restoring, or Destroying a GPO](deleting-restoring-or-destroying-a-gpo-agpm40.md) -  + -  + diff --git a/mdop/agpm/restore-a-deleted-gpo.md b/mdop/agpm/restore-a-deleted-gpo.md index aaa6e75e6d..27a79b4d0e 100644 --- a/mdop/agpm/restore-a-deleted-gpo.md +++ b/mdop/agpm/restore-a-deleted-gpo.md @@ -36,7 +36,7 @@ A user account with the Editor, Approver, or AGPM Administrator (Full Control) r **Note**   If a GPO was deleted from the production environment, restoring it to the archive will not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy the GPO. For information, see [Deploy a GPO](deploy-a-gpo.md). -  + ### Additional considerations @@ -46,9 +46,9 @@ If a GPO was deleted from the production environment, restoring it to the archiv - [Deleting, Restoring, or Destroying a GPO](deleting-restoring-or-destroying-a-gpo.md) -  + -  + diff --git a/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo-agpm30ops.md b/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo-agpm30ops.md index 4495e614f3..14901c7456 100644 --- a/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo-agpm30ops.md +++ b/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo-agpm30ops.md 
@@ -36,7 +36,7 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne **Note**   To verify that the version that has been redeployed matches the version intended, examine a difference report for the two versions. In the **History** window for the GPO, highlight the two versions, and then right-click and select **Difference** and either **HTML Report** or **XML Report**. -  + ### Additional considerations @@ -46,9 +46,9 @@ To verify that the version that has been redeployed matches the version intended - [Performing Approver Tasks](performing-approver-tasks-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo.md b/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo.md index 70ecdf9cf9..2363f2055b 100644 --- a/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo.md +++ b/mdop/agpm/roll-back-to-a-previous-version-of-a-gpo.md @@ -36,7 +36,7 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne **Note**   To verify that the version that has been redeployed matches the version intended, examine a difference report for the two versions. In the **History** window for the GPO, highlight the two versions, and then right-click and select **Difference** and either **HTML Report** or **XML Report**. -  + ### Additional considerations @@ -46,9 +46,9 @@ To verify that the version that has been redeployed matches the version intended - [Performing Approver Tasks](performing-approver-tasks.md) -  + -  + diff --git a/mdop/agpm/roll-back-to-an-earlier-version-of-a-gpo-agpm40.md b/mdop/agpm/roll-back-to-an-earlier-version-of-a-gpo-agpm40.md index 3e8f90b2c8..5a9b000943 100644 --- a/mdop/agpm/roll-back-to-an-earlier-version-of-a-gpo-agpm40.md +++ b/mdop/agpm/roll-back-to-an-earlier-version-of-a-gpo-agpm40.md 
@@ -36,7 +36,7 @@ A user account with the Approver or AGPM Administrator (Full Control) role or ne **Note**   To verify that the version that has been redeployed matches the version intended, examine a difference report for the two versions. In the **History** window for the GPO, highlight the two versions, and then right-click and select **Difference** and either **HTML Report** or **XML Report**. -  + ### Additional considerations @@ -46,9 +46,9 @@ To verify that the version that has been redeployed matches the version intended - [Performing Approver Tasks](performing-approver-tasks-agpm40.md) -  + -  + diff --git a/mdop/agpm/set-a-default-template-agpm30ops.md b/mdop/agpm/set-a-default-template-agpm30ops.md index e1db68f7c0..aab61140e4 100644 --- a/mdop/agpm/set-a-default-template-agpm30ops.md +++ b/mdop/agpm/set-a-default-template-agpm30ops.md @@ -22,7 +22,7 @@ As an Editor, you can specify which of the available templates will be the defau **Note**   A template is an uneditable, static version of a GPO for use as a starting point for creating new, editable GPOs. -  + A user account with the Editor or AGPM Administrator (Full Control) role or necessary permissions in Advanced Group Policy Management (AGPM) is required to complete this procedure. Review the details in "Additional considerations" in this topic. @@ -54,9 +54,9 @@ A user account with the Editor or AGPM Administrator (Full Control) role or nece - [Request the Creation of a New Controlled GPO](request-the-creation-of-a-new-controlled-gpo-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/set-a-default-template-agpm40.md b/mdop/agpm/set-a-default-template-agpm40.md index 607827e3bd..68c165be29 100644 --- a/mdop/agpm/set-a-default-template-agpm40.md +++ b/mdop/agpm/set-a-default-template-agpm40.md 
@@ -22,7 +22,7 @@ As an Editor, you can specify which of the available templates will be the defau **Note**   A template is an uneditable, static version of a GPO for use as a starting point for creating new, editable GPOs. -  + A user account with the Editor or AGPM Administrator (Full Control) role or necessary permissions in Advanced Group Policy Management (AGPM) is required to complete this procedure. Review the details in "Additional considerations" in this topic. @@ -54,9 +54,9 @@ A user account with the Editor or AGPM Administrator (Full Control) role or nece - [Request the Creation of a New Controlled GPO](request-the-creation-of-a-new-controlled-gpo-agpm40.md) -  + -  + diff --git a/mdop/agpm/set-a-default-template.md b/mdop/agpm/set-a-default-template.md index e898dea445..354b961123 100644 --- a/mdop/agpm/set-a-default-template.md +++ b/mdop/agpm/set-a-default-template.md @@ -22,7 +22,7 @@ As an Editor, you can specify which of the available templates will be the defau **Note**   A template is an uneditable, static version of a GPO for use as a starting point for creating new, editable GPOs. -  + A user account with the Editor or AGPM Administrator (Full Control) role or necessary permissions in Advanced Group Policy Management is required to complete this procedure. Review the details in "Additional considerations" in this topic. @@ -54,9 +54,9 @@ A user account with the Editor or AGPM Administrator (Full Control) role or nece - [Request the Creation of a New Controlled GPO](request-the-creation-of-a-new-controlled-gpo.md) -  + -  + diff --git a/mdop/agpm/start-and-stop-the-agpm-service-agpm30ops.md b/mdop/agpm/start-and-stop-the-agpm-service-agpm30ops.md index 09e1df9c24..bd04d77d92 100644 --- a/mdop/agpm/start-and-stop-the-agpm-service-agpm30ops.md +++ b/mdop/agpm/start-and-stop-the-agpm-service-agpm30ops.md 
@@ -22,7 +22,7 @@ The AGPM Service is a Windows service that acts as a security proxy, managing cl **Important**   Stopping or disabling the AGPM Service will prevent AGPM Clients from performing any operations (such as listing or editing GPOs) through the server. -  + A user account with access to the AGPM Server (the computer on which the AGPM Service is installed) is required to complete this procedure. @@ -35,15 +35,15 @@ A user account with access to the AGPM Server (the computer on which the AGPM Se **Caution**   Do not modify settings for the AGPM Service through **Administrative Tools** and **Services** in the operating system. Doing so can prevent the AGPM Service from starting. -   + ### Additional references - [Managing the AGPM Service](managing-the-agpm-service-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/start-and-stop-the-agpm-service-agpm40.md b/mdop/agpm/start-and-stop-the-agpm-service-agpm40.md index 5d09af3efc..7d19498e83 100644 --- a/mdop/agpm/start-and-stop-the-agpm-service-agpm40.md +++ b/mdop/agpm/start-and-stop-the-agpm-service-agpm40.md @@ -22,7 +22,7 @@ The AGPM Service is a Windows service that acts as a security proxy, managing cl **Important**   Stopping or disabling the AGPM Service will prevent AGPM Clients from performing any operations (such as listing or editing GPOs) through the server. -  + A user account with access to the AGPM Server (the computer on which the AGPM Service is installed) is required to complete this procedure. @@ -35,15 +35,15 @@ A user account with access to the AGPM Server (the computer on which the AGPM Se **Caution**   Do not modify settings for the AGPM Service through **Administrative Tools** and **Services** in the operating system. Doing so can prevent the AGPM Service from starting. -   + ### Additional references - [Managing the AGPM Service](managing-the-agpm-service-agpm40.md) -  + -  + 
diff --git a/mdop/agpm/start-and-stop-the-agpm-service.md b/mdop/agpm/start-and-stop-the-agpm-service.md index 25c70d3eb6..05cb3f8cc5 100644 --- a/mdop/agpm/start-and-stop-the-agpm-service.md +++ b/mdop/agpm/start-and-stop-the-agpm-service.md @@ -22,7 +22,7 @@ The AGPM Service is a Windows service that acts as a security proxy, managing cl **Important**   Stopping or disabling the AGPM Service will prevent AGPM clients from performing any operations (such as listing or editing GPOs) through the server. -  + A user account with access to the AGPM Server (the computer on which the AGPM Service is installed) is required to complete this procedure. @@ -35,15 +35,15 @@ A user account with access to the AGPM Server (the computer on which the AGPM Se **Caution**   Do not modify settings for the AGPM Service through **Administrative Tools** and **Services** in the operating system. Doing so can prevent the AGPM Service from starting. To modify settings for the service, see [Managing the AGPM Service](managing-the-agpm-service.md). -   + ### Additional references - [Managing the AGPM Service](managing-the-agpm-service.md) -  + -  + diff --git a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-25.md b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-25.md index b5f244c51b..b41ee4e572 100644 --- a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-25.md +++ b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-25.md 
@@ -68,7 +68,7 @@ Archives cannot be migrated from an AGPM Server or a GPOVault Server running Win For Windows Server 2003, if GPOVault Server is installed on the computer on which you want to install AGPM Server, it is recommended that you do not uninstall GPOVault Server before beginning the installation. The installation of AGPM Server will uninstall GPOVault Server and automatically transfer your existing GPOVault archive data to an AGPM archive. -  + ### AGPM Client requirements 
@@ -81,16 +81,16 @@ Before you begin this scenario, create four user accounts. During the scenario, **Note**   **Link GPOs** permission is assigned to members of Domain Administrators and Enterprise Administrators by default. To assign **Link GPOs** permission to additional users or groups (such as accounts with the roles of AGPM Administrator or Approver), click the node for the domain and then click the **Delegation** tab, select **Link GPOs**, click **Add**, and select users or groups to which to assign the permission. -  + For this scenario, you perform actions with different accounts. You can either log on with each account as indicated, or you can use the **Run as** command to start the GPMC with the indicated account. **Note**   To use the **Run as** command with GPMC on Windows Server 2003, click **Start**, point to **Administrative Tools**, right-click **Group Policy Management**, and click **Run as**. Click **The following user** and enter credentials for an account. -To use the **Run as** command with GPMC on Windows Vista, click the **Start** button, point to **Run**, and type **runas /user:***DomainName\\UserName***"mmc %windir%\\system32\\gpmc.msc"**, and click **OK**. Type the password for the account when prompted. +To use the **Run as** command with GPMC on Windows Vista, click the **Start** button, point to **Run**, and type **runas /user:**DomainName\\UserName**"mmc %windir%\\system32\\gpmc.msc"**, and click **OK**. Type the password for the account when prompted. -  + ## Steps for installing and configuring AGPM @@ -134,7 +134,7 @@ In this step, you install AGPM Server on the member server or domain controller **Caution**   Do not modify settings for the AGPM Service through **Administrative Tools** and **Services** in the operating system. Doing so can prevent the AGPM Service from starting. For information on how to modify settings for the service, see Help for Advanced Group Policy Management. -   + ### Step 2: Install AGPM Client 
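Review bot: in the step-by-step-guide-for-microsoft-advanced-group-policy-management-25.md hunk at `@@ -81,16 +81,16 @@`, the rewritten runas line drops the italic markers around `DomainName\\UserName`, so the placeholder now renders as literal text that is indistinguishable from the rest of the bold command; keep it marked as a placeholder, for example `**runas /user:***DomainName\\UserName*** "mmc %windir%\\system32\\gpmc.msc"**`, or put the whole command in a code span. Both the old and the new line also have no space between the `/user:` value and the quoted program, and `runas` takes the user and the program as two separate arguments, so a reader who copies the line as rendered gets a malformed command. Since the line is being touched anyway, insert that space.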
@@ -211,12 +211,12 @@ As an AGPM Administrator (Full Control), you delegate domain-level access to GPO **Note**   You can also delegate access at the GPO level rather than the domain level. For details, see Help for Advanced Group Policy Management. -  + **Important**   You should restrict membership in the Group Policy Creator Owners group, so it cannot be used to circumvent AGPM management of access to GPOs. (In the **Group Policy Management Console**, click **Group Policy Objects** in the forest and domain in which you want to manage GPOs, click **Delegation**, and then configure the settings to meet the needs of your organization.) -  + **To delegate access to all GPOs throughout a domain** @@ -512,7 +512,7 @@ Occasionally you may discover after deleting a GPO that it is still needed. In t **Note**   Restoring a GPO to the archive does not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy the GPO as in [Step 3: Review and deploy a GPO](#bkmk-manage3). -   + After editing and deploying a GPO, you may discover that recent changes to the GPO are causing a problem. In this step, you act as an Approver to roll back to a previous version of the GPO. You can roll back to any version in the history of the GPO. You can use comments and labels to identify known good versions and when specific changes were made. @@ -529,11 +529,11 @@ After editing and deploying a GPO, you may discover that recent changes to the G **Note**   To verify that the version that has been redeployed is the version intended, examine a difference report for the two versions. In the **History** window for the GPO, select the two versions, right-click them, point to **Difference**, and then click either **HTML Report** or **XML Report**. -   + -  + -  + 
diff --git a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-30.md b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-30.md index 1a83ba048e..d593fc9011 100644 --- a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-30.md +++ b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-30.md @@ -56,7 +56,7 @@ Computers on which you want to install AGPM must meet the following requirements **Note**   If you have AGPM 2.5 installed and are upgrading from Windows Server® 2003 to Windows Server 2008 or Windows Vista® with no service packs installed to Windows Vista with Service Pack 1, you must upgrade the operating system before you can upgrade to AGPM 3.0. -  + ### AGPM Server requirements @@ -105,7 +105,7 @@ Before you begin this scenario, create four user accounts. During the scenario, **Note**   **Link GPOs** permission is assigned to members of Domain Administrators and Enterprise Administrators by default. To assign **Link GPOs** permission to additional users or groups (such as accounts with the roles of AGPM Administrator or Approver), click the node for the domain and then click the **Delegation** tab, select **Link GPOs**, click **Add**, and select users or groups to which to assign the permission. -  + ## Steps for installing and configuring AGPM @@ -153,7 +153,7 @@ In this step, you install AGPM Server on the member server or domain controller **Caution**   Do not modify settings for the AGPM Service through **Administrative Tools** and **Services** in the operating system. Doing so can prevent the AGPM Service from starting. For information on how to modify settings for the service, see Help for Advanced Group Policy Management. -   + ### Step 2: Install AGPM Client 
@@ -220,12 +220,12 @@ As an AGPM Administrator (Full Control), you delegate domain-level access to GPO **Note**   You can also delegate access at the GPO level rather than the domain level. For details, see Help for Advanced Group Policy Management. -  + **Important**   You should restrict membership in the Group Policy Creator Owners group, so it cannot be used to circumvent AGPM management of access to GPOs. (In the **Group Policy Management Console**, click **Group Policy Objects** in the forest and domain in which you want to manage GPOs, click **Delegation**, and then configure the settings to meet the needs of your organization.) -  + **To delegate access to all GPOs throughout a domain** 
@@ -348,31 +348,31 @@ In this step, you act as an Approver, creating reports and analyzing the setting **To review settings in the GPO** -1. On a computer on which you have installed AGPM Client, log on with a user account that has been assigned the role of Approver in AGPM. (Any Group Policy administrator with the Reviewer role, which is included in all of the other roles, can review the settings in a GPO.) +1. On a computer on which you have installed AGPM Client, log on with a user account that has been assigned the role of Approver in AGPM. (Any Group Policy administrator with the Reviewer role, which is included in all of the other roles, can review the settings in a GPO.) -2. Open the e-mail inbox for the account and note that you have received an e-mail message from the AGPM alias with an Editor's request to deploy a GPO. +2. Open the e-mail inbox for the account and note that you have received an e-mail message from the AGPM alias with an Editor's request to deploy a GPO. -3. In the **Group Policy Management Console** tree, click **Change Control** in the forest and domain in which you want to manage GPOs. +3. In the **Group Policy Management Console** tree, click **Change Control** in the forest and domain in which you want to manage GPOs. -4. On the **Contents** tab in the details pane, click the **Pending** tab. +4. On the **Contents** tab in the details pane, click the **Pending** tab. -5. Double-click **MyGPO** to display its history. +5. Double-click **MyGPO** to display its history. -6. Review the settings in the most recent version of MyGPO: +6. Review the settings in the most recent version of MyGPO: - 1. In the **History** window, right-click the GPO version with the most recent timestamp, click **Settings**, and then click **HTML Report** to display a summary of the GPO's settings. + 1. 
In the **History** window, right-click the GPO version with the most recent timestamp, click **Settings**, and then click **HTML Report** to display a summary of the GPO's settings. - 2. In the Web browser, click **show all** to display all of the settings in the GPO. Close the browser. + 2. In the Web browser, click **show all** to display all of the settings in the GPO. Close the browser. -7. Compare the most recent version of MyGPO to the first version checked in to the archive: +7. Compare the most recent version of MyGPO to the first version checked in to the archive: - 1. In the **History** window, click the GPO version with the most recent time stamp. Press CTRL and click the oldest GPO version for which the **Computer Version** is not **\***. + 1. In the **History** window, click the GPO version with the most recent time stamp. Press CTRL and click the oldest GPO version for which the **Computer Version** is not **\\***. - 2. Click the **Differences** button. The **Account Policies/Password Policy** section is highlighted in green and preceded by **\[+\]**, indicating that this setting is configured only in the latter version of the GPO. + 2. Click the **Differences** button. The **Account Policies/Password Policy** section is highlighted in green and preceded by **\[+\]**, indicating that this setting is configured only in the latter version of the GPO. - 3. Click **Account Policies/Password Policy**. The **Minimum password length** setting is also highlighted in green and preceded by **\[+\]**, indicating that it is configured only in the latter version of the GPO. + 3. Click **Account Policies/Password Policy**. The **Minimum password length** setting is also highlighted in green and preceded by **\[+\]**, indicating that it is configured only in the latter version of the GPO. - 4. Close the Web browser. + 4. Close the Web browser. **To deploy the GPO to the production environment** 
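Review bot: in the step-by-step-guide-for-microsoft-advanced-group-policy-management-30.md hunk at `@@ -348,31 +348,31 @@`, changing `**\***` to `**\\***` in step 7 is a rendering regression, not a cleanup: `\*` is an escaped asterisk and renders as a bold `*`, which is the value the **Computer Version** column actually shows, whereas `\\*` renders a literal backslash inside the bold run and leaves a stray unmatched `*` after it. Revert that edit to `**\***`. The other changed lines in this hunk read identically on both sides here, so the edit is presumably trailing or non-breaking whitespace only; confirm that the nested sub-lists under steps 6 and 7 keep their indentation after the rewrite, otherwise they flatten into the outer numbered list.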
@@ -501,7 +501,7 @@ Occasionally you may discover after deleting a GPO that it is still needed. In t **Note**   Restoring a GPO to the archive does not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy the GPO as in [Step 3: Review and deploy a GPO](#bkmk-manage3). -   + After editing and deploying a GPO, you may discover that recent changes to the GPO are causing a problem. In this step, you act as an Approver to roll back to a previous version of the GPO. You can roll back to any version in the history of the GPO. You can use comments and labels to identify known good versions and when specific changes were made. @@ -518,11 +518,11 @@ After editing and deploying a GPO, you may discover that recent changes to the G **Note**   To verify that the version that has been redeployed is the version intended, examine a difference report for the two versions. In the **History** window for the GPO, select the two versions, right-click them, point to **Difference**, and then click either **HTML Report** or **XML Report**. -   + -  + -  + diff --git a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md index 465392169b..dc69096e0f 100644 --- a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md +++ b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md @@ -60,7 +60,7 @@ If you have AGPM 2.5 installed and are upgrading from Windows Server® 2003 to If you have AGPM 3.0 installed, you do not have to upgrade the operating system before you upgrade to AGPM 4.0 -  + In a mixed environment that includes both newer and older operating systems, there are some limitations to functionality, as indicated in the following table. 
@@ -101,7 +101,7 @@ In a mixed environment that includes both newer and older operating systems, the -  + ### AGPM Server requirements @@ -162,7 +162,7 @@ Before you begin this scenario, create four user accounts. During the scenario, **Note**   **Link GPOs** permission is assigned to members of Domain Administrators and Enterprise Administrators by default. To assign **Link GPOs** permission to additional users or groups (such as accounts that have the roles of AGPM Administrator or Approver), click the node for the domain and then click the **Delegation** tab, select **Link GPOs**, click **Add**, and select users or groups to which you want to assign the permission. -  + ## Steps for installing and configuring AGPM @@ -222,7 +222,7 @@ In this step, you install AGPM Server on the member server or domain controller **Caution**   Do not change settings for the AGPM Service through **Administrative Tools** and **Services** in the operating system. Doing this can prevent the AGPM Service from starting. For information about how to change settings for the service, see Help for Advanced Group Policy Management. -   + ### Step 2: Install AGPM Client @@ -289,12 +289,12 @@ As an AGPM Administrator (Full Control), you delegate domain-level access to GPO **Note**   You can also delegate access at the GPO level instead of the domain level. For more information, see Help for Advanced Group Policy Management. -  + **Important**   You should restrict membership in the Group Policy Creator Owners group so that it cannot be used to circumvent AGPM management of access to GPOs. (In the **Group Policy Management Console**, click **Group Policy Objects** in the forest and domain in which you want to manage GPOs, click **Delegation**, and then configure the settings to meet the needs of your organization.) -  + **To delegate access to all GPOs throughout a domain** 
@@ -417,31 +417,31 @@ In this step, you act as an Approver, creating reports and analyzing the setting **To review settings in the GPO** -1. On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Approver in AGPM. Any Group Policy administrator with the Reviewer role, which is included in all of the other roles, can review the settings in a GPO. +1. On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Approver in AGPM. Any Group Policy administrator with the Reviewer role, which is included in all of the other roles, can review the settings in a GPO. -2. Open the e-mail inbox for the account and notice that you have received an e-mail message from the AGPM alias with an Editor's request to deploy a GPO. +2. Open the e-mail inbox for the account and notice that you have received an e-mail message from the AGPM alias with an Editor's request to deploy a GPO. -3. In the **Group Policy Management Console** tree, click **Change Control** in the forest and domain in which you want to manage GPOs. +3. In the **Group Policy Management Console** tree, click **Change Control** in the forest and domain in which you want to manage GPOs. -4. On the **Contents** tab in the details pane, click the **Pending** tab. +4. On the **Contents** tab in the details pane, click the **Pending** tab. -5. Double-click **MyGPO** to display its history. +5. Double-click **MyGPO** to display its history. -6. Review the settings in the most recent version of MyGPO: +6. Review the settings in the most recent version of MyGPO: - 1. In the **History** window, right-click the GPO version with the most recent time stamp, click **Settings**, and then click **HTML Report** to display a summary of the GPO's settings. + 1. 
In the **History** window, right-click the GPO version with the most recent time stamp, click **Settings**, and then click **HTML Report** to display a summary of the GPO's settings. - 2. In the Web browser, click **show all** to display all the settings in the GPO. Close the browser. + 2. In the Web browser, click **show all** to display all the settings in the GPO. Close the browser. -7. Compare the most recent version of MyGPO to the first version checked in to the archive: +7. Compare the most recent version of MyGPO to the first version checked in to the archive: - 1. In the **History** window, click the GPO version with the most recent time stamp. Press CTRL and then click the oldest GPO version for which the **Computer Version** is not **\***. + 1. In the **History** window, click the GPO version with the most recent time stamp. Press CTRL and then click the oldest GPO version for which the **Computer Version** is not **\\***. - 2. Click the **Differences** button. The **Account Policies/Password Policy** section is highlighted in green and preceded by **\[+\]**. This indicates that the setting is configured only in the latter version of the GPO. + 2. Click the **Differences** button. The **Account Policies/Password Policy** section is highlighted in green and preceded by **\[+\]**. This indicates that the setting is configured only in the latter version of the GPO. - 3. Click **Account Policies/Password Policy**. The **Minimum password length** setting is also highlighted in green and preceded by **\[+\]**, indicating that it is configured only in the latter version of the GPO. + 3. Click **Account Policies/Password Policy**. The **Minimum password length** setting is also highlighted in green and preceded by **\[+\]**, indicating that it is configured only in the latter version of the GPO. - 4. Close the Web browser. + 4. Close the Web browser. **To deploy the GPO to the production environment** 
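Review bot: the same regression appears in the step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md hunk at `@@ -417,31 +417,31 @@`: `**\***` becomes `**\\***` in step 7, which turns the intended bold asterisk (the **Computer Version** value being compared against) into a bold backslash followed by an unmatched `*`. Keep `**\***`. As in the 3.0 guide, the remaining changed lines read identically on both sides here, so verify that the whitespace-only rewrite preserves the indentation of the sub-lists under steps 6 and 7.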
@@ -570,7 +570,7 @@ Occasionally you may discover after you delete a GPO that it is still needed. In **Note**   Restoring a GPO to the archive does not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy the GPO as in [Step 3: Review and deploy a GPO](#bkmk-manage3). -   + After editing and deploying a GPO, you may discover that recent changes to the GPO are causing a problem. In this step, you act as an Approver to roll back to an earlier version of the GPO. You can roll back to any version in the history of the GPO. You can use comments and labels to identify known good versions and when specific changes were made. @@ -587,11 +587,11 @@ After editing and deploying a GPO, you may discover that recent changes to the G **Note**   To verify that the version that was redeployed is the version intended, examine a difference report for the two versions. In the **History** window for the GPO, select the two versions, right-click them, point to **Difference**, and then click either **HTML Report** or **XML Report**. -   + -  + -  + diff --git a/mdop/agpm/technical-overview-of-agpm.md b/mdop/agpm/technical-overview-of-agpm.md index 516d253320..9f7a7d14d8 100644 --- a/mdop/agpm/technical-overview-of-agpm.md +++ b/mdop/agpm/technical-overview-of-agpm.md @@ -101,7 +101,7 @@ Table 1 describes both the items that AGPM installs or creates and the parts of -  + ### Additional references 
@@ -119,7 +119,7 @@ The gpostate.xml file records the state of each GPO in the archive. The file is **Caution**   Do not manually edit gpostate.xml or the GPOs the archive contains. This information is provided only to enhance understanding of the AGPM archive. Instead, use the AGPM snap-in to change GPOs. -  + When AGPM creates the archive, it gives Full Control to SYSTEM, Administrators, and the AGPM Service Account (specified in the setup of AGPM Server). Changing permissions by using the AGPM user interface on the AGPM snap-in does not alter permissions on the archive, because the AGPM Service Account performs all operations on behalf of the logged-on user. @@ -261,22 +261,22 @@ AGPM gives AGPM Administrators the flexibility to configure permissions at a mor -  + **Note**   **Export GPO** and **Import GPO** permissions are not available in AGPM 3.0 or 2.5. The ability to delegate access to GPOs in the production environment for a domain and the ability to limit the number of GPO versions stored are not available in AGPM 2.5. -  + ### Additional references For information about what tasks can be performed by Group Policy administrators assigned a particular role or about which permissions are required to perform a specific task, see the [Operations Guide for AGPM](https://go.microsoft.com/fwlink/?LinkId=160061). -  + -  + diff --git a/mdop/agpm/template-commands-agpm30ops.md b/mdop/agpm/template-commands-agpm30ops.md index 66f215dc18..d0d078ee41 100644 --- a/mdop/agpm/template-commands-agpm30ops.md +++ b/mdop/agpm/template-commands-agpm30ops.md @@ -30,7 +30,7 @@ Because a template cannot be altered, templates have no history. However, like a **Note**   A template is an uneditable, static version of a GPO for use as a starting point for creating new, editable GPOs. -  + Right-clicking the **Group Policy Objects** list on this tab displays a shortcut menu, including whichever of the following options are applicable. 
@@ -56,7 +56,7 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut -  + ## Reports @@ -84,7 +84,7 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut -  + ## Template management @@ -116,7 +116,7 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut -  + ## Miscellaneous @@ -144,7 +144,7 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut -  + ### Additional references @@ -154,9 +154,9 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut - [Performing Reviewer Tasks](performing-reviewer-tasks-agpm30ops.md) -  + -  + diff --git a/mdop/agpm/template-commands-agpm40.md b/mdop/agpm/template-commands-agpm40.md index cbeea91b27..ab77542a14 100644 --- a/mdop/agpm/template-commands-agpm40.md +++ b/mdop/agpm/template-commands-agpm40.md @@ -30,7 +30,7 @@ Because a template cannot be altered, templates have no history. However, like a **Note**   A template is an uneditable, static version of a GPO for use as a starting point for creating new, editable GPOs. -  + Right-clicking the **Group Policy Objects** list on this tab displays a shortcut menu, including whichever of the following options are applicable. @@ -56,7 +56,7 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut -  + ## Reports @@ -84,7 +84,7 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut -  + ## Template management @@ -116,7 +116,7 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut -  + ## Miscellaneous @@ -144,7 +144,7 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut -  + ### Additional references @@ -154,9 +154,9 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut - [Performing Reviewer Tasks](performing-reviewer-tasks-agpm40.md) -  + -  + 
diff --git a/mdop/agpm/templates-tab.md b/mdop/agpm/templates-tab.md index e781c75a4b..6c6a7e617d 100644 --- a/mdop/agpm/templates-tab.md +++ b/mdop/agpm/templates-tab.md @@ -30,7 +30,7 @@ Because a template cannot be altered, templates have no history. However, like a **Note**   A template is an uneditable, static version of a GPO for use as a starting point for creating new, editable GPOs. -  + Right-clicking the **Group Policy Objects** list on this tab displays a shortcut menu, including whichever of the following options are applicable. @@ -56,7 +56,7 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut -  + ## Reports @@ -84,7 +84,7 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut -  + ## Template management @@ -116,7 +116,7 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut -  + ## Miscellaneous @@ -144,7 +144,7 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut -  + ### Additional references @@ -154,9 +154,9 @@ Right-clicking the **Group Policy Objects** list on this tab displays a shortcut - [Performing Reviewer Tasks](performing-reviewer-tasks.md) -  + -  + diff --git a/mdop/agpm/using-a-test-environment.md b/mdop/agpm/using-a-test-environment.md index 49a3f57e3e..0b9b47d7e4 100644 --- a/mdop/agpm/using-a-test-environment.md +++ b/mdop/agpm/using-a-test-environment.md @@ -28,11 +28,11 @@ Before you request that a Group Policy Object (GPO) be deployed to the productio **Note**   You can also import a GPO from the production environment of the domain. For more information, see [Import a GPO from Production](import-a-gpo-from-production-agpm40-ed.md). -  + -  + -  + diff --git a/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md b/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md index 247e642cfd..44b77a218d 100644 --- a/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md 
+++ b/mdop/appv-v4/about-app-v-package-accelerators--app-v-46-sp1-.md @@ -22,14 +22,14 @@ You can use App-V Package Accelerators to automatically sequence large, complex **Note**   In some cases, you are prompted to install an application locally to the computer running the App-V Sequencer before you can use the Package Accelerator. If you have to install an application, you must install the application to the application’s default location. This installation is not monitored by App-V Sequencer. When the App-V Package Accelerator is created, the author of the Package Accelerator determines whether to install an application locally is required. -  + App-V Sequencer extracts the required files from the App-V Package Accelerator and associated installation media to create a virtual package without having to monitor the installation of the application. **Important**   Disclaimer: The Microsoft Application Virtualization Sequencer does not give you any license rights to the software application you are using to create a Package Accelerator. You must abide by all end user license terms for such application. It is your responsibility to make sure the software application’s license terms allow you to create a Package Accelerator using Application Virtualization Sequencer. -  + App-V Package Accelerators and project templates differ from each other. Package Accelerators are application-specific. Project templates enable users to save commonly used settings specific to an organization and apply them to multiple applications. You can also create project templates at the command prompt, while in contrast, you must use the App-V Sequencer console to create Package Accelerators. Additionally, creating a package by using a Package Accelerator and applying a project template is not supported. 
@@ -60,9 +60,9 @@ Always save App-V Package Accelerators and any associated installation media in [How to Apply a Package Accelerator to Create a Virtual Application Package (App-V 4.6 SP1)](how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md) -  + -  + diff --git a/mdop/appv-v4/about-application-virtualization-servers.md b/mdop/appv-v4/about-application-virtualization-servers.md index 3a2fd51e6e..241dbca298 100644 --- a/mdop/appv-v4/about-application-virtualization-servers.md +++ b/mdop/appv-v4/about-application-virtualization-servers.md @@ -24,7 +24,7 @@ You can also stream applications to clients from Application Virtualization Stre You can stream applications to the client directly from a file or disk. Some application virtualization deployment scenarios, which are characterized by low or unreliable connectivity or where bandwidth is limited, are ideally suited for streaming from file or disk. -  + One or more Application Virtualization Management Servers that share a single data store make up an *Application Virtualization system*. @@ -37,9 +37,9 @@ One or more Application Virtualization Management Servers that share a single da [How to Set Up Publishing Servers](how-to-set-up-publishing-servers.md) -  + -  + diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md index c1454fd3cc..d11db11a1f 100644 --- a/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md +++ b/mdop/appv-v4/about-microsoft-application-virtualization-46-sp2.md 
@@ -22,7 +22,7 @@ Microsoft Application Virtualization (App-V) 4.6 SP2 provides several enhanceme **Caution**   This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. -  + **Support for Windows 8 and Windows Server 2012** @@ -61,12 +61,12 @@ Before launching the App-V Sequencer, create the following registry value under -  + **Note**   On a computer running a 64-bit operating system, create the registry value under HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid\\4.5\\SystemGuard\\Overrides. -  + For each OSD-file in your Adobe Reader X package, add the following items under the <POLICIES> element: @@ -98,9 +98,9 @@ App-V 4.6 SP2 includes a rollup of fixes to address issues found since the App [App-V 4.6 SP2 Release Notes](https://go.microsoft.com/fwlink/?LinkId=267600) Provides the most up-to-date information about known issues with App-V 4.6 SP2. -  + -  + diff --git a/mdop/appv-v4/about-microsoft-application-virtualization-46.md b/mdop/appv-v4/about-microsoft-application-virtualization-46.md index c7c42a8ff0..394b921628 100644 --- a/mdop/appv-v4/about-microsoft-application-virtualization-46.md +++ b/mdop/appv-v4/about-microsoft-application-virtualization-46.md @@ -32,7 +32,7 @@ Microsoft Application Virtualization (App-V) 4.6 provides the following enhancem **Note**   The App-V Management Server and Streaming Server have not been updated to version 4.6. Until they are updated, use App-V Management Server and Streaming Server 4.5 with the most recent service pack. -  + ## In This Section 
@@ -40,9 +40,9 @@ The App-V Management Server and Streaming Server have not been updated to versio [App-V 4.6 Release Notes](app-v-46-release-notes.md) Provides the most up-to-date information about known issues with Microsoft Application Virtualization (App-V) 4.6. -  + -  + diff --git a/mdop/appv-v4/about-publishing.md b/mdop/appv-v4/about-publishing.md index bdf72b3860..54ba36cfd3 100644 --- a/mdop/appv-v4/about-publishing.md +++ b/mdop/appv-v4/about-publishing.md @@ -22,7 +22,7 @@ You can centrally manage publishing applications to the Application Virtualizati **Note**   Before the client can refresh the publishing information, the client must know about the Application Virtualization Management Server. You configure the client with the necessary information about the server when you install the client. -  + When a client contacts the server for application publishing information, the server provides the client with the list of applications that the user has permission to access and the location of the corresponding Open Software Descriptor (OSD) files. The server also provides the relevant information about icons, file type associations, and shortcuts. @@ -33,9 +33,9 @@ When a client contacts the server for application publishing information, the se [About Application Virtualization Applications](about-application-virtualization-applications.md) -  + -  + diff --git a/mdop/appv-v4/about-sequencing-phases.md b/mdop/appv-v4/about-sequencing-phases.md index 675b66bd7e..78f1f65733 100644 --- a/mdop/appv-v4/about-sequencing-phases.md +++ b/mdop/appv-v4/about-sequencing-phases.md 
@@ -26,7 +26,7 @@ The four phases to sequencing an application and creating a virtual application **Important**   To view the advanced options select **Show Advanced Monitoring Options** on the **Package Information** page. -   + 2. **Launch phase**—During the launch phase, you can specify any required file associations and security descriptors that should be configured with the package. You should open the application as many times as necessary to ensure application functionality and stability. @@ -39,9 +39,9 @@ The four phases to sequencing an application and creating a virtual application [Application Virtualization Sequencer](application-virtualization-sequencer.md) -  + -  + diff --git a/mdop/appv-v4/about-the-application-virtualization-sequencer.md b/mdop/appv-v4/about-the-application-virtualization-sequencer.md index 8a06d64d81..139afed1b7 100644 --- a/mdop/appv-v4/about-the-application-virtualization-sequencer.md +++ b/mdop/appv-v4/about-the-application-virtualization-sequencer.md @@ -22,7 +22,7 @@ The Microsoft Application Virtualization (App-V) Sequencer monitors and records **Important**   To run a virtual application package the target computer must be running the appropriate version of the App-V client. -  + Virtual application packages run on target computers without interacting with the underlying operating system on the target computer because each application runs in a virtual environment and is isolated from other applications that are installed or running on the target computer. This isolation can reduce application conflicts and can help decrease the required amount of application pre-deployment testing. @@ -83,16 +83,16 @@ The App-V Sequencer runs all services detected at sequencing time using the Loca **Important**   You should always save virtual application packages in a secure location. -  + ## Related topics [Application Virtualization Sequencer Overview](application-virtualization-sequencer-overview.md) -  + -  + 
diff --git a/mdop/appv-v4/about-the-deployment-tab.md b/mdop/appv-v4/about-the-deployment-tab.md index bb104b5b19..ecd0dce407 100644 --- a/mdop/appv-v4/about-the-deployment-tab.md +++ b/mdop/appv-v4/about-the-deployment-tab.md @@ -50,16 +50,15 @@ Use the **Server URL** controls to specify the virtual application server config

          Hostname

          Enables you to select the virtual application server or the load balancer in front of a group of virtual application servers that will stream the software package to an Application Virtualization Desktop Client. You must complete this item to create a sequenced application package, but you can change from the default %SFT_SOFTGRIDSERVER% environment variable to the actual hostname or IP address of a virtual application server.

          -Note   -

          If you choose not to specify a static hostname or IP address, on each Application Virtualization Desktop Client you must set up an environment variable called SFT_SOFTGRIDSERVER. Its value must be the hostname or IP address of the virtual application server or load balancer that is this client's source of applications. You should make this environment variable a system variable rather than a user variable. Any Application Virtualization Desktop Client session that is running on this computer during your assignment of this variable must be closed and then opened so that the resumed session will be aware of its new application source.

          +Note

          If you choose not to specify a static hostname or IP address, on each Application Virtualization Desktop Client you must set up an environment variable called SFT_SOFTGRIDSERVER. Its value must be the hostname or IP address of the virtual application server or load balancer that is this client's source of applications. You should make this environment variable a system variable rather than a user variable. Any Application Virtualization Desktop Client session that is running on this computer during your assignment of this variable must be closed and then opened so that the resumed session will be aware of its new application source.

          -  +

          Port

          -

          Enables you to specify the port on which the virtual application server or the load balancer will listen for an Application Virtualization Desktop Client's request for the package. This information is required to create a package, but you can change it. The default port is 554.

          +

          Enables you to specify the port on which the virtual application server or the load balancer will listen for an Application Virtualization Desktop Client's request for the package. This information is required to create a package, but you can change it. The default port is 554.

          Path

          @@ -68,7 +67,7 @@ Use the **Server URL** controls to specify the virtual application server config -  + ## Operating Systems @@ -98,7 +97,7 @@ Use the **Operating Systems** controls to specify the application's operating sy -  + ## Output Options @@ -121,7 +120,7 @@ Use the **Output Options** controls to specify the output options for the applic

          Compression Algorithm

          Use to select the method for compressing the SFT file for streaming across a network. Select one of the following compression methods:

            -
          • Compressed—Specifies that the SFT file be compressed in the [ZLIB](https://go.microsoft.com/fwlink/?LinkId=111475) format.

          • +
          • Compressed—Specifies that the SFT file be compressed in the ZLIB format.

          • Not Compressed—The default; specifies that the SFT file not be compressed.
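Review bot: the `+` bullet for Compressed drops the hyperlink on ZLIB: `[ZLIB](https://go.microsoft.com/fwlink/?LinkId=111475)` becomes plain `ZLIB`. That is a content change, not the trailing-whitespace cleanup the rest of this commit makes, so either restore the link or state in the commit message that the fwlink is being retired on purpose.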

          @@ -136,7 +135,7 @@ Use the **Output Options** controls to specify the output options for the applic -  + ## Related topics @@ -145,9 +144,9 @@ Use the **Output Options** controls to specify the output options for the applic [Sequencer Console](sequencer-console.md) -  - -  + + + diff --git a/mdop/appv-v4/about-the-properties-tab.md b/mdop/appv-v4/about-the-properties-tab.md index eaca0ea4c3..60f67d1be8 100644 --- a/mdop/appv-v4/about-the-properties-tab.md +++ b/mdop/appv-v4/about-the-properties-tab.md @@ -69,7 +69,7 @@ Specifies the size of the primary and secondary feature blocks into which the SF **Note**   After the initial package has been created, the block size value is not changeable. -  + ## Related topics @@ -78,9 +78,9 @@ After the initial package has been created, the block size value is not changeab [Sequencer Console](sequencer-console.md) -  + -  + diff --git a/mdop/appv-v4/about-the-virtual-registry-tab.md b/mdop/appv-v4/about-the-virtual-registry-tab.md index f896c8b733..71e0e3aa94 100644 --- a/mdop/appv-v4/about-the-virtual-registry-tab.md +++ b/mdop/appv-v4/about-the-virtual-registry-tab.md @@ -24,9 +24,9 @@ You can also choose to ignore the hosting system’s keys by selecting **Overrid The changes to the virtual registry **Settings** tab affect applications that are part of the specific sequenced application package, but they do not affect the operation of other applications that are streamed to or locally installed on the Application Virtualization Desktop Client. **Note**   -  Exercise caution when changing virtual registry keys and values. Changing these keys and values might render your sequenced application package inoperable. + Exercise caution when changing virtual registry keys and values. Changing these keys and values might render your sequenced application package inoperable. -  + The left pane of the **Virtual Registry** tab displays the full list of virtual registries created during the sequencing of an application. 
@@ -52,9 +52,9 @@ Displays the file attributes. [Sequencer Console](sequencer-console.md) -  + -  + diff --git a/mdop/appv-v4/about-using-the-sequencer-command-line.md b/mdop/appv-v4/about-using-the-sequencer-command-line.md index 87c841e9a1..844d28f414 100644 --- a/mdop/appv-v4/about-using-the-sequencer-command-line.md +++ b/mdop/appv-v4/about-using-the-sequencer-command-line.md @@ -26,7 +26,7 @@ You can use the command line to create sequenced application packages. Using the **Important**   Sequencing at the command prompt allows for default sequencing only. If you need to change default sequencing parameters, you must either manually modify a sequenced application package or re-sequence the application. -  + All subsequent modifications to existing sequenced application packages must be made using the sequencing wizard. @@ -48,9 +48,9 @@ To sequence an application by using the command prompt, the following conditions [How to Manage Virtual Applications Using the Command Line](how-to-manage-virtual-applications-using-the-command-line.md) -  + -  + diff --git a/mdop/appv-v4/add-app.md b/mdop/appv-v4/add-app.md index 8f842a5d13..56e1ff83ee 100644 --- a/mdop/appv-v4/add-app.md +++ b/mdop/appv-v4/add-app.md @@ -60,7 +60,7 @@ Adds an application record. -  + For version 4.6, the following option has been added. @@ -77,21 +77,21 @@ For version 4.6, the following option has been added. -  + **Note**   The resulting name of the application will be taken from the OSD file and not from the name provided in APP:<application>. -  + ## Related topics [SFTMIME Command Reference](sftmime--command-reference.md) -  + -  + diff --git a/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md b/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md index 2cd1f7d042..055f74d65d 100644 --- a/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md +++ b/mdop/appv-v4/antivirus-running-dialog-box--app-v-46-sp1-.md 
@@ -26,16 +26,16 @@ Use the following procedure to stop the antivirus software from running during s **Important**   Remember to restart the antivirus software when you have finished sequencing the application. -   + ## Related topics [Dialog Boxes (AppV 4.6 SP1)](dialog-boxes--appv-46-sp1-.md) -  + -  + diff --git a/mdop/appv-v4/app-v-45-sp2-release-notes.md b/mdop/appv-v4/app-v-45-sp2-release-notes.md index 7c07e37579..dc5d8fafe0 100644 --- a/mdop/appv-v4/app-v-45-sp2-release-notes.md +++ b/mdop/appv-v4/app-v-45-sp2-release-notes.md @@ -22,7 +22,7 @@ To search these Release Notes, press CTRL+F. **Important**   Read these Release Notes thoroughly before you install the Microsoft Application Virtualization Management System. These Release Notes contain information that you need to successfully install the Application Virtualization Management System. These Release Notes contain information that is not available in the product documentation. If there is a discrepancy between these Release Notes and other Application Virtualization Management System documentation, the latest change should be considered authoritative. -  + For updated information about known issues, please visit the Microsoft TechNet Library at [App-V 4.5 SP2 Release Notes](https://go.microsoft.com/fwlink/?LinkId=184640) (https://go.microsoft.com/fwlink/?LinkId=184640). @@ -84,7 +84,7 @@ Alternatively, if you are installing or upgrading to the App-V 4.5 SP2 Client fo - This step is not required if you are upgrading and have previously installed Dw20shared.msi. -  + ### Improving performance when sequencing the .NET Framework @@ -212,9 +212,9 @@ Microsoft, Active Directory, ActiveSync, MS-DOS, Windows, Windows Server, and W All other trademarks are property of their respective owners. -  + -  + diff --git a/mdop/appv-v4/app-v-46-release-notes.md b/mdop/appv-v4/app-v-46-release-notes.md index 6304282f67..efa16e1ff9 100644 --- a/mdop/appv-v4/app-v-46-release-notes.md 
+++ b/mdop/appv-v4/app-v-46-release-notes.md @@ -22,7 +22,7 @@ To search these Release Notes, press CTRL+F. **Important**   Read these Release Notes thoroughly before you install the Microsoft Application Virtualization (App-V) Management System. These Release Notes contain information that you need to successfully install Application Virtualization (App-V) 4.6. This document contains information that is not available in the product documentation. If there is a discrepancy between these Release Notes and other App-V documentation, the latest change should be considered authoritative. -  + ## Protect Against Security Vulnerabilities and Viruses @@ -43,7 +43,7 @@ WORKAROUND   Open the old package with either the App-V 4.5 SP1 Sequencer or **Note**   Alternatively, at the command prompt, the App-V Sequencer can generate the new .msi file by using the */OPEN* and */MSI* parameters, for example, `SFTSequencer /Open:”package.sprj” /MSI`. For more information, see [How to Upgrade a Virtual Application by Using the Command Line](how-to-upgrade-a-virtual-application-by-using-the-command-line.md). -  + ### Release Notes Copyright Information @@ -59,9 +59,9 @@ Microsoft, Active Directory, ActiveSync, ActiveX, Excel, SQL Server, Windows, Wi All other trademarks are property of their respective owners. -  + -  + diff --git a/mdop/appv-v4/app-v-46-sp1-release-notes.md b/mdop/appv-v4/app-v-46-sp1-release-notes.md index 375172fe50..09ea6abd40 100644 --- a/mdop/appv-v4/app-v-46-sp1-release-notes.md +++ b/mdop/appv-v4/app-v-46-sp1-release-notes.md 
@@ -22,7 +22,7 @@ To search these Release Notes, press CTRL+F. **Important**   Read these Release Notes thoroughly before you install the Microsoft Application Virtualization (App-V) Management System. These Release Notes contain information that helps you successfully install Application Virtualization (App-V) 4.6 SP1. This document contains information that is not available in the product documentation. If there is a difference between these Release Notes and other App-V documentation, the latest change should be considered authoritative. -  + ## Protect Against Security Vulnerabilities and Viruses @@ -98,9 +98,9 @@ Microsoft, Active Directory, ActiveSync, ActiveX, Excel, SQL Server, Windows, Wi All other trademarks are property of their respective owners. -  + -  + diff --git a/mdop/appv-v4/app-v-46-sp2-release-notes.md b/mdop/appv-v4/app-v-46-sp2-release-notes.md index f66b783829..9da44bdde6 100644 --- a/mdop/appv-v4/app-v-46-sp2-release-notes.md +++ b/mdop/appv-v4/app-v-46-sp2-release-notes.md @@ -36,7 +36,7 @@ We are interested in your feedback on App-V 4.6 SP2. You can send your feedbac **Note**   This email address is not a support channel, but your feedback will help us to plan future changes for our documentation and product releases. -  + For the latest information about MDOP and additional learning resources, see the [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) page. @@ -66,7 +66,7 @@ fsutil 8dot3name set Q: 0 **Note**   You do not need to change this setting on the App-V client because the App-V file system properly handles short paths on Windows 8 or Windows Server 2012. -  + ### App-V does not override the default handler for file type or protocol associations on Windows 8 @@ -104,9 +104,9 @@ Microsoft, Active Directory, ActiveX, Bing, Excel, Silverlight, SQL Server, Win [About Microsoft Application Virtualization 4.6 SP2](about-microsoft-application-virtualization-46-sp2.md) -  + -  + 
diff --git a/mdop/appv-v4/app-v-client-registry-values-sp1.md b/mdop/appv-v4/app-v-client-registry-values-sp1.md index 46d0383bf2..59e5ac9ae5 100644 --- a/mdop/appv-v4/app-v-client-registry-values-sp1.md +++ b/mdop/appv-v4/app-v-client-registry-values-sp1.md @@ -17,12 +17,12 @@ ms.date: 08/30/2016 # App-V Client Registry Values -The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. You can gather some useful information about the client if you understand the format of data in the registry. You can also configure many client actions by changing registry entries. This topic lists all the Application Virtualization (App-V) client registry keys and explains their uses. +The Microsoft Application Virtualization (App-V) client stores its configuration in the registry. You can gather some useful information about the client if you understand the format of data in the registry. You can also configure many client actions by changing registry entries. This topic lists all the Application Virtualization (App-V) client registry keys and explains their uses. -**Important**   +**Important** On a computer running a 64-bit operating system, the keys and values described in the following sections will be under HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid\\4.5\\Client. -  + ## Configuration Key @@ -52,45 +52,44 @@ The following table provides information about the registry values associated wi

          Do not modify.

          -

          Version 

          -

          String 

          -

          4.5.0.xxx 

          -

          Do not modify. 

          +

          Version

          +

          String

          +

          4.5.0.xxx

          +

          Do not modify.

          -

          Drivers 

          -

          String 

          -

          Sftfs.sys 

          +

          Drivers

          +

          String

          +

          Sftfs.sys

          If this key value is present, it contains the name of the driver that caused a stop error the last time the core was starting. After you have fixed the stop error, you must delete this key value so that sftlist can start.

          -

          InstallPath 

          -

          String 

          +

          InstallPath

          +

          String

          Default=C:\Program Files\Microsoft Application Virtualization Client

          -

          The location where the client is installed. Do not modify. 

          +

          The location where the client is installed. Do not modify.

          -

          LogFileName 

          -

          String 

          +

          LogFileName

          +

          String

          Default=CSIDL_COMMON_APPDATA\Microsoft\Application Virtualization Client\sftlog.txt

          The path and name for the client log file.

          -Note   -

          If you are running an earlier version than App-V 4.6, SP1 and you modify the log file name or location, you must restart the sftlist service for the change to take effect.

          +Note

          If you are running an earlier version than App-V 4.6, SP1 and you modify the log file name or location, you must restart the sftlist service for the change to take effect.

          -  +

          -

          LogMinSeverity 

          -

          DWORD 

          +

          LogMinSeverity

          +

          DWORD

          Default=4, Informational

          Controls which messages are written to the log. The value indicates a threshold of what is logged—everything less than or equal to that value is logged. For example, a value of 0x3 (Warning) indicates that Warnings (0x3), Errors (0x2), and Critical Errors (0x1) are logged.

          Value Range: 0x0 = None, 0x1 = Critical, 0x2 = Error, 0x3 = Warning, 0x4 = Information (Default), 0x5 = Verbose.

          The log level is configurable from the Application Virtualization (App-V) client console and from the command prompt. At a command prompt, the command sftlist.exe /verboselog will increase the log level to verbose. For more information on command-line details see

          -

          https://go.microsoft.com/fwlink/?LinkId=141467https://go.microsoft.com/fwlink/?LinkId=141467

          +

          https://go.microsoft.com/fwlink/?LinkId=141467https://go.microsoft.com/fwlink/?LinkId=141467

          .
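Review bot: the LogMinSeverity row on the `+` side still shows the fwlink URL twice back to back (`https://go.microsoft.com/fwlink/?LinkId=141467https://go.microsoft.com/fwlink/?LinkId=141467`) with the sentence's closing `.` stranded on a line of its own; since this row is already being touched, check the source and collapse it to a single link with the period attached to "For more information on command-line details see". In the @@ -17,12 hunk just above, `-**Important**   ` becomes `+**Important**`, which strips the trailing spaces that act as the Markdown hard line break before "On a computer running a 64-bit operating system"; unless a blank line separates them, the label and the sentence will now render as one paragraph, so keep two trailing spaces or insert a blank line there.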

          @@ -131,31 +130,31 @@ The following table provides information about the registry values associated wi

          ApplicationSourceRoot

          String

          rtsps://mainserver:322/prodapps

          -

          https://mainserver:443/prodapps

          -

          file://\\uncserver\share\prodapps

          -

          file://\\uncserver\share

          +

          https://mainserver:443/prodapps

          +

          file://\uncserver\share\prodapps

          +

          file://\uncserver\share

          Enables an administrator or electronic software distribution (ESD) system to ensure application loading is performed according to the topology management scheme. Use this key value to override the OSD CODEBASE for the HREF element (for example, the source location) for an application. Application Source Root supports URLs and Universal Naming Convention (UNC) path formats.

          -

          The correct format for the URL path is protocol://servername:[port][/path][/], where port and path are optional. If a port is not specified, the default port for the protocol is used. Only the protocol://server:port portion of the OSD URL is replaced. 

          -

          The correct format for the UNC path is \\computername\sharefolder\[folder][\], where folder is optional. The computer name can be a fully qualified domain name (FQDN) or an IP address, and sharefolder can be a drive letter. Only the \\computername\sharefolder or drive letter portion of the OSD path is replaced. 

          +

          The correct format for the URL path is protocol://servername:[port][/path][/], where port and path are optional. If a port is not specified, the default port for the protocol is used. Only the protocol://server:port portion of the OSD URL is replaced.

          +

          The correct format for the UNC path is \computername\sharefolder[folder][], where folder is optional. The computer name can be a fully qualified domain name (FQDN) or an IP address, and sharefolder can be a drive letter. Only the \computername\sharefolder or drive letter portion of the OSD path is replaced.

          OSDSourceRoot

          String

          -

          \\computername\sharefolder\resource

          -

          \\computername\content

          +

          \computername\sharefolder\resource

          +

          \computername\content

          C:\foldername

          -

          http://computername/productivity/

          -

          https://computername/productivity/

          +

          http://computername/productivity/

          +

          https://computername/productivity/

          Enables an administrator to specify a source location for OSD file retrieval for a sequenced application package during publication. Acceptable formats for the OSDSourceRoot include UNC paths and URLs (http or https).

          IconSourceRoot

          String

          -

          \\computername\sharefolder\resource

          -

          \\computername\content

          +

          \computername\sharefolder\resource

          +

          \computername\content

          C:\foldername

          -

          http://computername/productivity/

          -

          https://computername/productivity/

          +

          http://computername/productivity/

          +

          https://computername/productivity/

          Enables an administrator to specify a source location for icon file retrieval for a sequenced application package during publication. Acceptable formats for the IconSourceRoot include UNC paths and URLs (http or https).
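Review bot: the `+` lines in this hunk drop one of the two leading backslashes from every UNC example, which turns a whitespace cleanup into a content regression: `file://\\uncserver\share\prodapps` becomes `file://\uncserver\share\prodapps`, `file://\\uncserver\share` becomes `file://\uncserver\share`, and the OSDSourceRoot and IconSourceRoot rows go from `\\computername\sharefolder\resource` and `\\computername\content` to the single-backslash forms. The format sentence is hit hardest: `\\computername\sharefolder\[folder][\]` becomes `\computername\sharefolder[folder][]`, so both the leading `\\` that makes it a UNC path and the optional trailing `\` the sentence is describing are gone, while the unchanged description in the same row still says the value "supports URLs and Universal Naming Convention (UNC) path formats". A reader copying these examples into ApplicationSourceRoot or OSDSourceRoot would get a non-UNC string. Keep the `\\` forms on the `+` lines and restrict this hunk to the trailing-whitespace removal the rest of the patch performs.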

          @@ -189,89 +188,89 @@ The following table provides information about the registry values associated wi

          Restart the sftlist service for the change to take effect.

          -

          UserDataDirectory 

          -

          String 

          +

          UserDataDirectory

          +

          String

          %APPDATA%

          Location where the icon cache and user settings are stored.

          -

          GlobalDataDirectory 

          -

          String 

          -

          C:\Users\Public\Documents 

          +

          GlobalDataDirectory

          +

          String

          +

          C:\Users\Public\Documents

          Directory to use for global App-V data, including caches for OSD files, icon files, shortcut information, and SystemGuard resources such as .ini files.

          -

          AllowCrashes 

          -

          DWORD 

          -

          0 or 1 

          +

          AllowCrashes

          +

          DWORD

          +

          0 or 1

          Default=0: A value of 0 means that the client tries to catch internal program exceptions so that other user applications can recover and continue when a crash happens. A value of 1 means that the client allows the internal program exceptions to occur so that they can be captured in a debugger.

          -

          CoreInternalTimeout 

          -

          DWORD 

          +

          CoreInternalTimeout

          +

          DWORD

          60

          -

          Time-out in seconds for internal IPC requests between core and front-end. Do not modify. 

          +

          Time-out in seconds for internal IPC requests between core and front-end. Do not modify.

          -

          DefaultSuiteCombineTime 

          -

          DWORD 

          +

          DefaultSuiteCombineTime

          +

          DWORD

          10

          -

          This value is used to indicate how soon after being started that a program can shut down and not generate any error messages when another application in the same suite is running. 

          +

          This value is used to indicate how soon after being started that a program can shut down and not generate any error messages when another application in the same suite is running.

          -

          SerializedSuiteLaunchTimeout 

          -

          DWORD 

          +

          SerializedSuiteLaunchTimeout

          +

          DWORD

          Default=60000

          -

          Defines how long in milliseconds the client will wait as it tries to serialize program starts in the same suite. If the client times out, the program start will continue but it will not be serialized. 

          +

          Defines how long in milliseconds the client will wait as it tries to serialize program starts in the same suite. If the client times out, the program start will continue but it will not be serialized.

          -

          ScriptTimeout 

          -

          DWORD 

          +

          ScriptTimeout

          +

          DWORD

          300

          -

          Default time-out in seconds for scripts in OSD file if WAIT=TRUE. You can specify per-script time-outs with TIMEOUT instead of WAIT. A value of 0 means no wait, and 0xFFFFFFFF means wait forever. 

          +

          Default time-out in seconds for scripts in OSD file if WAIT=TRUE. You can specify per-script time-outs with TIMEOUT instead of WAIT. A value of 0 means no wait, and 0xFFFFFFFF means wait forever.

          -

          LaunchRecordLogPath 

          -

          String 

          +

          LaunchRecordLogPath

          +

          String

          If, under either HKLM or HKCU, this value contains a valid path to a log file, SFTTray will write to this log when programs start, shut down, fail to launch, and enter or exit disconnected mode.

          -

          LaunchRecordMask 

          -

          DWORD 

          +

          LaunchRecordMask

          +

          DWORD

          0x1A (26) log launch errors and disconnected mode entry and exit activity.

          0x1F (31) logs everything.

          -

          0x0 (0) logs nothing. 

          +

          0x0 (0) logs nothing.

          Specifies which of the five events are logged (bitmask values):

          1 for program starts

          2 for launch failure errors

          4 for shutdowns

          8 for entering disconnected mode

          16 for exiting disconnected mode to reconnect to a server

          -

          Add any combination of those numbers to turn on the respective messages. Defaults to 0x1F if not in registry. 

          +

          Add any combination of those numbers to turn on the respective messages. Defaults to 0x1F if not in registry.

          -

          LaunchRecordWriteTimeout 

          -

          DWORD 

          +

          LaunchRecordWriteTimeout

          +

          DWORD

          Default=3000

          Specifies in milliseconds how long the tray will wait when trying to write to the launch record log if another process is using it.

          -

          ImportSearchPath 

          -

          String 

          -

          d:\files\;C:\documents and settings\user1\SFTs 

          +

          ImportSearchPath

          +

          String

          +

          d:\files;C:\documents and settings\user1\SFTs

          A semicolon delimited list of up to five directories to search for portable SFT files before prompting the user to select a directory. Trailing backslash in paths is optional. This value is not present by default and must be set manually.

          UserImportPath

          -

          String 

          -

          D:\SFTs\ 

          +

          String

          +

          D:\SFTs\

          Valid only under HKCU. The last location the user browsed to while finding a SFT file for package import. Set automatically if the SFT is found successfully. This is used on successive imports when trying to automatically locate SFT files.
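Review bot: in the ImportSearchPath row the example changes from `d:\files\;C:\documents and settings\user1\SFTs` to `d:\files;C:\documents and settings\user1\SFTs`, but the description on the following context line says "Trailing backslash in paths is optional", and the first entry of the example was the illustration of that sentence; keep the original example so the value and the prose still agree. The other `-`/`+` pairs in this hunk (UserDataDirectory through UserImportPath) differ only in trailing whitespace and look fine.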

          -  + ## Shared Key @@ -287,29 +286,29 @@ The HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Shared key control -Name  -Type  -Data (Examples)  -Description  +Name +Type +Data (Examples) +Description -

          DumpPath 

          -

          String 

          -

          Default=C:\ 

          -

          Default path to create dump files when generating a minidump on an exception. This defaults to C:\ if not specified. The Client installer sets this key to the <App Virtualization global data directory>\Dumps. The Sequencer installer sets this key to the installation directory. 

          +

          DumpPath

          +

          String

          +

          Default=C:\

          +

          Default path to create dump files when generating a minidump on an exception. This defaults to C:\ if not specified. The Client installer sets this key to the <App Virtualization global data directory>\Dumps. The Sequencer installer sets this key to the installation directory.

          -

          DumpPathSizeLimit 

          -

          DWORD 

          +

          DumpPathSizeLimit

          +

          DWORD

          1000

          Specifies the maximum total amount of disk space in megabytes that can be used to store minidumps. Default = 1000 MB.

          -  + ## Network Key @@ -325,10 +324,10 @@ The HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Network ke -Name  -Type  -Data (Examples)  -Description  +Name +Type +Data (Examples) +Description @@ -339,8 +338,8 @@ The HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Network ke

          Enables or disables offline mode. If set to 0, the client will not communicate with App-V Management Servers or publishing servers. In disconnected operations, the client can start a loaded application even when it is not connected to an App-V Management Server. In offline mode, the client does not attempt to connect to an App-V Management Server or publishing server. You must allow disconnected operations to be able to work offline. Default value is 1 enabled (online), and 0 is disabled (offline).

          -

          AllowDisconnectedOperation 

          -

          DWORD 

          +

          AllowDisconnectedOperation

          +

          DWORD

          Default=1

          Enables or disables disconnected operation. Default value is 1 enabled, and 0 is disabled. When disconnected operations are enabled, the App-V client can start a loaded application even when it is not connected to an App-V Management Server.

          @@ -348,12 +347,12 @@ The HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Network ke

          FastConnectTimeout

          DWORD

          Default=1000

          -

          This value specifies the TCP connect time-out in milliseconds to determine when to go into disconnected operations mode. This value can be used to override the default ConnectTimeout of 20 seconds (App-V connect time-out for network transactions) or the system’s TCP time-out of approximately 25 seconds. This brings the client into disconnected operations mode quickly. Applied on the next connect.

          +

          This value specifies the TCP connect time-out in milliseconds to determine when to go into disconnected operations mode. This value can be used to override the default ConnectTimeout of 20 seconds (App-V connect time-out for network transactions) or the system’s TCP time-out of approximately 25 seconds. This brings the client into disconnected operations mode quickly. Applied on the next connect.

          LimitDisconnectedOperation

          DWORD

          -

          Default=1 

          +

          Default=1

          Applicable only if AllowDisconnectedOperation is 1, enabled. This value determines whether there will be a time limit for how long the client will be allowed to operate in disconnected operations. 1=limited. 0=unlimited.

          @@ -407,7 +406,7 @@ The HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Network ke -  + ## Http Key @@ -423,10 +422,10 @@ The HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Network\\H -Name  -Type  -Data (Examples)  -Description  +Name +Type +Data (Examples) +Description @@ -445,7 +444,7 @@ The HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Network\\H -  + ## File System Key @@ -461,53 +460,53 @@ The values that are contained under the HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsof -Name  -Type  -Data (Examples)  -Description  +Name +Type +Data (Examples) +Description -

          FileSize 

          -

          DWORD 

          +

          FileSize

          +

          DWORD

          4096

          -

          Maximum size in megabytes of file system cache file. If you change this value in the registry, you must set State to 0 and reboot. 

          +

          Maximum size in megabytes of file system cache file. If you change this value in the registry, you must set State to 0 and reboot.

          -

          FileName 

          -

          String 

          -

          C:\Users\Public\Documents\SoftGrid Client\sftfs.fsd 

          -

          Location of file system cache file. If you change this value in the registry, you must either leave FileSize the same and reboot or set State to 0 and reboot. 

          +

          FileName

          +

          String

          +

          C:\Users\Public\Documents\SoftGrid Client\sftfs.fsd

          +

          Location of file system cache file. If you change this value in the registry, you must either leave FileSize the same and reboot or set State to 0 and reboot.

          -

          DriveLetter 

          -

          String 

          -

          Q: 

          -

          Drive where App-V file system will be mounted, if it is available. This value is set either by the listener or the installer, and it is read by the file system. 

          +

          DriveLetter

          +

          String

          +

          Q:

          +

          Drive where App-V file system will be mounted, if it is available. This value is set either by the listener or the installer, and it is read by the file system.

          -

          State 

          -

          DWORD 

          -

          0x100 

          -

          State of file system. Set to 0 and reboot to completely clear the file system cache. 

          +

          State

          +

          DWORD

          +

          0x100

          +

          State of file system. Set to 0 and reboot to completely clear the file system cache.

          -

          FileSystemStorage 

          -

          String 

          -

          C:\Profiles\Joe\SG 

          -

          Path for symlinks, set under HKCU. Do not modify (use data directory under Configuration to change). 

          +

          FileSystemStorage

          +

          String

          +

          C:\Profiles\Joe\SG

          +

          Path for symlinks, set under HKCU. Do not modify (use data directory under Configuration to change).

          -

          GlobalFileSystemStorage 

          -

          String 

          -

          C:\Users\Public\Documents\SoftGrid Client\AppFS Storage 

          -

          Path for global file system data. Do not modify. 

          +

          GlobalFileSystemStorage

          +

          String

          +

          C:\Users\Public\Documents\SoftGrid Client\AppFS Storage

          +

          Path for global file system data. Do not modify.

          -

          MaxPercentToLockInCache 

          -

          DWORD 

          -

          Default=90 

          +

          MaxPercentToLockInCache

          +

          DWORD

          +

          Default=90

          Specifies the maximum percentage of the file system cache file that can be locked. Do not modify.

          @@ -525,19 +524,19 @@ The values that are contained under the HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsof -  + ## Permissions Key -To help to prevent users from making mistakes, administrators can use the HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Permissions key to control access to some actions for non-administrative users—for example, to prevent users from accidentally unloading programs. Users with administrative rights can give themselves any of these permissions. On shared systems, such as a Remote Desktop Session Host (RD Session Host) server (formerly Terminal Server) system, be careful when granting additional permissions to users because some of these permissions would enable users to control the applications used by all users on the system. Possible values for these settings are 1 (allow) and 0 (disallow). +To help to prevent users from making mistakes, administrators can use the HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Permissions key to control access to some actions for non-administrative users—for example, to prevent users from accidentally unloading programs. Users with administrative rights can give themselves any of these permissions. On shared systems, such as a Remote Desktop Session Host (RD Session Host) server (formerly Terminal Server) system, be careful when granting additional permissions to users because some of these permissions would enable users to control the applications used by all users on the system. Possible values for these settings are 1 (allow) and 0 (disallow). The Permissions key settings control all interfaces that enable the named actions. This includes the Options Dialog, SFTTray, and SFTMime. These settings do not affect administrators. The following table provides information about the registry values associated with the Permissions key. -Name  -Type  -Data (Examples)  -Description  +Name +Type +Data (Examples) +Description ChangeFSDrive DWORD 
@@ -570,21 +569,21 @@ Default=0 A value of 1 allows users to add applications explicitly. This does not affect applications that are added through publishing refresh nor does it prevent users from starting (and thereby implicitly adding) applications that have not already been added. Values are 0 or 1. -LoadApp  +LoadApp -DWORD  +DWORD 0 -Does not allow a user to load an application. This is the default for RD Session Hosts. If you are a mobile user, you might want to fully load your applications in the cache to use them during disconnected operation or offline mode. To stream applications from the App-V Management Server or the App-V Streaming Server, you must be connected to a server to load applications. +Does not allow a user to load an application. This is the default for RD Session Hosts. If you are a mobile user, you might want to fully load your applications in the cache to use them during disconnected operation or offline mode. To stream applications from the App-V Management Server or the App-V Streaming Server, you must be connected to a server to load applications. 1 -Allows a user to load an application. This is the default for Windows desktops.  +Allows a user to load an application. This is the default for Windows desktops. -UnloadApp  +UnloadApp -DWORD  +DWORD 0 
@@ -592,43 +591,43 @@ Does not allow a user to unload an application. When you load or unload a packag 1 -Allows a user to unload an application.  +Allows a user to unload an application. -LockApp  +LockApp -DWORD  +DWORD 0 -Does not allow a user to lock and unlock an application. This is the default for RD Session Hosts. A locked application cannot be removed from the cache to make room for new applications. To remove a locked application from the App-V Desktop or Client for Remote Desktop Services (formerly Terminal Services) cache, you must unlock it. +Does not allow a user to lock and unlock an application. This is the default for RD Session Hosts. A locked application cannot be removed from the cache to make room for new applications. To remove a locked application from the App-V Desktop or Client for Remote Desktop Services (formerly Terminal Services) cache, you must unlock it. 1 -Allows a user to lock and unlock an application. This is the default for Windows Desktops.  +Allows a user to lock and unlock an application. This is the default for Windows Desktops. -ManageTypes  +ManageTypes -DWORD  +DWORD 0 -Does not allow a user to add, edit, or remove file type associations for that User alone. This is the default for RD Session Hosts.  +Does not allow a user to add, edit, or remove file type associations for that User alone. This is the default for RD Session Hosts. 1 -Allows a user to add, edit, and remove file type associations for that user only and not globally. This is the default for Windows Desktops.  +Allows a user to add, edit, and remove file type associations for that user only and not globally. This is the default for Windows Desktops. -RefreshServer  +RefreshServer -DWORD  +DWORD 0 -Does not allow a user to trigger a refresh of MIME settings. This is the default for RD Session Hosts.  +Does not allow a user to trigger a refresh of MIME settings. This is the default for RD Session Hosts. 1 -Enables a user to trigger a refresh of MIME settings. 
This is the default for Windows Desktops.  +Enables a user to trigger a refresh of MIME settings. This is the default for Windows Desktops. UpdateOSDFile @@ -638,17 +637,17 @@ Default= 0 A value of 1 enables a user to use a modified OSD file. -ImportApp  +ImportApp -DWORD  +DWORD 0 -Does not allow a user to import applications into cache. The difference between Load and Import is that when a Load is triggered, the client gets the package from the currently configured location contained in the OSD, ASR, or Override URL. When using Import, a location to get the package from must be specified.  +Does not allow a user to import applications into cache. The difference between Load and Import is that when a Load is triggered, the client gets the package from the currently configured location contained in the OSD, ASR, or Override URL. When using Import, a location to get the package from must be specified. 1 -Allows a user to import applications into cache.  +Allows a user to import applications into cache. ChangeRefreshSettings @@ -714,7 +713,7 @@ DWORD A value of 1 allows the users to select to run the client in Offline Mode. In Offline Mode, the Application Virtualization client can start a loaded application even when it is not connected to an Application Virtualization Server. -  + ## Custom Settings @@ -730,24 +729,24 @@ The HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\CustomSett -Name  -Type  -Data (Examples)  -Description  +Name +Type +Data (Examples) +Description -

          TrayErrorDelay 

          -

          DWORD 

          -

          Default=30 

          -

          Time in seconds that the Application Virtualization notification area will display error messages like "Launch failed". Minimum value of 1. 

          +

          TrayErrorDelay

          +

          DWORD

          +

          Default=30

          +

          Time in seconds that the Application Virtualization notification area will display error messages like "Launch failed". Minimum value of 1.

          -

          TraySuccessDelay 

          -

          DWORD 

          -

          Default=10 

          -

          Time in seconds that the appvmed notification area will display success messages like "Word launched" or "Excel shut down". If 0, those messages will be suppressed. 

          +

          TraySuccessDelay

          +

          DWORD

          +

          Default=10

          +

          Time in seconds that the appvmed notification area will display success messages like "Word launched" or "Excel shut down". If 0, those messages will be suppressed.

          TrayVisibility

          @@ -772,7 +771,7 @@ The HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\CustomSett -  + ## Reporting Settings @@ -788,10 +787,10 @@ The HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Reporting -Name  -Type  -Data (Examples)  -Description  +Name +Type +Data (Examples) +Description @@ -810,16 +809,16 @@ The HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Reporting -  + ## Related topics [Application Virtualization Client Reference](application-virtualization-client-reference.md) -  - -  + + + diff --git a/mdop/appv-v4/app-v-desktop-client-security.md b/mdop/appv-v4/app-v-desktop-client-security.md index 4ad4b67eef..8b1261715e 100644 --- a/mdop/appv-v4/app-v-desktop-client-security.md +++ b/mdop/appv-v4/app-v-desktop-client-security.md @@ -22,7 +22,7 @@ The App-V Desktop Client provides many security enhancements that were not avail **Note**   When you install the App-V Desktop Client on a computer, the software defaults to the most secure settings. However, when upgrading, the previous settings of the client persist. -  + By default, the App-V Desktop Client is configured only with the permissions required to allow a non-administrative user to perform a publishing refresh and stream applications. Additional security enhancements provided in the App-V Desktop Client include the following: @@ -44,12 +44,12 @@ After you install the Desktop Client, you can configure other security settings **Important**   Carefully consider the consequences of changing access rights, especially on systems that are shared by multiple users, such as Terminal Servers. -  + **Note**   If users in the environment have local administrator privileges for their computers, the permissions are ignored. -  + ### ADM Template 
@@ -58,7 +58,7 @@ Microsoft Application Virtualization (App-V) introduces an ADM Template that you **Important**   When using the ADM Template, remember that the settings are Group Policy preference settings and not fully managed Group Policies. -  + For a full description of the ADM Template, the specific settings, and guidance to successfully deploy clients in your environment, see the App-V ADM Template white paper at [https://go.microsoft.com/fwlink/LinkId=122063](https://go.microsoft.com/fwlink/?LinkId=122063). @@ -67,9 +67,9 @@ For a full description of the ADM Template, the specific settings, and guidance If your organization does not require users to open applications directly from an OSD file, you can enhance security by removing the file type associations on the client. Remove the `HKEY_CURRENT_USERS` keys for OSD and `Softgird.osd.file` by using the registry editor. You can put this process into a logon script or into a post-installation script to automate these changes. -  + -  + diff --git a/mdop/appv-v4/app-v-installation-checklist.md b/mdop/appv-v4/app-v-installation-checklist.md index fc6726368b..4b2e5c573d 100644 --- a/mdop/appv-v4/app-v-installation-checklist.md +++ b/mdop/appv-v4/app-v-installation-checklist.md @@ -33,43 +33,43 @@ The following checklist is intended to provide a high-level list of items to con
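Review bot: the context lines of the `@@ -67,9 +67,9 @@` hunk in app-v-desktop-client-security.md carry two typos that a pass touching this paragraph should fix at the same time: `HKEY_CURRENT_USERS` (the hive is `HKEY_CURRENT_USER`, which the client reference earlier in this patch abbreviates as HKCU) and `Softgird.osd.file`, which does not match the SoftGrid spelling used in the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5` paths in the same patch and presumably should read `Softgrid.osd.file`. In the `@@ -58,7 +58,7 @@` hunk the link text `https://go.microsoft.com/fwlink/LinkId=122063` is missing the `?` that the link target `https://go.microsoft.com/fwlink/?LinkId=122063` carries, so the URL a reader sees is not the one that works.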

          Install the App-V Management Server. If you are installing the Management Web Service, Management Console, or the Data Store on different servers, you can use the custom installation option.

          -

          [How to Install Application Virtualization Management Server](how-to-install-application-virtualization-management-server.md)

          +

          How to Install Application Virtualization Management Server

          Install the App-V Management Web Service. (Optional ¹)

          -

          [How to Install the Management Web Service](how-to-install-the-management-web-service.md)

          +

          How to Install the Management Web Service

          Install the App-V Management Console. (Optional ¹)

          -

          [How to Install the Management Console](how-to-install-the-management-console.md)

          +

          How to Install the Management Console

          Install the App-V Data Store. (Optional ¹)

          -

          [How to Install a Database](how-to-install-a-database.md)

          +

          How to Install a Database

          Install the App-V client.

          -

          [How to Manually Install the Application Virtualization Client](how-to-manually-install-the-application-virtualization-client.md)

          +

          How to Manually Install the Application Virtualization Client

          Install the App-V Sequencer.

          -

          [How to Install the Application Virtualization Sequencer](how-to-install-the-application-virtualization-sequencer.md)

          +

          How to Install the Application Virtualization Sequencer

          Install the App-V Streaming Server. (This is optional and required only if you are installing the Streaming Server).

          -

          [How to Install the Application Virtualization Streaming Server](how-to-install-the-application-virtualization-streaming-server.md)

          +

          How to Install the Application Virtualization Streaming Server

          Create Content directories on the servers that will be used for streaming applications to users’ computers.

          -

          [How to Configure the Application Virtualization Management Servers](how-to-configure-the-application-virtualization-management-servers.md)

          -

          [How to Configure the Application Virtualization Streaming Servers](how-to-configure-the-application-virtualization-streaming-servers.md)

          -

          [How to Configure the Server for IIS](how-to-configure-the-server-for-iis.md)

          -

          [How to Configure the File Server](how-to-configure-the-file-server.md)

          +

          How to Configure the Application Virtualization Management Servers

          +

          How to Configure the Application Virtualization Streaming Servers

          +

          How to Configure the Server for IIS

          +

          How to Configure the File Server
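Review bot: every `+` line in this hunk replaces a Markdown link with its bare title, for example `[How to Install Application Virtualization Management Server](how-to-install-application-virtualization-management-server.md)` becomes `How to Install Application Virtualization Management Server`, so the seven "How to Install ..." references and the four "How to Configure ..." references in the last row all lose their targets and the checklist no longer leads anywhere. If the commit is meant to be whitespace-only, keep the `[title](file.md)` form on each `+` line; if the links were dropped deliberately, the commit needs to say why.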

          -  + ¹ This is required only if you are installing the App-V Management Web Service, Management Console, or the Data Store on a different computer. @@ -80,9 +80,9 @@ The following checklist is intended to provide a high-level list of items to con [App-V Postinstallation Checklist](app-v-postinstallation-checklist.md) -  + -  + diff --git a/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md b/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md index a2bb838966..be861b5d2c 100644 --- a/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md +++ b/mdop/appv-v4/app-v-interoperability-with-windows-applocker.md @@ -22,7 +22,7 @@ Version 4.5 SP1 of the Microsoft Application Virtualization (App-V) client suppo **Note**   Windows AppLocker must first be enabled before configuring Windows AppLocker rules for virtual applications. For more information about enabling Windows AppLocker, [Windows AppLocker](https://go.microsoft.com/fwlink/?LinkId=156732) (https://go.microsoft.com/fwlink/?LinkId=156732). -  + ## Configuring Windows AppLocker Rules for Virtual Applications @@ -31,9 +31,9 @@ Local administrators can create Windows AppLocker rules that restrict the runnin When you browse to find a directory path or specific file for which you want to create a rule, you can access the App-V drive by using the path to the hidden share. For example, you can browse to \\\\localhost\\Q$, where the App-V drive is drive Q. However, to create the rule, you must edit the path to remove the reference to \\\\localhost\\Q$ and use Q:\\ instead. You must start each application on the reference computer to access the application’s files, and administrative rights are required to browse to \\\\localhost\\Q$. -  + -  + diff --git a/mdop/appv-v4/app-v-postinstallation-checklist.md b/mdop/appv-v4/app-v-postinstallation-checklist.md index b3bac26db3..87b30551fd 100644 --- a/mdop/appv-v4/app-v-postinstallation-checklist.md 
+++ b/mdop/appv-v4/app-v-postinstallation-checklist.md @@ -33,37 +33,37 @@ The following checklist provides a high-level list of items to consider and outl

          Create firewall exceptions for the App-V Management Server or Streaming Server services.

          -

          [Configuring the Firewall for the App-V Servers](configuring-the-firewall-for-the-app-v-servers.md)

          +

          Configuring the Firewall for the App-V Servers

          Verify that the App-V system is functioning correctly by publishing, streaming, and testing the default application.

          -

          [How to Install and Configure the Default Application](how-to-install-and-configure-the-default-application.md)

          +

          How to Install and Configure the Default Application

          Configure the App-V Client to use the App-V Streaming Server or other server for streaming by means of the ApplicationSourceRoot, IconSourceRoot, and OSDSourceRoot settings.

          -

          [How to Configure the Client for Application Package Retrieval](how-to-configure-the-client-for-application-package-retrieval.md)

          +

          How to Configure the Client for Application Package Retrieval

          Understand how to use the .msi file version of sequenced application packages for offline deployment.

          -

          [How to Publish a Virtual Application on the Client](how-to-publish-a-virtual-application-on-the-client.md)

          +

          How to Publish a Virtual Application on the Client

          (Optional) Configure SQL Server database mirroring for the App-V database.

          -

          [How to Configure Microsoft SQL Server Mirroring Support for App-V](how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md)

          +

          How to Configure Microsoft SQL Server Mirroring Support for App-V

          -  + ## Related topics [Application Virtualization Deployment and Upgrade Checklists](application-virtualization-deployment-and-upgrade-checklists.md) -  + -  + diff --git a/mdop/appv-v4/app-v-pre-installation-checklist.md b/mdop/appv-v4/app-v-pre-installation-checklist.md index f1ebaf80dc..c426c83566 100644 --- a/mdop/appv-v4/app-v-pre-installation-checklist.md +++ b/mdop/appv-v4/app-v-pre-installation-checklist.md @@ -33,35 +33,34 @@ The following checklist is intended to provide a high-level list of items to con
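Review bot: the five replacement rows in this hunk drop their link targets: `[Configuring the Firewall for the App-V Servers](configuring-the-firewall-for-the-app-v-servers.md)` becomes the bare text `Configuring the Firewall for the App-V Servers`, and the default-application, package-retrieval, client-publishing and SQL-mirroring rows lose their targets the same way. A post-installation checklist whose reference column no longer navigates anywhere is far less useful, and the firewall row is exactly where an administrator would expect to reach the topic on which server ports to open. If the intent of the change was only to strip `&nbsp;` and trailing whitespace, the links should be restored in the `+` lines.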

          Ensure your computing environment meets the supported configurations required for App-V.

          -

          [Application Virtualization Deployment Requirements](application-virtualization-deployment-requirements.md)

          +

          Application Virtualization Deployment Requirements

          Configure the necessary Active Directory groups and accounts.

          -

          [Configuring Prerequisite Groups in Active Directory for App-V](configuring-prerequisite-groups-in-active-directory-for-app-v.md)

          +

          Configuring Prerequisite Groups in Active Directory for App-V

          Configure the Internet Information Services (IIS) settings on the server that is running IIS.

          -

          [How to Configure Windows Server 2008 for App-V Management Servers](how-to-configure-windows-server-2008-for-app-v-management-servers.md)

          +

          How to Configure Windows Server 2008 for App-V Management Servers

          Configure the server that is running IIS to be trusted for delegation.

          -Note   -

          This is required only if you are installing the App-V Management Server by using a distributed system architecture, that is, if you install the App-V Management Console, the Management Web Service, and the database on different computers.

          +Note

          This is required only if you are installing the App-V Management Server by using a distributed system architecture, that is, if you install the App-V Management Console, the Management Web Service, and the database on different computers.

          -  +
          -

          [How to Configure the Server to be Trusted for Delegation](how-to-configure-the-server-to-be-trusted-for-delegation.md)

          +

          How to Configure the Server to be Trusted for Delegation

          Install Microsoft SQL Server 2008.

          -

          [Install SQL Server 2008](https://go.microsoft.com/fwlink/?LinkId=181924) (https://go.microsoft.com/fwlink/?LinkId=181924).

          +

          Install SQL Server 2008 (https://go.microsoft.com/fwlink/?LinkId=181924).

          -  + ## Related topics @@ -70,9 +69,9 @@ The following checklist is intended to provide a high-level list of items to con [App-V Installation Checklist](app-v-installation-checklist.md) -  - -  + + + diff --git a/mdop/appv-v4/app-v-upgrade-checklist.md b/mdop/appv-v4/app-v-upgrade-checklist.md index 57b5302ede..fcabc76d01 100644 --- a/mdop/appv-v4/app-v-upgrade-checklist.md +++ b/mdop/appv-v4/app-v-upgrade-checklist.md @@ -17,7 +17,7 @@ ms.date: 08/30/2016 # App-V Upgrade Checklist -Before trying to upgrade to Microsoft Application Virtualization (App-V) 4.5 or later versions, any version earlier than App-V 4.1 must be upgraded to App-V 4.1. You should plan to upgrade clients first, and then upgrade the server components. App-V clients that have been upgraded to App-V 4.5 continue to work with App-V servers that have not yet been upgraded. Earlier versions of the client are not supported on servers that have been upgraded to App-V 4.5. +Before trying to upgrade to Microsoft Application Virtualization (App-V) 4.5 or later versions, any version earlier than App-V 4.1 must be upgraded to App-V 4.1. You should plan to upgrade clients first, and then upgrade the server components. App-V clients that have been upgraded to App-V 4.5 continue to work with App-V servers that have not yet been upgraded. Earlier versions of the client are not supported on servers that have been upgraded to App-V 4.5. @@ -33,64 +33,63 @@ Before trying to upgrade to Microsoft Application Virtualization (App-V) 4.5 or - + - + - + - + - +
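Review bot: same regression as in the post-installation checklist: `[How to Configure the Server to be Trusted for Delegation](how-to-configure-the-server-to-be-trusted-for-delegation.md)` and the other reference rows become plain text in the `+` lines. The delegation row is the checklist's only pointer to the procedure for trusting the IIS server for delegation, so it needs to stay a working link. Note that `[Install SQL Server 2008](https://go.microsoft.com/fwlink/?LinkId=181924) (https://go.microsoft.com/fwlink/?LinkId=181924)` still works after the change only because the URL was also spelled out in parentheses; the internal topic rows have no such fallback.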

          Upgrade the App-V clients.

          [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md)

          How to Upgrade the Application Virtualization Client

          Upgrade the App-V servers and database.

          -Important   -

          If you have more than one server sharing access to the App-V database, all those servers must be taken offline while the database is being upgraded. You should follow your regular business practices for the database upgrade, but we recommend that you test the database upgrade by using a backup copy of the database first on a test server. Then, you should select one of the servers for the first upgrade, which will upgrade the database schema. After the production database has been successfully upgraded, you can upgrade the App-V software on the other servers.

          +Important

          If you have more than one server sharing access to the App-V database, all those servers must be taken offline while the database is being upgraded. You should follow your regular business practices for the database upgrade, but we recommend that you test the database upgrade by using a backup copy of the database first on a test server. Then, you should select one of the servers for the first upgrade, which will upgrade the database schema. After the production database has been successfully upgraded, you can upgrade the App-V software on the other servers.

          -  +

          [How to Upgrade the Servers and System Components](how-to-upgrade-the-servers-and-system-components.md)

          How to Upgrade the Servers and System Components

          Upgrade the App-V Management Web Service.

          This step applies only if the Management Web Service is on a separate server, which would require that you run the server installer program on that separate server to upgrade the Management Web service. Otherwise, the previous server upgrade step will automatically upgrade the Management Web Service.

          [How to Upgrade the Servers and System Components](how-to-upgrade-the-servers-and-system-components.md)

          How to Upgrade the Servers and System Components

          Upgrade the App-V Management Console.

          This step applies only if the Management Console is on a separate computer, which would require that you run the server installer program on that separate computer to upgrade the console. Otherwise, the previous server upgrade step will upgrade the Management Console.

          [How to Upgrade the Servers and System Components](how-to-upgrade-the-servers-and-system-components.md)

          How to Upgrade the Servers and System Components

          Upgrade the App-V Sequencer.

          [How to Upgrade the Application Virtualization Sequencer](how-to-upgrade-the-application-virtualization-sequencer.md)

          How to Upgrade the Application Virtualization Sequencer

          -  + ## Additional Upgrade Considerations -- Any virtual application packages sequenced in version 4.2 will not have to be sequenced again for use with version 4.5. However, you should consider upgrading the virtual packages to the Microsoft Application Virtualization 4.5 format if you want to apply default access control lists (ACLs) or generate a Windows Installer file. This is a simple process and requires only that the existing virtual application package be opened and saved with the App-V 4.5 Sequencer. This can be automated by using the App-VSequencer command-line interface. For more information, see [How to Create or Upgrade Virtual Applications Using the App-V Sequencer](how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md) +- Any virtual application packages sequenced in version 4.2 will not have to be sequenced again for use with version 4.5. However, you should consider upgrading the virtual packages to the Microsoft Application Virtualization 4.5 format if you want to apply default access control lists (ACLs) or generate a Windows Installer file. This is a simple process and requires only that the existing virtual application package be opened and saved with the App-V 4.5 Sequencer. This can be automated by using the App-VSequencer command-line interface. For more information, see [How to Create or Upgrade Virtual Applications Using the App-V Sequencer](how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md) -- One of the features of the 4.5 Sequencer is the ability to create Windows Installer (.msi) files as control points for virtual application package interoperability with electronic software distribution (ESD) systems, such as Microsoft System Center Configuration Manager 2007. 
Previous Windows Installer files created with the MSI tool for Application Virtualization that were installed on a App-V 4.1 or 4.2 client that is subsequently upgraded to App-V 4.5 will continue to work, although they cannot be installed on the App-V 4.5 client. However, they cannot be removed or upgraded unless they are upgraded in the App-V 4.5 Sequencer. The original App-V package earlier than 4.5 has to be opened in the App-V 4.5 Sequencer and then saved as a Windows Installer File. +- One of the features of the 4.5 Sequencer is the ability to create Windows Installer (.msi) files as control points for virtual application package interoperability with electronic software distribution (ESD) systems, such as Microsoft System Center Configuration Manager 2007. Previous Windows Installer files created with the MSI tool for Application Virtualization that were installed on a App-V 4.1 or 4.2 client that is subsequently upgraded to App-V 4.5 will continue to work, although they cannot be installed on the App-V 4.5 client. However, they cannot be removed or upgraded unless they are upgraded in the App-V 4.5 Sequencer. The original App-V package earlier than 4.5 has to be opened in the App-V 4.5 Sequencer and then saved as a Windows Installer File. - **Note**   - If the App-V 4.2 Client has already been upgraded to App-V 4.5, it is possible to script a workaround to preserve the version 4.2 packages on version 4.5 clients and allow them to be managed. This script must copy two files, msvcp71.dll and msvcr71.dll, to the App-V installation folder and set the following registry key values under the registry key:\[HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Configuration\]: + **Note** + If the App-V 4.2 Client has already been upgraded to App-V 4.5, it is possible to script a workaround to preserve the version 4.2 packages on version 4.5 clients and allow them to be managed. 
This script must copy two files, msvcp71.dll and msvcr71.dll, to the App-V installation folder and set the following registry key values under the registry key:\[HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\Client\\Configuration\]: "ClientVersion"="4.2.1.20" "GlobalDataDirectory"="C:\\\\Documents and Settings\\\\All Users\\\\Documents\\\\" (a globally writeable location) -   + - Windows Installer files generated by the App-V 4.5 Sequencer display the error message "This package requires Microsoft Application Virtualization Client 4.5 or later" when trying to run them on an App-V 4.6 Client. Open the old package with either the App-V 4.5 SP1 Sequencer or the App-V 4.6 Sequencer and generate a new .msi file for the package. -- Any version 4.2 reports that were created and saved will be overwritten when the server is upgraded to version 4.5. If you have to keep these reports, you must save a backup copy of the SftMMC.msc file located in the SoftGrid Management Console folder on the server and use that copy to replace the new SftMMC.msc that is installed during the upgrade. +- Any version 4.2 reports that were created and saved will be overwritten when the server is upgraded to version 4.5. If you have to keep these reports, you must save a backup copy of the SftMMC.msc file located in the SoftGrid Management Console folder on the server and use that copy to replace the new SftMMC.msc that is installed during the upgrade. - For additional information about upgrading from previous versions, see [Upgrading to Microsoft Application Virtualization 4.5 FAQ](https://go.microsoft.com/fwlink/?LinkId=120358) (https://go.microsoft.com/fwlink/?LinkId=120358). -## App-V 4.6 Client Package Support +## App-V 4.6 Client Package Support -You can deploy packages created in previous versions of App-V to App-V 4.6 clients. However, you must modify the associated .osd file so that it includes the appropriate operating system and chip architecture information. 
The following values can be used: +You can deploy packages created in previous versions of App-V to App-V 4.6 clients. However, you must modify the associated .osd file so that it includes the appropriate operating system and chip architecture information. The following values can be used: @@ -138,16 +137,16 @@ You can deploy packages created in previous versions of App-V to App-V 4.6 cli
          -  -To run a newly created 32-bit package, you must sequence the application on a computer running a 32-bit operating system with the App-V 4.6 Sequencer installed. After you have sequenced the application, in the Sequencer console, click the **Deployment** tab and then specify the appropriate operating system and chip architecture as required. -**Important**   -Applications sequenced on a computer running a 64-bit operating system must be deployed to computers running a 64-bit operating system. New 32-bit packages created by using the App-V 4.6 Sequencer do not run on computers running the App-V 4.5 client. +To run a newly created 32-bit package, you must sequence the application on a computer running a 32-bit operating system with the App-V 4.6 Sequencer installed. After you have sequenced the application, in the Sequencer console, click the **Deployment** tab and then specify the appropriate operating system and chip architecture as required. -  +**Important** +Applications sequenced on a computer running a 64-bit operating system must be deployed to computers running a 64-bit operating system. New 32-bit packages created by using the App-V 4.6 Sequencer do not run on computers running the App-V 4.5 client. -To run new 64-bit packages on the App-V 4.6 Client, you must sequence the application on a computer running the App-V 4.6 Sequencer and that is running a 64-bit operating system. After you have sequenced the application, in the Sequencer console, click the **Deployment** tab, and then specify the appropriate operating system and chip architecture as required. + + +To run new 64-bit packages on the App-V 4.6 Client, you must sequence the application on a computer running the App-V 4.6 Sequencer and that is running a 64-bit operating system. After you have sequenced the application, in the Sequencer console, click the **Deployment** tab, and then specify the appropriate operating system and chip architecture as required. 
The following table lists which client versions will run packages created by using the various versions of the sequencer. @@ -162,36 +161,36 @@ The following table lists which client versions will run packages created by usi -Sequenced by using the App-V 4.2 Sequencer -Sequenced by using the App-V 4.5 Sequencer -Sequenced by using the 32-bit App-V 4.6 Sequencer -Sequenced by using the 64-bit App-V 4.6 Sequencer +Sequenced by using the App-V 4.2 Sequencer +Sequenced by using the App-V 4.5 Sequencer +Sequenced by using the 32-bit App-V 4.6 Sequencer +Sequenced by using the 64-bit App-V 4.6 Sequencer -

          4.2 Client

          +

          4.2 Client

          Yes

          No

          No

          No

          -

          4.5 Client ¹

          +

          4.5 Client ¹

          Yes

          Yes

          No

          No

          -

          4.6 Client (32-bit)

          +

          4.6 Client (32-bit)

          Yes

          Yes

          Yes

          No

          -

          4.6 Client (64-bit)

          +

          4.6 Client (64-bit)

          Yes

          Yes

          Yes

          @@ -200,13 +199,13 @@ The following table lists which client versions will run packages created by usi -  -¹Applies to all versions of the App-V 4.5 client, including App-V 4.5, App-V 4.5 CU1, and App-V 4.5 SP1. -  - -  +¹Applies to all versions of the App-V 4.5 client, including App-V 4.5, App-V 4.5 CU1, and App-V 4.5 SP1. + + + + diff --git a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md index 75ec7ccebc..e11246cb72 100644 --- a/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md +++ b/mdop/appv-v4/application-virtualization-client-hardware-and-software-requirements.md @@ -27,7 +27,7 @@ The following list includes the recommended minimum hardware and software requir **Note**   The Application Virtualization (App-V) Desktop Client requires no additional processor or RAM resources beyond the requirements of the host operating system. -  + ### Hardware Requirements 
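Review bot: in the Additional Upgrade Considerations hunk the 4.2-package workaround Note is only re-whitespaced (`**Note**   ` to `**Note**`), while the two registry values that follow it, `"ClientVersion"="4.2.1.20"` and `"GlobalDataDirectory"="C:\\\\Documents and Settings\\\\All Users\\\\Documents\\\\"`, remain inline prose with quadruple-escaped backslashes that are easy to mangle when copied into a script. Since this block is being touched anyway, put the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration` path and both values in a fenced code block so they render literally, and expand `(a globally writeable location)` into a sentence that says what the directory holds and who needs write access to it, rather than leaving the reader to pick any world-writable folder.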
@@ -85,8 +85,8 @@ The hardware requirements are applicable to all versions. The following software prerequisites are installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, the following products must be installed first. -- **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360). - - **Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)**—For more information about installing Microsoft Core XML Services (MSXML) 6.0 SP1 (x86), see [Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)](https://go.microsoft.com/fwlink/?LinkId=63266) (https://go.microsoft.com/fwlink/?LinkId=63266). +- **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360). 
+ - **Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)**—For more information about installing Microsoft Core XML Services (MSXML) 6.0 SP1 (x86), see [Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)](https://go.microsoft.com/fwlink/?LinkId=63266) (https://go.microsoft.com/fwlink/?LinkId=63266). For the Application Virtualization (App-V) 4.6 Desktop Client, the following additional software prerequisite is installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, you must also install with the other prerequisites listed. 
@@ -136,19 +136,19 @@ The Application Virtualization (App-V) 4.6 Desktop Client supports x86 and x64 S The following software prerequisites are installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, the following products must be installed first. -- **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360). +- Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)—For more information about installing Microsoft Visual C++ 2005 SP1 Redistributable Package (x86), see Microsoft Visual C++ 2005 SP1 Redistributable Package (x86) (https://go.microsoft.com/fwlink/?LinkId=119961). For version 4.5 SP2 of the App-V client, download Vcredist_x86.exe from Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update (https://go.microsoft.com/fwlink/?LinkId=169360). -- **Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)**—For more information about installing Microsoft Core XML Services (MSXML) 6.0 SP1 (x86), see [Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)](https://go.microsoft.com/fwlink/?LinkId=63266) (https://go.microsoft.com/fwlink/?LinkId=63266). +- Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)—For more information about installing Microsoft Core XML Services (MSXML) 6.0 SP1 (x86), see Microsoft Core XML Services (MSXML) 6.0 SP1 (x86) (https://go.microsoft.com/fwlink/?LinkId=63266). 
-- **Microsoft Application Error Reporting**—The installation program for this software is included in the **Support\\Watson** folder in the self-extracting archive file. +- Microsoft Application Error Reporting—The installation program for this software is included in the Support\Watson folder in the self-extracting archive file. For the Application Virtualization (App-V) 4.6 Desktop Client, the following additional software prerequisite is installed automatically if you are using the Setup.exe method. If you are using the Setup.msi installation program, you must also install with the other prerequisites listed. -- **Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)**—For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=150700) (https://go.microsoft.com/fwlink/?LinkId=150700). +- Microsoft Visual C++ 2008 SP1 Redistributable Package (x86)—For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) (https://go.microsoft.com/fwlink/?LinkId=150700). ## Application Virtualization Client for Remote Desktop Services -Following are the recommended hardware and software requirements for the Application Virtualization Client for Remote Desktop Services. The requirements are listed first for appv461\_3, followed by the requirements for versions that preceded App-V 4.6 SP2. +Following are the recommended hardware and software requirements for the Application Virtualization Client for Remote Desktop Services. The requirements are listed first for appv461_3, followed by the requirements for versions that preceded App-V 4.6 SP2. The Application Virtualization (App-V) Client for Remote Desktop Services requires no additional processor or RAM resources beyond the requirements of the host operating system. 
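Review bot: the `-136` hunk strips markup that the `-85` hunk in the same file keeps. `- **Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)**—... see [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961)` becomes an unbolded item with a bare `(https://go.microsoft.com/fwlink/?LinkId=119961)` and no link, and `**Support\\Watson**` becomes `Support\Watson`. The URLs survive in parentheses, so a reader loses nothing, but the two prerequisite lists in one topic now render differently; either apply the same treatment to the `-85` list or keep the markdown here. Separately, in the `-85` hunk the MSXML item gains a leading space (`+ - **Microsoft Core XML Services`), which still parses as a list item but is indented differently from the Visual C++ item above it.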
diff --git a/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md b/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md index 2bb49ee5ac..5934984a4d 100644 --- a/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md +++ b/mdop/appv-v4/application-virtualization-client-installer-command-line-parameters.md @@ -19,12 +19,12 @@ ms.date: 08/30/2016 The following table lists all available Microsoft Application Virtualization Client installer command-line parameters, their values, and a brief description of each parameter. Parameters are case-sensitive and must be entered as all-uppercase letters. All parameter values must be enclosed in double quotes. -**Note**   -- For App-V version 4.6, command-line parameters cannot be used during a client upgrade. +**Note** +- For App-V version 4.6, command-line parameters cannot be used during a client upgrade. - The *SWICACHESIZE* and *MINFREESPACEMB* parameters cannot be combined on the command line. If both are used, the *SWICACHESIZE* parameter will be ignored. -  + @@ -59,14 +59,13 @@ The following table lists all available Microsoft Application Virtualization Cli

          A URL has several parts:

          <protocol>://<server>:<port>/<path>/<?query><#fragment>

          A UNC path has three parts:

          -

          \\<computername>\<share folder>\<resource>

          +

          &lt;computername>&lt;share folder>&lt;resource>

          If the APPLICATIONSOURCEROOT parameter is specified on a client, the client will break the URL or UNC path from an OSD file into its constituent parts and replace the OSD sections with the corresponding APPLICATIONSOURCEROOT sections.

          -Important   -

          Be sure to use the correct format when using file:// with a UNC path. The correct format is file://\\<server>\<share>.

          +Important

          Be sure to use the correct format when using file:// with a UNC path. The correct format is file://&lt;server>&lt;share>.

          -  +
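Review bot: the rewritten UNC examples in this hunk lose their path separators. `\\<computername>\<share folder>\<resource>` becomes `&lt;computername>&lt;share folder>&lt;resource>`, and in the Important note `file://\\<server>\<share>` becomes `file://&lt;server>&lt;share>`, so the "correct format" the note insists on is now shown with no backslashes at all. Escaping `<` as `&lt;` so the placeholders render inside the HTML table is the right idea, but the backslashes have to be restored in front of each escaped placeholder, and the URL line `<protocol>://<server>:<port>/<path>/<?query><#fragment>` two lines up is left with raw angle brackets, so the escaping is also inconsistent within one cell. Check the rendered output of this cell, not just the source.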
          @@ -77,13 +76,12 @@ The following table lists all available Microsoft Application Virtualization Cli

          A URL has several parts:

          <protocol>://<server>:<port>/<path>/<?query><#fragment>

          A UNC path has three parts:

          -

          \\<computername>\<share folder>\<resource>

          +

          &lt;computername>&lt;share folder>&lt;resource>

          -Important   -

          Be sure to use the correct format when using a UNC path. Acceptable formats are \\<server>\<share> or <drive letter>:\<folder>.

          +Important

          Be sure to use the correct format when using a UNC path. Acceptable formats are &lt;server>&lt;share> or <drive letter>:&lt;folder>.

          -  +
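Review bot: same separator loss as the previous cell: `\\<server>\<share> or <drive letter>:\<folder>` becomes `&lt;server>&lt;share> or <drive letter>:&lt;folder>`, which drops the leading `\\`, the separator between server and share, and the `\` after the drive colon, while `<drive letter>` alone is left unescaped. Restore the backslashes and escape the placeholders uniformly; as written, the Important note now shows two "acceptable formats" that neither Windows nor the client would accept.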
          @@ -94,13 +92,12 @@ The following table lists all available Microsoft Application Virtualization Cli

          A URL has several parts:

          <protocol>://<server>:<port>/<path>/<?query><#fragment>

          A UNC path has three parts:

          -

          \\<computername>\<share folder>\<resource>

          +

          &lt;computername>&lt;share folder>&lt;resource>

          -Important   -

          Be sure to use the correct format when using a UNC path. Acceptable formats are \\<server>\<share> or <drive letter>:\<folder>.

          +Important

          Be sure to use the correct format when using a UNC path. Acceptable formats are &lt;server>&lt;share> or <drive letter>:&lt;folder>.

          -  +
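Review bot: third copy of the same cell, same defect: `\\<computername>\<share folder>\<resource>` and the `\\<server>\<share> or <drive letter>:\<folder>` formats lose every backslash in the `+` lines. Whatever fix lands for the first two cells should be applied here as well so the three copies stay identical.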
          @@ -111,11 +108,10 @@ The following table lists all available Microsoft Application Virtualization Cli @@ -144,20 +139,18 @@ The following table lists all available Microsoft Application Virtualization Cli
        • NONE—No auto-loading, regardless of what triggers might be set.

        • ALL—If any AutoLoad trigger is enabled, all packages are automatically loaded, whether or not they have ever been launched.

          -Note   -

          This setting is configured for individual packages by using the SFTMIME ADD PACKAGE and CONFIGURE PACKAGE commands. For more information about these commands, see [SFTMIME Command Reference](sftmime--command-reference.md).

          +Note

          This setting is configured for individual packages by using the SFTMIME ADD PACKAGE and CONFIGURE PACKAGE commands. For more information about these commands, see SFTMIME Command Reference.

          -  +
        • PREVUSED—If any AutoLoad trigger is enabled, load only the packages where at least one application in the package has been previously used (that is, launched or precached).

        • -Note   -

          When you install the App-V client to use a read-only cache, (for example, as a VDI server implementation), you must set the AUTOLOADTARGET parameter to NONE to prevent the client from trying to update applications in the read-only cache.

          +Note

          When you install the App-V client to use a read-only cache, (for example, as a VDI server implementation), you must set the AUTOLOADTARGET parameter to NONE to prevent the client from trying to update applications in the read-only cache.

          -  +
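Review bot: the Note under `ALL` drops its cross-reference: `[SFTMIME Command Reference](sftmime--command-reference.md)` becomes plain `SFTMIME Command Reference`, so a reader of AUTOLOADTARGET can no longer navigate to the `SFTMIME ADD PACKAGE` and `CONFIGURE PACKAGE` commands the note tells them to use. Keep the link. The read-only-cache Note (`you must set the AUTOLOADTARGET parameter to NONE`) changes only in whitespace, which is correct; that is the one setting in this cell with an operational consequence if it is missed, so it should not be reflowed further.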
          @@ -217,7 +210,7 @@ The following table lists all available Microsoft Application Virtualization Cli - @@ -286,19 +279,18 @@ The following table lists all available Microsoft Application Virtualization Cli

          The AutoLoad triggers that define the events that initiate auto-loading of applications. AutoLoad implicitly uses background streaming to enable the application to be fully loaded into cache.

          The primary feature block will be loaded as quickly as possible. Remaining feature blocks will be loaded in the background to enable foreground operations, such as user interaction with applications, to take priority and provide optimal performance.

          -Note   -

          The AUTOLOADTARGET parameter determines which applications are auto-loaded. By default, packages that have been used are auto-loaded unless AUTOLOADTARGET is set.

          +Note

          The AUTOLOADTARGET parameter determines which applications are auto-loaded. By default, packages that have been used are auto-loaded unless AUTOLOADTARGET is set.

          -  +

          Each parameter affects loading behavior as follows:

            @@ -126,11 +122,10 @@ The following table lists all available Microsoft Application Virtualization Cli

            The three values can be combined. In the following example, AutoLoad triggers are enabled both at user login and when publishing refresh occurs:

            AUTOLOADONLOGIN AUTOLOADONREFRESH

            -Note   -

            If the client is configured with these values at first install, Autoload will not be triggered until the next time the user logs off and logs back on.

            +Note

            If the client is configured with these values at first install, Autoload will not be triggered until the next time the user logs off and logs back on.

            -  +

          SWIPUBSVRHOST

          IP address|host name

          Specifies either the IP address of the Application Virtualization Server or a host name of the server that resolves into the server's IP address; required when SWIPUBSVRDISPLAY is used.

          +

          Specifies either the IP address of the Application Virtualization Server or a host name of the server that resolves into the server's IP address; required when SWIPUBSVRDISPLAY is used.

          Example: SWIPUBSVRHOST="SERVER01"

          [0|1]

          Used when you have applied registry settings prior to deploying a client—for example, by using Group Policy. When a client is deployed, set this parameter to a value of 1 so that it will not overwrite the registry settings.

          -Important   -

          If set to a value of 1, the following client installer command-line parameters are ignored:

          +Important

          If set to a value of 1, the following client installer command-line parameters are ignored:

          SWICACHESIZE, MINFREESPACEMB, ALLOWINDEPENDENTFILESTREAMING, APPLICATIONSOURCEROOT, ICONSOURCEROOT, OSDSOURCEROOT, SYSTEMEVENTLOGLEVEL, SWIGLOBALDATA, DOTIMEOUTMINUTES, SWIFSDRIVE, AUTOLOADTARGET, AUTOLOADTRIGGERS, and SWIUSERDATA.

          -

          For further information about setting these values after installation, see “How to Configure the App-V Client Registry Settings by Using the Command Line” in the Application Virtualization (App-V) Operations Guide ([https://go.microsoft.com/fwlink/?LinkId=122939](https://go.microsoft.com/fwlink/?LinkId=122939)).

          +

          For further information about setting these values after installation, see “How to Configure the App-V Client Registry Settings by Using the Command Line” in the Application Virtualization (App-V) Operations Guide (https://go.microsoft.com/fwlink/?LinkId=122939).

          -  +
          -  + ## Related topics @@ -309,9 +301,9 @@ The following table lists all available Microsoft Application Virtualization Cli [SFTMIME Command Reference](sftmime--command-reference.md) -  - -  + + + diff --git a/mdop/appv-v4/application-virtualization-properties-general-tab.md b/mdop/appv-v4/application-virtualization-properties-general-tab.md index 6b66e5fa66..31bfb94c4b 100644 --- a/mdop/appv-v4/application-virtualization-properties-general-tab.md +++ b/mdop/appv-v4/application-virtualization-properties-general-tab.md @@ -40,7 +40,7 @@ Select the level from the drop-down list. The default level is **Warning**. **Note**   The **System Log Level** setting controls the level of messages sent to the system event log. The logged messages are identical to the messages that get logged to the client event log, but they are stored in a different location that does not have the space limitations of the client event log. Because the system event log does not have space limitations, it is ideally suited for situations where verbose logging is necessary. -  + **Global Data Directory** Enter or browse to the location of the directory of the log file. The default locations are as follows: @@ -57,9 +57,9 @@ Enter or browse to the location of the directory where user-specific data is sto [Client Management Console: Application Virtualization Properties](client-management-console-application-virtualization-properties.md) -  + -  + diff --git a/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md b/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md index b658320309..22cdebc6e0 100644 --- a/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md +++ b/mdop/appv-v4/application-virtualization-sequencer-hardware-and-software-requirements.md 
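Review bot: in the hunk for the `[0|1]` parameter that preserves pre-applied registry settings, the `+` line changes `([https://go.microsoft.com/fwlink/?LinkId=122939](https://go.microsoft.com/fwlink/?LinkId=122939))` to the bare `(https://go.microsoft.com/fwlink/?LinkId=122939)`. That is a content change in an otherwise whitespace-only commit and relies on the renderer autolinking a bare URL inside parentheses; either keep the explicit link form or mention the change in the commit message.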
@@ -22,7 +22,7 @@ This topic describes the minimum recommended hardware and software requirements **Important**   You must run the App-V sequencer (**SFTSequencer.exe**) using an account that has administrator privileges because of the changes the sequencer makes to the local system. These changes can include writing files to the **C:\\Program Files** directory, making registry changes, starting and stopping services, updating security descriptors for files, and changing permissions. -  + Before you install the Sequencer and after you sequence each application, you must restore a clean operating system image to the sequencing computer. You can use one of the following methods to restore the computer running the Sequencer: @@ -47,7 +47,7 @@ The requirements are listed first for Microsoft Application Virtualization (App- **Note**   Sequencing requires heavy disk usage. A fast disk speed can decrease the sequencing time. -   + ### Software Requirements for App-V 4.6 SP2 @@ -96,12 +96,12 @@ The following list outlines the supported operating systems for running the App- -  + **Note**   The Application Virtualization (App-V) 4.6 SP2 Sequencer supports 32-bit and 64-bit versions of these operating systems. -  + You should configure computers running the Sequencer with the same applications that are installed on targeted computers. @@ -146,14 +146,14 @@ The following list outlines the supported operating systems for running the Sequ -  + ¹Supported for App-V 4.5 with SP1 or SP2, and App-V 4.6 only **Note**   The Application Virtualization (App-V) 4.6 Sequencer supports 32-bit and 64-bit versions of these operating systems. -  + You should configure computers running the Sequencer with the same applications that are installed on targeted computers. 
@@ -202,12 +202,12 @@ You should configure computers running the Sequencer with the same applications -  + **Note**   Application Virtualization (App-V) 4.6 SP2 for Remote Desktop Services supports 32-bit and 64-bit versions of these operating systems. -  + ### Software Requirements for Remote Desktop Services for Versions that Precede App-V 4.6 SP2 @@ -254,12 +254,12 @@ Application Virtualization (App-V) 4.6 SP2 for Remote Desktop Services supports -  + **Note**   Application Virtualization (App-V) 4.6 SP2 for Remote Desktop Services supports 32-bit and 64-bit versions of these operating systems. -  + ## Related topics @@ -272,9 +272,9 @@ Application Virtualization (App-V) 4.6 SP2 for Remote Desktop Services supports [How to Upgrade the Application Virtualization Sequencer](how-to-upgrade-the-application-virtualization-sequencer.md) -  + -  + diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md index f778765055..bea986ef57 100644 --- a/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md +++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-advanced-options-page.md @@ -41,16 +41,15 @@ Use the **Advanced Options** page of the Application Virtualization (App-V) Sequ
        • 64 KB

        -Note   -

        When you select a block size, consider the size of the SFT file and your network bandwidth. A file with a smaller block size takes longer to stream over the network but is less bandwidth-intensive. Files with larger block sizes might stream faster, but they use more network bandwidth. Through experimentation, you can discover the optimum block size for streaming applications on your network.

        +Note

        When you select a block size, consider the size of the SFT file and your network bandwidth. A file with a smaller block size takes longer to stream over the network but is less bandwidth-intensive. Files with larger block sizes might stream faster, but they use more network bandwidth. Through experimentation, you can discover the optimum block size for streaming applications on your network.

        -  +

        Enable Microsoft Update During Monitoring

        -

        Enables installation of Microsoft Updates during the Sequencing Wizard's monitoring phase.

        +

        Enables installation of Microsoft Updates during the Sequencing Wizard's monitoring phase.

        Rebase DLLs

        @@ -58,11 +57,11 @@ Use the **Advanced Options** page of the Application Virtualization (App-V) Sequ

        Back

        -

        Accesses the Sequencing Wizard's previous page.

        +

        Accesses the Sequencing Wizard's previous page.

        Next

        -

        Accesses the Sequencing Wizard's next page.

        +

        Accesses the Sequencing Wizard's next page.

        Cancel

        @@ -71,7 +70,7 @@ Use the **Advanced Options** page of the Application Virtualization (App-V) Sequ -  + \[Template Token Value\] @@ -112,7 +111,7 @@ Use the **Advanced Options** page of the App-V Sequencing Wizard to specify adva -  + \[Template Token Value\] @@ -121,9 +120,9 @@ Use the **Advanced Options** page of the App-V Sequencing Wizard to specify adva [Sequencing Wizard](sequencing-wizard.md) -  - -  + + + diff --git a/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md b/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md index 81c5439dc4..cab2f6fa85 100644 --- a/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md +++ b/mdop/appv-v4/application-virtualization-sequencing-wizard-monitor-installation-page.md @@ -35,31 +35,29 @@ Use the **Monitor Installation** page of the Application Virtualization Sequenci

        Begin Monitoring

        Starts the monitoring of the sequencing process.

        -Note   -

        The Sequencer will minimize so that you can run your application's installer, except on Vista.

        +Note

        The Sequencer will minimize so that you can run your application's installer, except on Vista.

        -  +

        Stop Monitoring

        Stops the monitoring of the sequencing process.

        -Note   -

        The Stop Monitoring button is displayed only after the monitoring process starts.

        +Note

        The Stop Monitoring button is displayed only after the monitoring process starts.

        -  +

        Back

        -

        Accesses the Sequencing Wizard's previous page.

        +

        Accesses the Sequencing Wizard's previous page.

        Next

        -

        Accesses the Sequencing Wizard's next page.

        +

        Accesses the Sequencing Wizard's next page.

        Cancel

        @@ -68,7 +66,7 @@ Use the **Monitor Installation** page of the Application Virtualization Sequenci -  + \[Template Token Value\] @@ -109,7 +107,7 @@ Use the **Monitor Installation** page of the App-V sequencing wizard to monitor -  + \[Template Token Value\] @@ -118,9 +116,9 @@ Use the **Monitor Installation** page of the App-V sequencing wizard to monitor [Sequencing Wizard](sequencing-wizard.md) -  - -  + + + diff --git a/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md b/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md index e1dd5d1a06..fd47fcd34c 100644 --- a/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md +++ b/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md @@ -55,7 +55,7 @@ For load from file package delivery, the server delivers the entire virtualized **Note**   For each delivery method, the initial virtual application delivery process and the virtual application update process are the same; the updated virtual application package replaces the original application package. -  + The following table compares the advantages and disadvantages of each package delivery method. @@ -98,7 +98,7 @@ The following table compares the advantages and disadvantages of each package de -  + ## Server-Related Protocols and External Components @@ -157,7 +157,7 @@ The following table lists the server types that can be used in an Application Vi -  + ## Related topics @@ -168,9 +168,9 @@ The following table lists the server types that can be used in an Application Vi [How to Install the Servers and System Components](how-to-install-the-servers-and-system-components.md) -  + -  + diff --git a/mdop/appv-v4/application-virtualization-system-requirements.md b/mdop/appv-v4/application-virtualization-system-requirements.md index c2b13d450d..0688d51f04 100644 --- a/mdop/appv-v4/application-virtualization-system-requirements.md 
+++ b/mdop/appv-v4/application-virtualization-system-requirements.md @@ -89,7 +89,7 @@ The following list includes the minimum recommended hardware and software requir -  + ¹Applies to App-V 4.5 SP1 and SP2 only. @@ -163,7 +163,7 @@ The following list includes the minimum recommended hardware and software requir -  + ¹Applies to App-V 4.5 SP1 and SP2 only. @@ -243,7 +243,7 @@ The following list includes the minimum recommended hardware and software requir -  + ¹Applies to App-V 4.5 SP1 and SP2 only. @@ -327,7 +327,7 @@ The following list includes the minimum recommended hardware and software requir -  + ¹Applies to App-V 4.5 SP1 and SP2 only. @@ -338,7 +338,7 @@ The following list includes the minimum recommended hardware and software requir **Important**   The minimum requirement is .NET Framework 2.0 SP2 if you must install App-V hotfix KB980850 or subsequent App-V hotfixes on the computer that is running the App-V Management Console. -   + ## Related topics @@ -353,9 +353,9 @@ The following list includes the minimum recommended hardware and software requir [How to Upgrade the Servers and System Components](how-to-upgrade-the-servers-and-system-components.md) -  + -  + diff --git a/mdop/appv-v4/applications-licenses-node.md b/mdop/appv-v4/applications-licenses-node.md index 716dc4bbf5..e41472ad97 100644 --- a/mdop/appv-v4/applications-licenses-node.md +++ b/mdop/appv-v4/applications-licenses-node.md @@ -28,7 +28,7 @@ The **Applications Licenses** node is one level below the Application Virtualiza **Note**   You can combine concurrent and named licenses for the same application. -  + Right-click the **Applications Licenses** node to display a pop-up menu that contains the following elements. @@ -116,9 +116,9 @@ Displays the help system for the Application Virtualization Server Management Co [Server Management Console: Application Licenses Node](server-management-console-application-licenses-node.md) -  + -  + 
diff --git a/mdop/appv-v4/applications-results-pane-columns.md b/mdop/appv-v4/applications-results-pane-columns.md index a2e1bb086b..763e99c393 100644 --- a/mdop/appv-v4/applications-results-pane-columns.md +++ b/mdop/appv-v4/applications-results-pane-columns.md @@ -22,7 +22,7 @@ The **Results** pane of the **Applications** node in the Application Virtualizat **Note**   You can add or remove columns by right-clicking in the **Results** pane, selecting **View**, and then selecting **Add/Remove Columns**. -  + The list can be sorted by any column. Columns that contain dates and times are sorted in chronological order, not alphabetical. For columns that contain a mix of dates and times and text, dates and times are considered to come before any other text. @@ -127,9 +127,9 @@ The application version. [Application Virtualization Client Management Console Reference](application-virtualization-client-management-console-reference.md) -  + -  + diff --git a/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md b/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md index 18e320f75c..98700d6626 100644 --- a/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md +++ b/mdop/appv-v4/best-practices-for-the-application-virtualization-sequencer-sp1.md @@ -68,7 +68,7 @@ The following best practices should be considered when sequencing a new applicat **Note**   If you are running App-V 4.6 SP1 you do not need to sequence to a directory that follows the 8.3 naming convention. -   + - **Sequence to a unique directory that follows the 8.3 naming convention.** @@ -95,9 +95,9 @@ The following best practices should be considered when sequencing a new applicat [Planning for Application Virtualization System Deployment](planning-for-application-virtualization-system-deployment.md) -  + -  + diff --git a/mdop/appv-v4/command-line-errors.md b/mdop/appv-v4/command-line-errors.md index 6689d0460b..4acd9ab657 100644 
--- a/mdop/appv-v4/command-line-errors.md +++ b/mdop/appv-v4/command-line-errors.md @@ -22,7 +22,7 @@ Use the following list of errors to identify the reasons why command-line sequen **Note**   More than one error might be displayed when sequencing. Furthermore, the error code displayed might be the sum of two error codes. For example, if the */InstallPath* and */OutputFile* parameters are missing, the Microsoft System Center Application Virtualization Sequencer will return 96—the sum of the two error codes. -  + 01 There is an unspecified error. @@ -64,7 +64,7 @@ The sequenced application package cannot be saved. The specified package name (/PACKAGENAME) is not valid. 8192 -The specified block size (/BLOCKSIZE*)* is not valid. +The specified block size (/BLOCKSIZE) is not valid. 16384 The specified compression type (/COMPRESSION) is not valid. @@ -91,9 +91,9 @@ The package name was not specified. [Command-Line Parameters](command-line-parameters.md) -  + -  + diff --git a/mdop/appv-v4/command-line-parameters.md b/mdop/appv-v4/command-line-parameters.md index 6e2dff3b8e..b404816379 100644 --- a/mdop/appv-v4/command-line-parameters.md +++ b/mdop/appv-v4/command-line-parameters.md @@ -34,7 +34,7 @@ Use to specify the path and file name of the SPRJ file that will be generated. **Important**   The */OUTPUTFILE* parameter is not available when opening a package that you do not intend to upgrade. -  + */FULLLOAD* or */F* Use to specify whether to put everything in the primary feature block. @@ -87,9 +87,9 @@ Specifies the directory on the sequencing computer where the files associated wi [How to Upgrade a Package Using the Open Package Command](how-to-upgrade-a-package-using-the-open-package-command.md) -  + -  + diff --git a/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md b/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md index 3fd924773b..5c2c349db4 100644 
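Review bot: the `-The specified block size (/BLOCKSIZE*)* is not valid.` / `+The specified block size (/BLOCKSIZE) is not valid.` change in command-line-errors.md is the one substantive text fix in this patch (everything else is trailing-whitespace cleanup), and it is correct: the stray `*)*` would render as a literal asterisk plus an unmatched emphasis marker, and the neighbouring entries `/PACKAGENAME` and `/COMPRESSION` use no italics. Call it out in the commit message so it is not lost among the whitespace changes.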
--- a/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md +++ b/mdop/appv-v4/configuring-certificates-to-support-app-v-management-server-or-streaming-server.md @@ -22,12 +22,12 @@ After you complete the certificate provisioning process and change the private k **Note**   Select the certificate that was configured for App-V if there is more than one certificate provisioned for this server. -  + **Important**   When upgrading from version  4.2 to version  4.5, the setup has an option for **Use enhanced security**; however, selecting this option will not disable streaming over RTSP. You must use the Management Console to disable RTSP after installation. -  + Select the TCP port that the service will use for client communications. The default port is TCP 322; however, you can change the port to a custom port for your environment. @@ -51,9 +51,9 @@ For more detailed information about configuring certificates with the SAN attrib [How to Modify Private Key Permissions to Support Management Server or Streaming Server](how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md) -  + -  + diff --git a/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md b/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md index 65e80a70a6..2a4167506b 100644 --- a/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md +++ b/mdop/appv-v4/configuring-certificates-to-support-secure-streaming.md 
@@ -35,7 +35,7 @@ The scenarios for obtaining and installing a certificate for App-V are as follow **Note**   If you need to obtain a certificate from a third-party CA, follow the documentation available on that CA’s Web site. -   + If a PKI infrastructure has been deployed, consult with the PKI administrators to acquire a certificate that complies with the requirements described in this topic. If a PKI infrastructure is not available, use a third-party CA to obtain a valid certificate. @@ -47,9 +47,9 @@ For step-by-step guidance for obtaining and installing a certificate, see . @@ -41,9 +41,9 @@ App-V can use IIS servers to support different infrastructure configurations. Fo [How to Install and Configure the App-V Management Console for a More Secure Environment](how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md) -  + -  + diff --git a/mdop/appv-v4/configuring-iis-for-secure-streaming.md b/mdop/appv-v4/configuring-iis-for-secure-streaming.md index 3f3e7c2588..7257a99ab0 100644 --- a/mdop/appv-v4/configuring-iis-for-secure-streaming.md +++ b/mdop/appv-v4/configuring-iis-for-secure-streaming.md @@ -26,7 +26,7 @@ If you want to stream applications from a file server, you should enhance the se - For Windows Server 2008, -  + ## MIME Types @@ -55,9 +55,9 @@ To create an SPN, run `setspn.exe` from a command prompt while logged in as a me [Configuring Management or Streaming Server for Secure Communications Post-Installation](configuring-management-or-streaming-server-for-secure-communications-post-installation.md) -  + -  + diff --git a/mdop/appv-v4/create-package-page--app-v-46-sp1.md b/mdop/appv-v4/create-package-page--app-v-46-sp1.md index 39e886c400..11e4b06c98 100644 --- a/mdop/appv-v4/create-package-page--app-v-46-sp1.md +++ b/mdop/appv-v4/create-package-page--app-v-46-sp1.md 
@@ -33,16 +33,16 @@ Select the **Compress Package** check box to compress the package, which can hel **Note**   If the original package size is more than 4 GB and compressed, by default, the checkbox is checked and cannot be changed. If the original package is compressed and less than 4 GB, the check box is checked, but can be cleared. -  + ## Related topics [Sequencer Wizard - Package Accelerator (AppV 4.6 SP1)](sequencer-wizard---package-accelerator--appv-46-sp1-.md) -  + -  + diff --git a/mdop/appv-v4/delete-package.md b/mdop/appv-v4/delete-package.md index 4e7a870a04..b5f9062d59 100644 --- a/mdop/appv-v4/delete-package.md +++ b/mdop/appv-v4/delete-package.md @@ -52,7 +52,7 @@ Removes a package record and the applications associated with it. -  + For version 4.6, the following option has been added. @@ -69,23 +69,23 @@ For version 4.6, the following option has been added. -  + **Important**   The DELETE PACKAGE command always performs a global delete of the package and deletes only global file types and shortcuts. If the package is global, this command must be run as local Administrator; otherwise, only **DeleteApp** permission is needed. -  + ## Related topics [SFTMIME Command Reference](sftmime--command-reference.md) -  + -  + diff --git a/mdop/appv-v4/delete-server.md b/mdop/appv-v4/delete-server.md index ca8f118cc5..4f021d2a66 100644 --- a/mdop/appv-v4/delete-server.md +++ b/mdop/appv-v4/delete-server.md @@ -22,7 +22,7 @@ Removes a publishing server. **Note**   This command does not remove any applications or packages published to the client by the server. For each application, use the SFTMIME **CLEAR APP** command followed by the **DELETE PACKAGE** command to completely remove those applications and packages from the client. -  + `SFTMIME DELETE SERVER:server-name [/LOG log-pathname | /CONSOLE | /GUI]` @@ -57,7 +57,7 @@ This command does not remove any applications or packages published to the clien -  + For version 4.6, the following option has been added. 
@@ -74,16 +74,16 @@ For version 4.6, the following option has been added. -  + ## Related topics [SFTMIME Command Reference](sftmime--command-reference.md) -  + -  + diff --git a/mdop/appv-v4/determine-your-streaming-method.md b/mdop/appv-v4/determine-your-streaming-method.md index f338a6e5f8..290ebfd16b 100644 --- a/mdop/appv-v4/determine-your-streaming-method.md +++ b/mdop/appv-v4/determine-your-streaming-method.md @@ -22,14 +22,14 @@ The first time that a user double-clicks the icon that has been placed on a comp **Note**   *Streaming* is the term used to describe the process of obtaining content from a sequenced application package, starting with the primary feature block and then obtaining additional blocks as needed. -  + The streaming source location is usually a server that is accessible by the user’s computer; however, some electronic distribution systems, such as Microsoft System Center Configuration Manager, can distribute the SFT file to the user’s computer and then stream the virtual application package locally from that computer’s cache. **Note**   A streaming source location for virtual packages can be set up on a computer that is not a server. This is especially useful in a small branch office that has no server. -  + The streaming sources that can be used to store sequenced applications are described in the following table. @@ -60,7 +60,7 @@ The streaming sources that can be used to store sequenced applications are descr
        • No active upgrade

        -

        [How to Configure the File Server](how-to-configure-the-file-server.md)

        +

        How to Configure the File Server

        IIS server
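Review bot: the `+` line in the `@@ -60,7 +60,7 @@` hunk of determine-your-streaming-method.md replaces `[How to Configure the File Server](how-to-configure-the-file-server.md)` with the plain text `How to Configure the File Server`, so the streaming-sources table loses its link to the file server procedure. Unless that topic has been removed, keep the link and limit this hunk to the whitespace fix.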

        @@ -76,7 +76,7 @@ The streaming sources that can be used to store sequenced applications are descr
      • Need to manage IIS

      • No active upgrade

      -

      [How to Configure the Server for IIS](how-to-configure-the-server-for-iis.md)

      +

      How to Configure the Server for IIS

      Application Virtualization Streaming Server
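Review bot: the `+` line in the `@@ -76,7 +76,7 @@` hunk drops the link `[How to Configure the Server for IIS](how-to-configure-the-server-for-iis.md)` in favour of plain text, leaving the IIS server row of the table without a pointer to its configuration topic. Restore the link unless the target file no longer exists.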

      @@ -90,12 +90,12 @@ The streaming sources that can be used to store sequenced applications are descr
    • Dual infrastructure

    • Server administration requirement

    -

    [How to Configure the Application Virtualization Management Servers](how-to-configure-the-application-virtualization-management-servers.md)

    +

    How to Configure the Application Virtualization Management Servers

    -  + ## Related topics @@ -106,9 +106,9 @@ The streaming sources that can be used to store sequenced applications are descr [Determine Your Publishing Method](determine-your-publishing-method.md) -  + -  + diff --git a/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md b/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md index 3fed5fca24..51c635b149 100644 --- a/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md +++ b/mdop/appv-v4/electronic-software-distribution-based-scenario-overview.md @@ -22,7 +22,7 @@ If you plan to use an electronic software distribution (ESD) solution to deploy **Important**   Whichever ESD solution you use, you must be familiar with the requirements of your particular solution. If you are using System Center Configuration Manager 2007 R2 or later, see the System Center Configuration Manager documentation at . -  + Using an existing ESD system provides you with the following benefits: @@ -75,9 +75,9 @@ For more detailed information about the preceding streaming methods, see [Determ [SFTMIME Command Reference](sftmime--command-reference.md) -  + -  + diff --git a/mdop/appv-v4/exclusion-item-dialog-box.md b/mdop/appv-v4/exclusion-item-dialog-box.md index b0eb2f90d3..3038ca2a54 100644 --- a/mdop/appv-v4/exclusion-item-dialog-box.md +++ b/mdop/appv-v4/exclusion-item-dialog-box.md @@ -22,7 +22,7 @@ Use the **Exclusion Item** dialog box to assign or change a mapping rule and to **Important**   Adding files from an excluded directory to the virtual files system is not supported. -  + **Exclude Path** Use to specify variable name that the Application Virtualization Sequencer will exclude if encountered while parsing virtual file system items or virtual registry items. @@ -41,9 +41,9 @@ Use to select the mapping rules the Application Virtualization Sequencer will ap [Sequencer Dialog Boxes](sequencer-dialog-boxes.md) -  + -  + 
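Review bot: the `@@ -90,12 +90,12 @@` hunk of determine-your-streaming-method.md likewise turns `[How to Configure the Application Virtualization Management Servers](how-to-configure-the-application-virtualization-management-servers.md)` into unlinked text, so all three rows of the streaming-sources table now lack their cross-references. If the intent was only to remove trailing whitespace, revert the three link removals in one follow-up so the table keeps pointing at the configuration procedures.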
diff --git a/mdop/appv-v4/file-type-association-results-pane-columns.md b/mdop/appv-v4/file-type-association-results-pane-columns.md index 8f52fc81c5..553b985e35 100644 --- a/mdop/appv-v4/file-type-association-results-pane-columns.md +++ b/mdop/appv-v4/file-type-association-results-pane-columns.md @@ -22,7 +22,7 @@ In the Application Virtualization Client Management Console, the **Results** pan **Note**   You can add or remove a column simply by right-clicking in the **Results** pane, selecting **View**, then selecting **Add/Remove Columns**. -  + The list can be sorted by any of the columns. Columns that contain dates and times are sorted in chronological order, not alphabetical. For columns that contain a mix of dates and times and text, dates and times are considered to come before any other text. @@ -86,9 +86,9 @@ The perceived type or blank. [File Type Association Results Pane](file-type-association-results-pane.md) -  + -  + diff --git a/mdop/appv-v4/how-to-add-a-package-version.md b/mdop/appv-v4/how-to-add-a-package-version.md index a3f7d10fd5..b2aba5778b 100644 --- a/mdop/appv-v4/how-to-add-a-package-version.md +++ b/mdop/appv-v4/how-to-add-a-package-version.md @@ -22,7 +22,7 @@ In the Application Virtualization Server Management Console, when you resequence **Note**   When you upgrade a package with a new version, you can leave the existing version in place or delete it and leave only the newest one. You might want to leave the old version in place for compatibility with legacy documents or so that you can test the new version before making it available to all users. -  + **To add a package version** @@ -47,9 +47,9 @@ When you upgrade a package with a new version, you can leave the existing versio [How to Manage Packages in the Server Management Console](how-to-manage-packages-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-add-a-package.md b/mdop/appv-v4/how-to-add-a-package.md index e11b12017a..4e55ae9e08 100644 
--- a/mdop/appv-v4/how-to-add-a-package.md +++ b/mdop/appv-v4/how-to-add-a-package.md @@ -38,7 +38,7 @@ It is recommended that you import applications instead of adding them manually. In dialog boxes that refer to Virtual Application Servers, you must use a network location, such as the server's static host name or IP address, that your users can access. The application's Open Software Descriptor (OSD) file can replace the placeholder variable *%SFT\_SOFTGRIDSERER%* with the server's static host name or IP address. If you leave the placeholder variable, you must set this variable on each client computer that will access that server. Set a User or System variable on each computer for SFT\_SOFTGRIDSERVER. The variable value must be the server's static host name or IP address. If you set a variable, exit the Client session, log out of and back into Microsoft Windows, and then restart the session on each computer that had a session running and had the variable set. -   + 4. Click **Next**. @@ -47,7 +47,7 @@ It is recommended that you import applications instead of adding them manually. **Note**   If you are managing applications on a remote server, in the next dialog box, type only the path of the file relative to the server's content root. -   + ## Related topics @@ -56,9 +56,9 @@ It is recommended that you import applications instead of adding them manually. [How to Manage Packages in the Server Management Console](how-to-manage-packages-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-add-a-server.md b/mdop/appv-v4/how-to-add-a-server.md index 5ec5731ad3..4649e67c3f 100644 --- a/mdop/appv-v4/how-to-add-a-server.md +++ b/mdop/appv-v4/how-to-add-a-server.md @@ -22,7 +22,7 @@ To help you manage your Application Virtualization Management Servers more effic **Note**   All servers in a server group must be connected to the same data store. -  + **To add a server to a group** 
@@ -51,9 +51,9 @@ All servers in a server group must be connected to the same data store. [How to Remove a Server](how-to-remove-a-server.md) -  + -  + diff --git a/mdop/appv-v4/how-to-add-an-administrator-group.md b/mdop/appv-v4/how-to-add-an-administrator-group.md index f0af936e2b..193e0366bd 100644 --- a/mdop/appv-v4/how-to-add-an-administrator-group.md +++ b/mdop/appv-v4/how-to-add-an-administrator-group.md @@ -28,14 +28,14 @@ From the **Administrators** node of the Application Virtualization Server Manage **Important**   When completing the **Select Groups** dialog box, you might see the **Multiple Names Found** dialog box, which can display multiple group names. To add more than one group at a time, press **Ctrl** and click the name of each group you want to add. Click **OK** to exit the **Multiple Names Found** dialog box. -   + 3. Click **OK**. **Note**   To add administrator groups to the Application Virtualization Management Server, you must have system administrator or security administrator privileges on the associated data store. If you attempt to create a group without sufficient privileges, the system generates an error message. -   + ## Related topics @@ -44,9 +44,9 @@ From the **Administrators** node of the Application Virtualization Server Manage [How to Delete an Administrator Group](how-to-delete-an-administrator-group.md) -  + -  + diff --git a/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md b/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md index 2c8c075c8d..c1ecf63c7e 100644 --- a/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md 
@@ -19,77 +19,79 @@ ms.date: 06/16/2016 You can use App-V Package Accelerators to automatically generate a new virtual application package. For more information about Package Accelerators, see [About App-V Package Accelerators (App-V 4.6 SP1)](about-app-v-package-accelerators--app-v-46-sp1-.md). -**Important**   +**Important** Disclaimer: The Application Virtualization Sequencer does not give you any license rights to the software application you are using to create a Package Accelerator. You must abide by all end user license terms for such application. It is your responsibility to make sure the software application’s license terms allow you to create a Package Accelerator using Application Virtualization Sequencer. -  -**Note**   + +**Note** Before starting this procedure, copy the required Package Accelerator locally to the computer running the App-V Sequencer. You should also copy all required installation files for the package to a local directory on the computer running the Sequencer. This is the directory that you have to specify in step 5 of this procedure. -  + Use the following procedure to create a virtual application package by using a Package Accelerator. **To create a virtual application package by using an App-V Package Accelerator** -1. To start the App-V Sequencer, on the computer that is running the App-V Sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +1. To start the App-V Sequencer, on the computer that is running the App-V Sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. -2. To start the **Create New Package Wizard**, click **Create a New Virtual Application Package**. To create the package, select the **Create Package using a Package Accelerator** check box, and then click **Next**. +2. 
To start the **Create New Package Wizard**, click **Create a New Virtual Application Package**. To create the package, select the **Create Package using a Package Accelerator** check box, and then click **Next**. -3. On the **Select Package Accelerator** page, to specify the Package Accelerator that will be used to create the new virtual application package, click **Browse** to locate the Package Accelerator that you want to use. Click **Next**. +3. On the **Select Package Accelerator** page, to specify the Package Accelerator that will be used to create the new virtual application package, click **Browse** to locate the Package Accelerator that you want to use. Click **Next**. - **Important**   - If the publisher of the Package Accelerator cannot be verified and does not contain a valid digital signature, in the **Security Warning** dialog box, you must confirm that you trust the source of the Package Accelerator before you click **Run**. + **Important** + If the publisher of the Package Accelerator cannot be verified and does not contain a valid digital signature, in the **Security Warning** dialog box, you must confirm that you trust the source of the Package Accelerator before you click **Run**. -   -4. On the **Guidance** page, review the publishing guidance information displayed in the information pane. The information displayed was added when the Package Accelerator was created and contains information about creating and publishing the package. To export the guidance information to a text (.txt) file, click **Export** and specify the location where the file should be saved, and then click **Next**. -5. On the **Select Installation Files** page, to create a local folder that contains all required installation files for the package, click **Make New Folder** and specify where the folder should be saved. You must also specify a name to be assigned to the folder. You must then copy all required installation files to the location that you specified. 
If the folder that contains the installation files already exists on the computer running the Sequencer, click **Browse** to select the folder. +4. On the **Guidance** page, review the publishing guidance information displayed in the information pane. The information displayed was added when the Package Accelerator was created and contains information about creating and publishing the package. To export the guidance information to a text (.txt) file, click **Export** and specify the location where the file should be saved, and then click **Next**. - Alternatively, if you have already copied the installation files to a directory on this computer, click **Make New Folder**, browse to the folder that contains the installation files, and then click **Next**. +5. On the **Select Installation Files** page, to create a local folder that contains all required installation files for the package, click **Make New Folder** and specify where the folder should be saved. You must also specify a name to be assigned to the folder. You must then copy all required installation files to the location that you specified. If the folder that contains the installation files already exists on the computer running the Sequencer, click **Browse** to select the folder. - **Note**   - You can specify the following types of supported installation files: + Alternatively, if you have already copied the installation files to a directory on this computer, click **Make New Folder**, browse to the folder that contains the installation files, and then click **Next**. - - Windows Installer files(**.msi** + **Note** + You can specify the following types of supported installation files: - - .cab files + - Windows Installer files(**.msi** - - Compressed files with a .zip file name extension + - .cab files - - The actual application files + - Compressed files with a .zip file name extension - The following file types are not supported: **.msp** and**.exe** files. 
If you specify an **.exe** file you must extract the installation files manually. + - The actual application files -   + The following file types are not supported: **.msp** and.exe files. If you specify an **.exe** file you must extract the installation files manually. - If the Package Accelerator requires an application be installed prior to applying the Package Accelerator and you have installed the application, on the **Local Installation** page, select the check box **I have installed all applications**, and then click **Next**. -6. On the **Package Name** page, specify a name that will be associated with the package. The name specified identifies the package in the App-V Management Console. Click **Next**. -7. On the **Create Package** page, provide comments that will be associated with the package. The comments should contain identifying information about the package you are creating. To confirm the location where the package is created, review the information displayed in **Save Location**. To compress the package, select **Compress Package**. Select the **Compress Package** check box if the package will be streamed across the network, or when the package size exceeds 4 GB. +~~~ +If the Package Accelerator requires an application be installed prior to applying the Package Accelerator and you have installed the application, on the **Local Installation** page, select the check box **I have installed all applications**, and then click **Next**. +~~~ - To create the package, click **Create**. After the package has been created, click **Next**. +6. On the **Package Name** page, specify a name that will be associated with the package. The name specified identifies the package in the App-V Management Console. Click **Next**. -8. On the **Configure Software** page, to enable the Sequencer to configure the applications contained in the package, select **Configure Software**. 
This step is useful for configuring any associated tasks that must be completed to run the application on target computers, such as configuring any associated license agreements. +7. On the **Create Package** page, provide comments that will be associated with the package. The comments should contain identifying information about the package you are creating. To confirm the location where the package is created, review the information displayed in **Save Location**. To compress the package, select **Compress Package**. Select the **Compress Package** check box if the package will be streamed across the network, or when the package size exceeds 4 GB. - If you select **Configure Software**, the following items are configured by the Sequencer as part of this step: + To create the package, click **Create**. After the package has been created, click **Next**. - - **Load Package**. The Sequencer loads the files associated with the package. It can take several seconds to up to an hour to decode the package. +8. On the **Configure Software** page, to enable the Sequencer to configure the applications contained in the package, select **Configure Software**. This step is useful for configuring any associated tasks that must be completed to run the application on target computers, such as configuring any associated license agreements. - - **Run Each Program**. Optionally run the programs contained in the package. This step is helpful for completing any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks, and then close the applications. It can take several minutes for all programs to run. Click **Next**. 
+ If you select **Configure Software**, the following items are configured by the Sequencer as part of this step: - - **Save Package**. The Sequencer saves the package. + - **Load Package**. The Sequencer loads the files associated with the package. It can take several seconds to up to an hour to decode the package. - - **Primary Feature Block**. The Sequencer optimizes the package for streaming by rebuilding the primary feature block. + - **Run Each Program**. Optionally run the programs contained in the package. This step is helpful for completing any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks, and then close the applications. It can take several minutes for all programs to run. Click **Next**. - If you do not want to configure the applications, click **Skip this step**, and to go to step 9 of this procedure, and then click **Next**. + - **Save Package**. The Sequencer saves the package. -9. On the **Completion** page, after you have reviewed the information displayed in the **Virtual Application Package Report** pane, click **Close**. + - **Primary Feature Block**. The Sequencer optimizes the package for streaming by rebuilding the primary feature block. - The package is now available in the Sequencer. To edit the package properties, click **Edit \[Package Name\]**. For more information about modifying a package, see [How to Modify an Existing Virtual Application Package (App-V 4.6 SP1)](how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md). + If you do not want to configure the applications, click **Skip this step**, and to go to step 9 of this procedure, and then click **Next**. + +9. 
On the **Completion** page, after you have reviewed the information displayed in the **Virtual Application Package Report** pane, click **Close**. + + The package is now available in the Sequencer. To edit the package properties, click **Edit \[Package Name\]**. For more information about modifying a package, see [How to Modify an Existing Virtual Application Package (App-V 4.6 SP1)](how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md). ## Related topics @@ -98,9 +100,9 @@ Use the following procedure to create a virtual application package by using a P [How to Create App-V Package Accelerators (App-V 4.6 SP1)](how-to-create-app-v-package-accelerators--app-v-46-sp1-.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md b/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md index 6a76dbab6d..4ac9accd65 100644 --- a/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-apply-an-app-v-project-template--app-v-46-sp1-.md @@ -22,7 +22,7 @@ You can use an App-V project template to apply common settings associated with a **Note**   You can only apply an App-V project template when you are creating a new virtual application package. Applying project templates to existing virtual application packages is not supported. Additionally, you cannot use a project template in conjunction with a Package Accelerator. -  + For more information about creating App-V project templates, see [How to Create an App-V Project Template (App-V 4.6 SP1)](how-to-create-an-app-v-project-template--app-v-46-sp1-.md). @@ -43,9 +43,9 @@ For more information about creating App-V project templates, see [How to Create [How to Create an App-V Project Template (App-V 4.6 SP1)](how-to-create-an-app-v-project-template--app-v-46-sp1-.md) -  + -  + 
diff --git a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md index 13693fd880..ae25bdef3b 100644 --- a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md +++ b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-vista.md @@ -22,7 +22,7 @@ Use the following procedure to configure the App-V Desktop Client for proper Win **Note**   This procedure must be completed on each non-domain joined computer. Depending on the number of non-domain joined computers in your environment, this could be a very tedious operation. You can use scripts and the command-line interface for Credential Manager to help administrators automate this process. -  + **To assign the proper credentials for App-V clients running Windows Vista** @@ -51,9 +51,9 @@ This procedure must be completed on each non-domain joined computer. Depending o [How to Assign the Proper Credentials for Windows XP](how-to-assign--the-proper-credentials-for-windows-xp.md) -  + -  + diff --git a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md index 62ecfffa26..2d0a95bbfd 100644 --- a/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md +++ b/mdop/appv-v4/how-to-assign--the-proper-credentials-for-windows-xp.md @@ -22,7 +22,7 @@ Use the following procedure to configure the App-V Desktop Client for proper Win **Note**   After finishing this procedure, the non-domain joined client can perform a publishing refresh without being joined to a domain. -  + **To assign the proper credentials for App-V clients running Windows XP** @@ -49,9 +49,9 @@ After finishing this procedure, the non-domain joined client can perform a publi [How to Assign the Proper Credentials for Windows Vista](how-to-assign--the-proper-credentials-for-windows-vista.md) -  + -  + 
diff --git a/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md b/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md index 892b2f1d91..ffb07d7155 100644 --- a/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md +++ b/mdop/appv-v4/how-to-associate-an-application-with-a-license-group.md @@ -22,7 +22,7 @@ You can enforce licensing restrictions on an application by associating the appl **Important**   One or more application license groups must exist for you to associate an application with a license group. -  + **To associate an application with a license group** @@ -35,9 +35,9 @@ One or more application license groups must exist for you to associate an applic 4. Click **OK**. **Note**   -    You can alter the **Properties** tab of one application at a time. + You can alter the **Properties** tab of one application at a time. -   + ## Related topics @@ -48,9 +48,9 @@ One or more application license groups must exist for you to associate an applic [How to Manage Reports in the Server Management Console](how-to-manage-reports-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-branch-a-package.md b/mdop/appv-v4/how-to-branch-a-package.md index 0a8725cbdb..52221d9dd2 100644 --- a/mdop/appv-v4/how-to-branch-a-package.md +++ b/mdop/appv-v4/how-to-branch-a-package.md 
@@ -29,23 +29,25 @@ Use the following procedure to branch a sequenced virtual application package. 3. To save a copy of the package, in the App-V Sequencer, select **File**, **Save As**. Specify a new, unique name, and specify a new unique package root directory for the copy of the package. Click **Save**. - **Important**   + **Important** You must specify a new package name or you will overwrite the existing version of the package. -   - The sequencer will automatically generate new GUID files for the new package. The version number associated with the package will also be automatically appended to the OSD file name. -4. After you save the new version you can apply the required configuration changes and save the associated ICO, OSD, SFT, and SPRJ files to correct location on the Application Virtualization (App-V) server. +~~~ +The sequencer will automatically generate new GUID files for the new package. The version number associated with the package will also be automatically appended to the OSD file name. +~~~ + +4. After you save the new version you can apply the required configuration changes and save the associated ICO, OSD, SFT, and SPRJ files to correct location on the Application Virtualization (App-V) server. ## Related topics [Tasks for the Application Virtualization Sequencer](tasks-for-the-application-virtualization-sequencer.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-change-package-properties.md b/mdop/appv-v4/how-to-change-package-properties.md index 8ef8be5842..abe69abeb3 100644 --- a/mdop/appv-v4/how-to-change-package-properties.md +++ b/mdop/appv-v4/how-to-change-package-properties.md 
@@ -24,7 +24,7 @@ If this is the first time the package has been created, you can also change the **Note**   When selecting a block size, consider the size of the SFT file and your network bandwidth. A file with a smaller block size takes longer to stream over the network, but it is less bandwidth intensive. Files with larger block sizes might stream faster, but they use more network bandwidth. Through experimentation, you can discover the optimum block size for streaming applications on your network. -  + The remainder of the package properties on the **Properties** tab is automatically generated and cannot be modified on this tab. @@ -53,9 +53,9 @@ The remainder of the package properties on the **Properties** tab is automatical [Sequencer Console](sequencer-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md b/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md index 7ec090fda8..8346a0eb10 100644 --- a/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md +++ b/mdop/appv-v4/how-to-change-the-cache-size-and-the-drive-letter-designation.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 You can change the cache size and drive letter designation directly from the **Application Virtualization** node in the Application Virtualization Client Management Console. -**Note**   +**Note** After the cache size has been set, it cannot be made smaller. -  + **To change the cache size** 
@@ -30,20 +30,22 @@ After the cache size has been set, it cannot be made smaller. 2. Select the **File System** tab on the **Properties** dialog box. In the **Client Cache Configuration Settings** section, click one of the following radio buttons to choose how to manage the cache space: - **Important**   + **Important** If you select the **Use free disk space threshold** setting, the value you enter will set the cache size to the total disk size minus the free disk space threshold number you entered. If you then want revert to using the **Use maximum cache size** setting, you must specify a larger number than the existing cache size. Otherwise, the error “New size must be larger than the existing cache size” will appear. -   - - **Use maximum cache size** - Enter a numeric value from 100 to 1,048,576 (1 TB) in the **Maximum size (MB)** field to specify the maximum size of the cache. The value shown in **Reserved Cache Size** indicates the amount of cache in use. +~~~ +- **Use maximum cache size** - - **Use free disk space threshold** + Enter a numeric value from 100 to 1,048,576 (1 TB) in the **Maximum size (MB)** field to specify the maximum size of the cache. The value shown in **Reserved Cache Size** indicates the amount of cache in use. - Enter a numeric value to specify the amount of free disk space, in MB, that the cache must leave available on the disk. This allows the cache to grow until the amount of free disk space reaches this limit. The value shown in **Free disk space remaining** indicates how much disk space is unused. +- **Use free disk space threshold** -3. Click **OK** or **Apply** to change the setting. + Enter a numeric value to specify the amount of free disk space, in MB, that the cache must leave available on the disk. This allows the cache to grow until the amount of free disk space reaches this limit. The value shown in **Free disk space remaining** indicates how much disk space is unused. +~~~ + +3. 
Click **OK** or **Apply** to change the setting. **To change the drive letter designation** @@ -58,9 +60,9 @@ After the cache size has been set, it cannot be made smaller. [How to Configure the Client in the Application Virtualization Client Management Console](how-to-configure-the-client-in-the-application-virtualization-client-management-console.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md b/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md index c027a3323c..c981b9ffd1 100644 --- a/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md +++ b/mdop/appv-v4/how-to-change-the-log-reporting-levels-and-reset-the-log-files.md @@ -28,14 +28,14 @@ You can use the following procedure to change the log reporting level from the * **Note**   If you choose **Verbose** as the logging level, the log files will grow large very quickly. This might inhibit client performance, so best practice is to use this log level only for diagnosing specific problems. -   + 3. On the **General** tab in the **Properties** dialog box, from the **System Log Level** drop-down list, select the desired log level. **Note**   The **System Log Level** setting controls the level of messages sent to the system event log. The logged messages are identical to the messages that get logged to the client event log, but they are stored in a different location. -   + 4. Click **OK** or **Apply** to change the setting. @@ -54,9 +54,9 @@ You can use the following procedure to change the log reporting level from the * [User Access Permissions in Application Virtualization Client](user-access-permissions-in-application-virtualization-client.md) -  + -  + diff --git a/mdop/appv-v4/how-to-change-the-server-cache-size.md b/mdop/appv-v4/how-to-change-the-server-cache-size.md index 5d7f06ba81..198ee9a625 100644 --- a/mdop/appv-v4/how-to-change-the-server-cache-size.md 
+++ b/mdop/appv-v4/how-to-change-the-server-cache-size.md @@ -22,7 +22,7 @@ You can use the following procedure to change the cache size for any server dire **Note**   Although you can change the cache size, unless your configuration specifically requires you to change the size, it is recommended that you leave the cache size set to the default values. -  + **To change the server cache size** @@ -47,9 +47,9 @@ Although you can change the cache size, unless your configuration specifically r [How to Manage Servers in the Server Management Console](how-to-manage-servers-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md b/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md index aa8e62062a..8bfcb4dcb4 100644 --- a/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md +++ b/mdop/appv-v4/how-to-change-the-server-logging-level-and-the-database-parameters.md @@ -36,7 +36,7 @@ The following logging levels are available: **Note**   Because of the size of the log file produced when you use **Verbose** mode, the recommendation is that you do not run production servers with this level of logging set. -  + The database logging parameters determine the database driver type, access credentials, and location of the logging database. @@ -103,7 +103,7 @@ The database logging parameters determine the database driver type, access crede -   + **To change database log parameters** @@ -132,9 +132,9 @@ The database logging parameters determine the database driver type, access crede [How to Customize an Application Virtualization System in the Server Management Console](how-to-customize-an-application-virtualization-system-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-change-the-server-port.md b/mdop/appv-v4/how-to-change-the-server-port.md index 996b9ddaef..3a807f2d68 100644 
--- a/mdop/appv-v4/how-to-change-the-server-port.md +++ b/mdop/appv-v4/how-to-change-the-server-port.md @@ -34,7 +34,7 @@ From the Application Virtualization Server Management Console, you can use the f **Note**   The port number can be any value between 1 and 65,535. The default values are 554 for RTSP and 322 for RTSPS. -   + 6. Click **OK** to change the port number. @@ -49,9 +49,9 @@ From the Application Virtualization Server Management Console, you can use the f [How to Manage Servers in the Server Management Console](how-to-manage-servers-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-change-user-access-permissions.md b/mdop/appv-v4/how-to-change-user-access-permissions.md index 0813ad7dac..ef7947df2b 100644 --- a/mdop/appv-v4/how-to-change-user-access-permissions.md +++ b/mdop/appv-v4/how-to-change-user-access-permissions.md @@ -22,7 +22,7 @@ Use the following procedure to change user access permissions in the Application **Note**   Before changing users access permissions, ensure that any permissions changes are consistent with the organization's guidelines for granting user access. -  + **To change user access permissions** @@ -39,9 +39,9 @@ Before changing users access permissions, ensure that any permissions changes ar [User Access Permissions in Application Virtualization Client](user-access-permissions-in-application-virtualization-client.md) -  + -  + diff --git a/mdop/appv-v4/how-to-clear-an-application.md b/mdop/appv-v4/how-to-clear-an-application.md index 68f018ccf9..c738ca904d 100644 --- a/mdop/appv-v4/how-to-clear-an-application.md +++ b/mdop/appv-v4/how-to-clear-an-application.md 
@@ -22,7 +22,7 @@ You can clear an application from the console directly from the **Results** pane **Note**   When you clear an application from the console, you can no longer use that application. However, the application remains in cache and is still available to other users on the same system. After a publishing refresh, the cleared applications will again become available to you. If there are multiple applications in a package, the user's settings are not removed until all of the applications are cleared. -  + **To clear an application from the console** @@ -30,9 +30,9 @@ When you clear an application from the console, you can no longer use that appli 2. At the confirmation prompt, click **Yes** to remove the application or click **No** to cancel the operation. -  + -  + diff --git a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md index 3ab7c3694b..801b2d13bc 100644 --- a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md +++ b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md 
@@ -20,14 +20,14 @@ ms.date: 08/30/2016 **Important**   You must be running App-V 4.6, SP1 to use this procedure. -  + You can deploy the App-V client by using a shared cache that is populated with all the applications required for all users. Then you configure the App-V Remote Desktop Services (RDS) Clients to use the same cache file. Users are granted access to specific applications by using the App-V publishing process. Because the cache is already preloaded with all applications, no streaming occurs when a user starts an application. However, the packages used to prepopulate the cache must be put on an App-V server that supports Real Time Streaming Protocol (RTSP) streaming and that grants access permissions to the App-V Clients. If you publish the applications by using an App-V Management Server, you can use it to provide this streaming function. **Note**   The details outlined in these procedures are intended as examples only. You might use different methods to complete the overall process. -  + ## Deploying the App-V Client in an RDS Scenario 
@@ -47,77 +47,77 @@ These tasks require careful planning. We recommend that you prepare and document **Note**   Although you can publish the applications by using several different methods, the following procedures are based on your using an App-V Management Server for publishing. -  + **To configure the read-only cache for initial deployment** -1. Set up and configure an App-V Management Server to provide user authentication and publishing support. +1. Set up and configure an App-V Management Server to provide user authentication and publishing support. -2. Populate the Content folder of this Management Server with all the application packages required for all users. +2. Populate the Content folder of this Management Server with all the application packages required for all users. -3. Set up a staging computer that has the App-V Client installed. Log on to the staging computer by using an account that has access to all applications so that the complete set of applications are published to the computer, and then stream the applications to cache so that they are fully loaded. +3. Set up a staging computer that has the App-V Client installed. Log on to the staging computer by using an account that has access to all applications so that the complete set of applications are published to the computer, and then stream the applications to cache so that they are fully loaded. - **Important**   - The staging computer must use the same operating system type and system architecture as those used by the VMs on which the App-V Client will run. + **Important** + The staging computer must use the same operating system type and system architecture as those used by the VMs on which the App-V Client will run. -   + -4. Restart the staging computer in safe mode to make sure that the drivers are not started, because this would lock the cache file. +4. Restart the staging computer in safe mode to make sure that the drivers are not started, because this would lock the cache file. 
- **Note**   - Or, you can stop and disable the Application Virtualization service, and then restart the computer. After the file is copied, remember to enable and start the service again. + **Note** + Or, you can stop and disable the Application Virtualization service, and then restart the computer. After the file is copied, remember to enable and start the service again. -   + -5. Copy the Sftfs.fsd cache file to a SAN where all the RDS servers can access it, such as in a shared folder. Set the folder access permissions to Read-only for the group Everyone and to Full Control for administrators who will manage the cache file updates. The location of the cache file can be obtained from the registry AppFS\\FileName. +5. Copy the Sftfs.fsd cache file to a SAN where all the RDS servers can access it, such as in a shared folder. Set the folder access permissions to Read-only for the group Everyone and to Full Control for administrators who will manage the cache file updates. The location of the cache file can be obtained from the registry AppFS\\FileName. - **Important**   - You must put the FSD file in a location that has the responsiveness and reliability equal to locally attached storage performance, for example, a SAN. + **Important** + You must put the FSD file in a location that has the responsiveness and reliability equal to locally attached storage performance, for example, a SAN. -   + -6. Install the App-V RDS Client on each RDS server, and then configure it to use the read-only cache by adding the following registry key values to the AppFS key on the client. The AppFS key is located at HKEY\_LOCAL\_MACHINE\\SOFTWARE\\\]Microsoft\\SoftGrid\\4.5\\Client\\AppFS for 32-bit computers and at HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid\\4.5\\Client\\AppFS for 64-bit computers. +6. 
Install the App-V RDS Client on each RDS server, and then configure it to use the read-only cache by adding the following registry key values to the AppFS key on the client. The AppFS key is located at HKEY\_LOCAL\_MACHINE\\SOFTWARE\\\]Microsoft\\SoftGrid\\4.5\\Client\\AppFS for 32-bit computers and at HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid\\4.5\\Client\\AppFS for 64-bit computers. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    KeyTypeValuePurpose

    FileName

    String

    path of FSD

    Specifies the path of the shared cache file, for example, \\RDSServername\Sharefolder\SFTFS.FSD (Required).

    ReadOnlyFSD

    DWORD

    1

    Configures the client to operate in Read-Only mode. This ensures that the client will not try to stream updates to the package cache. (Required)

    ErrorLogLocation

    String

    path of error log (.etl) file

    Entry used to specify the path of the error log. (Recommended. Use a local path such as C:\Logs\Sftfs.etl).

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    KeyTypeValuePurpose

    FileName

    String

    path of FSD

    Specifies the path of the shared cache file, for example, \RDSServername\Sharefolder\SFTFS.FSD (Required).

    ReadOnlyFSD

    DWORD

    1

    Configures the client to operate in Read-Only mode. This ensures that the client will not try to stream updates to the package cache. (Required)

    ErrorLogLocation

    String

    path of error log (.etl) file

    Entry used to specify the path of the error log. (Recommended. Use a local path such as C:\Logs\Sftfs.etl).

    -   + -7. Configure each RDS server in the farm to use the publishing server and to use publishing update when users log on. As users log on to the RDS servers, a publishing update cycle occurs and publishes all the applications for which their account is authorized. These applications are run from the shared cache. +7. Configure each RDS server in the farm to use the publishing server and to use publishing update when users log on. As users log on to the RDS servers, a publishing update cycle occurs and publishes all the applications for which their account is authorized. These applications are run from the shared cache. **To configure the RDS client for package upgrade** @@ -130,7 +130,7 @@ Although you can publish the applications by using several different methods, th **Note**   Or, you can first stop and then disable the Application Virtualization service in the Services.msc, and restart the computer. After the file has been copied, remember to enable and start the service again. -   + 4. Copy the Sftfs.fsd cache file to a SAN where all the RDS servers can access it, such as in a shared folder. You can use a different file name, for example, SFTFS\_V2.FSD, to distinguish the new version. @@ -139,7 +139,7 @@ Although you can publish the applications by using several different methods, th **Important**   You must restart the RDS servers in order to use the updated shared cache file. -   + ## How to Use Symbolic Links when Upgrading the Cache 
@@ -161,7 +161,7 @@ Instead of changing the AppFS key FILENAME value every time that a new cache fil **Note**   On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**. -   + 4. When you configure the App-V RDS Client, set the AppFS key FILENAME value equal to the UNC path of the FSD file that is using the symbolic link. For example, set the file name to \\\\VDIHostserver\\Symlinkname. When the App-V client first accesses the cache, the symbolic link passes to the client a handle to the cache file. The client continues to use that handle as long as the client is running. The value of the symbolic link can safely be updated even if existing clients have the old shared cache open. @@ -176,9 +176,9 @@ Instead of changing the AppFS key FILENAME value every time that a new cache fil [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md) -  + -  + diff --git a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md index 169b09a6b0..2ee211e811 100644 --- a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md +++ b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md @@ -22,7 +22,7 @@ In Microsoft Application Virtualization (App-V) 4.6 the Client supports using a **Note**   The details outlined in these procedures are intended as examples only. You might use different methods to complete the overall process. -  + ## Deploying the App-V Client in a VDI Scenario 
@@ -44,77 +44,77 @@ These tasks require careful planning. We recommend that you prepare and document **Note**   Although you can publish the applications by using several different methods, the following procedures are based on the use of an App-V Management Server for publishing. -  + **To configure the read-only cache for initial deployment in a Pooled VM VDI or Static VM VDI scenario** -1. Set up and configure an App-V Management Server in a VM on the VDI server to provide user authentication and publishing support. +1. Set up and configure an App-V Management Server in a VM on the VDI server to provide user authentication and publishing support. -2. Populate the Content folder of this Management Server with all the application packages required for all users. +2. Populate the Content folder of this Management Server with all the application packages required for all users. -3. Set up a staging computer that has the App-V Client installed. Log on to the staging computer with an account that has access to all applications so that the complete set of applications are published to the computer, and then stream the applications to cache so that they are fully loaded. +3. Set up a staging computer that has the App-V Client installed. Log on to the staging computer with an account that has access to all applications so that the complete set of applications are published to the computer, and then stream the applications to cache so that they are fully loaded. - **Important**   - The staging computer must use the same operating system type and system architecture as those used by the VMs on which the App-V Client will run. + **Important** + The staging computer must use the same operating system type and system architecture as those used by the VMs on which the App-V Client will run. -   + -4. Restart the staging computer in Safe Mode to ensure the drivers are not started, which would lock the cache file. +4. 
Restart the staging computer in Safe Mode to ensure the drivers are not started, which would lock the cache file. - **Note**   - Alternatively, you can stop and disable the Application Virtualization service, and then restart the computer. After the file has been copied, remember to enable and start the service again. + **Note** + Alternatively, you can stop and disable the Application Virtualization service, and then restart the computer. After the file has been copied, remember to enable and start the service again. -   + -5. Copy the Sftfs.fsd cache file to the VDI server’s SAN where all the VMs can access it, such as in a shared folder. Set the folder access permissions to Read-only for the group Everyone and to Full Control for administrators who will manage the cache file updates. The location of the cache file can be obtained from the registry AppFS\\FileName. +5. Copy the Sftfs.fsd cache file to the VDI server’s SAN where all the VMs can access it, such as in a shared folder. Set the folder access permissions to Read-only for the group Everyone and to Full Control for administrators who will manage the cache file updates. The location of the cache file can be obtained from the registry AppFS\\FileName. - **Important**   - You must put the FSD file in a location that has the responsiveness and reliability equivalent to locally attached storage performance, for example, a SAN. + **Important** + You must put the FSD file in a location that has the responsiveness and reliability equivalent to locally attached storage performance, for example, a SAN. -   + -6. Install the App-V Desktop Client on the VDI Master VM Image, and then configure it to use the read-only cache by adding the following registry key values to the AppFS key on the client. The AppFS key is located at HKEY\_LOCAL\_MACHINE\\SOFTWARE\\\[Wow6432Node\\\]Microsoft\\SoftGrid\\4.5\\Client\\AppFS. +6. 
Install the App-V Desktop Client on the VDI Master VM Image, and then configure it to use the read-only cache by adding the following registry key values to the AppFS key on the client. The AppFS key is located at HKEY\_LOCAL\_MACHINE\\SOFTWARE\\\[Wow6432Node\\\]Microsoft\\SoftGrid\\4.5\\Client\\AppFS. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    KeyTypeValuePurpose

    FileName

    String

    path to FSD

    Specifies the path to the shared cache file, for example, \\VDIServername\Sharefolder\SFTFS.FSD (Required).

    ReadOnlyFSD

    DWORD

    1

    Configures the client to operate in Read-Only mode. This ensures that the client will not attempt to stream updates to the package cache. (Required)

    ErrorLogLocation

    String

    path to error log (.etl) file

    Entry used to specify the path to the error log. (Recommended. Use a local path such as C:\Logs\Sftfs.etl).

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    KeyTypeValuePurpose

    FileName

    String

    path to FSD

    Specifies the path to the shared cache file, for example, \VDIServername\Sharefolder\SFTFS.FSD (Required).

    ReadOnlyFSD

    DWORD

    1

    Configures the client to operate in Read-Only mode. This ensures that the client will not attempt to stream updates to the package cache. (Required)

    ErrorLogLocation

    String

    path to error log (.etl) file

    Entry used to specify the path to the error log. (Recommended. Use a local path such as C:\Logs\Sftfs.etl).

    -   + -7. Configure the Master VM Image client to use the publishing server and to use publishing refresh at logon. As users log on to the VDI system and their VM is built from the Master VM Image, a publishing refresh cycle occurs and publishes all the applications for which their account is authorized. These applications are run from the shared cache. +7. Configure the Master VM Image client to use the publishing server and to use publishing refresh at logon. As users log on to the VDI system and their VM is built from the Master VM Image, a publishing refresh cycle occurs and publishes all the applications for which their account is authorized. These applications are run from the shared cache. **To configure the client for package upgrade in a Pooled VM scenario** @@ -127,7 +127,7 @@ Although you can publish the applications by using several different methods, th **Note**   Alternatively, you can stop and disable the Application Virtualization service in the Services.msc, and then restart the computer. After the file has been copied, remember to enable and start the service again. -   + 4. Copy the Sftfs.fsd cache file to the VDI server’s SAN where all the VMs can access it, such as in a shared folder. You can use a different filename, for example, SFTFS\_V2.FSD, to distinguish the new version. @@ -144,7 +144,7 @@ Although you can publish the applications by using several different methods, th **Note**   Alternatively, you can stop and disable the Application Virtualization service in the Services.msc, and then restart the computer. After the file has been copied, remember to enable and start the service again. -   + 4. Copy the Sftfs.fsd cache file to the VDI server’s SAN where all the VMs can access it, such as in a shared folder. You can use a different filename, for example, SFTFS\_V2.FSD, to distinguish the new version. 
@@ -172,7 +172,7 @@ Instead of modifying the AppFS key FILENAME value every time that a new cache fi **Note**   On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**. -   + 4. When you configure the App-V Desktop Client on the VDI Master VM Image, set the AppFS key FILENAME value equal to the UNC path of the FSD file that is using the symbolic link; for example, set it to \\\\VDIHostserver\\Symlinkname. When the App-V client first accesses the cache, the symbolic link passes to the client a handle to the cache file. The client continues to use that handle as long as the client is running. The value of the symbolic link can safely be updated even if existing clients have the old shared cache open. @@ -187,9 +187,9 @@ Instead of modifying the AppFS key FILENAME value every time that a new cache fi [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md) -  + -  + diff --git a/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md b/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md index ec60f8bdde..ec3efe7a1a 100644 --- a/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md +++ b/mdop/appv-v4/how-to-configure-management-server-security-post-installation.md @@ -32,7 +32,7 @@ Use the App-V Management Console to add the certificate and configure the App-V **Note**   If no certificates are displayed in the wizard, a certificate has not been provisioned or the certificate does meet the requirements of App-V. -   + 5. Click **Next** to continue on to the **Welcome To Certificate Wizard** page. @@ -51,9 +51,9 @@ Use the App-V Management Console to add the certificate and configure the App-V [Troubleshooting Certificate Permission Issues](troubleshooting-certificate-permission-issues.md) -  + -  + 
diff --git a/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md b/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md index 54ebda0ffc..978aefac2f 100644 --- a/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md +++ b/mdop/appv-v4/how-to-configure-microsoft-sql-server-mirroring-support-for-app-v.md 
@@ -19,18 +19,18 @@ ms.date: 08/30/2016 You can use the following procedure to configure your Microsoft Application Virtualization (App-V) environment to use Microsoft SQL Server database mirroring. Configuring database mirroring can help with disaster recovery and failover scenarios. App-V 4.5 SP2 supports all modes of database mirroring currently available for Microsoft SQL Server 2005 and SQL Server 2008. -**Note**   +**Note** This procedure is written for administrators who are familiar with setting up and configuring SQL Server databases and database mirroring with Microsoft SQL Server, and therefore covers only the specific configuration settings that are unique to App-V. -  + **To configure your App-V environment to use Microsoft SQL Server database mirroring** 1. Set up SQL Server database mirroring of the App-V database following your standard business practices for database mirroring. Use the following links for general information about implementing Microsoft SQL Server database mirroring: - - **Microsoft SQL 2005**—[Setting Up Database Mirroring](https://go.microsoft.com/fwlink/?LinkId=187478) (https://go.microsoft.com/fwlink/?LinkId=187478) + - **Microsoft SQL 2005**—[Setting Up Database Mirroring](https://go.microsoft.com/fwlink/?LinkId=187478) (https://go.microsoft.com/fwlink/?LinkId=187478) - - **Microsoft SQL 2008**—[Setting Up Database Mirroring](https://go.microsoft.com/fwlink/?LinkId=187477) (https://go.microsoft.com/fwlink/?LinkId=187477) + - **Microsoft SQL 2008**—[Setting Up Database Mirroring](https://go.microsoft.com/fwlink/?LinkId=187477) (https://go.microsoft.com/fwlink/?LinkId=187477) In addition, you can find Best Practices information in [Database Mirroring Best Practices and Performance Considerations](https://go.microsoft.com/fwlink/?LinkId=190270) (https://go.microsoft.com/fwlink/?LinkId=190270). 
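Review bot: Removing the trailing whitespace from `**Note**   ` leaves `**Note**` and `This procedure is written for administrators...` as two consecutive lines of a single paragraph, which Markdown renders inline as one sentence starting with a bold "Note". If the label is meant to stand on its own line, keep two trailing spaces (a hard line break) or add a blank line after it; the same applies to the `**Important**` labels changed in the later hunks of this file.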
@@ -42,10 +42,10 @@ This procedure is written for administrators who are familiar with setting up an 5. Check the registry key **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Softgrid\\4.5\\Server\\SQLServerName** and make sure that it contains only the host name of the SQL Server. If it includes an instance name, for example *serverhostname\\instancename*, the instance name must be removed. - **Important**   + **Important** The App-V Management Server uses the TCP/IP networking library to communicate with the SQL Server when database mirroring is enabled, and therefore instance names cannot be used. The port numbers must be specified in the registry keys instead. -   + 6. Check the registry key **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Softgrid\\4.5\\Server\\SQLServerPort** and make sure that it contains the port number that is used for SQL on the SQL Server computer. If you are using a named instance this key value must be set to the port that is used for the named instance. 
@@ -61,28 +61,30 @@ This procedure is written for administrators who are familiar with setting up an - Click the **All** tab, and then select the entry **Failover Partner**. Click **Edit Value**, and then enter the server name of the failover SQL Server. Click **OK**. - **Important**   + **Important** The App-V system uses Kerberos authentication. Therefore, when you configure SQL mirroring where Kerberos Authentication is enabled on the SQL Server and the SQL Server service runs under a domain user account, you must manually configure an SPN. For more information, see “When SQL Service Uses Domain-Based Account” in the article [Configuring App-V Administration for a Distributed Environment](https://go.microsoft.com/fwlink/?LinkId=203186) (https://go.microsoft.com/fwlink/?LinkId=203186). -   + 10. To verify that database mirroring is running correctly, test the failover and confirm that the App-V Management Server continues to function correctly. - **Important**   + **Important** Proceed with care, and follow your standard business practices to ensure that system operations are not disrupted in the event of a failure. -   - After the failover has occurred successfully, as verified by using the SQL Server status monitoring information, right-click the **Applications** node in the App-V Management Console, and then select **Refresh**. The list of applications should display normally if the system is working correctly. + +~~~ +After the failover has occurred successfully, as verified by using the SQL Server status monitoring information, right-click the **Applications** node in the App-V Management Console, and then select **Refresh**. The list of applications should display normally if the system is working correctly. +~~~ ## Related topics [How to Perform Administrative Tasks in the Application Virtualization Server Management Console](how-to-perform-administrative-tasks-in-the-application-virtualization-server-management-console.md) -  - -  + + + 
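Review bot: Wrapping the "After the failover has occurred successfully..." paragraph in `~~~` fences turns prose into a code block: the text will render in a monospace box with the literal asterisks of `**Applications**` and `**Refresh**` shown, and because the fence is also de-indented the paragraph is no longer the continuation of step 10. Replace the two `~~~` lines with the original four-space indentation so the paragraph stays attached to step 10 and renders as text.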
diff --git a/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md b/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md index a21b2e2aa8..7f8b6db82f 100644 --- a/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md +++ b/mdop/appv-v4/how-to-configure-shortcut-and-file-type-association-behavior-46-only.md @@ -63,16 +63,16 @@ There are four policy values defined in the following table and these apply to b -  + **Note**   The text values refer to the values for the XML attributes in the publishing XML file.  You can set these values manually if you have implemented a custom HTTP publishing solution. -  + -  + -  + diff --git a/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md b/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md index 883535f565..150d93d6c9 100644 --- a/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md +++ b/mdop/appv-v4/how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md @@ -30,7 +30,7 @@ There is also an ADM template that you can use. For more information about the A **Caution**   Use care when you edit the registry because errors can leave the computer in an unusable state. Be sure to follow your standard business practices that relate to registry edits. Thoroughly test all proposed changes in a test environment before you deploy them to production computers. -  + ## In This Section 
@@ -38,7 +38,7 @@ Use care when you edit the registry because errors can leave the computer in an **Important**   On a 64-bit computer, the keys and values described in the following sections will be under HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid\\4.5\\Client. -  + [How to Reset the FileSystem Cache](how-to-reset-the-filesystem-cache.md) Provides the information that is required to reset the FileSystem cache. @@ -69,9 +69,9 @@ Describes the registry key values that control shortcuts and file type associati [Application Virtualization Client](application-virtualization-client.md) -  + -  + diff --git a/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md b/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md index b989effea1..bd27ed1708 100644 --- a/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md +++ b/mdop/appv-v4/how-to-configure-the-application-virtualization-management-servers.md @@ -22,7 +22,7 @@ Before virtualized applications can be streamed to the Application Virtualizatio **Important**   Application Virtualization Servers stream SFT files to the Desktop Client and the Client for Remote Desktop Services using only RTSP or RTSPS protocols. The ICO (icon) file and the OSD (open software descriptor) file can be configured to stream from a different file or HTTP server. -  + **To configure the Application Virtualization Management Server** @@ -33,7 +33,7 @@ Application Virtualization Servers stream SFT files to the Desktop Client and th **Note**   During the installation procedure, you specify the location of the \\Content directory on the **Content Path** screen. -   + 2. Navigate to the location that you specified for the \\Content directory, and if necessary, create the directory. 
@@ -50,9 +50,9 @@ Application Virtualization Servers stream SFT files to the Desktop Client and th [How to Configure Servers for Server-Based Deployment](how-to-configure-servers-for-server-based-deployment.md) -  + -  + diff --git a/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md b/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md index 06d284e905..9f63f76ebb 100644 --- a/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md +++ b/mdop/appv-v4/how-to-configure-the-application-virtualization-streaming-servers.md @@ -22,7 +22,7 @@ Before virtual applications can be streamed to the Application Virtualization De **Important**   Application Virtualization Servers stream SFT files to the Desktop Client and the Client for Remote Desktop Services using only RTSP or RTSPS protocols. The ICO (icon) file and the OSD (open software descriptor) file can be configured to stream from a different file or HTTP server. -  + **To configure the Application Virtualization Streaming Servers** @@ -47,9 +47,9 @@ Application Virtualization Servers stream SFT files to the Desktop Client and th [How to Configure the Server for IIS](how-to-configure-the-server-for-iis.md) -  + -  + diff --git a/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md b/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md index 1ad36a95fd..54a3e12931 100644 --- a/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md +++ b/mdop/appv-v4/how-to-configure-the-client-for-application-package-retrieval.md 
@@ -23,12 +23,12 @@ If you want the client to obtain the package content (SFT file) from a local App You can also configure the OSDSourceRoot and IconSourceRoot registry key values if you want to override those settings in the package manifest file or in the paths sent by a publishing server. The OSDSourceRoot specifies a source location for OSD file retrieval for an application package during publication. The IconSourceRoot specifies a source location for icon retrieval for an application package during publication. -**Note**   +**Note** - The IconSourceRoot and OSDSourceRoot settings override the values in the package manifest file, so if you try to deploy a package by using the Windows Installer (.msi) file method, it will also override the values in the package manifest file that is contained within that .msi file. - During both the publishing and HTTP(S) streaming operations,App-V 4.5 SP1 clients use the proxy server settings that are configured in Internet Explorer on the user’s computer. -  + **To configure the ApplicationSourceRoot registry key value** @@ -40,93 +40,95 @@ You can also configure the OSDSourceRoot and IconSourceRoot registry key values The correct format for the URL path is **protocol://servername:\[port\]\[/path\]\[/\]**, where **port** and **path** are optional. If **port** is not specified, the default port for the protocol is used. Only the **protocol://server:port** portion of the OSD URL is replaced. - **Important**   + **Important** Environment variables are not supported in the ApplicationSourceRoot definition. -   - The following table lists examples of acceptable URL and UNC path formats. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ApplicationSourceRootOSD File HREF PathResultComments

    rtsps://mainserver:322

    rtsp://appserver/productivity/office2k3.sft?customer=seq

    rtsps://mainserver:322/productivity/office2k3.sft?customer=seq

    rtsps://mainserver:322/prodapps

    rtsp://appserver/productivity/office2k3.sft?customer=seq

    rtsps://mainserver:322/prodapps/productivity/office2k3.sft?customer=seq

    https://mainserver:443/prodapps

    rtsp://appserver/productivity/office2k3.sft?customer=seq

    https://mainserver:443/prodapps/productivity/office2k3.sft?customer=seq

    rtsps://mainserver:322/prodapps

    rtsp://%SFT_APPVSERVER%:554/productivity/office2k3.sft?customer=seq

    rtsps://mainserver:322/prodapps/productivity/office2k3.sft?customer=seq

    rtsps://mainserver:322

    \\uncserver\share\productivity\office2k3.sft

    rtsps://mainserver:322/productivity/office2k3.sft

    ‘\’ converted to ‘/’

    rtsps://mainserver:322

    file://\\uncserver\share\productivity\office2k3.sft

    rtsps://mainserver:322/productivity/office2k3.sft

    ‘\’ converted to ‘/’

    \\uncserver\share

    rtsp://appserver/productivity/office2k3.sft?customer=seq

    \\uncserver\share\productivity\office2k3.sft

    ‘/’ converted to ‘\’ and parameter dropped when converting to UNC path

    \\uncserver\share\prodapps

    rtsp://appserver/productivity/office2k3.sft?customer=seq

    \\uncserver\share\prodapps\productivity\office2k3.sft

    ‘/’ converted to ‘\’ and parameter dropped when converting to UNC path

    M:

    \\uncserver\share\productivity\office2k3.sft

    M:\productivity\office2k3.sft

    M:\prodapps

    \\uncserver\share\productivity\office2k3.sft

    M:\prodapps\productivity\office2k3.sft

    +~~~ +The following table lists examples of acceptable URL and UNC path formats. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ApplicationSourceRootOSD File HREF PathResultComments

    rtsps://mainserver:322

    rtsp://appserver/productivity/office2k3.sft?customer=seq

    rtsps://mainserver:322/productivity/office2k3.sft?customer=seq

    rtsps://mainserver:322/prodapps

    rtsp://appserver/productivity/office2k3.sft?customer=seq

    rtsps://mainserver:322/prodapps/productivity/office2k3.sft?customer=seq

    https://mainserver:443/prodapps

    rtsp://appserver/productivity/office2k3.sft?customer=seq

    https://mainserver:443/prodapps/productivity/office2k3.sft?customer=seq

    rtsps://mainserver:322/prodapps

    rtsp://%SFT_APPVSERVER%:554/productivity/office2k3.sft?customer=seq

    rtsps://mainserver:322/prodapps/productivity/office2k3.sft?customer=seq

    rtsps://mainserver:322

    \\uncserver\share\productivity\office2k3.sft

    rtsps://mainserver:322/productivity/office2k3.sft

    ‘\’ converted to ‘/’

    rtsps://mainserver:322

    file://\\uncserver\share\productivity\office2k3.sft

    rtsps://mainserver:322/productivity/office2k3.sft

    ‘\’ converted to ‘/’

    \\uncserver\share

    rtsp://appserver/productivity/office2k3.sft?customer=seq

    \\uncserver\share\productivity\office2k3.sft

    ‘/’ converted to ‘\’ and parameter dropped when converting to UNC path

    \\uncserver\share\prodapps

    rtsp://appserver/productivity/office2k3.sft?customer=seq

    \\uncserver\share\prodapps\productivity\office2k3.sft

    ‘/’ converted to ‘\’ and parameter dropped when converting to UNC path

    M:

    \\uncserver\share\productivity\office2k3.sft

    M:\productivity\office2k3.sft

    M:\prodapps

    \\uncserver\share\productivity\office2k3.sft

    M:\prodapps\productivity\office2k3.sft

    +~~~ + -   **To configure the OSDSourceRoot value** @@ -157,9 +159,9 @@ You can also configure the OSDSourceRoot and IconSourceRoot registry key values [How to Configure the App-V Client Registry Settings by Using the Command Line](how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md b/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md index de18e02299..08fb9b8dfb 100644 --- a/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md +++ b/mdop/appv-v4/how-to-configure-the-client-for-disconnected-operation-mode.md @@ -22,7 +22,7 @@ The disconnected operation mode enables the Application Virtualization (App-V) D **Important**   In a large organization where multiple Remote Desktop Session Host (RD°Session Host) servers (formerly Terminal Servers) are linked in a farm to support many users, using a single App-V Management Server to support the farm represents a single point of failure. To provide high availability to support the RD Session Host farm, consider linking two or more App-V Management Servers to use the same database. -  + **To enable disconnected operation mode** @@ -59,9 +59,9 @@ In a large organization where multiple Remote Desktop Session Host (RD°Session [How to Configure the App-V Client Registry Settings by Using the Command Line](how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md) -  + -  + diff --git a/mdop/appv-v4/how-to-configure-the-client-log-file.md b/mdop/appv-v4/how-to-configure-the-client-log-file.md index 51957c7d93..20b326dfa4 100644 --- a/mdop/appv-v4/how-to-configure-the-client-log-file.md +++ b/mdop/appv-v4/how-to-configure-the-client-log-file.md 
@@ -40,7 +40,7 @@ You can use the following procedures to configure the Application Virtualization **Caution**   This registry key value must be set to a value greater than zero to ensure the log file does get reset. -   + **To change the number of backup copies** @@ -93,16 +93,16 @@ You can use the following procedures to configure the Application Virtualization -   + ## Related topics [How to Configure the App-V Client Registry Settings by Using the Command Line](how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md) -  + -  + diff --git a/mdop/appv-v4/how-to-configure-the-file-server.md b/mdop/appv-v4/how-to-configure-the-file-server.md index aeabd48e6a..812c78cb2c 100644 --- a/mdop/appv-v4/how-to-configure-the-file-server.md +++ b/mdop/appv-v4/how-to-configure-the-file-server.md @@ -24,7 +24,7 @@ If you are using an Application Virtualization Management Server as a distributi **Important**   For applications to stream properly to the Application Virtualization Desktop Client and the Client for Remote Desktop Services, the SFT file streams from the content directory on the server where you store the virtual application; the ICO (icon) file and the OSD (open software descriptor) file can be configured to stream from a different server. -  + **To configure the Application Virtualization file server** 
@@ -35,14 +35,14 @@ For applications to stream properly to the Application Virtualization Desktop Cl **Note**   During the installation procedure, you specify the location of the \\Content directory on the **Content Path** screen. -   + 2. Create a \\Content directory, which corresponds to the directory you specified when you installed the server, on each computer that you are using as a file share. **Important**   Configure the Application Virtualization Desktop Clients to stream applications from the computer you are using as a file share rather than from an Application Virtualization Server or IIS server. -   + 3. When the \\Content directory is created, configure this directory as a standard file share. @@ -59,9 +59,9 @@ For applications to stream properly to the Application Virtualization Desktop Cl [How to Configure the Server for IIS](how-to-configure-the-server-for-iis.md) -  + -  + diff --git a/mdop/appv-v4/how-to-configure-the-server-for-iis.md b/mdop/appv-v4/how-to-configure-the-server-for-iis.md index 8b35940084..76119811be 100644 --- a/mdop/appv-v4/how-to-configure-the-server-for-iis.md +++ b/mdop/appv-v4/how-to-configure-the-server-for-iis.md @@ -34,7 +34,7 @@ Before virtual applications can be streamed to the Application Virtualization De **Note**   If you are using IIS to publish the ICO and OSD files, you must configure a MIME type for OSD=TXT; otherwise, IIS will not serve the ICO and OSD files to clients. If you are using IIS to publish packages (SFT files), you must configure a MIME type for SFT=Binary; otherwise, IIS will not serve the SFT files to clients. -  + ## Related topics @@ -49,9 +49,9 @@ If you are using IIS to publish the ICO and OSD files, you must configure a MIME [How to Configure the File Server](how-to-configure-the-file-server.md) -  + -  + 
diff --git a/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md b/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md index d8b24baede..04e4ec6328 100644 --- a/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md +++ b/mdop/appv-v4/how-to-configure-the-server-to-be-trusted-for-delegation.md @@ -22,7 +22,7 @@ When you install the Microsoft Application Virtualization (App-V) Management Ser **Note**   If you install the App-V Management Server software on a single server and place the data store on a separate server, there is one situation in which you must still configure the server to be trusted for delegation even though the Management Web Service and Management Console are on the same server. This situation occurs if you need to connect to the Management Web Service in the console by using the **Use Alternate Credentials** option. -  + The type of delegation that you can use depends on the Domain Functional Level that you have configured in your Active Directory Domain Services (AD DS) infrastructure. The following table lists the types of delegation that can be configured for each Domain Functional Level for App-V. Detailed instructions follow the table. @@ -57,7 +57,7 @@ The type of delegation that you can use depends on the Domain Functional Level t -  + ¹ Not recommended. @@ -126,9 +126,9 @@ If you are running the Management Web Service on an IIS 7 server, you must compl 3. Type **appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication -useAppPoolCredentials:true**, and then press ENTER. -  + -  + diff --git a/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md b/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md index 9979a50563..59c1e3b44c 100644 --- a/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md +++ b/mdop/appv-v4/how-to-configure-windows-server-2003-firewall-for-app-v.md 
@@ -26,14 +26,14 @@ Use the following procedure to configure the Windows Server 2003 firewall for A **Note**   If the server has not been configured to run the firewall service before this step, you will be prompted to start the firewall service. -   + 2. If ICO and OSD files are published through SMB, ensure that **File and Printer Sharing** is enabled on the **Exceptions** tab. **Note**   If ICO and OSD files are published through HTTP/HTTPS on the Management Server, you might need to add an exception for HTTP or HTTPS. If the IIS server hosting the ICO and OSD files is hosted on a computer separate from the Management Server, you need to add the exception to that computer. To maximize performance, it is recommended that you host the ICO and OSD files on a separate server from the Management Server. -   + 3. Add a program exception for `sghwdsptr.exe`, which is the Management Server service executable. The default path to this executable is `%ProgramFiles%\Microsoft System Center App Virt Management Server\App Virt Management Server\bin`. @@ -42,7 +42,7 @@ Use the following procedure to configure the Windows Server 2003 firewall for A The App-V Streaming Server requires a program exception `sglwdsptr.exe` for RTSPS communication. The App-V Streaming Server that uses RTSP for communication also requires a program exception for `sglwsvr.exe`. -   + 4. Ensure that the proper scope is configured for each exception. To reduce risk, remove any computer and strictly limit the IP addresses to which the server will respond. @@ -51,9 +51,9 @@ Use the following procedure to configure the Windows Server 2003 firewall for A [How to Configure Windows Server 2008 Firewall for App-V](how-to-configure-windows-server-2008-firewall-for-app-v.md) -  + -  + diff --git a/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md b/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md index 2da29411bd..7578063d2b 100644 
--- a/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md +++ b/mdop/appv-v4/how-to-configure-windows-server-2008-firewall-for-app-v.md @@ -26,7 +26,7 @@ If the Management Server is configured to use RTSP, repeat this procedure to add The App-V Streaming Server requires the program exception `sglwdsptr.exe` for RTSPS communication. An App-V Streaming Server that uses RTSP for communication also requires a program exception for `sglwsvr.exe`. -  + **To configure Windows Server 2008 firewall for App-V** @@ -49,9 +49,9 @@ The App-V Streaming Server requires the program exception `sglwdsptr.exe` for RT [How to Configure Windows Server 2003 Firewall for App-V](how-to-configure-windows-server-2003-firewall-for-app-v.md) -  + -  + diff --git a/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md b/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md index 63a4b468d3..097bf0d4b7 100644 --- a/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md +++ b/mdop/appv-v4/how-to-connect-to-an-application-virtualization-system.md 
@@ -21,49 +21,49 @@ You must connect the Application Virtualization Server Management Console to an **To connect to an Application Virtualization System** -1. Right-click the Application Virtualization System node in the **Scope** pane, and select **Connect to Application Virtualization System** from the pop-up menu. +1. Right-click the Application Virtualization System node in the **Scope** pane, and select **Connect to Application Virtualization System** from the pop-up menu. - **Note**   - There are three components to Application Virtualization server management: the Application Virtualization Management Console, the Management Web Service, and the SQL Datastore. If these components are distributed across different physical machines, you must configure security properly for the components to communicate across the system. For more information, see the following manuals and articles: + **Note** + There are three components to Application Virtualization server management: the Application Virtualization Management Console, the Management Web Service, and the SQL Datastore. If these components are distributed across different physical machines, you must configure security properly for the components to communicate across the system. 
For more information, see the following manuals and articles: - [How to Configure the Server to be Trusted for Delegation](https://go.microsoft.com/fwlink/?LinkID=166682) (https://go.microsoft.com/fwlink/?LinkID=166682) + [How to Configure the Server to be Trusted for Delegation](https://go.microsoft.com/fwlink/?LinkID=166682) (https://go.microsoft.com/fwlink/?LinkID=166682) - [Planning and Deployment Guide for the Application Virtualization System](https://go.microsoft.com/fwlink/?LinkID=122063) (https://go.microsoft.com/fwlink/?LinkID=122063) + [Planning and Deployment Guide for the Application Virtualization System](https://go.microsoft.com/fwlink/?LinkID=122063) (https://go.microsoft.com/fwlink/?LinkID=122063) - [Operations Guide for the Application Virtualization System](https://go.microsoft.com/fwlink/?LinkID=133129) (https://go.microsoft.com/fwlink/?LinkID=133129) + [Operations Guide for the Application Virtualization System](https://go.microsoft.com/fwlink/?LinkID=133129) (https://go.microsoft.com/fwlink/?LinkID=133129) - [Article 930472](https://go.microsoft.com/fwlink/?LinkId=114647) in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=114647) + [Article 930472](https://go.microsoft.com/fwlink/?LinkId=114647) in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=114647) - [Article 930565](https://go.microsoft.com/fwlink/?LinkId=114648) in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=114648) + [Article 930565](https://go.microsoft.com/fwlink/?LinkId=114648) in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=114648) -   + -2. Complete the fields in the **Connect to Application Virtualization System** dialog box: +2. Complete the fields in the **Connect to Application Virtualization System** dialog box: - 1. **Web Service Host Name**—Enter the name of the Application Virtualization System to which you want to connect, or enter **localhost** to connect to the local server. 
+ 1. **Web Service Host Name**—Enter the name of the Application Virtualization System to which you want to connect, or enter **localhost** to connect to the local server. - 2. **Use Secure Connection**—Select this check box if you want to connect to the server with a secure connection. + 2. **Use Secure Connection**—Select this check box if you want to connect to the server with a secure connection. - 3. **Port**—Enter the port number you want to use for the connection. **80** is the default regular port number, and **443** is the secure-port number. + 3. **Port**—Enter the port number you want to use for the connection. **80** is the default regular port number, and **443** is the secure-port number. - 4. **Use Current Windows Account**—Select this radio button to use the current Windows account credentials. + 4. **Use Current Windows Account**—Select this radio button to use the current Windows account credentials. - 5. **Specify Windows Account**—Select this radio button when you want to connect to the server as a different user. + 5. **Specify Windows Account**—Select this radio button when you want to connect to the server as a different user. - 6. **Name**—Enter the name of the new user by using either the *DOMAIN\\username* or the *username@domain* format. + 6. **Name**—Enter the name of the new user by using either the *DOMAIN\\username* or the username@domain format. - 7. **Password**—Enter the password that corresponds to the new user. + 7. **Password**—Enter the password that corresponds to the new user. -3. Click **OK**. +3. Click **OK**. ## Related topics [How to Perform Administrative Tasks in the Application Virtualization Server Management Console](how-to-perform-administrative-tasks-in-the-application-virtualization-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-create-a-reportserver.md b/mdop/appv-v4/how-to-create-a-reportserver.md index 9149a22464..134036f18f 100644 --- a/mdop/appv-v4/how-to-create-a-reportserver.md 
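Review bot: In the how-to-connect-to-an-application-virtualization-system.md hunk, step 6 of the **Specify Windows Account** sub-list loses the emphasis on one of the two name formats: `*DOMAIN\\username*` stays italic while `username@domain` becomes plain text, so the two alternatives now render inconsistently. Keep both in the same style, either `*DOMAIN\\username* or the *username@domain* format` as before, or both as inline code, which also keeps the backslash and the `@` from being interpreted by the renderer.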
+++ b/mdop/appv-v4/how-to-create-a-reportserver.md @@ -20,9 +20,9 @@ ms.date: 06/16/2016 The process for creating a report from the Application Virtualization Server Management Console is the same regardless of the report type. When you select a report type, the window displays a brief description of the selected report. **Note**   -  When you create a report, you specify the parameters that are used for collecting the data when the report is run. Until you run a report, no data is collected. + When you create a report, you specify the parameters that are used for collecting the data when the report is run. Until you run a report, no data is collected. -  + **To create a report** @@ -51,9 +51,9 @@ The process for creating a report from the Application Virtualization Server Man [How to Run a Report](how-to-run-a-reportserver.md) -  + -  + diff --git a/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md b/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md index 630562e2a4..55143333bd 100644 --- a/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-create-an-app-v-project-template--app-v-46-sp1-.md @@ -22,7 +22,7 @@ You can use an App-V project template to save commonly applied settings associat **Note**   You can only apply an App-V project template when you are creating a new virtual application package. Applying project templates to existing virtual application packages is not supported. -  + For more information about applying an App-V project template, see [How to Apply an App-V Project Template (App-V 4.6 SP1)](how-to-apply-an-app-v-project-template--app-v-46-sp1-.md). @@ -55,9 +55,9 @@ The following general settings are saved with an App-V project template: [How to Apply an App-V Project Template (App-V 4.6 SP1)](how-to-apply-an-app-v-project-template--app-v-46-sp1-.md) -  + -  + 
diff --git a/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md b/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md index 30a098576a..522662b28d 100644 --- a/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-create-app-v-package-accelerators--app-v-46-sp1-.md @@ -21,19 +21,19 @@ You can use App-V Package Accelerators to automatically generate a new virtual a In some situations, to create the Package Accelerator, you might have to install the application locally on the computer running the Sequencer. First try to create the Package Accelerator by using the installation media, and if there are a number of missing files that are required, install the application locally to the computer running the Sequencer, and then create the Package Accelerator. -**Important**   +**Important** Before you begin the following procedure, you should do the following: - Copy the virtual application package that you must use to create the Package Accelerator locally to the computer running the Sequencer. - Copy all required installation files associated with the virtual application package to the computer running the Sequencer. -  -**Important**   + +**Important** Disclaimer: The Microsoft Application Virtualization Sequencer does not give you any license rights to the software application you are using to create a Package Accelerator. You must abide by all end user license terms for such application. It is your responsibility to make sure the software application’s license terms allow you to create a Package Accelerator using Application Virtualization Sequencer. -  + **To create an App-V Package Accelerator** 
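Review bot: In the `@@ -21,19 +21,19 @@` hunk of how-to-create-app-v-package-accelerators--app-v-46-sp1-.md, the trailing characters after both `**Important**` labels are stripped; if those were the two-space hard line break that kept the label on its own line, `**Important**` will now run together with `Before you begin the following procedure:` and with `Disclaimer: ...` as a single paragraph line. Check the rendered page; if the label should stay on its own line, end it with two regular spaces or follow it with a blank line instead of relying on the removed whitespace.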
@@ -43,45 +43,49 @@ Disclaimer: The Microsoft Application Virtualization Sequencer does not give you 3. On the **Select Package** page, to specify an existing virtual application package to use to create the Package Accelerator, click **Browse**, and locate the existing virtual application package (.sprj file). - **Tip**   + **Tip** Copy the files associated with the virtual application package you plan to use locally to the computer running the Sequencer. -   - Click **Next**. -4. On the **Installation Files** page, to specify the folder that contains the installation files that you used to create the original virtual application package, click **Browse**, and then select the directory that contains the installation files. +~~~ +Click **Next**. +~~~ - **Tip**   - Copy the folder that contains the required installation files to the computer running the Sequencer. +4. On the **Installation Files** page, to specify the folder that contains the installation files that you used to create the original virtual application package, click **Browse**, and then select the directory that contains the installation files. -   + **Tip** + Copy the folder that contains the required installation files to the computer running the Sequencer. - If the application is already installed on the computer running the Sequencer, to specify the installation file, select **Files installed on local system**. To use this option, the application must already be installed in the default installation location. -5. On the **Gathering Information** page, review the files that were not found in the location specified on the **Installation Files** page of this wizard. If the files displayed are not required, select **Remove these files**, and then click **Next**. If the files are required, click **Previous** and copy the required files to the directory specified on the **Installation Files** page. 
- **Note**   - You must either remove the unrequired files, or click **Previous** and locate the required files to advance to the next page of this wizard. +~~~ +If the application is already installed on the computer running the Sequencer, to specify the installation file, select **Files installed on local system**. To use this option, the application must already be installed in the default installation location. +~~~ -   +5. On the **Gathering Information** page, review the files that were not found in the location specified on the **Installation Files** page of this wizard. If the files displayed are not required, select **Remove these files**, and then click **Next**. If the files are required, click **Previous** and copy the required files to the directory specified on the **Installation Files** page. -6. On the **Select Files** page, carefully review the files that were detected, and clear any file that should be removed from the Package Accelerator. Select only files that are required for the application to run successfully, and then click **Next**. + **Note** + You must either remove the unrequired files, or click **Previous** and locate the required files to advance to the next page of this wizard. -7. On the **Verify Applications** page, confirm that all installation files that are required to build the package are displayed. When the Package Accelerator is used to create a new package, all installation files displayed in the **Applications** pane are required to create the package. - If necessary, to add additional Installer files, click **Add**. To remove unnecessary installation files, select the Installer file, and then click **Delete**. To edit the properties associated with an installer, click **Edit**. The installation files specified in this step will be required when the Package Accelerator is used to create a new virtual application package. After you have confirmed the information displayed, click **Next**. -8. 
On the **Select Guidance** page, to specify a file that contains information about how the Package Accelerator, click **Browse**. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. You should provide all required information for the Package Accelerator to be successfully applied. The file you select must be in rich text (.rtf) or text file (.txt) format. Click **Next**. +6. On the **Select Files** page, carefully review the files that were detected, and clear any file that should be removed from the Package Accelerator. Select only files that are required for the application to run successfully, and then click **Next**. -9. On the **Create Package Accelerator** page, to specify where to save the Package Accelerator, click **Browse** and select the directory. +7. On the **Verify Applications** page, confirm that all installation files that are required to build the package are displayed. When the Package Accelerator is used to create a new package, all installation files displayed in the **Applications** pane are required to create the package. + + If necessary, to add additional Installer files, click **Add**. To remove unnecessary installation files, select the Installer file, and then click **Delete**. To edit the properties associated with an installer, click **Edit**. The installation files specified in this step will be required when the Package Accelerator is used to create a new virtual application package. After you have confirmed the information displayed, click **Next**. + +8. On the **Select Guidance** page, to specify a file that contains information about how the Package Accelerator, click **Browse**. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. 
You should provide all required information for the Package Accelerator to be successfully applied. The file you select must be in rich text (.rtf) or text file (.txt) format. Click **Next**. + +9. On the **Create Package Accelerator** page, to specify where to save the Package Accelerator, click **Browse** and select the directory. 10. On the **Completion** page, to close the **Create Package Accelerator** wizard, click **Close**. - **Important**   - To help ensure that the Package Accelerator is as secure as possible, and so that the publisher can be verified when the Package Accelerator is applied, you should always digitally sign the Package Accelerator. + **Important** + To help ensure that the Package Accelerator is as secure as possible, and so that the publisher can be verified when the Package Accelerator is applied, you should always digitally sign the Package Accelerator. + -   ## Related topics @@ -89,9 +93,9 @@ Disclaimer: The Microsoft Application Virtualization Sequencer does not give you Configuring the Application Virtualization Sequencer (App-V 4.6 SP1) [How to Apply a Package Accelerator to Create a Virtual Application Package (App-V 4.6 SP1)](how-to-apply-a-package-accelerator-to-create-a-virtual-application-package---app-v-46-sp1-.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-create-the-package-root-directory.md b/mdop/appv-v4/how-to-create-the-package-root-directory.md index be6427c1e2..01ba72181f 100644 --- a/mdop/appv-v4/how-to-create-the-package-root-directory.md +++ b/mdop/appv-v4/how-to-create-the-package-root-directory.md 
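Review bot: In the `@@ -43,45 +43,49 @@` hunk of how-to-create-app-v-package-accelerators--app-v-46-sp1-.md, the `~~~` fences added around `Click **Next**.` and around `If the application is already installed on the computer running the Sequencer, ...` turn prose into fenced code blocks: the text will render in monospace with the `**Next**` asterisks shown literally, and because the fences sit at column 0 they terminate the numbered list, so steps 4 and 5 begin new lists rather than continuing from 3. Indent those lines three spaces under their list item as plain paragraphs (the way the `**Tip**` paragraphs are indented) and drop the fences. While this list is being touched, the step 8 sentence `to specify a file that contains information about how the Package Accelerator, click **Browse**` is carried over unchanged but is missing its verb and reads as incomplete.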
@@ -30,16 +30,16 @@ After you have created the package root directory, you can begin sequencing appl **Important**   The name you assign to virtual application files that will be saved in the package root directory should use the 8.3 naming format. The file names should be no longer than 8 characters with a three-character file name extension. -   + ## Related topics [Tasks for the Application Virtualization Sequencer](tasks-for-the-application-virtualization-sequencer.md) -  + -  + diff --git a/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md b/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md index 47c3340f0e..6b2e6bc05c 100644 --- a/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md +++ b/mdop/appv-v4/how-to-create-the-sequencer-package-root-directory.md @@ -30,7 +30,7 @@ After you have created the package root directory, you can begin sequencing appl **Important**   The name you assign to virtual application files that will be saved in the package root directory should use the 8.3 naming format. The file names should be no longer than 8 characters with a three-character file name extension. -   + ## Related topics @@ -41,9 +41,9 @@ After you have created the package root directory, you can begin sequencing appl [How to Modify the Scratch Directory Location](how-to-modify-the-scratch-directory-location.md) -  + -  + diff --git a/mdop/appv-v4/how-to-delete-a-package-version.md b/mdop/appv-v4/how-to-delete-a-package-version.md index df9a0517c4..62137f64ca 100644 --- a/mdop/appv-v4/how-to-delete-a-package-version.md +++ b/mdop/appv-v4/how-to-delete-a-package-version.md 
@@ -22,7 +22,7 @@ From the Application Virtualization Server Management Console, for a package tha **Note**   When you choose to delete a version, a confirmation box reminds you that client computers might still be using it. You should advise users to exit and unload any applications before you remove a version that is in use. -  + **To delete a package version** @@ -37,7 +37,7 @@ When you choose to delete a version, a confirmation box reminds you that client **Note**   If you have users in disconnected operation, their applications will be replaced with the new versions the next time they connect to the servers. After you are sure all users have updated applications, you can delete old versions. -   + ## Related topics @@ -46,9 +46,9 @@ When you choose to delete a version, a confirmation box reminds you that client [How to Manage Packages in the Server Management Console](how-to-manage-packages-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-delete-a-packageserver.md b/mdop/appv-v4/how-to-delete-a-packageserver.md index 7ce829a0c2..c63d2eaf35 100644 --- a/mdop/appv-v4/how-to-delete-a-packageserver.md +++ b/mdop/appv-v4/how-to-delete-a-packageserver.md @@ -22,7 +22,7 @@ You can use the following procedure to delete a package, including all versions **Important**   When you choose to delete a package, a confirmation box reminds you that this action deletes all its versions. The server will no longer be able to stream the application. -  + **To delete a package** @@ -39,9 +39,9 @@ When you choose to delete a package, a confirmation box reminds you that this ac [How to Manage Packages in the Server Management Console](how-to-manage-packages-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md b/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md index 032fc4c7ec..21e583e5b2 100644 
--- a/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md +++ b/mdop/appv-v4/how-to-delete-all-virtual-applications-by-using-the-command-line.md @@ -22,7 +22,7 @@ You can use the following procedure to delete all virtual applications from a sp **Note**   When all applications are deleted from a package, the Application Virtualization (App-V) Client also deletes the package. -  + **To delete all applications** @@ -33,7 +33,7 @@ When all applications are deleted from a package, the Application Virtualization **Note**   When all applications are deleted from a package, the Application Virtualization (App-V) Client also deletes the package. -   + ## Related topics @@ -42,9 +42,9 @@ When all applications are deleted from a package, the Application Virtualization [How to Remove a Package by Using the Command Line](how-to-remove-a-package-by-using-the-command-line.md) -  + -  + diff --git a/mdop/appv-v4/how-to-delete-an-application-server.md b/mdop/appv-v4/how-to-delete-an-application-server.md index bae5e498a7..247163a1de 100644 --- a/mdop/appv-v4/how-to-delete-an-application-server.md +++ b/mdop/appv-v4/how-to-delete-an-application-server.md @@ -22,7 +22,7 @@ You can delete an application through the Application Virtualization Server Mana **Note**   If this is the only application in a package, deleting it also removes related package data and file associations. -  + **To delete an application** @@ -41,9 +41,9 @@ If this is the only application in a package, deleting it also removes related p [How to Manage Applications in the Server Management Console](how-to-manage-applications-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-delete-an-application.md b/mdop/appv-v4/how-to-delete-an-application.md index bc88fecdd4..4ac8548398 100644 --- a/mdop/appv-v4/how-to-delete-an-application.md +++ b/mdop/appv-v4/how-to-delete-an-application.md 
@@ -24,7 +24,7 @@ When you delete an application, the selected application will no longer be avail After a publishing refresh, the deleted applications will again become available to you. -  + **To delete an application** @@ -32,9 +32,9 @@ After a publishing refresh, the deleted applications will again become available 2. At the confirmation prompt, click **Yes** to remove the application or click **No** to cancel the operation. -  + -  + diff --git a/mdop/appv-v4/how-to-deny-access-to-an-application.md b/mdop/appv-v4/how-to-deny-access-to-an-application.md index 285023e7f9..e1a9045654 100644 --- a/mdop/appv-v4/how-to-deny-access-to-an-application.md +++ b/mdop/appv-v4/how-to-deny-access-to-an-application.md @@ -32,7 +32,7 @@ Users must be in an application's **Access Permissions** list to load and use th **Note**   To control access to applications, you can also limit the application licenses. Setting up the proper user groups in Active Directory Domain Services provides the easiest way to grant and deny access to specific sets of users. -   + ## Related topics @@ -43,9 +43,9 @@ Users must be in an application's **Access Permissions** list to load and use th [How to Manage Applications in the Server Management Console](how-to-manage-applications-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md b/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md index 45c70140f6..140d19db20 100644 --- a/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md @@ -41,31 +41,31 @@ Use the following table to determine which type of application you should sequen

    Standard

    Select this option to create a package that contains an application or a suite of applications. You should select this option for most applications that you plan to sequence.

    -

    [How to Sequence a New Standard Application (App-V 4.6 SP1)](how-to-sequence-a-new-standard-application--app-v-46-sp1-.md)

    +

    How to Sequence a New Standard Application (App-V 4.6 SP1)

    Add-on or Plug-in

    -

    Select this option to create a package that extends the functionality of a standard application, for example, a plug-in for Microsoft Excel. Additionally, you can use plug-ins for natively installed applications, or another package that is linked by using Dynamic Suite Composition. For more information about Dynamic Suite Composition, see [How To Use Dynamic Suite Composition](https://go.microsoft.com/fwlink/?LinkId=203804) (https://go.microsoft.com/fwlink/?LinkId=203804).

    -

    [How to Sequence a New Add-on or Plug-in Application (App-V 4.6 SP1)](how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md)

    +

    Select this option to create a package that extends the functionality of a standard application, for example, a plug-in for Microsoft Excel. Additionally, you can use plug-ins for natively installed applications, or another package that is linked by using Dynamic Suite Composition. For more information about Dynamic Suite Composition, see How To Use Dynamic Suite Composition (https://go.microsoft.com/fwlink/?LinkId=203804).

    +

    How to Sequence a New Add-on or Plug-in Application (App-V 4.6 SP1)

    Middleware

    -

    Select this option to create a package that is required by a standard application, for example, the Microsoft .NET Framework. Middleware packages are used for linking to other packages by using Dynamic Suite Composition. For more information about Dynamic Suite Composition, see [How To Use Dynamic Suite Composition](https://go.microsoft.com/fwlink/?LinkId=203804) (https://go.microsoft.com/fwlink/?LinkId=203804).

    -

    [How to Sequence a New Middleware Application (App-V 4.6 SP1)](how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md)

    +

    Select this option to create a package that is required by a standard application, for example, the Microsoft .NET Framework. Middleware packages are used for linking to other packages by using Dynamic Suite Composition. For more information about Dynamic Suite Composition, see How To Use Dynamic Suite Composition (https://go.microsoft.com/fwlink/?LinkId=203804).

    +

    How to Sequence a New Middleware Application (App-V 4.6 SP1)

    -  + ## Related topics [Tasks for the Application Virtualization Sequencer (App-V 4.6 SP1)](tasks-for-the-application-virtualization-sequencer--app-v-46-sp1-.md) -  + -  + diff --git a/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md b/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md index 9f3c2aab77..6930a3459d 100644 --- a/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md +++ b/mdop/appv-v4/how-to-edit-an-osd-file-using-a-text-editor.md @@ -26,7 +26,7 @@ Use the following procedure to edit an Open Software Descriptor (OSD) file by us **Note**   Before modifying the OSD file, read the schema prescribed by the XSD file in the install directory. Failing to follow this schema might introduce errors that prevent a sequenced application from starting successfully. -   + 2. Edit the OSD file using your XML or ASCII text editor of choice, adhering to the prescribed schema and the following guidelines: @@ -47,9 +47,9 @@ Use the following procedure to edit an Open Software Descriptor (OSD) file by us [OSD File Elements](osd-file-elements.md) -  + -  + diff --git a/mdop/appv-v4/how-to-edit-an-osd-file.md b/mdop/appv-v4/how-to-edit-an-osd-file.md index 79b422fa13..e150953185 100644 --- a/mdop/appv-v4/how-to-edit-an-osd-file.md +++ b/mdop/appv-v4/how-to-edit-an-osd-file.md @@ -20,14 +20,14 @@ ms.date: 06/16/2016 Use the following procedures to modify a sequenced application package's Open Software Descriptor (OSD) file by adding or deleting an element or an attribute. **Note**   -  Some elements do not have an attribute, so it is not possible to add an attribute to every element. + Some elements do not have an attribute, so it is not possible to add an attribute to every element. -  + **Important**   If you use the OSD editor to change the .sft file name, the HREF attribute of the CODEBASE element in the OSD file, you must use the **Save As** command to save the change to the project files. -  + **To add an element** 
@@ -82,9 +82,9 @@ If you use the OSD editor to change the .sft file name, the HREF attribute of th [Sequencer Console](sequencer-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-grant-access-to-an-application.md b/mdop/appv-v4/how-to-grant-access-to-an-application.md index 81398a8f93..697afb607b 100644 --- a/mdop/appv-v4/how-to-grant-access-to-an-application.md +++ b/mdop/appv-v4/how-to-grant-access-to-an-application.md @@ -36,7 +36,7 @@ As the administrator, you can use the Application Virtualization Server Manageme **Note**   You must set up your groups in Active Directory Domain Services before you attempt to grant access to applications. -   + ## Related topics @@ -49,9 +49,9 @@ As the administrator, you can use the Application Virtualization Server Manageme [How to Manually Add an Application](how-to-manually-add-an-application.md) -  + -  + diff --git a/mdop/appv-v4/how-to-import-an-application.md b/mdop/appv-v4/how-to-import-an-application.md index dd4f4ceec9..ecaec1c2de 100644 --- a/mdop/appv-v4/how-to-import-an-application.md +++ b/mdop/appv-v4/how-to-import-an-application.md @@ -28,11 +28,11 @@ You can use the following procedure to import an application into the cache dire **Note**   If you have already configured an import search path or if the SFT file is in the same path as the last successful import, step 2 is not required. -   + -  + -  + diff --git a/mdop/appv-v4/how-to-import-an-applicationserver.md b/mdop/appv-v4/how-to-import-an-applicationserver.md index f00f214802..24b4bce0dd 100644 --- a/mdop/appv-v4/how-to-import-an-applicationserver.md +++ b/mdop/appv-v4/how-to-import-an-applicationserver.md 
@@ -22,7 +22,7 @@ Typically, you import applications to make them available to stream from an Appl **Note**   To import an application, you must have its sequenced Open Software Descriptor (OSD) file or its Sequencer Project (SPRJ) file available on the server. -  + When importing an application, you should make sure the server is configured with a value in the **Default Content Path** field on the **General** tab of the **System Options** dialog (accessible by right-clicking the **Application Virtualization System** node in the App-V Server Console). The default content path value defines where the applications will be imported, and during the import process, this value is used to modify the paths defined in the OSD file for the SFT file and for the icon shortcuts. In the OSD file, the path for the SFT file is specified in the CODEBASE HREF entry and the path for the icons is specified in the SHORTCUTS entry. @@ -43,14 +43,14 @@ During the import process, the protocol, server, and, if present, port specified -

    \\server\content\

    -

    http://WebServer/myFolder/package.sft

    -

    \\server\content\myFolder\package.sft

    +

    \server\content</p> +

    http://WebServer/myFolder/package.sft

    +

    \server\content\myFolder\package.sft

    -  + **To import an application** @@ -71,7 +71,7 @@ During the import process, the protocol, server, and, if present, port specified **Note**   Applications sequenced with Sequencer 4.0 populate the **File Associations** dialog box when you import or create them through the management console. Applications with previous Sequencer version packages do not. -   + 8. Click **Next**. @@ -92,9 +92,9 @@ During the import process, the protocol, server, and, if present, port specified [How to Manually Add an Application](how-to-manually-add-an-application.md) -  + -  + diff --git a/mdop/appv-v4/how-to-install-a-database.md b/mdop/appv-v4/how-to-install-a-database.md index 5bf2b0a7bb..884793e4a7 100644 --- a/mdop/appv-v4/how-to-install-a-database.md +++ b/mdop/appv-v4/how-to-install-a-database.md @@ -22,7 +22,7 @@ You can use the following procedure to install a database for your server-based **Important**   To install the database, you must use a network account with the appropriate permissions. If your organization requires that only database administrators are allowed to create and conduct database upgrades, scripts are available that allow this task to be performed. -  + **To install a database** @@ -41,7 +41,7 @@ To install the database, you must use a network account with the appropriate per **Note**   If a component is already installed on the computer, by deselecting it on the **Custom Setup** screen it will automatically be uninstalled. -   + 7. On the **Database Server** page, type the passwords, assign an installation path, save the information, and click **Next**. 
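Review bot: the `+` rows of the content-path table change `\\server\content\` to `\server\content</p>` and `\\server\content\myFolder\package.sft` to `\server\content\myFolder\package.sft`, which drops the leading backslash of the UNC share and leaves a stray `</p>` closing tag in the first cell. Since the rest of this patch is trailing-whitespace cleanup, this looks like an accidental edit: restore the `\\server\...` form used by the removed rows and remove the stray tag so the example still matches the CODEBASE HREF rewriting described in the paragraph above.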
@@ -50,44 +50,44 @@ To install the database, you must use a network account with the appropriate per **Note**   If error 25109 is displayed when you try to complete this step, you have incorrectly set up the permissions necessary to install the database. For details on setting up the necessary SQL permissions, please see . -   + 9. On the **Directory Server** screen, enter a domain name and credentials that Application Virtualization Servers and the Management Web Service will use to access your domain controller, save this information, and then click **Next**. **Note**   The installation will default to the domain of the current computer. -   + 10. On the **Administrator Group** page, enter the name of a group that will have Administrator privileges, save this information, and then click **Next**. **Note**   You can also enter the first few characters of the name of a group that will have Administration privileges, click **Next**, and on the **Select Administrator Group** screen, select the group from the resulting list. Then save this information and click **Next**. -   + 11. On the **Default Provider Group** page, enter the complete name of a group that will control access to applications, save this information, and then click **Next**. **Note**   You can also enter the first few characters of the name of a group that will control access to applications, click **Next**, and on the **Select Default Provider Group** screen, select the group in the list. Then save this information and click **Next**. -   + 12. On the **Installation Wizard Completed** page, to close the wizard, click **Finish**. **Important**   The installation can take a few minutes to finish. A status message will flash above the Windows desktop notification area, indicating whether the installation succeeded. -   + ## Related topics [How to Install the Servers and System Components](how-to-install-the-servers-and-system-components.md) -  + -  + 
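Review bot: the context line "For details on setting up the necessary SQL permissions, please see ." in the error 25109 note has lost its link target, and the hunk touches the line directly below it. While this file is being edited, restore the reference (or drop the dangling "please see .") rather than leaving a note that points nowhere; the same file's later notes all carry a full link, so this one stands out.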
diff --git a/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md b/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md index b3a244ce99..83e7e4b7d1 100644 --- a/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md +++ b/mdop/appv-v4/how-to-install-and-configure-the-app-v-management-console-for-a-more-secure-environment.md @@ -30,7 +30,7 @@ The default installation of the App-V Management Console includes support for se **Important**   The name provided in the Web Service Host Name must match the common name on the certificate, or the connection will fail. -   + 4. Select the appropriate login credentials, and click **OK**. @@ -39,9 +39,9 @@ The default installation of the App-V Management Console includes support for se [Configuring Certificates to Support the App-V Web Management Service](configuring-certificates-to-support-the-app-v-web-management-service.md) -  + -  + diff --git a/mdop/appv-v4/how-to-install-and-configure-the-default-application.md b/mdop/appv-v4/how-to-install-and-configure-the-default-application.md index d621888eca..c5bb0dbe54 100644 --- a/mdop/appv-v4/how-to-install-and-configure-the-default-application.md +++ b/mdop/appv-v4/how-to-install-and-configure-the-default-application.md @@ -36,7 +36,7 @@ Use the following procedures to publish the default application and to stream it **Note**   You can also use **localhost** for the Web Service Host name if it is installed on the Management Server. -   + 6. In the App-V Management Console, right-click the **Server** node, and click **System Options**. 
@@ -45,7 +45,7 @@ Use the following procedures to publish the default application and to stream it **Important**   Use the FQDN for the server name so that the client can resolve the name correctly. -   + 8. In the App-V Management Console, in the navigation pane, expand the **Server** node, and then click **Applications**. @@ -58,7 +58,7 @@ Use the following procedures to publish the default application and to stream it **Important**   Ensure that the values in both the **OSD Path** and **Icon Path** boxes are in UNC format (for example, \\\\<Server Name>\\Content\\DefaultApp.ico), and point to the Content folder you created when installing the server. Do not use **localhost** or a file path containing a drive letter such as C:\\Program Files\\..\\..\\Content. -   + 12. Select the DefaultApp.osd file, and click **Open**. @@ -74,11 +74,11 @@ Use the following procedures to publish the default application and to stream it 18. Locate the line that contains the **HREF** tag, and change it to the following code: -      `CODEBASEHREF=”RTSP://:554/DefaultApp.sft”` + `CODEBASEHREF=”RTSP://:554/DefaultApp.sft”` Or, if you are using RTSPS: -      `CODEBASEHREF=”RTSPS://:322/DefaultApp.sft”` + `CODEBASEHREF=”RTSPS://:322/DefaultApp.sft”` 19. Close the DefaultApp.osd file, and save the changes. @@ -95,9 +95,9 @@ Use the following procedures to publish the default application and to stream it [How to Configure Servers for Server-Based Deployment](how-to-configure-servers-for-server-based-deployment.md) -  + -  + diff --git a/mdop/appv-v4/how-to-install-application-virtualization-management-server.md b/mdop/appv-v4/how-to-install-application-virtualization-management-server.md index f857719922..0dd33e3482 100644 --- a/mdop/appv-v4/how-to-install-application-virtualization-management-server.md +++ b/mdop/appv-v4/how-to-install-application-virtualization-management-server.md 
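Review bot: in the `@@ -74,11 +74,11 @@` hunk the two `CODEBASEHREF` lines go from six spaces of indentation to one, which takes the code spans out of step 18 of the numbered list and can restart the list numbering at step 19. Keep them indented under the list item. Both the old and new lines also read `RTSP://:554/DefaultApp.sft` with no host between `RTSP://` and the port, and use curly quotes (`”`) inside a code span; since the same file spells the share as `\\<Server Name>\Content`, suggest `CODEBASE HREF="RTSP://<Server Name>:554/DefaultApp.sft"` with straight quotes so the line can be pasted into the OSD as written.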
@@ -21,10 +21,10 @@ The Application Virtualization Management Server publishes its applications to c If you have designated a target computer on the network, with a login account having local Administrator privileges, you can use the following procedure to install the Application Virtualization Management Server and assign it to the appropriate server group. -**Note**   +**Note** The Installation Wizard can create a server group record, if one does not exist, as well as a record of the Application Virtualization Management Server's membership in this group. -  + After you complete the installation process, reboot the server. 
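Review bot: `-**Note**   ` becoming `+**Note**` strips the trailing whitespace after the bold label. If those characters were the two trailing spaces Markdown treats as a hard line break, "**Note**" and the sentence that follows it now render as one paragraph ("Note The Installation Wizard can create..."). Check the rendered page, and if the break is lost use the repository's usual note form (a blank line or a `> [!NOTE]` block) instead of relying on trailing spaces; the same applies to the `**Caution**` and `**Note**` labels changed in the next hunk.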
@@ -42,40 +42,42 @@ After you complete the installation process, reboot the server. 6. On the **Setup Type** page, select **Custom**. Click **Next**. On the **Custom Setup** page, deselect all Application Virtualization System components except **Application Virtualization Server**, and then click **Next**. - **Caution**   + **Caution** If a component is already installed on the computer, when you deselect it in the **Custom Setup** window, the component is automatically uninstalled. -   + 7. On the **Configuration Database** page, select a database server from the list of available servers or add a server by selecting **Use the following host name** and specifying the **Server Name** and **Port Number** data. Click **Next**. - **Note**   + **Note** The Application Virtualization Management Server does not support case sensitive SQL. -   - If a database is available, click the radio button, select the database from the list, and then click **Next**. Setup will upgrade it to this newer version. If the name does not appear in the list, enter the name in the space provided. - **Note**   - When naming a server, do not use the backslash character (/) in the server name. +~~~ +If a database is available, click the radio button, select the database from the list, and then click **Next**. Setup will upgrade it to this newer version. If the name does not appear in the list, enter the name in the space provided. - If you need to install a database, see [How to Install a Database](how-to-install-a-database.md). If you would like to create a new database for this version, select **Create a new database** and specify the name that will be assigned to the new database. You can also specify a new location for the database by selecting the check box and entering the path. +**Note** +When naming a server, do not use the backslash character (/) in the server name. -   +If you need to install a database, see [How to Install a Database](how-to-install-a-database.md). 
If you would like to create a new database for this version, select **Create a new database** and specify the name that will be assigned to the new database. You can also specify a new location for the database by selecting the check box and entering the path. +~~~ -8. On the **Connection Security Mode** page, select the desired certificate from the drop-down list. Click **Next**. - **Note**   - The **Secure Connection Mode** setting requires the server to have a server certificate provisioned to it from a public key infrastructure. If a server certificate is not installed on the server, this option is unavailable and cannot be selected. You must grant the Network Service account read access to the certificate being used. -   +8. On the **Connection Security Mode** page, select the desired certificate from the drop-down list. Click **Next**. -9. On the **TCP Port Configuration** page, to use the default port (554), select **Use default port (554)**. To specify a custom port, select **Use custom port** and specify the port number that will be used. Click **Next**. + **Note** + The **Secure Connection Mode** setting requires the server to have a server certificate provisioned to it from a public key infrastructure. If a server certificate is not installed on the server, this option is unavailable and cannot be selected. You must grant the Network Service account read access to the certificate being used. + + + +9. On the **TCP Port Configuration** page, to use the default port (554), select **Use default port (554)**. To specify a custom port, select **Use custom port** and specify the port number that will be used. Click **Next**. + + **Note** + When you install the server in a nonsecure environment, you can use the default port (554) or you can define a custom port. - **Note**   - When you install the server in a nonsecure environment, you can use the default port (554) or you can define a custom port. -   10. 
On the **Administrator Group** page, specify the name of the security group authorized to manage this server in **Group Name**. Click **Next**. Confirm the group specified and click **Next**. 
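Review bot: the `+~~~` lines wrap the "If a database is available..." paragraph, the `**Note**` about server names and the `[How to Install a Database](how-to-install-a-database.md)` link in a fenced code block, so the bold, the link and the paragraph breaks will render literally, and the text is also dedented out of step 7 of the numbered list, which lets step 8 start a new list. Drop the `~~~` fences and keep the three-space indentation of the surrounding items. Separately, the moved note still says "do not use the backslash character (/)" while showing a forward slash; since the line is being rewritten anyway, make the character and its name agree.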
@@ -83,37 +85,37 @@ After you complete the installation process, reboot the server. 12. On the **Content Path** page, specify the location on the target computer where SFT files will be saved, and then click **Next**. - **Note**   - If the HTTP or RTSP port for the Management Server is already allocated, you will be prompted to choose a new port. Select the desired port, and then click **Next**. + **Note** + If the HTTP or RTSP port for the Management Server is already allocated, you will be prompted to choose a new port. Select the desired port, and then click **Next**. + -   13. On the **Ready to Install the Program** page, to install the Application Virtualization Management Server, click **Install**. - **Note**   - If error 25120 is displayed when you try to complete this step, you need to enable IIS **Management Scripts and Tools**. To enable this Windows feature, open the **Programs and Features** control panel, select **Turn Windows features on or off**, and navigate to **Internet Information Services.** + **Note** + If error 25120 is displayed when you try to complete this step, you need to enable IIS **Management Scripts and Tools**. To enable this Windows feature, open the **Programs and Features** control panel, select **Turn Windows features on or off**, and navigate to **Internet Information Services.** + + Under **Web Management Tools**, enable **IIS Management Scripts and Tools**. - Under **Web Management Tools**, enable **IIS Management Scripts and Tools**. -   14. On the **Installation Wizard Completed** screen, to close the wizard, click **Finish**. - **Important**   - The installation can take a few minutes to finish. A status message will flash above the Windows desktop notification area, indicating that the installation succeeded. + **Important** + The installation can take a few minutes to finish. A status message will flash above the Windows desktop notification area, indicating that the installation succeeded. 
+ + It is not necessary to reboot the computer when prompted. However, to optimize system performance, a reboot is recommended. - It is not necessary to reboot the computer when prompted. However, to optimize system performance, a reboot is recommended. -   ## Related topics [How to Install the Servers and System Components](how-to-install-the-servers-and-system-components.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md index 7593c79ddc..f5b25c5517 100644 --- a/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md +++ b/mdop/appv-v4/how-to-install-the-app-v-client-by-using-setupmsi-new.md 
@@ -27,22 +27,22 @@ You can use the following procedures to install the prerequisite software. You c **Note**   The x86 versions of the following software are required for both x86 and x64 versions of the App-V client. -  + **To install Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)** -1. Download the [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) software package from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=119961). \[Template Token Value\] For version 4.5 SP2 and later of the App-V client, download vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360).\[Template Token Value\] +1. Download the [Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=119961) software package from the Microsoft Download Center (). \[Template Token Value\] For version 4.5 SP2 and later of the App-V client, download vcredist\_x86.exe from [Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package ATL Security Update](https://go.microsoft.com/fwlink/?LinkId=169360) (https://go.microsoft.com/fwlink/?LinkId=169360).\[Template Token Value\] -2. To install silently, use the command-line option “/Q” with vcredist\_x86.exe—for example, **vcredist\_x86.exe /Q**. +2. To install silently, use the command-line option “/Q” with vcredist\_x86.exe—for example, **vcredist\_x86.exe /Q**. -3. To install the software by using the vcredist\_x86.msi file, use the command-line option “/C /T:<fullpathtofolder>” to extract the files vcredist.msi and vcredis1.cab from vcredist\_x86.exe to a temporary folder. To install silently, use the command-line option /quiet—for example, **msiexec /i vcredist.msi** /quiet. +3. 
To install the software by using the vcredist\_x86.msi file, use the command-line option “/C /T:<fullpathtofolder>” to extract the files vcredist.msi and vcredis1.cab from vcredist\_x86.exe to a temporary folder. To install silently, use the command-line option /quiet—for example, **msiexec /i vcredist.msi** /quiet. ### To install Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) **Important**   For version 4.6 and later of the App-V client, you must also install the Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL Security Update. -  + **** @@ -65,7 +65,7 @@ When installing Microsoft Application Error Reporting, you must use the *APPGUID **Important**   For App-V 4.6 SP2 and later, you no longer need to install Microsoft Application Error Reporting (dw20shared.msi). App-V now uses Microsoft Error Reporting. -  + @@ -129,14 +129,14 @@ For App-V 4.6 SP2 and later, you no longer need to install Microsoft Applicati
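Review bot: in step 1 of "To install Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)" the `+` line replaces "from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=119961)" with "from the Microsoft Download Center ()", leaving empty parentheses. Either restore the URL or remove the parentheses; the second sentence of the same line keeps its "(https://go.microsoft.com/fwlink/?LinkId=169360)" form, so the two should be consistent.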
    -  + ¹ App-V “Languages” release. **Note**   If you need to find the product code, you can use the Orca.exe database editor or a similar tool to examine Windows Installer files to find the value of the *ProductCode* property. For more information about using Orca.exe, see [Windows Installer Development Tools](https://go.microsoft.com/fwlink/?LinkId=150008) (https://go.microsoft.com/fwlink/?LinkId=150008). -  + **** @@ -144,7 +144,7 @@ If you need to find the product code, you can use the Orca.exe database editor o 2. To install the software, run the following command: -      **msiexec /i dw20shared.msi APPGUID={valuefromtable} REBOOT=Suppress REINSTALL=ALL REINSTALLMODE=vomus** + **msiexec /i dw20shared.msi APPGUID={valuefromtable} REBOOT=Suppress REINSTALL=ALL REINSTALLMODE=vomus** ## Installing the App-V Client by Using the Setup.msi Program @@ -170,16 +170,16 @@ Use the following procedure to install the App-V client. Ensure that any necessa - To turn on installation logging, use the msiexec switch **/l\*v filename.log**. -   + ## Related topics [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md) -  + -  + diff --git a/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md b/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md index f046fb2fc9..d9c4fb364b 100644 --- a/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md +++ b/mdop/appv-v4/how-to-install-the-application-virtualization-sequencer.md @@ -24,7 +24,7 @@ You must have administrative rights on the computer you are using to sequence th **Important**   After you have sequenced an application, before you can properly sequence a new application you must reinstall the operating system and the Sequencer on the computer you are using to sequence applications. -  + **To install the Microsoft Application Virtualization Sequencer** 
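Review bot: in the `@@ -144,7 +144,7 @@` hunk the `**msiexec /i dw20shared.msi APPGUID={valuefromtable} ...**` command goes from six spaces of indentation to one, which moves it out of step 2 of the numbered list; keep it indented under the step (or put it in a fenced block under the step) so the list does not break. The `{valuefromtable}` placeholder and the surrounding text are otherwise unchanged, so only the indentation needs attention.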
@@ -49,9 +49,9 @@ After you have sequenced an application, before you can properly sequence a new [Application Virtualization Deployment Requirements](application-virtualization-deployment-requirements.md) -  + -  + diff --git a/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md b/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md index 5408f6f762..0cd8731539 100644 --- a/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md +++ b/mdop/appv-v4/how-to-install-the-application-virtualization-streaming-server.md @@ -24,7 +24,7 @@ If you have designated a target computer on the network, with a logon account ha **Note**   The Installation Wizard can create a server group record, if one does not exist, and a record of the Application Virtualization Streaming Server membership in this group. -  + After you complete the installation process, restart the server. @@ -35,7 +35,7 @@ After you complete the installation process, restart the server. **Important**   Make sure that the App-V Management Server is not installed on this computer. The two products cannot be installed on the same computer. -   + 2. Navigate to the location of the Application Virtualization System Setup program on the network, either run this program from the network or copy its directory to the target computer, and then double-click the **Setup.exe** file. 
@@ -52,21 +52,21 @@ After you complete the installation process, restart the server. **Note**   The **Secure Connection Mode** setting requires the server to have a server certificate provisioned to it from a public key infrastructure. If a server certificate is not installed on the server, this option is unavailable and cannot be selected. You must grant the Network Service account read access to the certificate being used. -   + 8. On the **TCP Port Configuration** page, to use the standard port (554), select **Use default port (554)**. To specify a custom port, select **Use custom port**, specify the port number in the field provided, and then click **Next**. **Note**   When you install the server in a nonsecure scenario, you can use the default port (554), or you can define a custom port. -   + 9. On the **Content Root** page, specify the location on the target computer where SFT files will be saved, and then click **Next**. **Note**   If the HTTP or RTSP port for the Virtual Application Streaming Server is already allocated, you will be prompted to select a new port. Specify the desired port, and then click **Next**. -   + 10. On the **Advanced Setting** screen, enter the following information: @@ -93,7 +93,7 @@ After you complete the installation process, restart the server. **Note**   The App-V Streaming Server uses NTFS file system permissions to control access to the applications under the Content share. Use **Enable User authentication** and **Enable User authorization** to control whether the server checks and enforces those access control lists (ACLs) or not. -   + 11. On the **Ready to Install the Program** page, to start the installation, click **Install**. 
@@ -104,7 +104,7 @@ After you complete the installation process, restart the server. It is not required to restart the computer when you are prompted. However, to optimize system performance, we recommend a restart. -   + 13. Repeat Steps 1–12 for each Virtual Application Server that you have to install. @@ -113,9 +113,9 @@ After you complete the installation process, restart the server. [How to Install the Servers and System Components](how-to-install-the-servers-and-system-components.md) -  + -  + diff --git a/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md b/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md index adaed4781c..ab7c6ff130 100644 --- a/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md +++ b/mdop/appv-v4/how-to-install-the-client-by-using-the-command-line-new.md 
@@ -24,21 +24,21 @@ You can use optional command-line parameters to apply specific configuration set **Note**   When you install the App-V client to use with a read-only cache, for example with a VDI server implementation, you must set the *AUTOLOADTARGET* parameter to NONE to prevent the client from trying to update applications when the cache is read-only. -  + For more information about setting these parameter values after installation, see [How to Configure the App-V Client Registry Settings by Using the Command Line](https://go.microsoft.com/fwlink/?LinkId=169355) (https://go.microsoft.com/fwlink/?LinkId=169355) in the Application Virtualization (App-V) Operations Guide. **Note**   If a configuration setting on the user’s computer depends on the client installation path, note that the Application Virtualization (App-V) 4.5 client copies its installation files to a different folder than previous versions did. By default, a new installation of the App-V 4.5 client will copy its installation files to the \\Program Files\\Microsoft Application Virtualization Client folder. If an earlier version of the client is already installed, running the App-V 4.5 client installer will perform an upgrade of the existing client using the existing installation folder. -  + \[Template Token Value\] **Note**   For App-V version 4.6 and later, when the App-V client is installed, SFTLDR.DLL is copied to the Windows\\system32 directory. If the App-V client is installed on a 64-bit system, SFTLDR\_WOW64.DLL is copied to the Windows\\SysWOW64 directory. -  + \[Template Token Value\] @@ -64,9 +64,9 @@ Provides step-by-step procedures for installing any prerequisite software and al [How to Uninstall the App-V Client](how-to-uninstall-the-app-v-client.md) -  + -  + diff --git a/mdop/appv-v4/how-to-install-the-management-console.md b/mdop/appv-v4/how-to-install-the-management-console.md index a082c316bf..1f584040a8 100644 --- a/mdop/appv-v4/how-to-install-the-management-console.md 
+++ b/mdop/appv-v4/how-to-install-the-management-console.md @@ -40,14 +40,14 @@ Before you can complete this procedure, you must install the Application Virtual **Note**   If a component is already installed on the computer, by deselecting it on the Custom Setup screen, it will automatically be uninstalled. -   + 8. On the **Ready to Modify the Program** screen, click **Install**. **Note**   If this is the first component you install, the **Ready to Install the Program** page is displayed. To start the installation, click **Install**. -   + 9. On the **Installation Wizard Completed** screen, click **Finish**. Click **Okay** to restart the computer and complete the installation. @@ -64,9 +64,9 @@ Before you can complete this procedure, you must install the Application Virtual [How to Install the Servers and System Components](how-to-install-the-servers-and-system-components.md) -  + -  + diff --git a/mdop/appv-v4/how-to-install-the-management-web-service.md b/mdop/appv-v4/how-to-install-the-management-web-service.md index ecdd307a3f..66cdda0365 100644 --- a/mdop/appv-v4/how-to-install-the-management-web-service.md +++ b/mdop/appv-v4/how-to-install-the-management-web-service.md 
@@ -36,21 +36,21 @@ Use the following procedure to install the Application Virtualization Management **Note**   If this is not the first component you installed on this computer, the **Program Maintenance** page is displayed. On the **Program Maintenance** page, click **Modify**. -   + 7. On the **Custom Setup** page, clear all Application Virtualization System components except **App Virt Management Service**, and then click **Next**. **Note**   If a component is already installed on the computer, by clearing it on the **Custom Setup** page, you will automatically uninstall it. -   + 8. On the **Database Server** page, click **Connect to available database**, and then click **Next**. **Note**   In a production environment, Microsoft assumes that you will connect to an existing database. If you want to install a database, see [How to Install a Database](how-to-install-a-database.md). After installing the database, continue with step 13. -   + 9. On the **Database Server Type** page, select a database type from the list, and then click **Next**. @@ -65,7 +65,7 @@ Use the following procedure to install the Application Virtualization Management **Note**   If this is the first component you install, the **Ready to Install the Program** page is displayed. On the page, click **Install**. -   + 14. On the **Installation Wizard Completed** page, click **Finish**. @@ -74,9 +74,9 @@ Use the following procedure to install the Application Virtualization Management [How to Install the Servers and System Components](how-to-install-the-servers-and-system-components.md) -  + -  + diff --git a/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md b/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md index b6d86bc704..ce132d4f49 100644 --- a/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-install-the-sequencer---app-v-46-sp1-.md 
@@ -21,10 +21,10 @@ The Microsoft Application Virtualization (App-V) Sequencer monitors and records You must have administrative credentials on the computer you are using to sequence the application, and the computer must not be running any version of App-V client. Creating a virtual application by using the App-V Sequencer requires multiple operations, so it is important that you install the Sequencer on a computer that meets or exceeds the [Application Virtualization Sequencer Hardware and Software Requirements](application-virtualization-sequencer-hardware-and-software-requirements.md). -**Note**   +**Note** Running the App-V sequencer in Safe Mode is not supported. -  + **To install the Microsoft Application Virtualization Sequencer** 
@@ -40,38 +40,40 @@ Running the App-V sequencer in Safe Mode is not supported. 6. On the **Virtual Drive** page, to configure the Application Virtualization default drive **Q:\\** (default) as the drive that all sequenced applications will run from, click **Next**. If you want to specify a different drive letter, use the list and select the drive letter that you want to use by selecting the appropriate drive letter, and then click **Next**. - **Important**   + **Important** The Application Virtualization drive letter specified with this step is the drive letter that virtual applications will be run from on target computers. The drive letter specified must be available, and not currently in use on the computers running the App-V client. If the specified drive is already in use, the virtual application fails on the target computer. -   + 7. On the **Ready to Install the Program** page, to start the installation, click **Install**. 8. On the **InstallShield Wizard Completed** page, to close the installation wizard and open the App-V Sequencer, click **Finish**. To close the installation wizard without opening the Sequencer, clear **Launch the program**, and then click **Finish**. - **Note**   + **Note** If you installed the App-V Sequencer on a computer running a virtual environment, for example a virtual machine, you must now take a snapshot. After you sequence an application, you can revert to this image, so you can sequence the next application. -   - When you uninstall the Sequencer, the following registry keys are not removed from the computer that the Sequencer was installed on. Additionally, you must restart the computer after you have uninstalled the Sequencer so that all associated drivers can be stopped and the operation can be completed. - - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid** +~~~ +When you uninstall the Sequencer, the following registry keys are not removed from the computer that the Sequencer was installed on. 
Additionally, you must restart the computer after you have uninstalled the Sequencer so that all associated drivers can be stopped and the operation can be completed. - - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid\\4.5** +- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid** - - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid\\4.5\\SystemGuard** +- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid\\4.5** - - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid\\4.5\\SystemGuard\\SecKey** +- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid\\4.5\\SystemGuard** + +- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid\\4.5\\SystemGuard\\SecKey** +~~~ ## Related topics [Configuring the Application Virtualization Sequencer (App-V 4.6 SP1)](configuring-the-application-virtualization-sequencer--app-v-46-sp1-.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-install-the-servers-and-system-components.md b/mdop/appv-v4/how-to-install-the-servers-and-system-components.md index 1e8509796b..a5fa8f0893 100644 --- a/mdop/appv-v4/how-to-install-the-servers-and-system-components.md +++ b/mdop/appv-v4/how-to-install-the-servers-and-system-components.md @@ -22,7 +22,7 @@ Before you can deliver applications to users, you must install the Microsoft App **Note**   The procedures in this section take you through a customized installation, where you pick and choose components to install on separate computers, as recommended in a production environment. However, your operating procedures might dictate a different approach, and during the installation process you might want to group components together. Regardless of where you install the components, you can install them in any order. -  + ## In This Section 
@@ -54,9 +54,9 @@ Provides step-by-step procedures to remove all or selected Application Virtualiz [How to Upgrade the Servers and System Components](how-to-upgrade-the-servers-and-system-components.md) -  + -  + diff --git a/mdop/appv-v4/how-to-load-files-and-packages.md b/mdop/appv-v4/how-to-load-files-and-packages.md index af5bdf9c35..21dc909c70 100644 --- a/mdop/appv-v4/how-to-load-files-and-packages.md +++ b/mdop/appv-v4/how-to-load-files-and-packages.md @@ -22,7 +22,7 @@ You can use the following procedure to load files and packages on Application Vi **Note**   During the installation process, you specified the location of the \\Content directory on the **Content Path** page. This directory should be created and configured as a standard file share before you point to its location. -  + **To load files and packages** @@ -41,16 +41,16 @@ During the installation process, you specified the location of the \\Content dir The App-V Clients must be properly configured to retrieve applications and packages from Web servers and file servers. For more information, see [How to Configure the Client for Application Package Retrieval](how-to-configure-the-client-for-application-package-retrieval.md). -   + ## Related topics [Application Virtualization Server](application-virtualization-server.md) -  + -  + diff --git a/mdop/appv-v4/how-to-load-or-unload-an-application.md b/mdop/appv-v4/how-to-load-or-unload-an-application.md index fc96564b9c..94fce4808b 100644 --- a/mdop/appv-v4/how-to-load-or-unload-an-application.md +++ b/mdop/appv-v4/how-to-load-or-unload-an-application.md 
@@ -22,7 +22,7 @@ You can use the following procedures to load or unload an application from the c **Note**   When you load or unload a package, all the applications in the package are loaded into or removed from cache. When loading a package, if you do not have adequate space in cache to load the applications, increase your cache size. For more information about cache size, see [How to Change the Cache Size and the Drive Letter Designation](how-to-change-the-cache-size-and-the-drive-letter-designation.md). -  + **To load an application** @@ -41,9 +41,9 @@ When you load or unload a package, all the applications in the package are loade [How to Change the Cache Size and the Drive Letter Designation](how-to-change-the-cache-size-and-the-drive-letter-designation.md) -  + -  + diff --git a/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md b/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md index a7ad84ad83..6443110c20 100644 --- a/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md +++ b/mdop/appv-v4/how-to-load-virtual-applications-from-the-desktop-notification-area.md @@ -24,7 +24,7 @@ The applications are loaded one application at a time. The progress bar shows yo **Note**   If your system encounters an error while loading an application, it reports the error to you. You must dismiss the error dialog before it will load the next application. -  + **To load all applications** @@ -49,9 +49,9 @@ If your system encounters an error while loading an application, it reports the [How to Use the Desktop Notification Area for Application Virtualization Client Management](how-to-use-the-desktop-notification-area-for-application-virtualization-client-management.md) -  + -  + 
diff --git a/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md index f5e2c37995..67680da087 100644 --- a/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md +++ b/mdop/appv-v4/how-to-manage-application-groups-in-the-server-management-console.md @@ -34,7 +34,7 @@ You can create a group, place it where you would like in the console's **Applica **Note**   Moving applications into groups does not affect the locations of their files (SFT, OSD, or SPRJ) on the server's file system. -  + ## In This Section @@ -58,9 +58,9 @@ Provides step-by-step instructions for removing or deleting an application group [How to Perform Administrative Tasks in the Application Virtualization Server Management Console](how-to-perform-administrative-tasks-in-the-application-virtualization-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md b/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md index 3c643b1545..279a9aaa89 100644 --- a/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md +++ b/mdop/appv-v4/how-to-manage-application-licenses-in-the-server-management-console.md @@ -22,7 +22,7 @@ The Application Virtualization Server Management Console is the interface you us **Important**   If the App-V client Application Source Root (ASR) setting is configured to use any type of streaming source other than the Management Server, for example a Streaming Server, an IIS server, or a File server, then the Management Server is unable to enforce its licensing policy. -  + ## In This Section 
@@ -53,9 +53,9 @@ Provides a procedure for creating a new unlimited license group, allowing specif [How to Perform Administrative Tasks in the Application Virtualization Server Management Console](how-to-perform-administrative-tasks-in-the-application-virtualization-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md b/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md index 4edea45b0e..1f9c00705d 100644 --- a/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md +++ b/mdop/appv-v4/how-to-manage-the-app-v-client-cache-using-performance-counters.md @@ -32,16 +32,16 @@ You can use the following procedure to determine how much free space is availabl **Important**   The App-V performance counters are implemented in a 32-bit DLL, so to see them, you must use the following command to start the 32-bit version of Performance Monitor: **mmc /32 perfmon.msc**. This command must be run directly on the computer being monitored and cannot be used to monitor a remote computer running a 64-bit operating system. -   + ## Related topics [How to Manage Virtual Applications by Using the Command Line](how-to-manage-virtual-applications-by-using-the-command-line.md) -  + -  + diff --git a/mdop/appv-v4/how-to-manage-virtual-applications-manually.md b/mdop/appv-v4/how-to-manage-virtual-applications-manually.md index 77766cbcef..9b3d5d2637 100644 --- a/mdop/appv-v4/how-to-manage-virtual-applications-manually.md +++ b/mdop/appv-v4/how-to-manage-virtual-applications-manually.md 
@@ -27,7 +27,7 @@ You can use the following procedures to load or unload an application from the c **Note**   When you load or unload a package, all the applications in the package are loaded into or removed from cache. When loading a package, if you do not have adequate space in cache to load the applications, increase your cache size. For more information about cache size, see [How to Change the Cache Size and the Drive Letter Designation](how-to-change-the-cache-size-and-the-drive-letter-designation.md). -  + **To load an App-V application** @@ -49,7 +49,7 @@ You can clear an application from the console directly from the **Results** pane **Note**   When you clear an application from the console, you can no longer use that application. However, the application remains in cache and is still available to other users on the same system. After a publishing refresh, the cleared applications will again become available to you. If there are multiple applications in a package, the user's settings are not removed until all of the applications are cleared. -  + **To clear an application from the console** @@ -84,7 +84,7 @@ You can use the following procedure to import an application into the cache dire **Note**   If you have already configured an import search path or if the SFT file is in the same path as the last successful import, step 2 is not required. -   + ## How to lock or unlock an App-V application @@ -113,7 +113,7 @@ When you delete an application, the selected application will no longer be avail After a publishing refresh, the deleted applications will again become available to you. -  + **To delete an application** @@ -231,9 +231,9 @@ You can use the following procedure to delete a file type association. The **Fil [Application Virtualization Client](application-virtualization-client.md) -  + -  + 
diff --git a/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md b/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md index ad9474f810..014d912472 100644 --- a/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md +++ b/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md 
@@ -17,19 +17,19 @@ ms.date: 08/30/2016 # How to Manually Install the Application Virtualization Client -There are two types of Application Virtualization Client components: the Application Virtualization Desktop Client, which is designed for installation on desktop computers, and the Application Virtualization Client for Remote Desktop Services (formerly Terminal Services), which you can install on Remote Desktop Session Host (RD Session Host) servers . Although the two client installer programs are different, you can use the following procedure to manually install either the Application Virtualization Desktop Client on a single desktop computer or the Application Virtualization Client for Remote Desktop Services on a single RD Session Host server. In a production environment, you most likely will install the Application Virtualization Desktop Client on multiple desktop computers with an automated scripted installation process. For information about how to install multiple clients by using a scripted installation process, see [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md). +There are two types of Application Virtualization Client components: the Application Virtualization Desktop Client, which is designed for installation on desktop computers, and the Application Virtualization Client for Remote Desktop Services (formerly Terminal Services), which you can install on Remote Desktop Session Host (RD Session Host) servers . Although the two client installer programs are different, you can use the following procedure to manually install either the Application Virtualization Desktop Client on a single desktop computer or the Application Virtualization Client for Remote Desktop Services on a single RD Session Host server. In a production environment, you most likely will install the Application Virtualization Desktop Client on multiple desktop computers with an automated scripted installation process. 
For information about how to install multiple clients by using a scripted installation process, see [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md). -**Note**   -1. If you are installing the Application Virtualization Client for Remote Desktop Services software on a RD Session Host server, advise users who have an open RDP or ICA client session with the RD Session Host server that they must save their work and close their sessions. In a Remote Desktop session, you can install the client the client manually. For more information about upgrading the client, see [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md). +**Note** +1. If you are installing the Application Virtualization Client for Remote Desktop Services software on a RD Session Host server, advise users who have an open RDP or ICA client session with the RD Session Host server that they must save their work and close their sessions. In a Remote Desktop session, you can install the client the client manually. For more information about upgrading the client, see [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md). -2. If you have any configuration on the user’s computer that depends on the client install path, note that the Application Virtualization (App-V) 4.5 client uses a different install folder than previous versions. By default, a new install of the Application Virtualization (App-V) 4.5 client will install to the \\Program Files\\Microsoft Application Virtualization Client folder. If an earlier version of the client is already installed, installing the App-V client will perform an upgrade into the existing installation folder. +2. 
If you have any configuration on the user’s computer that depends on the client install path, note that the Application Virtualization (App-V) 4.5 client uses a different install folder than previous versions. By default, a new install of the Application Virtualization (App-V) 4.5 client will install to the \\Program Files\\Microsoft Application Virtualization Client folder. If an earlier version of the client is already installed, installing the App-V client will perform an upgrade into the existing installation folder. -  -**Note**   -For App-V version 4.6 and later, when the App-V client is installed, SFTLDR.DLL is installed in the Windows\\system32 directory. If the App-V client is installed on a 64-bit system, SFTLDR\_WOW64.DLL is installed in the Windows\\SysWOW64 directory. -  +**Note** +For App-V version 4.6 and later, when the App-V client is installed, SFTLDR.DLL is installed in the Windows\\system32 directory. If the App-V client is installed on a 64-bit system, SFTLDR\_WOW64.DLL is installed in the Windows\\SysWOW64 directory. + + **To manually install Application Virtualization Desktop Client** 
@@ -43,30 +43,32 @@ For App-V version 4.6 and later, when the App-V client is installed, SFTLDR.DLL 5. The wizard checks the system to ensure that all prerequisite software is installed, and if any of the following are missing, the wizard will automatically prompt you to install them: - - Microsoft Visual C++ 2005 SP1 Redistributable Package (x86) + - Microsoft Visual C++ 2005 SP1 Redistributable Package (x86) - - Microsoft Core XML Services (MSXML) 6.0 SP1 (x86) + - Microsoft Core XML Services (MSXML) 6.0 SP1 (x86) - Microsoft Application Error Reporting - **Note**   - For App-V version 4.6 and later, the wizard will also install Microsoft Visual C++ 2008 SP1 Redistributable Package (x86). + **Note** + For App-V version 4.6 and later, the wizard will also install Microsoft Visual C++ 2008 SP1 Redistributable Package (x86). - For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see (https://go.microsoft.com/fwlink/?LinkId=150700). + For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see (https://go.microsoft.com/fwlink/?LinkId=150700). -   - If prompted, click **Install**. Installation progress is displayed, and the status changes from **Pending** to **Installing**. Installation status changes to **Succeeded** as each step is completed successfully. -6. When the **Microsoft Application Virtualization Desktop Client – InstallShield Wizard** is displayed, click **Next**. +~~~ +If prompted, click **Install**. Installation progress is displayed, and the status changes from **Pending** to **Installing**. Installation status changes to **Succeeded** as each step is completed successfully. +~~~ -7. The **License Agreement** screen is displayed. Read the license agreement, and if you agree, click **I accept the terms in the license agreement** and then click **Next**. +6. 
When the **Microsoft Application Virtualization Desktop Client – InstallShield Wizard** is displayed, click **Next**. - Optionally, you can click the button to read the Privacy Statement. You must be connected to the Internet to access the Privacy Statement. +7. The **License Agreement** screen is displayed. Read the license agreement, and if you agree, click **I accept the terms in the license agreement** and then click **Next**. -8. On the **Setup Type** screen, select the setup type. Click **Typical** to use the default program values, or click **Custom** if you want to configure the program settings during installation. + Optionally, you can click the button to read the Privacy Statement. You must be connected to the Internet to access the Privacy Statement. -9. If you choose **Typical**, the next screen displays **Ready to Install the Program**. Click **Install** to begin the installation. +8. On the **Setup Type** screen, select the setup type. Click **Typical** to use the default program values, or click **Custom** if you want to configure the program settings during installation. + +9. If you choose **Typical**, the next screen displays **Ready to Install the Program**. Click **Install** to begin the installation. 10. If you choose **Custom**, the **Destination Folder** screen appears. 
@@ -74,71 +76,75 @@ For App-V version 4.6 and later, when the App-V client is installed, SFTLDR.DLL 12. On the **Application Virtualization Data Location** screen, click **Next** to accept the default data locations or complete the following actions to change where the data is stored: - 1. Click **Change**, and then browse to or, in the **Global Data Location** field, enter the destination folder for the global data location, and click **OK**. The Global Data Directory is where the Application Virtualization Desktop Client caches data shared by all users on the computer, like OSD files and SFT file data. + 1. Click **Change**, and then browse to or, in the **Global Data Location** field, enter the destination folder for the global data location, and click **OK**. The Global Data Directory is where the Application Virtualization Desktop Client caches data shared by all users on the computer, like OSD files and SFT file data. - 2. If you want to change the drive letter to be used, select the preferred drive letter from the drop-down list. + 2. If you want to change the drive letter to be used, select the preferred drive letter from the drop-down list. - 3. Enter a new path to store the user-specific data in the **User-specific Data Location** field if you want to change the data location. The User Data Directory is where the Application Virtualization Desktop Client stores user-specific information, like personal settings for virtualized applications. + 3. Enter a new path to store the user-specific data in the **User-specific Data Location** field if you want to change the data location. The User Data Directory is where the Application Virtualization Desktop Client stores user-specific information, like personal settings for virtualized applications. - **Note**   - This path must be different for every user, so it should include a user-specific environment variable or a mapped drive or something else that will resolve to a unique path for each user. 
+ **Note** + This path must be different for every user, so it should include a user-specific environment variable or a mapped drive or something else that will resolve to a unique path for each user. -   - 4. When you have finished making the changes, click **Next**. + + 4. When you have finished making the changes, click **Next**. 13. On the **Cache Size Settings** screen, you can accept or change the default cache size. Click one of the following radio buttons to choose how to manage the cache space: - 1. **Use maximum cache size**. Enter a numeric value from 100–1,048,576 (1 TB) in the **Maximum size (MB)** field to specify the maximum size of the cache. + 1. **Use maximum cache size**. Enter a numeric value from 100–1,048,576 (1 TB) in the **Maximum size (MB)** field to specify the maximum size of the cache. - 2. **Use free disk space threshold**. Enter a numeric value to specify the amount of free disk space, in MB, that the Application Virtualization Client must leave available on the disk. This allows the cache to grow until the amount of free disk space reaches this limit. The value shown in **Free disk space remaining** indicates how much disk space is currently unused. + 2. **Use free disk space threshold**. Enter a numeric value to specify the amount of free disk space, in MB, that the Application Virtualization Client must leave available on the disk. This allows the cache to grow until the amount of free disk space reaches this limit. The value shown in **Free disk space remaining** indicates how much disk space is currently unused. - **Important**   - To ensure that the cache has sufficient space allocated for all packages that might be deployed, use the **Use free disk space threshold** setting when you configure the client so that the cache can grow as needed. Alternatively, determine in advance how much disk space will be needed for the App-V cache, and at installation time, set the cache size accordingly. 
For more information about the cache space management feature, in the Microsoft Application Virtualization (App-V) Operations Guide, see **How to Use the Cache Space Management Feature**. + **Important** + To ensure that the cache has sufficient space allocated for all packages that might be deployed, use the **Use free disk space threshold** setting when you configure the client so that the cache can grow as needed. Alternatively, determine in advance how much disk space will be needed for the App-V cache, and at installation time, set the cache size accordingly. For more information about the cache space management feature, in the Microsoft Application Virtualization (App-V) Operations Guide, see **How to Use the Cache Space Management Feature**. -   - Click **Next** to continue. + +~~~ +Click **Next** to continue. +~~~ 14. In the following sections of the **Runtime Package Policy Configuration** screen, you can change the parameters that affect how the Application Virtualization client behaves during runtime: - 1. **Application Source Root**. Specifies the location of SFT files. If used, overrides the protocol, server, and port portions of the CODEBASE HREF URL in the OSD file. + 1. **Application Source Root**. Specifies the location of SFT files. If used, overrides the protocol, server, and port portions of the CODEBASE HREF URL in the OSD file. - 2. **Application Authorization**. When **Require User authorization even when cached** is checked, users are required to connect to a server and validate their credentials at least once before they are allowed to start each virtual application. + 2. **Application Authorization**. When **Require User authorization even when cached** is checked, users are required to connect to a server and validate their credentials at least once before they are allowed to start each virtual application. - 3. **Allow streaming from file**. 
Indicates whether streaming from file will be enabled, regardless of how the **Application Source Root** field is used. If not checked, streaming from files is disabled. This must be checked if **Application Source Root** contains a UNC path in the form \\\\server\\share. + 3. **Allow streaming from file**. Indicates whether streaming from file will be enabled, regardless of how the **Application Source Root** field is used. If not checked, streaming from files is disabled. This must be checked if **Application Source Root** contains a UNC path in the form \\\\server\\share. - 4. **Automatically Load Application**. Controls when and how automatic background loading of applications occurs. + 4. **Automatically Load Application**. Controls when and how automatic background loading of applications occurs. - **Note**   - When you install the App-V client to use with a read-only cache, for example, with a VDI server implementation, set **What applications to Auto Load** to **Do not automatically load applications** to prevent the client from trying to update applications in the read-only cache. + **Note** + When you install the App-V client to use with a read-only cache, for example, with a VDI server implementation, set **What applications to Auto Load** to **Do not automatically load applications** to prevent the client from trying to update applications in the read-only cache. -   - Click **Next** to continue. + +~~~ +Click **Next** to continue. +~~~ 15. On the **Publishing Server** screen, select the **Set up a Publishing Server now** check box if you want to define a publishing server, or click **Next** if you want to complete this later. To define a publishing server, specify the following information: - 1. **Display Name**—Enter the name you want to display for the server. + 1. **Display Name**—Enter the name you want to display for the server. - 2. **Type**—Select the server type from the drop-down list of server types. + 2. 
**Type**—Select the server type from the drop-down list of server types. - 3. **Host Name** and **Port**—Enter the host name and the port in the corresponding fields. When you select a server type in the drop-down list, the port field will automatically fill with the standard port numbers. To change a port number, click the server type in the list and change the port number according to your needs. + 3. **Host Name** and **Port**—Enter the host name and the port in the corresponding fields. When you select a server type in the drop-down list, the port field will automatically fill with the standard port numbers. To change a port number, click the server type in the list and change the port number according to your needs. - 4. **Path**—If you have selected either **Standard HTTP Server** or **Enhanced Security HTTP Server**, you must enter the complete path to the XML file containing publishing data in this field. If you select either **Application Virtualization Server** or **Enhanced Security Application Virtualization Server**, this field is not active. + 4. **Path**—If you have selected either **Standard HTTP Server** or **Enhanced Security HTTP Server**, you must enter the complete path to the XML file containing publishing data in this field. If you select either **Application Virtualization Server** or **Enhanced Security Application Virtualization Server**, this field is not active. - 5. **Automatically contact this server to update settings when a user logs in**—Select this check box if you want this server to be queried automatically when users log in to their account on the Application Virtualization Client. + 5. **Automatically contact this server to update settings when a user logs in**—Select this check box if you want this server to be queried automatically when users log in to their account on the Application Virtualization Client. - 6. When finished with the configuration steps, click **Next**. + 6. 
When finished with the configuration steps, click **Next**. 16. On the **Ready to Install the Program** screen, click **Install**. A screen is displayed that shows the progress of the installation. 17. On the **Install Wizard Completed** screen, click **Finish**. - **Note**   - If the installation fails for any reason, you might need to restart the computer before trying the install again. + **Note** + If the installation fails for any reason, you might need to restart the computer before trying the install again. + -   ## Related topics @@ -147,9 +153,9 @@ For App-V version 4.6 and later, when the App-V client is installed, SFTLDR.DLL [Stand-Alone Delivery Scenario Overview](stand-alone-delivery-scenario-overview.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-migrate-the-app-v-sql-database-to-a-different-sql-server.md b/mdop/appv-v4/how-to-migrate-the-app-v-sql-database-to-a-different-sql-server.md index 857213e8d4..f2489eb2f5 100644 --- a/mdop/appv-v4/how-to-migrate-the-app-v-sql-database-to-a-different-sql-server.md +++ b/mdop/appv-v4/how-to-migrate-the-app-v-sql-database-to-a-different-sql-server.md @@ -22,7 +22,7 @@ The following procedures describe in detail how to migrate the SQL database of t **Important**   This procedure requires that the App-V server service is stopped and this will prevent end-users from using their applications. -  + **To back up the App-V SQL database** @@ -110,9 +110,9 @@ This procedure requires that the App-V server service is stopped and this will p 7. Open the App-V Management Console, right-click the **Applications** node and select **Refresh**. The list of applications should be displayed as before. -  + -  + diff --git a/mdop/appv-v4/how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md b/mdop/appv-v4/how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md index 933de34358..af10891ff9 100644 --- a/mdop/appv-v4/how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md 
+++ b/mdop/appv-v4/how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md @@ -42,7 +42,7 @@ You must have the App-V Sequencer installed to modify a virtual application pack **Important**   If you are required to disable virus scanning software, scan the computer running the sequencer to ensure that no unwanted or malicious files are added to the package. -   + 6. On the **Select Installer** page, click **Browse** and specify the update installation file for the application. If the update does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. @@ -51,7 +51,7 @@ You must have the App-V Sequencer installed to modify a virtual application pack **Note**   The sequencer monitors all changes and installations to the computer running the sequencer, including the changes and installations that are performed outside of the sequencing wizard. -   + 8. On the **Installation Report** page, you can review information about the virtual application you just updated. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. @@ -60,7 +60,7 @@ You must have the App-V Sequencer installed to modify a virtual application pack **Note**   If you want to stop an application from loading during this step, in the **Application Launch** dialog box, click **Stop**, and then click one of the following options, **Stop all applications** or **Stop this application only**, depending on what you want. -   + 10. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. When you select this option, the package in the Sequencer console opens so that you can modify the package before it is saved. Click **Next**. 
@@ -121,7 +121,7 @@ You must have the App-V Sequencer installed to modify a virtual application pack **Important**   If you are required to disable virus scanning software, scan the computer running the sequencer to ensure that no unwanted or malicious files can be added to the package. -   + 6. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. @@ -130,7 +130,7 @@ You must have the App-V Sequencer installed to modify a virtual application pack **Note**   All changes and installations to the computer running the sequencer are monitored by the sequencer, including the changes and installations that are performed outside of the sequencing wizard. -   + 8. On the **Configure Software** page, optionally run the programs contained in the package. This step helps complete any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at the same time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**. 
@@ -151,7 +151,7 @@ You must have the App-V Sequencer installed to modify a virtual application pack **Note**   If you want to stop an application from loading during this step, in the **Application Launch** dialog box, click **Stop** and select either the **Stop all applications** or the **Stop this application only** check box, depending on what you want. -   + 13. On the **Create Package** page, select the **Continue to modify package without saving using the package editor** check box, to modify the package without saving it. When you select this option, the package in the sequencer console opens so that you can modify the package before it is saved. Click **Next**. @@ -164,9 +164,9 @@ You must have the App-V Sequencer installed to modify a virtual application pack [Tasks for the Application Virtualization Sequencer (App-V 4.6 SP1)](tasks-for-the-application-virtualization-sequencer--app-v-46-sp1-.md) -  + -  + diff --git a/mdop/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md b/mdop/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md index d5216f7819..c5b952309a 100644 --- a/mdop/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md +++ b/mdop/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server.md @@ -26,7 +26,7 @@ In Windows Server 2008, the process of changing the ACLs on the private key is **Note**   The default security context is Network Service; however, a domain account can be used instead. -  + **To manage private keys in Windows Server 2003** @@ -57,9 +57,9 @@ The default security context is Network Service; however, a domain account can b [Configuring Certificates to Support Secure Streaming](configuring-certificates-to-support-secure-streaming.md) -  + -  + 
diff --git a/mdop/appv-v4/how-to-modify-the-log-directory-location.md b/mdop/appv-v4/how-to-modify-the-log-directory-location.md index c648d46936..9b4accadbf 100644 --- a/mdop/appv-v4/how-to-modify-the-log-directory-location.md +++ b/mdop/appv-v4/how-to-modify-the-log-directory-location.md @@ -22,7 +22,7 @@ The log directory location is where the Application Virtualization (App-V) Seque **Important**   The log location directory must be located on the computer running the App-V Sequencer. -  + Use the following procedure to change the location of the directory where the App-V Sequencer will save associated logs. @@ -41,9 +41,9 @@ Use the following procedure to change the location of the directory where the Ap [How to Configure the App-V Sequencer](how-to-configure-the-app-v-sequencer.md) -  + -  + diff --git a/mdop/appv-v4/how-to-modify-the-operating-systems-associated-with-an-existing-windows-installer-file.md b/mdop/appv-v4/how-to-modify-the-operating-systems-associated-with-an-existing-windows-installer-file.md index f77fb2f8db..f3aa20ff3b 100644 --- a/mdop/appv-v4/how-to-modify-the-operating-systems-associated-with-an-existing-windows-installer-file.md +++ b/mdop/appv-v4/how-to-modify-the-operating-systems-associated-with-an-existing-windows-installer-file.md @@ -36,7 +36,7 @@ Use the following procedure to modify the operating system versions associated w **Note**   If you select **Tools** / **Create MSI** to create a new Windows Installer file, you can skip **Step 6** of this procedure. -   + 6. To save the virtual application package, select **Package** / **Save**. @@ -45,9 +45,9 @@ Use the following procedure to modify the operating system versions associated w [Tasks for the Application Virtualization Sequencer](tasks-for-the-application-virtualization-sequencer.md) -  + -  + diff --git a/mdop/appv-v4/how-to-modify-the-scratch-directory-location.md b/mdop/appv-v4/how-to-modify-the-scratch-directory-location.md index 11e606a1f9..582f590f01 100644 
--- a/mdop/appv-v4/how-to-modify-the-scratch-directory-location.md +++ b/mdop/appv-v4/how-to-modify-the-scratch-directory-location.md @@ -22,7 +22,7 @@ The scratch directory is used by the App-V Sequencer to save temporary files dur **Important**   The specified scratch directory location should be located on the computer running the App-V Sequencer. -  + Use the following procedure to modify the scratch directory location. @@ -43,9 +43,9 @@ Use the following procedure to modify the scratch directory location. [How to Modify the Log Directory Location](how-to-modify-the-log-directory-location.md) -  + -  + diff --git a/mdop/appv-v4/how-to-move-an-application-group.md b/mdop/appv-v4/how-to-move-an-application-group.md index c544b38b85..13f84cae13 100644 --- a/mdop/appv-v4/how-to-move-an-application-group.md +++ b/mdop/appv-v4/how-to-move-an-application-group.md @@ -34,7 +34,7 @@ In the Application Virtualization Server Management Console, you can use the fol **Note**   You can select and move multiple application groups simultaneously. In the right pane, use the **CTRL**-click or **Shift**-click key combinations to select more than one group. -   + ## Related topics @@ -45,9 +45,9 @@ In the Application Virtualization Server Management Console, you can use the fol [How to Manage Applications in the Server Management Console](how-to-manage-applications-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-move-an-application.md b/mdop/appv-v4/how-to-move-an-application.md index 3395f20062..891de6a2a0 100644 --- a/mdop/appv-v4/how-to-move-an-application.md +++ b/mdop/appv-v4/how-to-move-an-application.md @@ -22,7 +22,7 @@ If you have application groups under the **Applications** node in the Applicatio **Important**   You must have one or more application groups under the **Applications** node to move applications. -  + **To move an application** 
@@ -41,7 +41,7 @@ You must have one or more application groups under the **Applications** node to **Note**   You can select and move multiple application groups simultaneously. In the right pane, use the **CTRL**-click or **Shift**-click key combinations to select more than one group. -   + ## Related topics @@ -50,9 +50,9 @@ You must have one or more application groups under the **Applications** node to [How to Manage Applications in the Server Management Console](how-to-manage-applications-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-open-a-sequenced-application-using-the-command-line.md b/mdop/appv-v4/how-to-open-a-sequenced-application-using-the-command-line.md index 7f55ee7809..9a25b5de7e 100644 --- a/mdop/appv-v4/how-to-open-a-sequenced-application-using-the-command-line.md +++ b/mdop/appv-v4/how-to-open-a-sequenced-application-using-the-command-line.md @@ -46,16 +46,16 @@ Use the following procedure to open sequenced application packages using the com **Note**   If the installer or Windows Installer package has a graphical user interface, it will be displayed after you specify the command-line parameters. -   + ## Related topics [How to Manage Virtual Applications Using the Command Line](how-to-manage-virtual-applications-using-the-command-line.md) -  + -  + diff --git a/mdop/appv-v4/how-to-publish-a-virtual-application-on-the-client.md b/mdop/appv-v4/how-to-publish-a-virtual-application-on-the-client.md index 25574eab65..d91ae838c7 100644 --- a/mdop/appv-v4/how-to-publish-a-virtual-application-on-the-client.md +++ b/mdop/appv-v4/how-to-publish-a-virtual-application-on-the-client.md 
@@ -40,7 +40,7 @@ When you deploy Application Virtualization by using an electronic software distr **Important**   For OVERRIDEURL all backslash characters must be escaped using a preceding backslash, or the OVERRIDEURL path will not be parsed correctly. Also, properties and values must be entered as uppercase except where the value is a path to a file. -   + **To publish a package using SFTMIME** @@ -61,9 +61,9 @@ When you deploy Application Virtualization by using an electronic software distr [Stand-Alone Delivery Scenario for Application Virtualization Clients](stand-alone-delivery-scenario-for-application-virtualization-clients.md) -  + -  + diff --git a/mdop/appv-v4/how-to-refresh-the-publishing-servers.md b/mdop/appv-v4/how-to-refresh-the-publishing-servers.md index 5cfbb564a4..54494a77f0 100644 --- a/mdop/appv-v4/how-to-refresh-the-publishing-servers.md +++ b/mdop/appv-v4/how-to-refresh-the-publishing-servers.md @@ -22,7 +22,7 @@ After you request access to additional applications and permission is granted by **Note**   By default, publishing information is refreshed on user log in. -  + **To refresh the publishing information** @@ -37,7 +37,7 @@ By default, publishing information is refreshed on user log in. - Right-click the server in the **Results** pane, and then select **Properties** from the pop-up menu. Select the **Refresh** tab, and then click the **Refresh** button. -   + ## Related topics @@ -46,9 +46,9 @@ By default, publishing information is refreshed on user log in. [How to Set Up Publishing Refresh on Login](how-to-set-up-publishing-refresh-on-login.md) -  + -  + diff --git a/mdop/appv-v4/how-to-remove-an-application-from-a-license-group.md b/mdop/appv-v4/how-to-remove-an-application-from-a-license-group.md index 6e5218bac6..28cf02fc30 100644 --- a/mdop/appv-v4/how-to-remove-an-application-from-a-license-group.md +++ b/mdop/appv-v4/how-to-remove-an-application-from-a-license-group.md 
@@ -30,18 +30,18 @@ You can use the following procedure to remove an application from its assigned l 4. Click **OK**. **Note**   -   You can alter the **Properties** tab of one application at a time. + You can alter the **Properties** tab of one application at a time. -   + ## Related topics [How to Associate an Application with a License Group](how-to-associate-an-application-with-a-license-group.md) -  + -  + diff --git a/mdop/appv-v4/how-to-remove-an-application-group.md b/mdop/appv-v4/how-to-remove-an-application-group.md index 86beaeaecc..9971b36c80 100644 --- a/mdop/appv-v4/how-to-remove-an-application-group.md +++ b/mdop/appv-v4/how-to-remove-an-application-group.md @@ -22,7 +22,7 @@ You can use the following procedures to remove an application group in the Appli **Caution**   Deleting a group with its applications deletes those applications from the Application Virtualization Management Server. When you try to do this, you must confirm the deletion in a pop-up window. -  + **To empty and then delete an application group** @@ -49,7 +49,7 @@ Deleting a group with its applications deletes those applications from the Appli **Note**   You can select and remove multiple application groups simultaneously. In the right pane, use the **CTRL**-click or **Shift**-click key combinations to select more than one group. -   + ## Related topics @@ -58,9 +58,9 @@ Deleting a group with its applications deletes those applications from the Appli [How to Manage Applications in the Server Management Console](how-to-manage-applications-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-remove-an-application-license-group.md b/mdop/appv-v4/how-to-remove-an-application-license-group.md index 4fe41a65b2..108f41917f 100644 --- a/mdop/appv-v4/how-to-remove-an-application-license-group.md +++ b/mdop/appv-v4/how-to-remove-an-application-license-group.md 
@@ -22,7 +22,7 @@ In the Application Virtualization Server Management Console, you can use the fol **Important**   Before you can remove a license group, you must remove any licenses associated with the group. -  + **To remove a license group** @@ -51,9 +51,9 @@ Before you can remove a license group, you must remove any licenses associated w [How to Set Up an Unlimited License Group](how-to-set-up-an-unlimited-license-group.md) -  + -  + diff --git a/mdop/appv-v4/how-to-rename-an-application.md b/mdop/appv-v4/how-to-rename-an-application.md index c31ed10887..d16fc9a6e9 100644 --- a/mdop/appv-v4/how-to-rename-an-application.md +++ b/mdop/appv-v4/how-to-rename-an-application.md @@ -30,16 +30,16 @@ You can rename an application through the Application Virtualization Server Mana **Note**   You can also highlight the application in the right pane and press **F2**. -   + ## Related topics [How to Manage Applications in the Server Management Console](how-to-manage-applications-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-run-a-reportserver.md b/mdop/appv-v4/how-to-run-a-reportserver.md index 60e1602dcd..feb8ffd3aa 100644 --- a/mdop/appv-v4/how-to-run-a-reportserver.md +++ b/mdop/appv-v4/how-to-run-a-reportserver.md @@ -22,7 +22,7 @@ The process for running a report is the same regardless of the report type. When **Note**   Reports are not run automatically; you must run them explicitly to generate output data. The length of time it takes to run a report is determined by the amount of data collected in the data store. -  + **To run a report** @@ -55,9 +55,9 @@ Reports are not run automatically; you must run them explicitly to generate outp [How to Print a Report](how-to-print-a-reportserver.md) -  + -  + diff --git a/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md index e97ed83def..69b8fe0655 100644 
--- a/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 Use the following procedure to create a new add-on or plug-in virtual application package by using the Application Virtualization (App-V) Sequencer. An add-on or plug-in application is an application that extends the functionality of an application, for example, a plug-in for Microsoft Excel. For more information about the types of applications you can sequence, see [How to Determine Which Type of Application to Sequence (App-V 4.6 SP1)](how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md). -**Important**   +**Important** Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that is running the sequencer. Also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package. -  + You can also use an existing virtual application package as the parent application. To use an existing virtual application package, use the following procedure before sequencing the new add-on or plug-in. 
@@ -40,10 +40,10 @@ You can also use an existing virtual application package as the parent applicati 3. On the **Prepare Computer** page, review the issues that might cause the package creation to fail, or for the package to contain unnecessary data. We strongly recommend that you resolve all potential issues before you continue. After you have fixed the conflicts, to update the information displayed, click **Refresh**. After you have resolved all potential issues, click **Next**. - **Important**   + **Important** If you are required to disable virus scanning software, scan the computer running the sequencer to ensure that no unwanted or malicious files could be added to the package. -   + 4. On the **Type of Application** page, select **Add-on or Plug-in**, and then click **Next**. 
@@ -53,59 +53,63 @@ You can also use an existing virtual application package as the parent applicati 6. On the **Select Primary** page, click **Browse** and specify the parent application. - **Important**   + **Important** If the parent application that the add-on or plug-in you are installing is going to support has not been installed locally, stop here and install the application on the computer running the sequencer. For example, the **Excel.exe** program file must be installed locally for a Microsoft Excel plug-in. -   - Click **Next**. -7. On the **Package Name** page, specify a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will also be displayed in the App-V management console. The **Installation Location** displays the Application Virtualization path where the application will be installed. To edit this location, select **Edit (Advanced)**. +~~~ +Click **Next**. +~~~ - **Important**   - Editing the Application Virtualization path is an advanced configuration task. You should fully understand the implications of changing the path. For most applications, we recommend the default path. +7. On the **Package Name** page, specify a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will also be displayed in the App-V management console. The **Installation Location** displays the Application Virtualization path where the application will be installed. To edit this location, select **Edit (Advanced)**. -   + **Important** + Editing the Application Virtualization path is an advanced configuration task. You should fully understand the implications of changing the path. For most applications, we recommend the default path. - Click **Next**. -8. 
On the **Installation** page, when the sequencer and application installer are ready, install the plug-in or add-in application so the sequencer can monitor the installation process. Perform the installation by using the application’s installation process. If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. -9. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. +~~~ +Click **Next**. +~~~ + +8. On the **Installation** page, when the sequencer and application installer are ready, install the plug-in or add-in application so the sequencer can monitor the installation process. Perform the installation by using the application’s installation process. If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. + +9. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. 10. On the **Customize** page, if you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. If you want to customize any of the items in the following list, select **Customize**. - - Edit the file type associations associated with an application. 
+ - Edit the file type associations associated with an application. - - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 11. On the **Edit Shortcuts** page, you can optionally configure the file type associations (FTA) that will be associated with the various applications in the package. To create a new FTA, in the left pane, select and expand the application that you want to customize, and then click **Add**. In the **Add File Type Association** dialog box, provide the necessary information for the new FTA. Under the application, select **Shortcuts** to review the shortcut information associated with an application. In the **Location** pane, you can review the icon file information. To edit an existing FTA, click **Edit**. To remove an FTA, select the FTA, and then click **Remove**. Click **Next**. 12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. - **Note**   - If you want to stop an application from loading during this step, in the **Application Launch** dialog box, click **Stop** and select one of the check boxes, **Stop all applications** or **Stop this application only**. + **Note** + If you want to stop an application from loading during this step, in the **Application Launch** dialog box, click **Stop** and select one of the check boxes, **Stop all applications** or **Stop this application only**. + -   13. 
On the **Target OS** page, specify the operating systems that can run this package. To enable all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box, and then select the operating systems that can run this package. Click **Next**. 14. On the **Create Package** page, to modify the package without saving it, select **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the Sequencer console so that you can modify the package before it is saved. Click **Next**. - To save the package immediately, select the default **Save the package now**. Optionally, select **Comments** to add comments that will be associated with the package. Comments are useful for identifying version and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. The uncompressed package size is displayed. If the package size exceeds 4 GB (uncompressed) and you plan to stream the package to target computers, you must select **Compress Package**. Click **Create**. + To save the package immediately, select the default **Save the package now**. Optionally, select **Comments** to add comments that will be associated with the package. Comments are useful for identifying version and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. The uncompressed package size is displayed. If the package size exceeds 4 GB (uncompressed) and you plan to stream the package to target computers, you must select **Compress Package**. Click **Create**. 15. 
On the **Completion** page, after you have reviewed the information that is displayed in the **Successful Virtual Application Package Report** pane, click **Close**. The information displayed in the **Successful Virtual Application Package Report** pane is also available in the directory specified in step 14 of this procedure, in a file named **Reports.xml**. - The package is now available in the sequencer. Click **Edit \[Package Name\]** to edit the package properties. For more information about modifying a package, see [How to Modify an Existing Virtual Application Package (App-V 4.6 SP1)](how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md). + The package is now available in the sequencer. Click **Edit \[Package Name\]** to edit the package properties. For more information about modifying a package, see [How to Modify an Existing Virtual Application Package (App-V 4.6 SP1)](how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md). + + **Important** + After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. - **Important**   - After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. -   ## Related topics @@ -114,9 +118,9 @@ You can also use an existing virtual application package as the parent applicati [How to Determine Which Type of Application to Sequence (App-V 4.6 SP1)](how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-sequence-a-new-application--app-v-46-.md b/mdop/appv-v4/how-to-sequence-a-new-application--app-v-46-.md index 2ea4999e59..8cf0f80add 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-application--app-v-46-.md +++ b/mdop/appv-v4/how-to-sequence-a-new-application--app-v-46-.md 
@@ -19,19 +19,19 @@ ms.date: 06/16/2016 Use the following procedure to create a new virtual application by using the Application Virtualization (App-V) Sequencer. You can also use the App-V Sequencer to configure which files and configurations are applicable to all users and which files and configurations users can customize. After you successfully sequence the application, it is available in the App-V Sequencer. -**Important**   -During sequencing, if the computer running the sequencer is running Windows Vista or Windows 7, and a restart is initiated outside of the virtual environment, for example, by clicking **Start** / **Shut Down**, you must click **Cancel** when prompted to close the program that is preventing Windows from shutting down. If you click **Force shut down**, the package creation will fail, and the computer will restart. When you click **Cancel**, the sequencer successfully records the restart while the application is being sequenced. +**Important** +During sequencing, if the computer running the sequencer is running Windows Vista or Windows 7, and a restart is initiated outside of the virtual environment, for example, by clicking **Start** / **Shut Down**, you must click **Cancel** when prompted to close the program that is preventing Windows from shutting down. If you click **Force shut down**, the package creation will fail, and the computer will restart. When you click **Cancel**, the sequencer successfully records the restart while the application is being sequenced. + -  **To sequence a new application** 1. To create the App-V drive, configure drive Q as the location that can be used to save files while you are sequencing an application. You must then create individual directories for each application that you plan to sequence on drive Q. You can create the virtual application targeted folders before you sequence an application, or you can create them in step 5 of this procedure. 
- **Note**   + **Note** The App-V drive you specify must be accessible on targeted computers. If drive Q is not accessible, you can choose a different drive letter. -   + 2. To start the App-V Sequencer Console, on the computer that is running the App-V Sequencer, select **Start** / **Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. To start the Sequencing Wizard, click **Create a Package**. 
@@ -41,34 +41,36 @@ During sequencing, if the computer running the sequencer is running Windows Vis 5. On the **Monitor Installation** page, when you are ready to install the application, click **Begin Monitoring**, and in the **Browse for Folder** dialog box, specify the directory on drive Q where the application will be installed. If you did not configure drive Q and used a different drive letter for the application virtualization drive, select the drive letter you specified in step 1 of this procedure. To install the application to a folder that has not been created on the application virtualization drive, click **Make New Folder**. After you specify the folder, wait while the Sequencer configures the computer for sequencing. - **Important**   + **Important** You must install each application that you sequence into a separate directory on the virtual application drive, and the associated folder name must not be longer than eight characters. -   - After the computer has been configured for sequencing, install the application so that the App-V Sequencer can monitor the installation; when you are finished, click **Stop Monitoring**, and then click **Next**. -6. On the **Configure Applications** page, if necessary, configure the shortcuts and file type associations that will be associated with the virtual application. To add a new file type association or shortcut, click **Add**, and in the **Add Application** dialog box, specify the new element. To remove an existing shortcut or file type association, click **Remove**. To edit an existing element, select the element you want to modify, and then click **Edit**. Specify the configurations in the **Edit Application** dialog box. Click **Save**, and then click **Next**. +~~~ +After the computer has been configured for sequencing, install the application so that the App-V Sequencer can monitor the installation; when you are finished, click **Stop Monitoring**, and then click **Next**. +~~~ -7. 
On the **Launch Applications** page, to start the application to ensure that the package has been installed correctly and is optimized for streaming, select the package, and then click **Launch**. This step is useful for configuring how the application initially runs on targeted computers and for accepting any associated license agreements before the package becomes available to App-V clients. If multiple applications are associated with this package, you can select **Launch All** to open all of the applications. To sequence the package, click **Next**. +6. On the **Configure Applications** page, if necessary, configure the shortcuts and file type associations that will be associated with the virtual application. To add a new file type association or shortcut, click **Add**, and in the **Add Application** dialog box, specify the new element. To remove an existing shortcut or file type association, click **Remove**. To edit an existing element, select the element you want to modify, and then click **Edit**. Specify the configurations in the **Edit Application** dialog box. Click **Save**, and then click **Next**. -8. After you have successfully created the package, in the App-V Sequencer Console, select **File** / **Save** and specify the name and the virtual drive location where the package will be saved. +7. On the **Launch Applications** page, to start the application to ensure that the package has been installed correctly and is optimized for streaming, select the package, and then click **Launch**. This step is useful for configuring how the application initially runs on targeted computers and for accepting any associated license agreements before the package becomes available to App-V clients. If multiple applications are associated with this package, you can select **Launch All** to open all of the applications. To sequence the package, click **Next**. 
- You can optionally create an associated Windows Installer file (**.msi**) to install the virtual application package on targeted computers. To create a Windows Installer file, open the package in the Sequencer and select **Tools** / **Create MSI**. The Windows Installer file will be created and saved in the directory where the virtual application package is saved. +8. After you have successfully created the package, in the App-V Sequencer Console, select **File** / **Save** and specify the name and the virtual drive location where the package will be saved. + + You can optionally create an associated Windows Installer file (**.msi**) to install the virtual application package on targeted computers. To create a Windows Installer file, open the package in the Sequencer and select **Tools** / **Create MSI**. The Windows Installer file will be created and saved in the directory where the virtual application package is saved. + + **Important** + After you have successfully created a virtual application package, you cannot run the virtual application package on the computer running the sequencer. - **Important**   - After you have successfully created a virtual application package, you cannot run the virtual application package on the computer running the sequencer. -   ## Related topics [How to Upgrade a Virtual Application Package (App-V 4.6)](how-to-upgrade-a-virtual-application-package--app-v-46-.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-sequence-a-new-application-by-using-the-command-line.md b/mdop/appv-v4/how-to-sequence-a-new-application-by-using-the-command-line.md index 24fa8fa4f3..8df7b3d92a 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-application-by-using-the-command-line.md +++ b/mdop/appv-v4/how-to-sequence-a-new-application-by-using-the-command-line.md 
@@ -19,10 +19,10 @@ ms.date: 06/16/2016 You can use a command line to sequence a new application. Using a command line is useful when you have to create a large number of virtual applications or when you need to create sequenced applications on a recurring basis. -**Important**   +**Important** Command-line sequencing allows for default sequencing only. If you need to change default installation settings for the application you are sequencing, you must either manually modify the virtual application or update the virtual application by using the Application Virtualization (App-V) Sequencer. For more information about updating a virtual application by using the App-V Sequencer, see [How to Upgrade an Existing Virtual Application](how-to-upgrade-an-existing-virtual-application.md). -  + Use the following procedure to create a virtual application by using the command line. @@ -36,43 +36,45 @@ Use the following procedure to create a virtual application by using the command `SFTSequencer /INSTALLPACKAGE:"pathtoMSI" /INSTALLPATH:"pathtopackageroot" /OUTPUTFILE:"pathtodestinationSPRJ"` - **Note**   + **Note** You can specify additional parameters by using the command line, depending on the complexity of the application you are sequencing. For a complete list of parameters that are available for use with the App-V Sequencer, see [Sequencer Command-Line Parameters](sequencer-command-line-parameters.md). -   - Use the value descriptions in the following table to help you determine the actual text you will use in the preceding command. - - - - - - - - - - - - - - - - - - - - - - - - - -
    ValueDescription

    pathtoMSI

    Specifies the Windows Installer or a batch file that will be used to install an application so that it can be sequenced.

    pathtopackageroot

    Specify the package root directory.

    pathtodestinationSPRJ

    Specifies the path and file name of the SPRJ file that will be created.

    +~~~ +Use the value descriptions in the following table to help you determine the actual text you will use in the preceding command. -   + ++++ + + + + + + + + + + + + + + + + + + + + +
    ValueDescription

    pathtoMSI

    Specifies the Windows Installer or a batch file that will be used to install an application so that it can be sequenced.

    pathtopackageroot

    Specify the package root directory.

    pathtodestinationSPRJ

    Specifies the path and file name of the SPRJ file that will be created.

    +~~~ -4. Press **Enter**. + + +4. Press **Enter**. ## Related topics @@ -83,9 +85,9 @@ Use the following procedure to create a virtual application by using the command [Sequencer Command-Line Parameters](sequencer-command-line-parameters.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-sequence-a-new-application-package-using-the-command-line.md b/mdop/appv-v4/how-to-sequence-a-new-application-package-using-the-command-line.md index 8c2c0b74ba..65432aa68a 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-application-package-using-the-command-line.md +++ b/mdop/appv-v4/how-to-sequence-a-new-application-package-using-the-command-line.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 You can use a command line to sequence a new application. Using a command line is useful when you have to create a large number of virtual applications or when you need to create sequenced applications on a recurring basis. -**Important**   +**Important** Command-line sequencing allows for default sequencing only. If you need to change default installation settings for the application you are sequencing, you must either manually modify the virtual application or update the virtual application by using the Application Virtualization (App-V) Sequencer. For more information about updating a virtual application by using the App-V Sequencer, see [How to Upgrade an Existing Virtual Application](how-to-upgrade-an-existing-virtual-application.md). -  + Use the following procedure to create a virtual application by using the command line. 
@@ -36,52 +36,54 @@ Use the following procedure to create a virtual application by using the command `SFTSequencer /INSTALLPACKAGE:"pathtoMSI" /INSTALLPATH:"pathtopackageroot" /OUTPUTFILE:"pathtodestinationSPRJ"` - **Note**   + **Note** You can specify additional parameters by using the command line, depending on the complexity of the application you are sequencing. For a complete list of parameters that are available for use with the App-V Sequencer, see [Application Virtualization Sequencer Command Line](application-virtualization-sequencer-command-line.md). -   - Use the value descriptions in the following table to help you determine the actual text you will use in the preceding command. - - - - - - - - - - - - - - - - - - - - - - - - - -
    ValueDescription

    pathtoMSI

    Specifies the Windows Installer or a batch file that will be used to install an application so that it can be sequenced.

    pathtopackageroot

    Specifies the package root directory.

    pathtodestinationSPRJ

    Specifies the path and file name of the SPRJ file that will be created.

    +~~~ +Use the value descriptions in the following table to help you determine the actual text you will use in the preceding command. -   + ++++ + + + + + + + + + + + + + + + + + + + + +
    ValueDescription

    pathtoMSI

    Specifies the Windows Installer or a batch file that will be used to install an application so that it can be sequenced.

    pathtopackageroot

    Specifies the package root directory.

    pathtodestinationSPRJ

    Specifies the path and file name of the SPRJ file that will be created.

    +~~~ -4. Press **Enter**. + + +4. Press **Enter**. ## Related topics [How to Manage Virtual Applications Using the Command Line](how-to-manage-virtual-applications-using-the-command-line.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-sequence-a-new-application.md b/mdop/appv-v4/how-to-sequence-a-new-application.md index f3c3c5f9f5..3d05d35761 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-application.md +++ b/mdop/appv-v4/how-to-sequence-a-new-application.md 
@@ -31,29 +31,31 @@ After you successfully sequence the application, it is available in the App-V Se 3. On the **Package Information** page, specify the **Package Name** that will be assigned to the virtual application. The package name is required for generating the associated Windows Installer file. You should also add an optional comment that will be assigned to the package and that provides detailed information about the virtual application. To display the **Advanced Options** page, select **Show Advanced Monitoring Options**. Click **Next**. - **Note**   + **Note** To display the **Advanced Options** page, you must select **Show Advanced Monitoring Options**. If you do not require the **Advanced Options** page, skip to step 4. -   + 4. On the **Advanced Options** page, to specify the **Block Size** for the virtual application, select the size you want. The block size determines how the **.sft** file will be divided for streaming the package across the network to target computers. To allow Microsoft Update to update the application as it is being sequenced; select **Allow Microsoft Update to run during monitoring**. If you select this option, Microsoft Updates are allowed to be installed during the monitoring phase and you will need to accept the associated updates for them to be installed. To remap the supported dynamic link library (.dll) files so that they use a contiguous space of RAM, select **Rebase DLLs**. Selecting this option can conserve memory and help improve performance. Many applications do not support this option, but it is useful in environments with limited RAM such as in Terminal Server scenarios. Click **Next**. 5. On the **Monitor Installation** page, to monitor the installation of an application, click **Begin Monitoring**. After you click **Begin Monitoring**, specify the directory on the Q:\\ drive where the application will be installed. To install the application to a folder that has not been ccreated, click **Make New Folder**. 
You must install each application that you sequence into a separate directory. - **Important**   + **Important** The folder name you specify must not be longer than 8 characters. -   - Wait for the virtual environment to load, and then install the application so that the App-V Sequencer can monitor the process. When you have completed the installation, click **Stop Monitoring** and then click **Next**. -6. On the **Additional Files to Map to Virtual File System (VFS)** page, to specify additional files to be added to the Virtual File System (VFS), click **Add**. Browse to the file you want to add, and click **Open**. To clear existing files that have been added, click **Reset** and then click **Next**. +~~~ +Wait for the virtual environment to load, and then install the application so that the App-V Sequencer can monitor the process. When you have completed the installation, click **Stop Monitoring** and then click **Next**. +~~~ -7. On the **Configure Applications** page, configure the shortcuts and file type associations that will be associated with the virtual application. Select the element you want to update, and then click **Edit Locations**. Specify the configurations in the **Shortcut Locations** dialog box. Click **OK** and then click **Next**. +6. On the **Additional Files to Map to Virtual File System (VFS)** page, to specify additional files to be added to the Virtual File System (VFS), click **Add**. Browse to the file you want to add, and click **Open**. To clear existing files that have been added, click **Reset** and then click **Next**. -8. On the **Launch Applications** page, to start the application to ensure that the package is optimized for streaming, select the package and click **Launch**. This step is useful for configuring how the application initially runs on target computers and for accepting any associated license agreements before the package is made available to clients. 
If there are multiple applications associated with this package, you can select **Launch All** to open all of the applications. To sequence the package, click **Next**. +7. On the **Configure Applications** page, configure the shortcuts and file type associations that will be associated with the virtual application. Select the element you want to update, and then click **Edit Locations**. Specify the configurations in the **Shortcut Locations** dialog box. Click **OK** and then click **Next**. -9. On the **Sequence Package** page, to close the wizard, click **Finish**. +8. On the **Launch Applications** page, to start the application to ensure that the package is optimized for streaming, select the package and click **Launch**. This step is useful for configuring how the application initially runs on target computers and for accepting any associated license agreements before the package is made available to clients. If there are multiple applications associated with this package, you can select **Launch All** to open all of the applications. To sequence the package, click **Next**. + +9. On the **Sequence Package** page, to close the wizard, click **Finish**. 10. After you have successfully created the package, to save the package, in the App-V Sequencer Console, select **File** / **Save** and specify the name and the location where the package will be saved. @@ -62,9 +64,9 @@ After you successfully sequence the application, it is available in the App-V Se [Tasks for the Application Virtualization Sequencer](tasks-for-the-application-virtualization-sequencer.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md index 89175af2b4..4f5f815988 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-sequence-a-new-middleware-application--app-v-46-sp1-.md 
@@ -21,10 +21,10 @@ Use the following procedure to create a new middleware virtual application packa Use this type of package by using Dynamic Suite Composition in App-V. Dynamic Suite Composition enables you to define a virtual application package as being dependent on another virtual application package. The dependency enables the application to interact with the middleware or plug-in in the virtual environment, where typically this interaction is prevented. This is useful because a secondary application package can be used with several other primary applications, which enables each primary application to reference the same secondary package. For more information about how to use Dynamic Suite Composition, see [How To Use Dynamic Suite Composition](https://go.microsoft.com/fwlink/?LinkID=203804&clcid=0x409) in the Microsoft Technical Library (https://go.microsoft.com/fwlink/?LinkID=203804&clcid=0x409). -**Important**   -During sequencing, if the computer running the App-V Sequencer is running Windows Vista or Windows 7 and a restart is initiated outside of the virtual environment, for example, **Start** / **Shut Down**, you must click **Cancel** when prompted to close the program that is preventing Windows from shutting down. If you click **Force shut down**, the package creation fails. When you click **Cancel**, App-V Sequencer successfully records the restart while the application is being sequenced. +**Important** +During sequencing, if the computer running the App-V Sequencer is running Windows Vista or Windows 7 and a restart is initiated outside of the virtual environment, for example, **Start** / **Shut Down**, you must click **Cancel** when prompted to close the program that is preventing Windows from shutting down. If you click **Force shut down**, the package creation fails. When you click **Cancel**, App-V Sequencer successfully records the restart while the application is being sequenced. + -  **To sequence a new middleware application** 
@@ -34,10 +34,10 @@ During sequencing, if the computer running the App-V Sequencer is running Window 3. On the **Prepare Computer** page, review the issues that might cause the package creation to fail, or for the package to contain unnecessary data. We strongly recommend that you resolve all potential issues before you continue. After you have fixed the conflicts, to update the information displayed, click **Refresh**. After you have resolved all potential issues, click **Next**. - **Important**   + **Important** If you are required to disable virus scanning software, you must scan the computer running the App-VSequencer to ensure that no unwanted or malicious files can be added to the package. -   + 4. On the **Type of Application** page, select **Middleware**, and then click **Next**. 
@@ -47,33 +47,35 @@ During sequencing, if the computer running the App-V Sequencer is running Window 6. On the **Package Name** page, specify a name that will be associated with the package. The name helps identify the purpose and version of the application that will be added to the package. The package name is also displayed in the App-V Management Console. The **Installation Location** displays the application virtualization path where the application will be installed. To edit this location, select **Edit (Advanced)**. - **Important**   + **Important** Editing the Application Virtualization path is an advanced configuration task. You should fully understand the implications of changing the path. For most applications, we recommend the default path. -   - Click **Next**. -7. On the **Installation** page, when the Sequencer and middleware application installer are ready, install the application so that the Sequencer can monitor the installation process. Perform the installation by using the application’s installation process. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. +~~~ +Click **Next**. +~~~ -8. On the **Installation** page, wait while the Sequencer configures the virtual application package. +7. On the **Installation** page, when the Sequencer and middleware application installer are ready, install the application so that the Sequencer can monitor the installation process. Perform the installation by using the application’s installation process. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. -9. 
On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. +8. On the **Installation** page, wait while the Sequencer configures the virtual application package. + +9. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. 10. On the **Target OS** page, specify the operating systems that can run this package. To enable all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box and select the operating systems that can run this package. Click **Next**. 11. On the **Create Package** page, to modify the package without saving it, select the **Continue to modify package without saving using the package editor** check box. Selecting this option opens the package in the Sequencer console so that you can modify the package before it is saved. Click **Next**. - To save the package immediately, select the default, the **Save the package now** check box. Add optional comments in the **Comments** box that will be associated with the package. Comments are useful for identifying version and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse**, and then specify the new location. The uncompressed package size is displayed. 
If the package size exceeds 4 GB (uncompressed) and you plan to stream the package to target computers, you must select **Compress Package**. Click **Create**. + To save the package immediately, select the default, the **Save the package now** check box. Add optional comments in the **Comments** box that will be associated with the package. Comments are useful for identifying version and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse**, and then specify the new location. The uncompressed package size is displayed. If the package size exceeds 4 GB (uncompressed) and you plan to stream the package to target computers, you must select **Compress Package**. Click **Create**. 12. On the **Completion** page, after you have reviewed the information displayed in the **Virtual Application Package Report** pane, click **Close**. The information displayed in the **Virtual Application Package Report** pane is also available in the directory specified in step 11 of this procedure, in a file named **Report.xml**. - The package is now available in the Sequencer. To edit the package properties, click **Edit \[Package Name\]**. For more information about modifying a package, see [How to Modify an Existing Virtual Application Package (App-V 4.6 SP1)](how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md) + The package is now available in the Sequencer. To edit the package properties, click **Edit \[Package Name\]**. For more information about modifying a package, see [How to Modify an Existing Virtual Application Package (App-V 4.6 SP1)](how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md) + + **Important** + After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the Sequencer. 
- **Important**   - After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the Sequencer. -   ## Related topics @@ -82,9 +84,9 @@ During sequencing, if the computer running the App-V Sequencer is running Window [How to Determine Which Type of Application to Sequence (App-V 4.6 SP1)](how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md index 1293f25561..0811b151cb 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md 
@@ -19,15 +19,15 @@ ms.date: 06/16/2016 Use the following procedure to create a new standard virtual application package by using the Application Virtualization (App-V) Sequencer. This procedure applies to most applications that you sequence. For more information about the types of applications you can sequence, see [How to Determine Which Type of Application to Sequence (App-V 4.6 SP1)](how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md). You must run the sequencer (**SFTSequencer.exe**) using an account that has administrator privileges because of the changes the sequencer makes to the local system. These changes can include writing files to the **C:\\Program Files** directory, making registry changes, starting and stopping services, updating security descriptors for files, and changing permissions. -**Important**   -During sequencing, if the computer running the Sequencer is running Windows Vista or Windows 7 and a restart is initiated outside of the virtual environment, for example, **Start** / **Shut Down**, you must click **Cancel** when prompted to close the program that is preventing Windows Vista or Windows from shutting down. If you click **Force shut down**, the package creation fails. When you click **Cancel**, the Sequencer successfully records the restart while the application is being sequenced. +**Important** +During sequencing, if the computer running the Sequencer is running Windows Vista or Windows 7 and a restart is initiated outside of the virtual environment, for example, **Start** / **Shut Down**, you must click **Cancel** when prompted to close the program that is preventing Windows Vista or Windows from shutting down. If you click **Force shut down**, the package creation fails. When you click **Cancel**, the Sequencer successfully records the restart while the application is being sequenced. -  -**Note**   + +**Note** Running the App-V sequencer in Safe Mode is not supported. 
-  + **To sequence a new standard application** @@ -37,10 +37,10 @@ Running the App-V sequencer in Safe Mode is not supported. 3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail, or for the package to contain unnecessary data. We strongly recommend that you resolve all potential issues before you continue. After you have fixed the conflicts, to update the information that is displayed, click **Refresh**. After you have resolved all potential issues, click **Next**. - **Important**   + **Important** If you are required to disable virus scanning software, scan the computer running the Sequencer to ensure that no unwanted or malicious files could be added to the package. -   + 4. On the **Type of Application** page, click **Standard Application (default)** check box, and then click **Next**. 
@@ -50,59 +50,61 @@ Running the App-V sequencer in Safe Mode is not supported. 6. On the **Package Name** page, specify a name that will be associated with the package. The name helps identify the purpose and version of the application that are added to the package. The package name is also displayed in the App-V management console. The **Primary Virtual Application Directory** displays the Application Virtualization path where the application will be installed on target computers. To edit this location, select **Edit (Advanced)**. - **Important**   + **Important** Editing the Application Virtualization path is an advanced configuration task. You should fully understand the implications of changing the path. For most applications, the default path is recommended. -   - Click **Next**. -7. On the **Installation** page, when the Sequencer and application installer are ready, install the application so that the Sequencer can monitor the installation process. Perform the installation by using the application’s installation process. If additional installation files must be run as part of the installation, click **Run** to locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. +~~~ +Click **Next**. +~~~ -8. On the **Installation** page, wait while the Sequencer configures the virtual application package. +7. On the **Installation** page, when the Sequencer and application installer are ready, install the application so that the Sequencer can monitor the installation process. Perform the installation by using the application’s installation process. If additional installation files must be run as part of the installation, click **Run** to locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. -9. On the **Configure Software** page, optionally run the programs contained in the package. 
This step helps complete any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**. +8. On the **Installation** page, wait while the Sequencer configures the virtual application package. + +9. On the **Configure Software** page, optionally run the programs contained in the package. This step helps complete any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs you want to run, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. It can take several minutes for all programs to run. Click **Next**. 10. On the **Installation Report** page, you can review information about the virtual application package you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. 11. On the **Customize** page, if you are finished installing and configuring the virtual application, select **Stop now** and skip to step 15 of this procedure. If you want to customize any of the items in the following list, select **Customize**. - - Edit the file type associations and the icons associated with an application. + - Edit the file type associations and the icons associated with an application. - - Prepare the virtual package for streaming. 
Streaming improves the experience when the virtual application package is run on target computers. + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 12. On the **Edit Shortcuts** page, you can optionally configure the file type associations (FTA) and shortcut locations that will be associated with the various applications in the package. To create a new FTA, in the left pane, select and expand the application you want to customize, and then click **Add**. In the **Add File Type Association** dialog box, provide the necessary information for the new FTA. To review the shortcut information associated with an application, under the application, select **Shortcuts**, and in the **Location** pane, you can edit the icon file information. To edit an existing FTA, click **Edit**. To remove an FTA, select the FTA, and then click **Remove**. Click **Next**. 13. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. - **Note**   - If you want to stop an application from loading during this step, in the **Application Launch** dialog box, click **Stop**, and select one of the check boxes, **Stop all applications** or **Stop this application only**, depending on what you want. + **Note** + If you want to stop an application from loading during this step, in the **Application Launch** dialog box, click **Stop**, and select one of the check boxes, **Stop all applications** or **Stop this application only**, depending on what you want. + -   14. 
On the **Target OS** page, specify the operating systems that can run this package. To enable all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and specify the operating systems that can run this package. Click **Next**. - **Important**   - The operating systems specified during this step reflect the operating systems on target computers that are enabled to run the package. You must ensure that the operating systems specified are supported by the application you are sequencing. + **Important** + The operating systems specified during this step reflect the operating systems on target computers that are enabled to run the package. You must ensure that the operating systems specified are supported by the application you are sequencing. + -   15. On the **Create Package** page, to modify the package without saving it, select **Continue to modify package without saving using the package editor**. Selecting this option opens the package in the Sequencer console so that you can modify the package before it is saved. Click **Next**. - To save the package immediately, select the default **Save the package now**. Add optional **Comments** that will be associated with the package. Comments are useful for identifying version and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. The uncompressed package size is displayed. If the package size exceeds 4 GB (uncompressed) and you plan to stream the package to target computers, you must select **Compress Package**. Click **Create**. + To save the package immediately, select the default **Save the package now**. Add optional **Comments** that will be associated with the package. 
Comments are useful for identifying version and other information about the package. The default **Save Location** is also displayed. To change the default location, click **Browse** and specify the new location. The uncompressed package size is displayed. If the package size exceeds 4 GB (uncompressed) and you plan to stream the package to target computers, you must select **Compress Package**. Click **Create**. 16. On the **Completion** page, after you have reviewed the information displayed in the **Virtual Application Package Report** pane, click **Close**. The information displayed in the **Virtual Application Package Report** pane is also available in the directory specified in step 15 of this procedure, in a file named **Report.xml**. The package is now available in the Sequencer. To edit the package properties, click **Edit \[Package Name\]**. For more information about modifying a package, see [How to Modify an Existing Virtual Application Package (App-V 4.6 SP1)](how-to-modify-an-existing-virtual-application-package--app-v-46-sp1-.md) - **Important**   + **Important** After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the Sequencer. -   + ## Related topics @@ -111,9 +113,9 @@ Running the App-V sequencer in Safe Mode is not supported. [How to Determine Which Type of Application to Sequence (App-V 4.6 SP1)](how-to-determine-which-type-of-application-to-sequence---app-v-46-sp1-.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-sequence-an-application.md b/mdop/appv-v4/how-to-sequence-an-application.md index dc5570e9bf..6e4b78a2d3 100644 --- a/mdop/appv-v4/how-to-sequence-an-application.md +++ b/mdop/appv-v4/how-to-sequence-an-application.md 
@@ -31,29 +31,31 @@ After you successfully sequence the application, it is available in the App-V Se 3. On the **Package Information** page, specify the **Package Name** that will be assigned to the virtual application. The package name is required for generating the associated Windows Installer file. You should also add an optional comment that will be assigned to the package and that provides detailed information about the virtual application. To display the **Advanced Options** page, select **Show Advanced Monitoring Options**. Click **Next**. - **Note**   + **Note** To display the **Advanced Options** page, you must select **Show Advanced Monitoring Options**. If you do not require the **Advanced Options** page, skip to step 4. -   -4. On the **Advanced Options** page, to specify the **Block Size** for the virtual application, select the size you want. The block size determines how the **.sft** file will be divided for streaming the package across the network to target computers. To allow Microsoft Update to update the application as it is being sequenced; select **Allow Microsoft Update to run during monitoring**. If you select this option, Microsoft Updates are allowed to be installed during the monitoring phase and you will need to accept the associated updates for them to be installed. To remap the supported dynamic link library (.dll) files so that they use a contiguous space of RAM, select **Rebase DLLs**. Selecting this option can conserve memory and help improve performance. Many applications do not support this option, but it is useful in environments with limited RAM such as in Remote Desktop Session Host (RD Session Host) Server scenarios. Click **Next**. + +4. On the **Advanced Options** page, to specify the **Block Size** for the virtual application, select the size you want. The block size determines how the **.sft** file will be divided for streaming the package across the network to target computers. 
To allow Microsoft Update to update the application as it is being sequenced; select **Allow Microsoft Update to run during monitoring**. If you select this option, Microsoft Updates are allowed to be installed during the monitoring phase and you will need to accept the associated updates for them to be installed. To remap the supported dynamic link library (.dll) files so that they use a contiguous space of RAM, select **Rebase DLLs**. Selecting this option can conserve memory and help improve performance. Many applications do not support this option, but it is useful in environments with limited RAM such as in Remote Desktop Session Host (RD Session Host) Server scenarios. Click **Next**. 5. On the **Monitor Installation** page, to monitor the installation of an application, click **Begin Monitoring**. After you click **Begin Monitoring**, specify the directory on the Q:\\ drive where the application will be installed. To install the application to a folder that has not been created, click **Make New Folder**. You must install each application that you sequence into a separate directory. - **Important**   + **Important** The folder name you specify must not be longer than 8 characters. -   - Wait for the virtual environment to load, and then install the application so that the App-V Sequencer can monitor the process. When you have completed the installation, click **Stop Monitoring**, and then click **Next**. -6. On the **Additional Files to Map to Virtual File System (VFS)** page, to specify additional files to be added to the Virtual File System (VFS), click **Add**. Browse to the file you want to add and click **Open**. To clear existing files that have been added, click **Reset**, and then click **Next**. +~~~ +Wait for the virtual environment to load, and then install the application so that the App-V Sequencer can monitor the process. When you have completed the installation, click **Stop Monitoring**, and then click **Next**. +~~~ -7. 
On the **Configure Applications** page, configure the shortcuts and file type associations that will be associated with the virtual application. Select the element that you want to update, and then click **Edit Locations**. Specify the configurations in the Shortcut Locations dialog box. Click **OK**, and then click **Next**. +6. On the **Additional Files to Map to Virtual File System (VFS)** page, to specify additional files to be added to the Virtual File System (VFS), click **Add**. Browse to the file you want to add and click **Open**. To clear existing files that have been added, click **Reset**, and then click **Next**. -8. On the **Launch Applications** page, to start the application to ensure that the package is optimized for streaming, select the package and click **Launch**. This step is useful for configuring how the application initially runs on target computers and for accepting any associated license agreements before the package is made available to clients. If there are multiple applications associated with this package, you can select **Launch All** to open all of the applications. To sequence the package, click **Next**. +7. On the **Configure Applications** page, configure the shortcuts and file type associations that will be associated with the virtual application. Select the element that you want to update, and then click **Edit Locations**. Specify the configurations in the Shortcut Locations dialog box. Click **OK**, and then click **Next**. -9. On the **Sequence Package** page, to close the wizard, click **Finish**. +8. On the **Launch Applications** page, to start the application to ensure that the package is optimized for streaming, select the package and click **Launch**. This step is useful for configuring how the application initially runs on target computers and for accepting any associated license agreements before the package is made available to clients. 
If there are multiple applications associated with this package, you can select **Launch All** to open all of the applications. To sequence the package, click **Next**. + +9. On the **Sequence Package** page, to close the wizard, click **Finish**. 10. After you have successfully created the package, to save the package, in the App-V Sequencer Console, select **File** / **Save** and specify the name and the location where the package will be saved. @@ -64,9 +66,9 @@ After you successfully sequence the application, it is available in the App-V Se [How to Sequence a New Application by Using the Command Line](how-to-sequence-a-new-application-by-using-the-command-line.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-set-up-and-enable-or-disable-authentication.md b/mdop/appv-v4/how-to-set-up-and-enable-or-disable-authentication.md index 847e678222..330c8fd3c2 100644 --- a/mdop/appv-v4/how-to-set-up-and-enable-or-disable-authentication.md +++ b/mdop/appv-v4/how-to-set-up-and-enable-or-disable-authentication.md @@ -20,9 +20,9 @@ ms.date: 06/16/2016 The Application Virtualization Server Management Console lets you enable or disable Windows authentication, which lets you to define who has access to the system. You can use the following procedures to set up and disable authentication from the **Provider Policies Results** pane of the console. **Note**   -  Normally, you set up authentication when you add a provider policy through the New Provider Policy Wizard. + Normally, you set up authentication when you add a provider policy through the New Provider Policy Wizard. -  + **To set up authentication** @@ -53,9 +53,9 @@ The Application Virtualization Server Management Console lets you enable or disa [How to Customize an Application Virtualization System in the Server Management Console](how-to-customize-an-application-virtualization-system-in-the-server-management-console.md) -  + -  + 
diff --git a/mdop/appv-v4/how-to-set-up-or-disable-database-size.md b/mdop/appv-v4/how-to-set-up-or-disable-database-size.md index 95f24a2f22..80082bec49 100644 --- a/mdop/appv-v4/how-to-set-up-or-disable-database-size.md +++ b/mdop/appv-v4/how-to-set-up-or-disable-database-size.md @@ -24,7 +24,7 @@ When the size of the stored data reaches 95% (the high watermark) of the specifi **Note**   The **No Size Limit** and **Keep All Usage** options are provided so that you can disable usage reporting and database cleanup. Selecting these items will clean up the database transaction log as well. (All committed Microsoft SQL Server transactions will be removed from the database log.) -  + **To set up database size** @@ -55,9 +55,9 @@ The **No Size Limit** and **Keep All Usage** options are provided so that you ca [How to Set Up or Disable Usage Reporting](how-to-set-up-or-disable-usage-reporting.md) -  + -  + diff --git a/mdop/appv-v4/how-to-set-up-or-disable-usage-reporting.md b/mdop/appv-v4/how-to-set-up-or-disable-usage-reporting.md index 5c4a0755b9..cc5904c915 100644 --- a/mdop/appv-v4/how-to-set-up-or-disable-usage-reporting.md +++ b/mdop/appv-v4/how-to-set-up-or-disable-usage-reporting.md @@ -20,9 +20,9 @@ ms.date: 06/16/2016 You can use the following procedures in the Application Virtualization Server Management Console to specify the duration (in months) of Application Virtualization System usage information you want to store in the database. **Note**   - To store usage information, you must select the **Log Usage Information** check box on the **Provider Pipeline** tab. To display this tab, right-click the provider policy in the **Provider Policies Results** pane and select **Properties**. + To store usage information, you must select the **Log Usage Information** check box on the **Provider Pipeline** tab. To display this tab, right-click the provider policy in the **Provider Policies Results** pane and select **Properties**. -  + **To set up usage reporting** 
@@ -55,9 +55,9 @@ You can use the following procedures in the Application Virtualization Server Ma [How to Set Up or Disable Database Size](how-to-set-up-or-disable-database-size.md) -  + -  + diff --git a/mdop/appv-v4/how-to-set-up-periodic-publishing-refresh.md b/mdop/appv-v4/how-to-set-up-periodic-publishing-refresh.md index 6bbe52ef10..7c062516ea 100644 --- a/mdop/appv-v4/how-to-set-up-periodic-publishing-refresh.md +++ b/mdop/appv-v4/how-to-set-up-periodic-publishing-refresh.md @@ -22,7 +22,7 @@ You can use the following procedure to configure the client to periodically refr **Note**   After you have performed this procedure, the publishing information will be refreshed according to the new settings after the first refresh at login. When this first refresh occurs, the server might override the computer settings with different settings, depending on how it is configured. The **Refresh** tab in the **Properties** dialog box shows the locally configured client computer settings and any settings that might have been configured for the user by the publishing server. -  + **To periodically refresh the publishing information from the Application Virtualization Servers** @@ -35,7 +35,7 @@ After you have performed this procedure, the publishing information will be refr **Note**   This setting will cause the client to refresh publishing information every time the configured period elapses. If the user is not logged in when it's time to do a refresh, the refresh will take place when the user next logs in. The timer is then started again for the next period. -   + 4. Click **Apply** to change the configuration. @@ -46,9 +46,9 @@ After you have performed this procedure, the publishing information will be refr [How to Configure the Client in the Application Virtualization Client Management Console](how-to-configure-the-client-in-the-application-virtualization-client-management-console.md) -  + -  + 
diff --git a/mdop/appv-v4/how-to-uninstall-the-app-v-client.md b/mdop/appv-v4/how-to-uninstall-the-app-v-client.md index e85301064c..32cefce588 100644 --- a/mdop/appv-v4/how-to-uninstall-the-app-v-client.md +++ b/mdop/appv-v4/how-to-uninstall-the-app-v-client.md @@ -28,14 +28,14 @@ Use the following procedure to uninstall the Application Virtualization Client f **Important**   The uninstall process cannot be canceled or interrupted. -   + 3. When a message stating that the Microsoft Application Virtualization Client Tray application must be closed before continuing appears, right-click the App-V icon in the notification area and select **Exit** to close the application. Then click **Retry** to continue with the uninstall process. **Important**   You might see a message stating that one or more virtual applications are in use. Close any open applications and save your data before you continue. Then click **OK** to continue with the uninstall process. -   + 4. A progress bar shows the time remaining. When this step finishes, you must restart the computer so that all associated drivers can be stopped to complete the uninstall process. @@ -50,7 +50,7 @@ Use the following procedure to uninstall the Application Virtualization Client f - HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\SoftGrid\\4.5\\SystemGuard\\SecKey -   + ## Related topics @@ -61,9 +61,9 @@ Use the following procedure to uninstall the Application Virtualization Client f [How to Publish a Virtual Application on the Client](how-to-publish-a-virtual-application-on-the-client.md) -  + -  + diff --git a/mdop/appv-v4/how-to-upgrade-a-package-using-the-open-package-command.md b/mdop/appv-v4/how-to-upgrade-a-package-using-the-open-package-command.md index 72bbdf39b0..6084e10e78 100644 --- a/mdop/appv-v4/how-to-upgrade-a-package-using-the-open-package-command.md +++ b/mdop/appv-v4/how-to-upgrade-a-package-using-the-open-package-command.md 
@@ -30,16 +30,16 @@ Use the Open Package command to upgrade or apply an update to a sequenced applic **Important**   Updating the file name with the package version is essential to successfully completing the upgrade. -   + ## Related topics [How to Manage Virtual Applications Using the Command Line](how-to-manage-virtual-applications-using-the-command-line.md) -  + -  + diff --git a/mdop/appv-v4/how-to-upgrade-a-package.md b/mdop/appv-v4/how-to-upgrade-a-package.md index 63a4c6cb90..503f8d897c 100644 --- a/mdop/appv-v4/how-to-upgrade-a-package.md +++ b/mdop/appv-v4/how-to-upgrade-a-package.md @@ -28,7 +28,7 @@ When you upgrade a package with a new version, you can leave the existing versio **Note**   If resequencing did not add features that changed the Open Software Descriptor (OSD), icon (ICO), or Sequencer Project (SPRJ) files, you do not need to copy those. You can include these files if you want all these files to display the same date. -   + 2. In left pane of the Application Virtualization Server Management Console, expand **Packages**. @@ -47,9 +47,9 @@ When you upgrade a package with a new version, you can leave the existing versio [How to Manage Packages in the Server Management Console](how-to-manage-packages-in-the-server-management-console.md) -  + -  + diff --git a/mdop/appv-v4/how-to-upgrade-a-sequenced-application-package-using-the-command-line.md b/mdop/appv-v4/how-to-upgrade-a-sequenced-application-package-using-the-command-line.md index 1822dbefd4..3ed3a2cdfc 100644 --- a/mdop/appv-v4/how-to-upgrade-a-sequenced-application-package-using-the-command-line.md +++ b/mdop/appv-v4/how-to-upgrade-a-sequenced-application-package-using-the-command-line.md 
@@ -29,56 +29,58 @@ Use the following procedure to upgrade a virtual application by using a command `SFTSequencer /UPGRADE:"pathtosourceSPRJ" /INSTALLPACKAGE:"pathtoUpgradeInstaller" /DECODEPATH:"pathtodecodefolder" /OUTPUTFILE:"pathtodestinationSPRJ"` - **Note**   + **Note** You can specify additional parameters by using the command line, depending on the complexity of the application you are upgrading. For a complete list of parameters that are available for use with the App-V Sequencer, see [Command-Line Parameters](command-line-parameters.md). -   - Use the value descriptions in the following table to help you determine the actual text you will use in the preceding command. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ValueDescription

    pathtosourceSPRJ

    Specifies the directory location of the virtual application to be upgraded.

    pathtoUpgradeInstaller

    Specifies the Windows Installer or a batch file that will be used to install an upgrade to the application.

    pathtodecodefolder

    Specify the directory in which to unpack the SFT file.

    pathtodestinationSPRJ

    Specifies the path and file name of the SPRJ file that will be created.

    +~~~ +Use the value descriptions in the following table to help you determine the actual text you will use in the preceding command. -   + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    ValueDescription

    pathtosourceSPRJ

    Specifies the directory location of the virtual application to be upgraded.

    pathtoUpgradeInstaller

    Specifies the Windows Installer or a batch file that will be used to install an upgrade to the application.

    pathtodecodefolder

    Specify the directory in which to unpack the SFT file.

    pathtodestinationSPRJ

    Specifies the path and file name of the SPRJ file that will be created.

    +~~~ -4. Press **Enter**. + + +4. Press **Enter**. ## Related topics [How to Manage Virtual Applications Using the Command Line](how-to-manage-virtual-applications-using-the-command-line.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-upgrade-a-sequenced-virtual-application-package.md b/mdop/appv-v4/how-to-upgrade-a-sequenced-virtual-application-package.md index 4ee6cef6b0..74d9705ad4 100644 --- a/mdop/appv-v4/how-to-upgrade-a-sequenced-virtual-application-package.md +++ b/mdop/appv-v4/how-to-upgrade-a-sequenced-virtual-application-package.md @@ -22,7 +22,7 @@ You can upgrade an existing virtual application to a new version by using the Ap **Caution**   You should not reference a previous version of the Windows Installer (.msi) file when you upgrade an existing virtual application package because the previous version of the .sft file will be modified during the upgrade. -  + Use the following procedure to upgrade an existing virtual application. @@ -37,7 +37,7 @@ Use the following procedure to upgrade an existing virtual application. **Important**   The directory that you specify must be located in the package root directory on the Q:\\ drive. You can create a new folder, or you can create a subfolder under the directory where the original virtual application is saved. The name assigned to the new folder must not be longer than 8 eight characters. -   + 4. To open the Sequencing Wizard, select **Tools**/**Sequencing Wizard**. On the **Package Information** page, optionally specify the new **Package Name** and add optional comments that will be associated with the updated virtual application. Click **Next**. @@ -58,9 +58,9 @@ Use the following procedure to upgrade an existing virtual application. [Tasks for the Application Virtualization Sequencer](tasks-for-the-application-virtualization-sequencer.md) -  + -  + 
diff --git a/mdop/appv-v4/how-to-upgrade-a-virtual-application-by-using-the-command-line.md b/mdop/appv-v4/how-to-upgrade-a-virtual-application-by-using-the-command-line.md index c4bbb5fa00..30f369aa2b 100644 --- a/mdop/appv-v4/how-to-upgrade-a-virtual-application-by-using-the-command-line.md +++ b/mdop/appv-v4/how-to-upgrade-a-virtual-application-by-using-the-command-line.md @@ -29,47 +29,49 @@ Use the following procedure to upgrade a virtual application by using a command `SFTSequencer /UPGRADE:"pathtosourceSPRJ" /INSTALLPACKAGE:"pathtoUpgradeInstaller" /DECODEPATH:"pathtodecodefolder" /OUTPUTFILE:"pathtodestinationSPRJ"` - **Note**   + **Note** You can specify additional parameters by using the command line, depending on the complexity of the application you are upgrading. For a complete list of parameters that are available for use with the App-V Sequencer, see [Sequencer Command-Line Parameters](sequencer-command-line-parameters.md). -   - Use the value descriptions in the following table to help you determine the actual text you will use in the preceding command. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ValueDescription

    pathtosourceSPRJ

    Specifies the directory location of the virtual application to be upgraded.

    pathtoUpgradeInstaller

    Specifies the Windows Installer or a batch file that will be used to install an upgrade to the application.

    pathtodecodefolder

    Specify the directory in which to unpack the SFT file.

    pathtodestinationSPRJ

    Specifies the path and file name of the SPRJ file that will be created.

    +~~~ +Use the value descriptions in the following table to help you determine the actual text you will use in the preceding command. -   + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    ValueDescription

    pathtosourceSPRJ

    Specifies the directory location of the virtual application to be upgraded.

    pathtoUpgradeInstaller

    Specifies the Windows Installer or a batch file that will be used to install an upgrade to the application.

    pathtodecodefolder

    Specify the directory in which to unpack the SFT file.

    pathtodestinationSPRJ

    Specifies the path and file name of the SPRJ file that will be created.

    +~~~ -4. Press **Enter**. + + +4. Press **Enter**. ## Related topics @@ -80,9 +82,9 @@ Use the following procedure to upgrade a virtual application by using a command [Sequencer Command-Line Parameters](sequencer-command-line-parameters.md) -  - -  + + + diff --git a/mdop/appv-v4/how-to-upgrade-a-virtual-application-package--app-v-46-.md b/mdop/appv-v4/how-to-upgrade-a-virtual-application-package--app-v-46-.md index 813a4396b9..a1184994e7 100644 --- a/mdop/appv-v4/how-to-upgrade-a-virtual-application-package--app-v-46-.md +++ b/mdop/appv-v4/how-to-upgrade-a-virtual-application-package--app-v-46-.md @@ -28,7 +28,7 @@ Use the following procedure to upgrade an existing virtual application by using **Warning**   You must specify the root folder of the existing virtual application. Do not manually create a subfolder or the upgrade will fail. -   + 3. On the **Package Information** page, specify the **Package Name** that will be assigned to the updated package. The package name is required for generating the associated Windows Installer file. You should also add an optional comment that will be assigned to the package and that provides detailed information about the virtual application—for example, a version number. To display the **Advanced Options** page, select **Show Advanced Monitoring Options** and click **Next**; otherwise, proceed to step 5. @@ -51,9 +51,9 @@ Use the following procedure to upgrade an existing virtual application by using [How to Sequence a New Application (App-V 4.6)](how-to-sequence-a-new-application--app-v-46-.md) -  + -  + diff --git a/mdop/appv-v4/how-to-upgrade-the-application-virtualization-client.md b/mdop/appv-v4/how-to-upgrade-the-application-virtualization-client.md index b1e7fbf32e..f2acf0f9d6 100644 --- a/mdop/appv-v4/how-to-upgrade-the-application-virtualization-client.md +++ b/mdop/appv-v4/how-to-upgrade-the-application-virtualization-client.md 
@@ -22,12 +22,12 @@ You can use the following procedures to upgrade the Application Virtualization ( **Note**   During the upgrade to Application Virtualization (App-V) 4.5 or later versions, the permissions to the HKCU registry key are changed. Because of this, users will lose user configurations that were set previously, such as user-configured Disconnected Mode settings. If the user is not actively restricted from configuring client user interface behavior through a permission lockdown, the user can reset these preferences after a publishing refresh. -  + **Important**   When upgrading to version 4.6 or a later version of the App-V Client, you must use the correct installer for the computer’s operating system, 32-bit or 64-bit. The installation will fail and an error message will be displayed if you use the wrong installer. -  + **To upgrade the Application Virtualization Desktop Client** @@ -50,7 +50,7 @@ When upgrading to version 4.6 or a later version of the App-V Client, you must - Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) -   + 5. Click **Install**. Installation progress is displayed, and the status changes from **Pending** to **Installing**. Installation status changes to **Succeeded** as each step is completed successfully. 
@@ -63,14 +63,14 @@ When upgrading to version 4.6 or a later version of the App-V Client, you must **Warning**   If you did not shut down the client program in step 1, you might see a **Files In Use** warning displayed. If this happens, right-click the App-V Client icon displayed in the desktop notification area and select **Exit** to shut down the existing client. Then click **Retry** to continue. -   + 9. When the installation completes successfully, you will be prompted to restart the computer. You need to restart the computer to complete the installation. **Caution**   If the upgrade fails for any reason, you will need to restart the computer before attempting the upgrade again. -   + **To upgrade the Application Virtualization Client by Using the Command Line** @@ -81,7 +81,7 @@ When upgrading to version 4.6 or a later version of the App-V Client, you must - For App-V version 4.6, command-line parameters cannot be used during an upgrade and will be ignored. -   + 2. The following command-line example uses the setup.msi file to upgrade the App-V Client. You will need to use the correct client installer program depending on whether you are upgrading the App-V Desktop Client or the App-V Client for Remote Desktop Services (formerly Terminal Services). @@ -90,7 +90,7 @@ When upgrading to version 4.6 or a later version of the App-V Client, you must **Important**   The quotation marks are required only when the value contains a space. For consistency, all instances in the preceding example are shown as having quotation marks. -   + **To upgrade the Application Virtualization Client for Remote Desktop Services** 
@@ -101,7 +101,7 @@ When upgrading to version 4.6 or a later version of the App-V Client, you must **Note**   In App-V version 4.6 and later, in addition to using the command line to upgrade the client, you can also use a Remote Desktop session. No special parameters are required to start the Remote Desktop session. -   + 3. After the Client for Remote Desktop Services upgrade is complete, restart and log in to the RD Session Host. @@ -110,16 +110,16 @@ When upgrading to version 4.6 or a later version of the App-V Client, you must **Caution**   If the upgrade fails for any reason, you will need to restart the computer before attempting the upgrade again. -   + ## Related topics [Application Virtualization Deployment and Upgrade Considerations](application-virtualization-deployment-and-upgrade-considerations.md) -  + -  + diff --git a/mdop/appv-v4/how-to-upgrade-the-servers-and-system-components.md b/mdop/appv-v4/how-to-upgrade-the-servers-and-system-components.md index 17f40aed8e..3724881e5b 100644 --- a/mdop/appv-v4/how-to-upgrade-the-servers-and-system-components.md +++ b/mdop/appv-v4/how-to-upgrade-the-servers-and-system-components.md @@ -26,7 +26,7 @@ Use the following procedure to upgrade software components installed on all Appl - You can upgrade to Microsoft Application Virtualization (App-V) 4.5 only from Microsoft Application Virtualization (App-V) 4.1 or 4.1 SP1. App-V 4.0 and earlier must be uninstalled or upgraded to 4.1 or 4.1 SP1 before upgrading to App-V 4.5. -  + **To upgrade software components on Application Virtualization System computers** 
@@ -51,7 +51,7 @@ Use the following procedure to upgrade software components installed on all Appl When you want to restore a database with VSS, you must first stop the App-V Server Service on the Management Server. This should be done on every Management server if there is more than one server connected to the same database. -   + 9. On the first **Package Validation** page, read the content and then click **Next**. @@ -70,9 +70,9 @@ Use the following procedure to upgrade software components installed on all Appl [Application Virtualization Deployment and Upgrade Considerations](application-virtualization-deployment-and-upgrade-considerations.md) -  + -  + diff --git a/mdop/appv-v4/how-to-use-dynamic-suite-composition.md b/mdop/appv-v4/how-to-use-dynamic-suite-composition.md index 8a49422338..a92d326172 100644 --- a/mdop/appv-v4/how-to-use-dynamic-suite-composition.md +++ b/mdop/appv-v4/how-to-use-dynamic-suite-composition.md @@ -30,7 +30,7 @@ If you plan to make several primary applications dependent on a single middlewar **Important**   Package dependencies can be specified as mandatory for a primary application. If a secondary package is flagged as mandatory and it cannot be accessed for some reason during loading, the load of the secondary package will fail. Also, the primary application will fail when the user tries to start it. -  + You can use the following procedures to create a secondary package, for either a plug-in or a middleware component, and then you can use the final procedure to define the dependency in the OSD file of the secondary package. @@ -47,7 +47,7 @@ You can use the following procedures to create a secondary package, for either a **Important**   You must specify a new package root for the secondary package. -   + 5. Start the sequencer monitoring phase. 
@@ -62,7 +62,7 @@ You can use the following procedures to create a secondary package, for either a **Note**   To assist with management of secondary packages, it is recommended that the package name include the term “Secondary package” to emphasize that this is a package that will not function as a stand-alone application—for example, **\[Plug In Name\] Secondary package**. -   + **To create a secondary package for middleware by using Dynamic Suite Composition** 
@@ -87,56 +87,56 @@ You can use the following procedures to create a secondary package, for either a **Note**   To assist with management of secondary packages, it is recommended that the package name include the term “Secondary package” to emphasize that this is a package that will not function as a stand-alone application—for example, **\[Middleware Name\] Secondary package**. -   + **To define the dependency in the primary package** -1. On the server, open the OSD file of the secondary package for editing. (It is a good idea to use an XML editor to make changes to the OSD file; however, you can use Notepad as an alternative.) +1. On the server, open the OSD file of the secondary package for editing. (It is a good idea to use an XML editor to make changes to the OSD file; however, you can use Notepad as an alternative.) -2. Copy the **CODEBASE HREF** line from that file. +2. Copy the **CODEBASE HREF** line from that file. -3. Open the OSD file of the primary package for editing. +3. Open the OSD file of the primary package for editing. -4. Insert the **<DEPENDENCIES>**tag after the close of **</ENVLIST>** tag at the end of the **<VIRTUALENV>** section just before the **</VIRTUALENV>** tag. +4. Insert the <DEPENDENCIES>tag after the close of **</ENVLIST>** tag at the end of the **<VIRTUALENV>** section just before the **</VIRTUALENV>** tag. -5. Paste the **CODEBASE HREF** line from the secondary package after the **<DEPENDENCIES>** tag you just created. +5. Paste the **CODEBASE HREF** line from the secondary package after the **<DEPENDENCIES>** tag you just created. -6. If the secondary package is a mandatory package, which means that it must be started before the primary package is started, add the **MANDATORY=”TRUE”** property inside the **CODEBASE** tag. If it is not mandatory, the property can be omitted. +6. 
If the secondary package is a mandatory package, which means that it must be started before the primary package is started, add the **MANDATORY=”TRUE”** property inside the **CODEBASE** tag. If it is not mandatory, the property can be omitted. -7. Close the **<DEPENDENCIES>** tag by inserting the following: +7. Close the **<DEPENDENCIES>** tag by inserting the following: - **</DEPENDENCIES>** + **</DEPENDENCIES>** -8. Review the changes that you made to the OSD file, and then save and close the file. The following example shows how the added section should appear. The tag values shown here are for example only. +8. Review the changes that you made to the OSD file, and then save and close the file. The following example shows how the added section should appear. The tag values shown here are for example only. - **<VIRTUALENV>** + **<VIRTUALENV>** -      **<ENVLIST>** + **<ENVLIST>** - **…** + **…** -      **</ENVLIST>** + **</ENVLIST>** -      **<DEPENDENCIES>** + **<DEPENDENCIES>** -           **<CODEBASE HREF="rtsp://virt\_apps/package.1/package.1.sft" GUID="D54C80FA-9DFF-459D-AA33-DD852C9FBFBA" SYSGUARDFILE="package.1\\osguard.cp"/>** + **<CODEBASE HREF="rtsp://virt\_apps/package.1/package.1.sft" GUID="D54C80FA-9DFF-459D-AA33-DD852C9FBFBA" SYSGUARDFILE="package.1\\osguard.cp"/>** -           **<CODEBASE HREF="rtsp://sample\_apps/package.2/sample.sft" GUID="D54C80FA-9DFF-459D-AA33-DD852C9FBFBA" SYSGUARDFILE="package.2\\osguard.cp" MANDATORY="TRUE" />** + **<CODEBASE HREF="rtsp://sample\_apps/package.2/sample.sft" GUID="D54C80FA-9DFF-459D-AA33-DD852C9FBFBA" SYSGUARDFILE="package.2\\osguard.cp" MANDATORY="TRUE" />** -      **</DEPENDENCIES>** + **</DEPENDENCIES>** - **</VIRTUALENV>** + **</VIRTUALENV>** -9. If the secondary package has any entries in the **<ENVLIST>** section of the OSD file, you must copy those entries to the same section in the primary package. +9. 
If the secondary package has any entries in the **<ENVLIST>** section of the OSD file, you must copy those entries to the same section in the primary package. ## Related topics [How to Create or Upgrade Virtual Applications Using the App-V Sequencer](how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md) -  + -  + diff --git a/mdop/appv-v4/how-to-use-the-cache-space-management-feature.md b/mdop/appv-v4/how-to-use-the-cache-space-management-feature.md index b63b75ced7..5c1a2d616f 100644 --- a/mdop/appv-v4/how-to-use-the-cache-space-management-feature.md +++ b/mdop/appv-v4/how-to-use-the-cache-space-management-feature.md @@ -24,7 +24,7 @@ More than one package is deleted if necessary. Packages that are locked are not **Note**   To ensure that the cache has sufficient space allocated for all packages that might be deployed, use the **Use free disk space threshold** setting when you configure the client so that the cache can grow as needed. Alternatively, determine in advance how much disk space will be needed for the App-V cache, and at installation time, set the cache size accordingly. -  + The cache space management feature is controlled by the UnloadLeastRecentlyUsed registry value. A value of 1 enables the feature, and a value of 0 (zero) disables it. @@ -43,16 +43,16 @@ The cache space management feature is controlled by the UnloadLeastRecentlyUsed **Caution**   The maximum value for this registry key is 0x00011111. Larger values will prevent the correct operation of the cache space management feature. -   + ## Related topics [How to Configure the App-V Client Registry Settings by Using the Command Line](how-to-configure-the-app-v-client-registry-settings-by-using-the-command-line.md) -  + -  + diff --git a/mdop/appv-v4/how-to-use-the-differential-sft-file.md b/mdop/appv-v4/how-to-use-the-differential-sft-file.md index 2a7af0419e..ee2cad8104 100644 --- a/mdop/appv-v4/how-to-use-the-differential-sft-file.md 
+++ b/mdop/appv-v4/how-to-use-the-differential-sft-file.md @@ -28,7 +28,7 @@ For more information about upgrading a package, see “How to Upgrade an Existin **Note**   As a prerequisite, all user computers being targeted by the ESD must have the V1.sft file fully loaded into their local cache, and file streaming must be enabled on all computers. -  + **To use the Differential SFT file** @@ -55,16 +55,16 @@ As a prerequisite, all user computers being targeted by the ESD must have the V1 - The **Generate Microsoft Windows Installer (MSI) Package** capability in the Sequencer cannot be used with the Differential SFT file. -  + ## Related topics [How to Create or Upgrade Virtual Applications Using the App-V Sequencer](how-to-create-or-upgrade-virtual-applications-using--the-app-v-sequencer.md) -  + -  + diff --git a/mdop/appv-v4/how-to-work-offline-or-online-with-application-virtualization.md b/mdop/appv-v4/how-to-work-offline-or-online-with-application-virtualization.md index 612f70f5ea..2600e02b87 100644 --- a/mdop/appv-v4/how-to-work-offline-or-online-with-application-virtualization.md +++ b/mdop/appv-v4/how-to-work-offline-or-online-with-application-virtualization.md @@ -22,7 +22,7 @@ If you plan to be disconnected from the network for an extended period of time, **Note**   By default, **Work Offline** is disabled for the Client for Remote Desktop Services (formerly Terminal Services). Your system administrator must change your user permissions to allow you to use this setting on a Client for Remote Desktop Services. -  + **To work offline** @@ -37,9 +37,9 @@ By default, **Work Offline** is disabled for the Client for Remote Desktop Servi [How to Use the Desktop Notification Area for Application Virtualization Client Management](how-to-use-the-desktop-notification-area-for-application-virtualization-client-management.md) -  + -  + 
diff --git a/mdop/appv-v4/improving-security-during-app-v-sequencing.md b/mdop/appv-v4/improving-security-during-app-v-sequencing.md index 915cf67c11..25d280c294 100644 --- a/mdop/appv-v4/improving-security-during-app-v-sequencing.md +++ b/mdop/appv-v4/improving-security-during-app-v-sequencing.md @@ -34,13 +34,13 @@ This feature also enables the sequencing engineer to capture the security settin **Important**   Although the sequencer captures the NTFS ACLs while monitoring the installation phase of sequencing, it does not capture the ACLs for the registry. Users have full access to all registry keys for virtual applications except for services. However, if a user modifies the registry of a virtual application, that change is stored in a specific location (`uservol_sftfs_v1.pkg`) and won’t affect other users. -  + During the installation phase, a sequencing engineer can modify the default permissions of the files if necessary. After the sequencing process is complete, but before saving the package, the sequencing engineer can then choose to enforce security descriptors that were captured during the installation phase. It is a best practice to enforce security descriptors if no other solution allows the application to run properly once virtualized. -  + -  + diff --git a/mdop/appv-v4/installation-files-page.md b/mdop/appv-v4/installation-files-page.md index b127b488e8..01386f3df3 100644 --- a/mdop/appv-v4/installation-files-page.md +++ b/mdop/appv-v4/installation-files-page.md @@ -30,7 +30,7 @@ Click **Browse** to specify the installation files that have been installed loca **Note**   The default installation location you provide depends on the following conditions: -  + - The package root specified when the package was originally created. @@ -49,9 +49,9 @@ When you create a package using a package accelerator, each file in the package, [Create Package Accelerator Wizard (AppV 4.6 SP1)](create-package-accelerator-wizard--appv-46-sp1-.md) -  + -  + 
diff --git a/mdop/appv-v4/installing-app-v-management-server-or-streaming-server-securely.md b/mdop/appv-v4/installing-app-v-management-server-or-streaming-server-securely.md index 3dd1bfce4a..a57d3fd5ef 100644 --- a/mdop/appv-v4/installing-app-v-management-server-or-streaming-server-securely.md +++ b/mdop/appv-v4/installing-app-v-management-server-or-streaming-server-securely.md @@ -22,7 +22,7 @@ The topics in this section provide information for installing an enhanced securi **Note**   Installing or configuring an App-V Management or Streaming Server to use enhanced security (for example, Transport Layer Security, or TLS) requires that an X.509 V3 certificate has been provisioned to the App-V server. -  + When you prepare to install or configure a secure Management or Streaming Server, consider the following technical requirements: @@ -35,7 +35,7 @@ When you prepare to install or configure a secure Management or Streaming Server **Note**   If you are using App-V in a Network Load Balancing cluster, you must configure the certificate with Subject Alternate Names (SANs) to support RTSPS. For information about configuring the certification authority (CA) and creating certificates with SANs, see . -   + - The client and the server need to trust the root CA—The CA issuing the certificate to the App-V server must by trusted by the client connecting to the server. If not, the client ends the connection. @@ -53,9 +53,9 @@ Provides procedures you can use to modify keys in Windows Server 2003 and Windo [Configuring Certificates to Support App-V Management Server or Streaming Server](configuring-certificates-to-support-app-v-management-server-or-streaming-server.md) Provides information about configuring certificates for the App-V Management or Streaming Servers, including information about configuring certificates for Network Load Balancing environments. -  + -  + 
diff --git a/mdop/appv-v4/internet-facing-server-scenarios-for-perimeter-networks.md b/mdop/appv-v4/internet-facing-server-scenarios-for-perimeter-networks.md index 81e70170d2..08a864e1ad 100644 --- a/mdop/appv-v4/internet-facing-server-scenarios-for-perimeter-networks.md +++ b/mdop/appv-v4/internet-facing-server-scenarios-for-perimeter-networks.md @@ -42,7 +42,7 @@ Place the following servers in the perimeter network: **Note**   It is a best practice to place the Management Server and IIS server on separate computers. -  + Place the following servers in the internal network: @@ -80,7 +80,7 @@ The following tables list the traffic requirements for communication from the In -  + @@ -117,11 +117,11 @@ The following tables list the traffic requirements for communication from the In
    -  + -  + -  + diff --git a/mdop/appv-v4/introduction-to-the-application-virtualization-security-guide.md b/mdop/appv-v4/introduction-to-the-application-virtualization-security-guide.md index d8b0f1880b..fb9336a35c 100644 --- a/mdop/appv-v4/introduction-to-the-application-virtualization-security-guide.md +++ b/mdop/appv-v4/introduction-to-the-application-virtualization-security-guide.md @@ -22,7 +22,7 @@ This Microsoft Application Virtualization (App-V) security guide provides instru **Note**   This documentation does not provide guidance for choosing the specific security options. That information is provided in the App-V Security Best Practices white paper available at . -  + As an App-V administrator using this guide, you should be familiar with the following security-related technologies: @@ -48,7 +48,7 @@ For more information about App-V infrastructure models, see the following docume - [Infrastructure Planning and Design Guide Series](https://go.microsoft.com/fwlink/?LinkId=151986) -  + These models utilize some but possibly not all of the App-V components depicted in the following illustration. @@ -75,9 +75,9 @@ The App-V Sequencer monitors and captures the installation of applications and c Application Virtualization (App-V) Client The App-V Client is installed on the App-V Desktop Client computer or on the App-V Terminal Services Client computer. It provides the virtual environment for the virtual application packages. The App-V Client manages the package streaming to the cache, virtual application publishing refresh, and interaction with the Application Virtualization Servers. -  + -  + diff --git a/mdop/appv-v4/load-app.md b/mdop/appv-v4/load-app.md index df4cfdf568..e76ab3bbfd 100644 --- a/mdop/appv-v4/load-app.md +++ b/mdop/appv-v4/load-app.md 
@@ -22,7 +22,7 @@ Loads the specified application and all other applications in the package into t **Note**   The **LOAD APP** command starts the load process and a progress bar is displayed in the Desktop Notification Area. The command exits immediately after starting this process, so any load errors are displayed in the same location. Use the **LOAD PACKAGE** command if you want to start the load process from the command line without using the Desktop Notification Area. -  + `SFTMIME LOAD APP:application [/LOG log-pathname | /GUI]` @@ -53,7 +53,7 @@ The **LOAD APP** command starts the load process and a progress bar is displayed -  + For version 4.6, the following option has been added. @@ -70,16 +70,16 @@ For version 4.6, the following option has been added. -  + ## Related topics [SFTMIME Command Reference](sftmime--command-reference.md) -  + -  + diff --git a/mdop/appv-v4/load-package.md b/mdop/appv-v4/load-package.md index 38af545eee..a5b0ab5872 100644 --- a/mdop/appv-v4/load-package.md +++ b/mdop/appv-v4/load-package.md @@ -56,7 +56,7 @@ Loads the specified package into the file system cache. -  + For version 4.6, the following option has been added. @@ -73,23 +73,23 @@ For version 4.6, the following option has been added. -  + **Note**   If no SFTPATH is specified, the client will load the package by using the path it has been configured to use, based on the OSD file, the ApplicationSourceRoot registry key value, or the OverrideURL setting. The **LOAD PACKAGE** command performs a synchronous load and will not be complete until the package is fully loaded or until it encounters an error condition. -  + ## Related topics [SFTMIME Command Reference](sftmime--command-reference.md) -  + -  + diff --git a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md index d45a94db3b..91f7d0618e 100644 
--- a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md +++ b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md @@ -68,7 +68,7 @@ The remainder of this document will address the following specific features: **Note**   This section is divided into two parts: (1) features in all versions of App-V and (2) features in App-V 4.6 SP1 and later. -  + ### Microsoft Error Reporting @@ -217,9 +217,9 @@ No information is sent to Microsoft through customers’ use of the Application [About Microsoft Application Virtualization 4.6 SP2](about-microsoft-application-virtualization-46-sp2.md) -  + -  + diff --git a/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes-45-sp1.md b/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes-45-sp1.md index ff7b325be9..1e8882dde6 100644 --- a/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes-45-sp1.md +++ b/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes-45-sp1.md @@ -22,7 +22,7 @@ To search these Release Notes, press CTRL+F. **Important**   Read these Release Notes thoroughly before you install the Application Virtualization Management System. These Release Notes contain information that you need to successfully install the Application Virtualization Management System. These Release Notes contain information that is not available in the product documentation. If there is a discrepancy between these Release Notes and other Application Virtualization Management System documentation, the latest change should be considered authoritative. -  + For updated information about known issues, please visit the Microsoft TechNet Library at . 
@@ -75,16 +75,16 @@ When this has been completed, install the App-V 4.5 SP1 client by using setup.ms When installing Microsoft Application Error Reporting, use the following command if you are installing or upgrading to the App-V 4.5 SP1 Desktop client: -    msiexec /i dw20shared.msi APPGUID={93468B43-C19D-44F9-8BCC-114076DB0443}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus + msiexec /i dw20shared.msi APPGUID={93468B43-C19D-44F9-8BCC-114076DB0443}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus Alternatively, if you are installing or upgrading to the App-V 4.5 SP1 Client for Remote Desktop Services (formerly Terminal Services), use the following command: -    msiexec /i dw20shared.msi APPGUID={0042AD3C-99A4-4E58-B5F0-744D5AD96E1C} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus + msiexec /i dw20shared.msi APPGUID={0042AD3C-99A4-4E58-B5F0-744D5AD96E1C} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus **Note**   The APPGUID parameter references the product code of the App-V client that you install or upgrade. The product code is unique for each setup.msi. You can use the Orca database editor or a similar tool to examine Windows Installer files and determine the product code. This step is required for all installations or upgrades to App-V 4.5 SP1. -  + ### Improving performance when sequencing the .NET Framework @@ -211,9 +211,9 @@ Microsoft, Active Directory, ActiveSync, MS-DOS, Windows, Windows Server, and W All other trademarks are property of their respective owners. -  + -  + diff --git a/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes.md b/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes.md index d706463499..34494bd042 100644 --- a/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes.md +++ b/mdop/appv-v4/microsoft-application-virtualization-management-system-release-notes.md 
@@ -22,7 +22,7 @@ To search these Release Notes, press CTRL+F. **Important**   Read these Release Notes thoroughly before you install the Application Virtualization Management System. These Release Notes contain information that you need to successfully install the Application Virtualization Management System. This document contains information that is not available in the product documentation. If there is a discrepancy between these Release Notes and other Application Virtualization Management System documentation, the latest change should be considered authoritative. These Release Notes supersede the content included with this product. -  + For updated information about known issues, please visit the Microsoft TechNet Library at . @@ -36,7 +36,7 @@ These Release Notes have been updated to reflect the changes introduced with Mic **Important**   Running App-V 4.5 CU1 on any version of Windows 7 or Windows Server 2008 R2 in a live operating environment is not supported. -   + - Improved support for sequencing the .NET Framework: App-V 4.5 CU1 addresses previous issues with sequencing the .NET Framework 3.5 and earlier on Windows XP (SP2 or later). For more information about the new capabilities, see the TechNet article at . 
@@ -74,16 +74,16 @@ When this has been completed, install the App-V 4.5 CU1 client by using setup.m When installing Microsoft Application Error Reporting, use the following command if you are installing or upgrading to the App-V 4.5 CU1 Desktop client: -    msiexec /i dw20shared.msi APPGUID={FE495DBC-6D42-4698-B61F-86E655E0796D}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus + msiexec /i dw20shared.msi APPGUID={FE495DBC-6D42-4698-B61F-86E655E0796D}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus Alternatively, if you are installing or upgrading to the App-V 4.5 CU1 Terminal Services client, use the following command: -    msiexec /i dw20shared.msi APPGUID={8A97C241-D92A-47DC-B360-E716C1AAA929} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus + msiexec /i dw20shared.msi APPGUID={8A97C241-D92A-47DC-B360-E716C1AAA929} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus **Note**   The APPGUID parameter references the product code of the App-V client that you install or upgrade to. The product code is unique for each setup.msi. You can use the Orca database editor or similar tool to examine Windows Installer files and determine the product code. This step is required for all installs or upgrades to App-V 4.5 CU1. -  + ### Some applications might fail to install during the monitoring phase when sequencing on Windows 7 Beta @@ -91,12 +91,12 @@ When sequencing on Windows 7 Beta or on a computer with Windows Installer 5.0, WORKAROUND   You must manually grant the Everyone group Full Control permissions to the following registry key: -    HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\SystemGuard + HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SoftGrid\\4.5\\SystemGuard **Important**   You must use the **Advanced** button to set the “Include inheritable permissions from this object’s parent” option. -  + ### Unable to save packages when sequencing on Windows 7 Beta 
@@ -235,7 +235,7 @@ WORKAROUND   After installing the application on the sequencing computer, whi **Important**   This issue has been fixed in Microsoft Application Virtualization 4.5 Cumulative Update 1. -  + ### When the server installer is run in silent mode, it does not correctly check for MSXML6 @@ -262,7 +262,7 @@ When using Symantec Endpoint Protection with the Application and Device Control **Important**   This issue has been fixed in Microsoft Application Virtualization 4.5 Cumulative Update 1. -  + ## Release Notes Copyright Information @@ -277,9 +277,9 @@ Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Active Directory, an The names of actual companies and products mentioned herein may be the trademarks of their respective owners. -  + -  + diff --git a/mdop/appv-v4/package-name-page---learn-more-.md b/mdop/appv-v4/package-name-page---learn-more-.md index 9c4ecbc616..2ec6a13682 100644 --- a/mdop/appv-v4/package-name-page---learn-more-.md +++ b/mdop/appv-v4/package-name-page---learn-more-.md @@ -22,7 +22,7 @@ Use the **Package Name** page to specify a name for the virtual application pack **Note**   Editing the primary virtual application directory is an advanced task. -  + This page contains the following elements: @@ -37,9 +37,9 @@ Select this option to change the location of where the virtual application will [Create New Package Wizard (AppV 4.6 SP1)](create-new-package-wizard---appv-46-sp1-.md) -  + -  + diff --git a/mdop/appv-v4/planning-for-client-security.md b/mdop/appv-v4/planning-for-client-security.md index dcf7f1cf5f..6050d3895b 100644 --- a/mdop/appv-v4/planning-for-client-security.md +++ b/mdop/appv-v4/planning-for-client-security.md 
@@ -38,9 +38,9 @@ By default, the installation of the client registers file type associations (FTA Starting with App-V version 4.6, the file type association is no longer created for OSD files during a new installation of the client, although the existing settings will be maintained during an upgrade from version 4.2 or 4.5 of the App-V client. If for any reason it is essential to create the file type association, you can create the following registry keys and set their values as shown: -    Create HKEY\_CLASSES\_ROOT\\.osd with a default value of SoftGrid.osd.File + Create HKEY\_CLASSES\_ROOT\\.osd with a default value of SoftGrid.osd.File -    Under HKEY\_LOCAL\_MACHINE\\software\\classes\\Softgrid.osd.file, create a string value named AppUserModelID with a data value of Microsoft.AppV.Client.Tray + Under HKEY\_LOCAL\_MACHINE\\software\\classes\\Softgrid.osd.file, create a string value named AppUserModelID with a data value of Microsoft.AppV.Client.Tray ### Authorization @@ -66,7 +66,7 @@ When the client communicates with the server to perform a publishing refresh, it **Note**   If you are using IIS to publish the ICO and OSD files, configure a MIME type for OSD=TXT; otherwise, IIS will refuse to serve the ICO and OSD files to clients. -  + ### Package Streaming @@ -75,7 +75,7 @@ When a user launches an application for the first time, or if auto-loading param **Note**   If you are using IIS to publish packages (SFT files), configure a MIME type for SFT=Binary; otherwise, IIS will refuse to serve the SFT files to clients. -  + ### Roaming Profiles and Folder Redirection @@ -99,9 +99,9 @@ If a user is home-based and the computer is not joined to the company domain, Ap [Planning for Security and Protection](planning-for-security-and-protection.md) -  + -  + diff --git a/mdop/appv-v4/planning-for-migration-from-previous-versions.md b/mdop/appv-v4/planning-for-migration-from-previous-versions.md index 2e51199471..c999a32a70 100644 
--- a/mdop/appv-v4/planning-for-migration-from-previous-versions.md +++ b/mdop/appv-v4/planning-for-migration-from-previous-versions.md @@ -28,7 +28,7 @@ To help ensure a successful migration, the Application Virtualization system com **Note**   If you have more than one server sharing access to the Application Virtualization database, all those servers must be taken offline while the database is being upgraded. You should follow your normal business practices for the database upgrade, but it is highly advisable that you test the database upgrade by using a backup copy of the database first on a test server. Then, you should select one of the servers for the first upgrade, which will upgrade the database schema. After the production database has been successfully upgraded, you can upgrade the other servers. -   + 3. **Microsoft Application Virtualization Management Web Service.** This step applies only if the Management Web Service is on a separate server, which would require that you run the server installer program on that separate server to upgrade the Web service. Otherwise, the previous server upgrade step will automatically upgrade the Management Web Service. 
@@ -87,14 +87,14 @@ You can deploy packages created in previous versions of App-V to App-V 4.6 Clie -  + To run a newly created 32-bit package, you must sequence the application on a computer running a 32-bit operating system with the App-V 4.6 Sequencer installed. After you have sequenced the application, in the Sequencer console, select the **Deployment** tab and then specify the appropriate operating system and chip architecture as required. **Important**   Applications sequenced on a computer running a 64-bit operating system must be deployed to computers running a 64-bit operating system. New 32-bit packages created by using the App-V 4.6 Sequencer will not run on computers running the App-V 4.5 Client. -  + To run new 64-bit packages on the App-V 4.6 Client, you must sequence the application on a computer running the App-V 4.6 Sequencer and that is running a 64-bit operating system. After you have sequenced the application, in the Sequencer console, select the **Deployment** tab and then specify the appropriate operating system and chip architecture as required. @@ -179,7 +179,7 @@ The following table lists which client versions will run packages created by usi -  + ¹Applies to all versions of the App-V 4.5 Client, including App-V 4.5, App-V 4.5 CU1 and App-V 4.5 SP1. @@ -195,7 +195,7 @@ If the App-V 4.2 Client has already been upgraded to 4.5, it is possible to us "GlobalDataDirectory"="C:\\\\Documents and Settings\\\\All Users\\\\Documents\\\\" (a globally writeable location) -  + Windows Installer files generated by the App-V 4.5 Sequencer display the error message "This package requires Microsoft Application Virtualization Client 4.5 or later" when you try to run them on an App-V 4.6 Client. Open the old package with either the App-V 4.5 SP1 Sequencer or the App-V 4.6 Sequencer and generate a new .msi for the package. 
@@ -208,9 +208,9 @@ For additional information about upgrading from previous versions, see [Upgradin [Planning for Application Virtualization System Deployment](planning-for-application-virtualization-system-deployment.md) -  + -  + diff --git a/mdop/appv-v4/planning-for-sequencer-security.md b/mdop/appv-v4/planning-for-sequencer-security.md index 0c70b2b38e..d3ad4052ec 100644 --- a/mdop/appv-v4/planning-for-sequencer-security.md +++ b/mdop/appv-v4/planning-for-sequencer-security.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 Incorporate recommended implementation practices as early as possible when configuring Application Virtualization (App-V) so that your Sequencer implementation is functional and more secure. If you have already configured the Sequencer, use the following best-practice guidelines to revisit your design decisions and analyze them from a security perspective. -**Important**   +**Important** The App-V Sequencer collects and deploys all application information recorded on the computer running the sequencer. You should ensure that all users accessing the computer running the Sequencer have administrative credentials. Users with user account credentials should not have access to control package contents and package files. If you are sequencing on a computer running Remote Desktop Services (formerly Terminal Services), make sure it is a computer that is dedicated to sequencing and that users with user account credentials are not connected to it during sequencing. -  + ## Sequencer Security Best Practices 
@@ -31,19 +31,21 @@ Consider the following scenarios and the associated best practices when implemen - **Virus scanning on the computer running the Sequencer**—It is recommended that you scan the computer running the Sequencer for viruses and then disable all antivirus and malware detection software on the computer running the Sequencer during the sequencing process. This will speed the sequencing process and prevent the antivirus and anti-malware software components from interfering with the sequencing process. Next install the sequenced package on a computer not running the Sequencer, and after successful installation, scan that computer for viruses. If viruses are found, the manufacturer of the software should be contacted to inform them of the infected source files and request an updated installation source without viruses. Optionally, the Sequencer could be scanned after the installation phase and if a virus is found, the software manufacturer should be contacted as mentioned above. - **Note**   + **Note** If a virus is detected in an application, the application should not be deployed to target computers. -   + - **Capturing access control lists (ACLs) on NTFS files**—The App-V Sequencer captures NTFS file system permissions for the files that are monitored during the installation of the product. This capability allows you to more accurately replicate the intended behavior of the application, as if it were installed locally and not virtualized. In some scenarios, an application might store information that users were not intended to access within the application files. For example, an application could store credentials information in a file inside of the application. If ACLs are not enforced on the package, a user could potentially view and then use this information outside of the application. - **Note**   + **Note** You should not sequence applications that store unencrypted security-specific information, such as passwords, and so on. 
-   - During the installation phase, you can modify the default permissions of the files if necessary. After completion of the sequencing process, but before saving the package, you can choose whether to enforce security descriptors that were captured during the installation of the application. By default, App-V will enforce the security descriptors specified during the installation of the application. If you turn off security descriptor enforcement, you should test the application to ensure the removal of associated Access Control Lists (ACL) will not cause the application to perform unexpectedly. + +~~~ +During the installation phase, you can modify the default permissions of the files if necessary. After completion of the sequencing process, but before saving the package, you can choose whether to enforce security descriptors that were captured during the installation of the application. By default, App-V will enforce the security descriptors specified during the installation of the application. If you turn off security descriptor enforcement, you should test the application to ensure the removal of associated Access Control Lists (ACL) will not cause the application to perform unexpectedly. +~~~ - **Sequencer doesn’t capture registry ACLs**—Although the Sequencer captures the NTFS file system ACLs during the installation phase of sequencing, it does not capture the ACLs for the registry. Users will have full access to all registry keys for virtual applications except for services. However, if a user modifies the registry of a virtual application, the change will be stored in a specific store (**uservol\_sftfs\_v1.pkg**) and will not affect other users. @@ -58,9 +60,9 @@ Consider the following scenarios and the associated best practices when implemen [Planning for Security and Protection](planning-for-security-and-protection.md) -  - -  + + + 
diff --git a/mdop/appv-v4/planning-for-server-security.md b/mdop/appv-v4/planning-for-server-security.md index 691db969f7..7f51cc0fc6 100644 --- a/mdop/appv-v4/planning-for-server-security.md +++ b/mdop/appv-v4/planning-for-server-security.md @@ -71,7 +71,7 @@ Installing or configuring an App-V Management Server or Streaming Server to use **Note**   If you use App-V in a network load balanced cluster, the certificate must be configured with *Subject Alternate Names* (SANs) to support RTSPS. For information about configuring the certification authority (CA) and creating certificates with SANs, see (https://go.microsoft.com/fwlink/?LinkId=133228). -   + - The CA issuing the certificate to the App-V server must be trusted by the client connecting to the server. Otherwise, the client terminates the connection. @@ -80,7 +80,7 @@ Installing or configuring an App-V Management Server or Streaming Server to use **Note**   For information about configuring a public key infrastructure (PKI), see (https://go.microsoft.com/fwlink/?LinkId=133229). -   + ### Configuring IIS Servers with HTTPS @@ -89,7 +89,7 @@ App-V might use IIS servers in certain infrastructure configurations. For more i **Note**   If you are using IIS to publish the ICO and OSD files, configure a MIME type for OSD=TXT; otherwise, IIS will refuse to serve the ICO and OSD files to clients. -  + ### Application-Level Security @@ -115,9 +115,9 @@ For the infrastructure to operate correctly, separating the App-V Management Con [Planning for Security and Protection](planning-for-security-and-protection.md) -  + -  + diff --git a/mdop/appv-v4/planning-the-application-virtualization-sequencer-implementation.md b/mdop/appv-v4/planning-the-application-virtualization-sequencer-implementation.md index d99739b85f..fe295dc2f6 100644 --- a/mdop/appv-v4/planning-the-application-virtualization-sequencer-implementation.md +++ b/mdop/appv-v4/planning-the-application-virtualization-sequencer-implementation.md 
@@ -28,7 +28,7 @@ For step-by-step information about installing the Sequencer, see [How to Install **Important**   The entire sequencing process plan should be reviewed and approved by your corporate security team. Sequencer operations would usually be kept separate from the production environment in a lab. This can be as simple or as comprehensive as necessary, based on your business requirements. The sequencing computers will need connectivity to the corporate network to copy finished packages over to the production servers. However, because they are typically operated without antivirus protection, they must not be on the corporate network unprotected—for example, you might be able to operate behind a firewall or on an isolated network segment. Using Virtual Machines configured to share an isolated virtual network might also be an acceptable approach. Follow your corporate security policies to safely address this situation. -  + Key steps for planning the sequencing process include the following: @@ -41,7 +41,7 @@ Key steps for planning the sequencing process include the following: **Important**   Running the App-V sequencer in Safe Mode is not supported. -   + - Verify that you understand the sequenced application’s operating environment, including integration elements such as Microsoft Office or the Java Runtime Environment, because this will often determine whether anything has to be installed on the sequencing computer prior to sequencing the application. @@ -64,9 +64,9 @@ Key steps for planning the sequencing process include the following: [Security and Protection Overview](security-and-protection-overview.md) -  + -  + diff --git a/mdop/appv-v4/planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md b/mdop/appv-v4/planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md index 77e89fcbc7..15a00e586c 100644 
--- a/mdop/appv-v4/planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md +++ b/mdop/appv-v4/planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md @@ -24,7 +24,7 @@ The supported options include using a file server, an IIS server, or an Applicat **Note**   The active upgrade feature enables a new version of an application to be added to an App-V Management Server or Streaming Server without affecting users currently running the application. The App-V clients will automatically receive the latest version of the application from the App-V Management Server or Streaming Server the next time the user starts the application. Use of the RTSP(S) protocol is required for this feature. -  + @@ -53,7 +53,7 @@ The active upgrade feature enables a new version of an application to be added t - + @@ -69,7 +69,7 @@ The active upgrade feature enables a new version of an application to be added t
  • Need to manage IIS

  • No active upgrade

  • - + @@ -83,7 +83,7 @@ The active upgrade feature enables a new version of an application to be added t
  • Dual infrastructure

  • Server administration requirement

  • - + @@ -97,12 +97,12 @@ The active upgrade feature enables a new version of an application to be added t
  • Dual infrastructure

  • Server administration requirement

  • - +
    • No active upgrade

    [How to Configure the File Server](how-to-configure-the-file-server.md)

    How to Configure the File Server

    IIS server

    [How to Configure the Server for IIS](how-to-configure-the-server-for-iis.md)

    How to Configure the Server for IIS

    Application Virtualization Streaming Server

    [How to Configure the Application Virtualization Streaming Servers](how-to-configure-the-application-virtualization-streaming-servers.md)

    How to Configure the Application Virtualization Streaming Servers

    Application Virtualization Management Server

    [How to Configure the Application Virtualization Management Servers](how-to-configure-the-application-virtualization-management-servers.md)

    How to Configure the Application Virtualization Management Servers

    -  + ## Related topics @@ -113,9 +113,9 @@ The active upgrade feature enables a new version of an application to be added t [Publishing Virtual Applications Using Application Virtualization Management Servers](publishing-virtual-applications-using-application-virtualization-management-servers.md) -  + -  + diff --git a/mdop/appv-v4/planning-your-streaming-solution-in-an-electronic-software-distribution-implementation.md b/mdop/appv-v4/planning-your-streaming-solution-in-an-electronic-software-distribution-implementation.md index 5e5f3b172b..a166551ed1 100644 --- a/mdop/appv-v4/planning-your-streaming-solution-in-an-electronic-software-distribution-implementation.md +++ b/mdop/appv-v4/planning-your-streaming-solution-in-an-electronic-software-distribution-implementation.md @@ -24,7 +24,7 @@ The Application Virtualization Streaming Server provides support for the active **Note**   Access to the applications is controlled by means of Security Groups in Active Directory Domain Services, so you will need to plan a process for setting up a security group for each virtual application and for managing which users are added to each group. The Application Virtualization system administrator configures each streaming server to use these Active Directory groups by applying ACLs to the application directories under the CONTENT share, which controls access to the packages based on Active Directory group membership. -  + The characteristics of the available streaming options are summarized in the following table. @@ -55,7 +55,7 @@ The characteristics of the available streaming options are summarized in the fol
    • No active upgrade

    -

    [How to Configure the File Server](how-to-configure-the-file-server.md)

    +

    How to Configure the File Server

    IIS server

    @@ -71,7 +71,7 @@ The characteristics of the available streaming options are summarized in the fol
  • Need to manage IIS

  • No active upgrade

-

[How to Configure the Server for IIS](how-to-configure-the-server-for-iis.md)

+

How to Configure the Server for IIS

Application Virtualization Streaming Server

@@ -85,12 +85,12 @@ The characteristics of the available streaming options are summarized in the fol
  • Dual infrastructure

  • Server administration requirement

  • -

    [How to Configure the Application Virtualization Management Servers](how-to-configure-the-application-virtualization-management-servers.md)

    +

    How to Configure the Application Virtualization Management Servers

    -  + ## Related topics @@ -101,9 +101,9 @@ The characteristics of the available streaming options are summarized in the fol [Publishing Virtual Applications Using Electronic Software Distribution](publishing-virtual-applications-using-electronic-software-distribution.md) -  + -  + diff --git a/mdop/appv-v4/publish-package.md b/mdop/appv-v4/publish-package.md index 2244ea2b8d..0ddf0d20e8 100644 --- a/mdop/appv-v4/publish-package.md +++ b/mdop/appv-v4/publish-package.md @@ -60,7 +60,7 @@ Publishes the contents of an entire package. -  + For version 4.6, the following option has been added. @@ -77,7 +77,7 @@ For version 4.6, the following option has been added. -  + **Important**   The package must already have been added to the Application Virtualization Client, and the manifest file is required. @@ -90,16 +90,16 @@ Publishing with the **GLOBAL** parameter adds the file types and shortcuts liste If the package is not global before the call and the **GLOBAL** parameter is used, the package is made global and available to all users. -  + ## Related topics [SFTMIME Command Reference](sftmime--command-reference.md) -  + -  + diff --git a/mdop/appv-v4/publishing-servers-results-pane-columns.md b/mdop/appv-v4/publishing-servers-results-pane-columns.md index 21a25b5593..ef1b0fcca5 100644 --- a/mdop/appv-v4/publishing-servers-results-pane-columns.md +++ b/mdop/appv-v4/publishing-servers-results-pane-columns.md @@ -22,7 +22,7 @@ The **Publishing Servers Results** pane can display a variety of columns. **Name **Note**   You can add or remove a column simply by right-clicking in the **Results** pane, selecting **View**, then selecting **Add/Remove Columns**. -  + The list can be sorted by any of the columns. Columns that contain dates and times are sorted in chronological order, not alphabetical. For columns that contain a mix of dates and times and text (for example, **Next Refresh**), dates and times are considered to come before any other text. 
@@ -65,9 +65,9 @@ The last time a refresh happened from this server for any user. [Publishing Servers Results Pane](publishing-servers-results-pane.md) -  + -  + diff --git a/mdop/appv-v4/publishing-virtual-applications-using-application-virtualization-management-servers.md b/mdop/appv-v4/publishing-virtual-applications-using-application-virtualization-management-servers.md index 3e9819103c..8b19e64174 100644 --- a/mdop/appv-v4/publishing-virtual-applications-using-application-virtualization-management-servers.md +++ b/mdop/appv-v4/publishing-virtual-applications-using-application-virtualization-management-servers.md @@ -22,14 +22,14 @@ In an Application Virtualization Server-based deployment, virtual application pa **Note**   The CONTENT share should be located on the server’s attached disk storage. Using a network storage device such as a SAN or a DFS share should be considered carefully because of the network impact. -  + Applications are provisioned to Active Directory groups. Typically, the Application Virtualization administrator will create Active Directory groups for each virtual application to be published and then add the appropriate users to those groups. When the users log on to their workstations, the Application Virtualization Client, by default, performs a publishing refresh using the credentials of the logged on user. The user can then start applications from wherever the shortcuts have been placed. The Application Virtualization administrator determines where and how many shortcuts are located on the client system during the sequencing of the application. **Note**   A *publishing refresh* is a call to the Application Virtualization Server that is defined on the Application Virtualization Client, to determine which virtual application shortcuts are sent to the client for use by the end user. -  + ## Related topics 
@@ -42,9 +42,9 @@ A *publishing refresh* is a call to the Application Virtualization Server that i [Planning Your Streaming Solution in an Application Virtualization Server-Based Implementation](planning-your-streaming-solution-in-an-application-virtualization-server-based-implementation.md) -  + -  + diff --git a/mdop/appv-v4/query-obj.md b/mdop/appv-v4/query-obj.md index 78ce46407b..21de4d2dc6 100644 --- a/mdop/appv-v4/query-obj.md +++ b/mdop/appv-v4/query-obj.md @@ -68,7 +68,7 @@ Returns a tab-delimited list of current applications, packages, file type associ -  + For version 4.6, the following option has been added. @@ -85,7 +85,7 @@ For version 4.6, the following option has been added. -  + **Note**   In version 4.6, a new column has been added to the output of SFTMIME QUERY OBJ:APP \[/GLOBAL\]. The last column of the output is a numeric value that indicates whether an application is published or not. @@ -96,7 +96,7 @@ PUBLISHED=0 means the application has not been published or it is no longer publ If you use the /GLOBAL parameter, the PUBLISHED state will be 1 for applications that were published globally and 0 for those applications that were published under user contexts. Without the /GLOBAL parameter, a PUBLISHED state of 1 is returned for applications published in the context of the user running the command, and a state of 0 is returned for those applications that are published globally. -  + The SFTMIME QUERY OBJ command can be used to query for information on all of the objects shown above—applications, packages, file type associations, and servers. To show how you might use the SFTMIME QUERY OBJ command in your normal operations tasks, the following example demonstrates the process you would follow if you wanted to set the OVERRIDEURL parameter value for a specific package to specify a new path to the package content.  
@@ -125,16 +125,16 @@ For version 4.6 SP2, the following option has been added. -  + ## Related topics [SFTMIME Command Reference](sftmime--command-reference.md) -  + -  + diff --git a/mdop/appv-v4/sequencer-command-line-error-codes.md b/mdop/appv-v4/sequencer-command-line-error-codes.md index 601a845085..a328fb293d 100644 --- a/mdop/appv-v4/sequencer-command-line-error-codes.md +++ b/mdop/appv-v4/sequencer-command-line-error-codes.md @@ -22,7 +22,7 @@ Use the following list to help identify errors that are related to sequencing ap **Note**   Multiple errors can occur during sequencing, and if this happens, the error code that is displayed might be the sum of two error codes. For example, if the */InstallPath* and */OutputFile* parameters are missing, the App-V Sequencer will return **96**—the sum of the two error codes. -  + 01 There is an unspecified error. @@ -91,9 +91,9 @@ The package name is not specified. [Sequencer Command-Line Parameters](sequencer-command-line-parameters.md) -  + -  + diff --git a/mdop/appv-v4/sequencer-hardware-and-software-requirements.md b/mdop/appv-v4/sequencer-hardware-and-software-requirements.md index 755e20033f..47e3854169 100644 --- a/mdop/appv-v4/sequencer-hardware-and-software-requirements.md +++ b/mdop/appv-v4/sequencer-hardware-and-software-requirements.md @@ -38,7 +38,7 @@ The following list outlines the recommended hardware requirements for running th **Note**   Sequencing requires heavy disk usage. A fast disk speed can decrease the sequencing time. -   + ### Software Requirements @@ -81,14 +81,14 @@ The following list outlines the supported operating systems for running the Sequ -  + ¹Supported for App-V 4.5 with SP1 or SP2, and App-V 4.6 only **Note**   The Application Virtualization (App-V) 4.6 Sequencer supports 32-bit and 64-bit versions of these operating systems. -  + You should configure computers running the Sequencer with the same applications that are installed on target computers. 
@@ -131,21 +131,21 @@ You should configure computers running the Sequencer with the same applications -  + **Note**   Application Virtualization (App-V) 4.6 for Remote Desktop Services supports 32-bit and 64-bit versions of these operating systems. -  + ## Related topics [Application Virtualization Sequencer Overview](application-virtualization-sequencer-overview.md) -  + -  + diff --git a/mdop/appv-v4/server-management-console-application-virtualization-system-node.md b/mdop/appv-v4/server-management-console-application-virtualization-system-node.md index bd131b7023..527349e8e6 100644 --- a/mdop/appv-v4/server-management-console-application-virtualization-system-node.md +++ b/mdop/appv-v4/server-management-console-application-virtualization-system-node.md 
@@ -24,19 +24,19 @@ You can right-click the Application Virtualization System node to display the fo **Configure Connection** In this dialog box, you can modify the following settings: -- **Web Service Host Name**—Enables you to enter the name of the Application Virtualization System to which you want to connect, or you can enter **localhost** to connect to the local computer. +- **Web Service Host Name**—Enables you to enter the name of the Application Virtualization System to which you want to connect, or you can enter **localhost** to connect to the local computer. -- **Use Secure Connection**—Select if you want to connect to the server with a secure connection. +- **Use Secure Connection**—Select if you want to connect to the server with a secure connection. -- **Port**—Enables you to enter the port number you want to use for the connection. 80 is the default regular port number, and 443 is default secure port number. +- **Port**—Enables you to enter the port number you want to use for the connection. 80 is the default regular port number, and 443 is default secure port number. -- **Use Current Windows Account**—Select to use the current Windows account credentials. +- **Use Current Windows Account**—Select to use the current Windows account credentials. -- **Specify Windows Account**—Select when you want to connect to the server as a different user. +- **Specify Windows Account**—Select when you want to connect to the server as a different user. -- **Name**—Enables you to enter the name of the new user by using either the *DOMAIN\\username* or the *username@domain* format. +- **Name**—Enables you to enter the name of the new user by using either the *DOMAIN\\username* or the username@domain format. -- **Password**—Enables you to enter the password that corresponds to the new user. +- **Password**—Enables you to enter the password that corresponds to the new user. 
**System Options** On the following tabs on this dialog box, you can modify the associated settings: @@ -62,9 +62,9 @@ Starts the management console help file. [Application Virtualization Server Management Console Reference](application-virtualization-server-management-console-reference.md) -  + -  + diff --git a/mdop/appv-v4/sfttray-command-reference.md b/mdop/appv-v4/sfttray-command-reference.md index 4d8b2607ce..ec90b9b166 100644 --- a/mdop/appv-v4/sfttray-command-reference.md +++ b/mdop/appv-v4/sfttray-command-reference.md @@ -26,28 +26,28 @@ By default, the icon is displayed whenever a virtual application is started, alt The list of commands and command-line switches can be displayed by running the following command from a command window. -**Note**   +**Note** There is only one Application Virtualization Client Tray instance for each user context, so if you start a new SFTTRAY command, it will be passed to the program that is already running. -  -`     Sfttray.exe /?` + +` Sfttray.exe /?` ### Command Usage -`     Sfttray.exe [/HIDE | /SHOW]` +` Sfttray.exe [/HIDE | /SHOW]` -`     Sfttray.exe [/HIDE | /SHOW] [/QUIET] [/EXE alternate-exe] /LAUNCH app [args]` +` Sfttray.exe [/HIDE | /SHOW] [/QUIET] [/EXE alternate-exe] /LAUNCH app [args]` -`     Sfttray.exe [/HIDE | /SHOW] [/QUIET] /LOAD app [/SFTFILE sft]` +` Sfttray.exe [/HIDE | /SHOW] [/QUIET] /LOAD app [/SFTFILE sft]` -`     Sfttray.exe [/HIDE | /SHOW] [/QUIET] /LOADALL` +` Sfttray.exe [/HIDE | /SHOW] [/QUIET] /LOADALL` -`     Sfttray.exe [/HIDE | /SHOW] [/QUIET] /REFRESHALL` +` Sfttray.exe [/HIDE | /SHOW] [/QUIET] /REFRESHALL` -`     Sfttray.exe [/HIDE | /SHOW] [/QUIET] /LAUNCHRESULT /LAUNCH app [args]` +` Sfttray.exe [/HIDE | /SHOW] [/QUIET] /LAUNCHRESULT /LAUNCH app [args]` -`     Sfttray.exe /EXIT` +` Sfttray.exe /EXIT` ### Command-Line Switches @@ -81,22 +81,20 @@ The SFTTRAY command-line switches are described in the following table.

    /EXE <alternate-exe>

    Used with /LAUNCH to specify that an executable program is to be started in the virtual environment when a virtual application is started in place of the target file specified in the OSD.

    -Note   -

    For example, use “SFTTRAY.EXE /EXE REGEDIT.EXE /LAUNCH <app>” to enable you to examine the registry of the virtual environment in which the application is running.

    +Note

    For example, use “SFTTRAY.EXE /EXE REGEDIT.EXE /LAUNCH <app>” to enable you to examine the registry of the virtual environment in which the application is running.

    -  +

    /LAUNCH <app> [<args>]

    Starts a virtual application. Specify the name and version of an application or the path to an OSD file. Optionally, command-line arguments can be passed to the virtual application.

    -Note   -

    Use the command “SFTMIME.EXE /QUERY OBJ:APP /SHORT” to obtain a list of the names and versions of available virtual applications.

    +Note

    Use the command “SFTMIME.EXE /QUERY OBJ:APP /SHORT” to obtain a list of the names and versions of available virtual applications.

    -  +
    @@ -126,20 +124,20 @@ The SFTTRAY command-line switches are described in the following table. -  -**Note**   + +**Note** ¹ The */LAUNCHRESULT* command line parameter provides a means for the process that launches sfttray.exe to specify the root name for a global event and a memory mapped file that are used to return the launch result code to the process. The unique identifier name should start with “SFT-” to prevent the event name from getting virtualized when the launching process is invoked within a virtual environment. The memory mapped region will be 64 bits in size. To use this parameter, the launching process creates an event with the name “<UNIQUE ID>-result\_event”, a memory mapped file with the name “<UNIQUE ID>-result\_value”, and optionally an event with the name “<UNIQUE ID>-shutdown\_event”, and then the launching process launches sfttray.exe and waits on the event to be signaled. After the event “<UNIQUE ID>-result\_event” is signaled, the launching process retrieves the 64-bit return code from the memory mapped region. If the optional event “<UNIQUE ID>-shutdown\_event” exists when the virtual application exits, sfttray.exe opens and signals the event. The launching process waits on this shutdown event if it needs to determine when the virtual application exits. -  - -  - -  + + + + + diff --git a/mdop/appv-v4/stand-alone-delivery-scenario-for-application-virtualization-clients.md b/mdop/appv-v4/stand-alone-delivery-scenario-for-application-virtualization-clients.md index ed9253a02c..35eb413f20 100644 --- a/mdop/appv-v4/stand-alone-delivery-scenario-for-application-virtualization-clients.md +++ b/mdop/appv-v4/stand-alone-delivery-scenario-for-application-virtualization-clients.md 
@@ -22,7 +22,7 @@ The Stand-Alone Delivery Scenario enables you to realize the benefits of Microso **Note**   It is assumed that you have already installed the Application Virtualization Sequencer in preparation for the stand-alone scenario. For more information, see [How to Install the Application Virtualization Sequencer](how-to-install-the-application-virtualization-sequencer.md). -  + ## In This Section @@ -48,9 +48,9 @@ Provides command-line procedures for publishing an application package, using ei [How to Install the Application Virtualization Sequencer](how-to-install-the-application-virtualization-sequencer.md) -  + -  + diff --git a/mdop/appv-v4/streaming-page-learn-more.md b/mdop/appv-v4/streaming-page-learn-more.md index 39a82004b2..be20559d54 100644 --- a/mdop/appv-v4/streaming-page-learn-more.md +++ b/mdop/appv-v4/streaming-page-learn-more.md @@ -22,7 +22,7 @@ Use the **Streaming** page to optimize the virtual application package. During t **Note**   You only have to perform the following tasks if you plan to stream the package across the network. -  + This page contains the following elements: @@ -37,9 +37,9 @@ Runs all the programs saved in the virtual application package. [Create New Package Wizard (AppV 4.6 SP1)](create-new-package-wizard---appv-46-sp1-.md) -  + -  + diff --git a/mdop/appv-v4/system-utilization-reportserver.md b/mdop/appv-v4/system-utilization-reportserver.md index 65731e2111..0120c1b27d 100644 --- a/mdop/appv-v4/system-utilization-reportserver.md +++ b/mdop/appv-v4/system-utilization-reportserver.md @@ -42,7 +42,7 @@ After you run a report and the output is displayed in the Application Virtualiza **Note**   The App-V server name reported from the clients must be part of the Default Server Group in order for the System Utilization report to show data. For example, if you are using multiple servers with a Network Load Balancer (NLB), you must add the NLB cluster name to the Default Server Group. -  + ## Related topics 
@@ -57,9 +57,9 @@ The App-V server name reported from the clients must be part of the Default Serv [How to Run a Report](how-to-run-a-reportserver.md) -  + -  + diff --git a/mdop/appv-v4/target-os-page-learn-more.md b/mdop/appv-v4/target-os-page-learn-more.md index a3caad179a..19b12e2fee 100644 --- a/mdop/appv-v4/target-os-page-learn-more.md +++ b/mdop/appv-v4/target-os-page-learn-more.md @@ -22,7 +22,7 @@ Use the **Target OS** page to specify which operating systems in your environmen **Note**   The operating systems specified on this page can only run this virtual application package if the application you are sequencing supports the operating systems specified. Review the supported operating systems for the application you are sequencing to ensure compatibility. -  + This page contains the following elements: @@ -37,9 +37,9 @@ Enables the virtual application package to be installed and run only on the sele [Create New Package Wizard (AppV 4.6 SP1)](create-new-package-wizard---appv-46-sp1-.md) -  + -  + diff --git a/mdop/appv-v4/unpublish-package.md b/mdop/appv-v4/unpublish-package.md index b3594c6f63..378a0dd72c 100644 --- a/mdop/appv-v4/unpublish-package.md +++ b/mdop/appv-v4/unpublish-package.md @@ -60,7 +60,7 @@ Enables you to remove the shortcuts and file types for an entire package. -  + For version 4.6, the following option has been added. @@ -77,7 +77,7 @@ For version 4.6, the following option has been added. -  + **Important**   Before you can run the **UNPUBLISH PACKAGE** command, the package must already have been added to the Application Virtualization Client. @@ -92,16 +92,16 @@ Using **UNPUBLISH PACKAGE** without **GLOBAL** removes the user shortcuts and fi **UNPUBLISH PACKAGE** always clears all the user settings, shortcuts, and file types regardless of the use of the /CLEAR switch. -  + ## Related topics [SFTMIME Command Reference](sftmime--command-reference.md) -  + -  + 
diff --git a/mdop/appv-v4/user-access-permissions-in-application-virtualization-client.md b/mdop/appv-v4/user-access-permissions-in-application-virtualization-client.md index 733fc666cd..e8376d17ce 100644 --- a/mdop/appv-v4/user-access-permissions-in-application-virtualization-client.md +++ b/mdop/appv-v4/user-access-permissions-in-application-virtualization-client.md @@ -22,7 +22,7 @@ On the **Permissions** tab on the **Properties** dialog box, accessible by right **Note**   Before changing users permissions, ensure that any permissions changes are consistent with the organization's guidelines for granting user permissions. -  + The following table lists and describes the permissions that can be granted to users. @@ -117,16 +117,16 @@ The following table lists and describes the permissions that can be granted to u -  + ## Related topics [How to Change User Access Permissions](how-to-change-user-access-permissions.md) -  + -  + diff --git a/mdop/appv-v4/using-application-virtualization-servers-as-a-package-management-solution.md b/mdop/appv-v4/using-application-virtualization-servers-as-a-package-management-solution.md index d448c2c2b3..d9c8bd044f 100644 --- a/mdop/appv-v4/using-application-virtualization-servers-as-a-package-management-solution.md +++ b/mdop/appv-v4/using-application-virtualization-servers-as-a-package-management-solution.md @@ -22,7 +22,7 @@ If you do not have an existing ESD system to deploy your Application Virtualizat **Note**   Access to the applications is controlled by means of Security Groups in Active Directory Domain Services, so you will need to plan a process to set up a security group for each virtualized application and for managing which users are added to each group. The Application Virtualization Management Server administrator configures the server to use these Active Directory groups, and the server then automatically controls access to the packages based on Active Directory group membership. -  + ## In This Section 
@@ -43,9 +43,9 @@ Describes available options for using Application Virtualization Streaming Serve [Planning for Application Virtualization System Deployment](planning-for-application-virtualization-system-deployment.md) -  + -  + diff --git a/mdop/appv-v5/about-app-v-50-dynamic-configuration.md b/mdop/appv-v5/about-app-v-50-dynamic-configuration.md index 0e79ae7a90..a4913fba8b 100644 --- a/mdop/appv-v5/about-app-v-50-dynamic-configuration.md +++ b/mdop/appv-v5/about-app-v-50-dynamic-configuration.md @@ -35,7 +35,7 @@ The previous .xml files specify package settings and allow for packages to be cu **Note**   The following information can only be used to modify sequencer generated configuration files to customize packages to meet specific user or group requirements. -  + ### Dynamic Configuration file contents @@ -58,7 +58,7 @@ All of the additions, deletions, and updates in the configuration files need to -  + The previous table represents how the files will be read. The first entry represents what will be read last, therefore, its content takes precedence. Therefore, all packages inherently contain and provide default settings from the package manifest. If a deployment configuration .xml file with customized settings is applied, it will override the package manifest defaults. If a user configuration .xml file with customized settings is applied prior to that, it will override both the deployment configuration and the package manifest defaults. 
@@ -102,477 +102,477 @@ The structure of the App-V 5.0 Dynamic Configuration file is explained in the fo **Header** - the header of a dynamic user configuration file is as follows: -<?xml version="1.0" encoding="utf-8"?><UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> +<?xml version="1.0" encoding="utf-8"?><UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="; The **PackageId** is the same value as exists in the Manifest file. **Body** - the body of the Dynamic User Configuration file can include all the app extension points that are defined in the Manifest file, as well as information to configure virtual applications. There are four subsections allowed in the body: -1. **Applications** - All app-extensions that are contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored. +1. **Applications** - All app-extensions that are contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored. - <UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> + <UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="; - <Applications> + <Applications> - <!-- No new application can be defined in policy. 
AppV Client will ignore any application ID that is not also in the Manifest file --> + <!-- No new application can be defined in policy. AppV Client will ignore any application ID that is not also in the Manifest file --> - <Application Id="{a56fa627-c35f-4a01-9e79-7d36aed8225a}" Enabled="false"> + <Application Id="{a56fa627-c35f-4a01-9e79-7d36aed8225a}" Enabled="false"> - </Application> + </Application> - </Applications> + </Applications> - … + … - </UserConfiguration> + </UserConfiguration> -2. **Subsystems** - AppExtensions and other subsystems are arranged as subnodes under the <Subsystems>: +2. **Subsystems** - AppExtensions and other subsystems are arranged as subnodes under the <Subsystems>: - <UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> + <UserConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="; - <Subsystems> + <Subsystems> - .. + .. - </Subsystems> + </Subsystems> - .. + .. - </UserConfiguration> + </UserConfiguration> - Each subsystem can be enabled/disabled using the “**Enabled**” attribute. Below are the various subsystems and usage samples. + Each subsystem can be enabled/disabled using the “**Enabled**” attribute. Below are the various subsystems and usage samples. - **Extensions:** + **Extensions:** - Some subsystems (Extension Subsystems) control Extensions. Those subsystems are:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM + Some subsystems (Extension Subsystems) control Extensions. Those subsystems are:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM - Extension Subsystems can be enabled and disabled independently of the content.  Thus if Shortcuts are enabled, The client will use the shortcuts contained within the manifest by default. Each Extension Subsystem can contain an <Extensions> node. 
If this child element is present, the client will ignore the content in the Manifest file for that subsystem and only use the content in the configuration file. + Extension Subsystems can be enabled and disabled independently of the content. Thus if Shortcuts are enabled, The client will use the shortcuts contained within the manifest by default. Each Extension Subsystem can contain an <Extensions> node. If this child element is present, the client will ignore the content in the Manifest file for that subsystem and only use the content in the configuration file. - Example using the shortcuts subsystem: + Example using the shortcuts subsystem: - 1. If the user defined this in either the dynamic or deployment config file: + 1. If the user defined this in either the dynamic or deployment config file: -                              **<Shortcuts  Enabled="true">** + **<Shortcuts Enabled="true">** -                                          **<Extensions>** + **<Extensions>** -                                           ... + ... -                                          **</Extensions>** + **</Extensions>** -                              **</Shortcuts>** + **</Shortcuts>** -                   Content in the manifest will be ignored.    + Content in the manifest will be ignored. - 2. If the user defined only the following: + 2. If the user defined only the following: -                             **<Shortcuts  Enabled="true"/>** + **<Shortcuts Enabled="true"/>** -                   Then the content in the Manifest will be integrated during publishing. + Then the content in the Manifest will be integrated during publishing. - 3. If the user defines the following + 3. 
If the user defines the following -                            **<Shortcuts  Enabled="true">** + **<Shortcuts Enabled="true">** -                                          **<Extensions/>** + **<Extensions/>** -                              **</Shortcuts>** + **</Shortcuts>** - Then all the shortcuts within the manifest will still be ignored. There will be no shortcuts integrated. + Then all the shortcuts within the manifest will still be ignored. There will be no shortcuts integrated. - The supported Extension Subsystems are: + The supported Extension Subsystems are: - **Shortcuts:** This controls shortcuts that will be integrated into the local system. Below is a sample with 2 shortcuts: + **Shortcuts:** This controls shortcuts that will be integrated into the local system. Below is a sample with 2 shortcuts: - <Subsystems> + <Subsystems> - <Shortcuts Enabled="true"> + <Shortcuts Enabled="true"> -   <Extensions> + <Extensions> -     <Extension Category="AppV.Shortcut"> + <Extension Category="AppV.Shortcut"> -       <Shortcut> + <Shortcut> -         <File>\[{Common Programs}\]\\Microsoft Contoso\\Microsoft ContosoApp Filler 2010.lnk</File> + <File>\[{Common Programs}\]\\Microsoft Contoso\\Microsoft ContosoApp Filler 2010.lnk</File> -         <Target>\[{PackageRoot}\]\\Contoso\\ContosoApp.EXE</Target> + <Target>\[{PackageRoot}\]\\Contoso\\ContosoApp.EXE</Target> -         <Icon>\[{Windows}\]\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\inficon.exe</Icon> + <Icon>\[{Windows}\]\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\inficon.exe</Icon> -         <Arguments /> + <Arguments /> -         <WorkingDirectory /> + <WorkingDirectory /> -         <AppUserModelId>ContosoApp.Filler.3</AppUserModelId> + <AppUserModelId>ContosoApp.Filler.3</AppUserModelId> -         <Description>Fill out dynamic forms to gather and reuse information throughout the organization using Microsoft ContosoApp.</Description> + <Description>Fill out dynamic forms to gather and reuse 
information throughout the organization using Microsoft ContosoApp.</Description> -         <Hotkey>0</Hotkey> + <Hotkey>0</Hotkey> -         <ShowCommand>1</ShowCommand> + <ShowCommand>1</ShowCommand> -         <ApplicationId>\[{PackageRoot}\]\\Contoso\\ContosoApp.EXE</ApplicationId> + <ApplicationId>\[{PackageRoot}\]\\Contoso\\ContosoApp.EXE</ApplicationId> -       </Shortcut> + </Shortcut> -   </Extension> + </Extension> -   <Extension Category="AppV.Shortcut"> + <Extension Category="AppV.Shortcut"> -     <Shortcut> + <Shortcut> -       <File>\[{AppData}\]\\Microsoft\\Contoso\\Recent\\Templates.LNK</File> + <File>\[{AppData}\]\\Microsoft\\Contoso\\Recent\\Templates.LNK</File> -       <Target>\[{AppData}\]\\Microsoft\\Templates</Target> + <Target>\[{AppData}\]\\Microsoft\\Templates</Target> -       <Icon /> + <Icon /> -       <Arguments /> + <Arguments /> -       <WorkingDirectory /> + <WorkingDirectory /> -       <AppUserModelId /> + <AppUserModelId /> -       <Description /> + <Description /> -       <Hotkey>0</Hotkey> + <Hotkey>0</Hotkey> -       <ShowCommand>1</ShowCommand> + <ShowCommand>1</ShowCommand> -       <!-- Note the ApplicationId is optional --> + <!-- Note the ApplicationId is optional --> -     </Shortcut> + </Shortcut> -   </Extension> - -  </Extensions> - - </Shortcuts> - - **File-Type Associations:** Associates File-types with programs to open by default as well as setup the context menu. (MIME types can also be setup using this susbsystem). 
Sample File-type Association is below: - - <FileTypeAssociations Enabled="true"> - - <Extensions> - -   <Extension Category="AppV.FileTypeAssociation"> - -     <FileTypeAssociation> - -       <FileExtension MimeAssociation="true"> - -       <Name>.docm</Name> - -       <ProgId>contosowordpad.DocumentMacroEnabled.12</ProgId> - -       <PerceivedType>document</PerceivedType> - -       <ContentType>application/vnd.ms-contosowordpad.document.macroEnabled.12</ContentType> - -       <OpenWithList> - -         <ApplicationName>wincontosowordpad.exe</ApplicationName> - -       </OpenWithList> - -      <OpenWithProgIds> - -         <ProgId>contosowordpad.8</ProgId> - -       </OpenWithProgIds> - -       <ShellNew> - -         <Command /> - -         <DataBinary /> - -         <DataText /> - -         <FileName /> - -         <NullFile>true</NullFile> - -         <ItemName /> - -         <IconPath /> - -         <MenuText /> - -         <Handler /> - -       </ShellNew> - -     </FileExtension> - -     <ProgId> - -        <Name>contosowordpad.DocumentMacroEnabled.12</Name> - -         <DefaultIcon>\[{Windows}\]\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\contosowordpadicon.exe,15</DefaultIcon> - -         <Description>Blah Blah Blah</Description> - -         <FriendlyTypeName>\[{FOLDERID\_ProgramFilesX86}\]\\Microsoft Contoso 14\\res.dll,9182</FriendlyTypeName> - -         <InfoTip>\[{FOLDERID\_ProgramFilesX86}\]\\Microsoft Contoso 14\\res.dll,1424</InfoTip> - -         <EditFlags>0</EditFlags> - -         <ShellCommands> - -           <DefaultCommand>Open</DefaultCommand> - -           <ShellCommand> - -              <ApplicationId>{e56fa627-c35f-4a01-9e79-7d36aed8225a}</ApplicationId> - -              <Name>Edit</Name> - -              <FriendlyName>&Edit</FriendlyName> - -              <CommandLine>"\[{PackageRoot}\]\\Contoso\\WINcontosowordpad.EXE" /vu "%1"</CommandLine> - -           </ShellCommand> - -           </ShellCommand> - -             
<ApplicationId>{e56fa627-c35f-4a01-9e79-7d36aed8225a}</ApplicationId> - -             <Name>Open</Name> - -             <FriendlyName>&Open</FriendlyName> - -             <CommandLine>"\[{PackageRoot}\]\\Contoso\\WINcontosowordpad.EXE" /n "%1"</CommandLine> - -             <DropTargetClassId /> - -             <DdeExec> - -               <Application>mscontosowordpad</Application> - -               <Topic>ShellSystem</Topic> - -               <IfExec>\[SHELLNOOP\]</IfExec> - -               <DdeCommand>\[SetForeground\]\[ShellNewDatabase "%1"\]</DdeCommand> - -             </DdeExec> - -           </ShellCommand> - -         </ShellCommands> - -       </ProgId> - -      </FileTypeAssociation> - -    </Extension> - -   </Extensions> - -   </FileTypeAssociations> - - **URL Protocols**: This controls the URL Protocols that are integrated into the local registry of the client machine e.g. “mailto:”. - - <URLProtocols Enabled="true"> - - <Extensions> - - <Extension Category="AppV.URLProtocol"> - - <URLProtocol> - -   <Name>mailto</Name> - -   <ApplicationURLProtocol> - -   <DefaultIcon>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE,-9403</DefaultIcon> - -   <EditFlags>2</EditFlags> - -   <Description /> - -   <AppUserModelId /> - -   <FriendlyTypeName /> - -   <InfoTip /> - - <SourceFilter /> - -   <ShellFolder /> - -   <WebNavigableCLSID /> - -   <ExplorerFlags>2</ExplorerFlags> - -   <CLSID /> - -   <ShellCommands> - -   <DefaultCommand>open</DefaultCommand> - -   <ShellCommand> - -   <ApplicationId>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE</ApplicationId> - -   <Name>open</Name> - -   <CommandLine>\[{ProgramFilesX86}\\Microsoft Contoso\\Contoso\\contosomail.EXE" -c OEP.Note /m "%1"</CommandLine> - -   <DropTargetClassId /> - -   <FriendlyName /> - -   <Extended>0</Extended> - -   <LegacyDisable>0</LegacyDisable> - -   <SuppressionPolicy>2</SuppressionPolicy> - -    <DdeExec> - -   <NoActivateHandler /> - -   
<Application>contosomail</Application> - -   <Topic>ShellSystem</Topic> - -   <IfExec>\[SHELLNOOP\]</IfExec> - -   <DdeCommand>\[SetForeground\]\[ShellNewDatabase "%1"\]</DdeCommand> - -   </DdeExec> - -   </ShellCommand> - -   </ShellCommands> - -   </ApplicationURLProtocol> - -   </URLProtocol> - -   </Extension> - -   </Extension> - -   </URLProtocols> - - **Software Clients**: Allows the app to register as an Email client, news reader, media player and makes the app visible in the Set Program Access and Computer Defaults UI. In most cases you should only need to enable and disable it. There is also a control to enable and disable the email client specifically if you want the other clients still enabled except for that client. - - <SoftwareClients Enabled="true"> - -   <ClientConfiguration EmailEnabled="false" /> - - </SoftwareClients> - - AppPaths:- If an application for example contoso.exe is registered with an apppath name of “myapp”, it allows you type “myapp” under the run menu and it will open contoso.exe. - - <AppPaths Enabled="true"> - - <Extensions> - - <Extension Category="AppV.AppPath"> - - <AppPath> - -   <ApplicationId>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE</ApplicationId> - -   <Name>contosomail.exe</Name> - -   <ApplicationPath>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE</ApplicationPath> - -   <PATHEnvironmentVariablePrefix /> - -   <CanAcceptUrl>false</CanAcceptUrl> - -   <SaveUrl /> - - </AppPath> - - </Extension> + </Extension> </Extensions> - </AppPaths> + </Shortcuts> - **COM**: Allows an Application register Local COM servers. Mode can be Integration, Isolated or Off. When Isol. + **File-Type Associations:** Associates File-types with programs to open by default as well as setup the context menu. (MIME types can also be setup using this susbsystem). 
Sample File-type Association is below: - <COM Mode="Isolated"/> + <FileTypeAssociations Enabled="true"> - **Other Settings**: + <Extensions> - In addition to Extensions, other subsystems can be enabled/disabled and edited: + <Extension Category="AppV.FileTypeAssociation"> - **Virtual Kernel Objects**: + <FileTypeAssociation> - <Objects Enabled="false" /> + <FileExtension MimeAssociation="true"> - **Virtual Registry**: Used if you want to set a registry in the Virtual Registry within HKCU + <Name>.docm</Name> - <Registry Enabled="true"> + <ProgId>contosowordpad.DocumentMacroEnabled.12</ProgId> - <Include> + <PerceivedType>document</PerceivedType> - <Key Path="\\REGISTRY\\USER\\\[{AppVCurrentUserSID}\]\\Software\\ABC"> + <ContentType>application/vnd.ms-contosowordpad.document.macroEnabled.12</ContentType> - <Value Type="REG\_SZ" Name="Bar" Data="NewValue" /> + <OpenWithList> -  </Key> + <ApplicationName>wincontosowordpad.exe</ApplicationName> -   <Key Path="\\REGISTRY\\USER\\\[{AppVCurrentUserSID}\]\\Software\\EmptyKey" /> + </OpenWithList> -  </Include> + <OpenWithProgIds> - <Delete> + <ProgId>contosowordpad.8</ProgId> -   </Registry> + </OpenWithProgIds> - **Virtual File System** + <ShellNew> -       <FileSystem Enabled="true" /> + <Command /> - **Virtual Fonts** + <DataBinary /> -       <Fonts Enabled="false" /> + <DataText /> - **Virtual Environment Variables** + <FileName /> - <EnvironmentVariables Enabled="true"> + <NullFile>true</NullFile> - <Include> + <ItemName /> -        <Variable Name="UserPath" Value="%path%;%UserProfile%" /> + <IconPath /> -        <Variable Name="UserLib" Value="%UserProfile%\\ABC" /> + <MenuText /> -        </Include> + <Handler /> -       <Delete> + </ShellNew> -        <Variable Name="lib" /> + </FileExtension> -         </Delete> + <ProgId> -         </EnvironmentVariables> + <Name>contosowordpad.DocumentMacroEnabled.12</Name> - **Virtual services** + 
<DefaultIcon>\[{Windows}\]\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\contosowordpadicon.exe,15</DefaultIcon> -       <Services Enabled="false" /> + <Description>Blah Blah Blah</Description> -3. **UserScripts** – Scripts can be used to setup or alter the virtual environment as well as execute scripts at time of deployment or removal, before an application executes, or they can be used to “clean up” the environment after the application terminates. Please reference a sample User configuration file that is output by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used. + <FriendlyTypeName>\[{FOLDERID\_ProgramFilesX86}\]\\Microsoft Contoso 14\\res.dll,9182</FriendlyTypeName> -4. **ManagingAuthority** – Can be used when 2 versions of your package are co-existing on the same machine, one deployed to App-V 4.6 and the other deployed on App-V 5.0. To Allow App-V vNext to take over App-V 4.6 extension points for the named package enter the following in the UserConfig file (where PackageName is the Package GUID in App-V 4.6: + <InfoTip>\[{FOLDERID\_ProgramFilesX86}\]\\Microsoft Contoso 14\\res.dll,1424</InfoTip> - <ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName="032630c0-b8e2-417c-acef-76fc5297fe81" /> + <EditFlags>0</EditFlags> + + <ShellCommands> + + <DefaultCommand>Open</DefaultCommand> + + <ShellCommand> + + <ApplicationId>{e56fa627-c35f-4a01-9e79-7d36aed8225a}</ApplicationId> + + <Name>Edit</Name> + + <FriendlyName>&Edit</FriendlyName> + + <CommandLine>"\[{PackageRoot}\]\\Contoso\\WINcontosowordpad.EXE" /vu "%1"</CommandLine> + + </ShellCommand> + + </ShellCommand> + + <ApplicationId>{e56fa627-c35f-4a01-9e79-7d36aed8225a}</ApplicationId> + + <Name>Open</Name> + + <FriendlyName>&Open</FriendlyName> + + <CommandLine>"\[{PackageRoot}\]\\Contoso\\WINcontosowordpad.EXE" /n "%1"</CommandLine> + + <DropTargetClassId /> + + <DdeExec> + + 
<Application>mscontosowordpad</Application> + + <Topic>ShellSystem</Topic> + + <IfExec>\[SHELLNOOP\]</IfExec> + + <DdeCommand>\[SetForeground\]\[ShellNewDatabase "%1"\]</DdeCommand> + + </DdeExec> + + </ShellCommand> + + </ShellCommands> + + </ProgId> + + </FileTypeAssociation> + + </Extension> + + </Extensions> + + </FileTypeAssociations> + + **URL Protocols**: This controls the URL Protocols that are integrated into the local registry of the client machine e.g. “mailto:”. + + <URLProtocols Enabled="true"> + + <Extensions> + + <Extension Category="AppV.URLProtocol"> + + <URLProtocol> + + <Name>mailto</Name> + + <ApplicationURLProtocol> + + <DefaultIcon>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE,-9403</DefaultIcon> + + <EditFlags>2</EditFlags> + + <Description /> + + <AppUserModelId /> + + <FriendlyTypeName /> + + <InfoTip /> + + <SourceFilter /> + + <ShellFolder /> + + <WebNavigableCLSID /> + + <ExplorerFlags>2</ExplorerFlags> + + <CLSID /> + + <ShellCommands> + + <DefaultCommand>open</DefaultCommand> + + <ShellCommand> + + <ApplicationId>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE</ApplicationId> + + <Name>open</Name> + + <CommandLine>\[{ProgramFilesX86}\\Microsoft Contoso\\Contoso\\contosomail.EXE" -c OEP.Note /m "%1"</CommandLine> + + <DropTargetClassId /> + + <FriendlyName /> + + <Extended>0</Extended> + + <LegacyDisable>0</LegacyDisable> + + <SuppressionPolicy>2</SuppressionPolicy> + + <DdeExec> + + <NoActivateHandler /> + + <Application>contosomail</Application> + + <Topic>ShellSystem</Topic> + + <IfExec>\[SHELLNOOP\]</IfExec> + + <DdeCommand>\[SetForeground\]\[ShellNewDatabase "%1"\]</DdeCommand> + + </DdeExec> + + </ShellCommand> + + </ShellCommands> + + </ApplicationURLProtocol> + + </URLProtocol> + + </Extension> + + </Extension> + + </URLProtocols> + + **Software Clients**: Allows the app to register as an Email client, news reader, media player and makes the app visible in the Set Program Access and 
Computer Defaults UI. In most cases you should only need to enable and disable it. There is also a control to enable and disable the email client specifically if you want the other clients still enabled except for that client. + + <SoftwareClients Enabled="true"> + + <ClientConfiguration EmailEnabled="false" /> + + </SoftwareClients> + + AppPaths:- If an application for example contoso.exe is registered with an apppath name of “myapp”, it allows you type “myapp” under the run menu and it will open contoso.exe. + + <AppPaths Enabled="true"> + + <Extensions> + + <Extension Category="AppV.AppPath"> + + <AppPath> + + <ApplicationId>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE</ApplicationId> + + <Name>contosomail.exe</Name> + + <ApplicationPath>\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE</ApplicationPath> + + <PATHEnvironmentVariablePrefix /> + + <CanAcceptUrl>false</CanAcceptUrl> + + <SaveUrl /> + + </AppPath> + + </Extension> + + </Extensions> + + </AppPaths> + + **COM**: Allows an Application register Local COM servers. Mode can be Integration, Isolated or Off. When Isol. 
+ + <COM Mode="Isolated"/> + + **Other Settings**: + + In addition to Extensions, other subsystems can be enabled/disabled and edited: + + **Virtual Kernel Objects**: + + <Objects Enabled="false" /> + + **Virtual Registry**: Used if you want to set a registry in the Virtual Registry within HKCU + + <Registry Enabled="true"> + + <Include> + + <Key Path="\\REGISTRY\\USER\\\[{AppVCurrentUserSID}\]\\Software\\ABC"> + + <Value Type="REG\_SZ" Name="Bar" Data="NewValue" /> + + </Key> + + <Key Path="\\REGISTRY\\USER\\\[{AppVCurrentUserSID}\]\\Software\\EmptyKey" /> + + </Include> + + <Delete> + + </Registry> + + **Virtual File System** + + <FileSystem Enabled="true" /> + + **Virtual Fonts** + + <Fonts Enabled="false" /> + + **Virtual Environment Variables** + + <EnvironmentVariables Enabled="true"> + + <Include> + + <Variable Name="UserPath" Value="%path%;%UserProfile%" /> + + <Variable Name="UserLib" Value="%UserProfile%\\ABC" /> + + </Include> + + <Delete> + + <Variable Name="lib" /> + + </Delete> + + </EnvironmentVariables> + + **Virtual services** + + <Services Enabled="false" /> + +3. **UserScripts** – Scripts can be used to setup or alter the virtual environment as well as execute scripts at time of deployment or removal, before an application executes, or they can be used to “clean up” the environment after the application terminates. Please reference a sample User configuration file that is output by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used. + +4. **ManagingAuthority** – Can be used when 2 versions of your package are co-existing on the same machine, one deployed to App-V 4.6 and the other deployed on App-V 5.0. 
To Allow App-V vNext to take over App-V 4.6 extension points for the named package enter the following in the UserConfig file (where PackageName is the Package GUID in App-V 4.6: + + <ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName="032630c0-b8e2-417c-acef-76fc5297fe81" /> ### Dynamic Deployment Configuration file **Header** - The header of a Deployment Configuration file is as follows: -<?xml version="1.0" encoding="utf-8"?><DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration"> +<?xml version="1.0" encoding="utf-8"?><DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="; The **PackageId** is the same value as exists in the manifest file. @@ -582,11 +582,11 @@ The **PackageId** is the same value as exists in the manifest file. - Machine Configuration section–contains information that can be configured only for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS. -<DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration"> +<DeploymentConfiguration **PackageId**="1f8488bf-2257-46b4-b27f-09c9dbaae707" DisplayName="Reserved" xmlns="; <UserConfiguration> -  .. + .. </UserConfiguration> @@ -610,11 +610,11 @@ Machine Configuration - the Machine configuration section of the Deployment Conf <MachineConfiguration> -   <Subsystems> + <Subsystems> -   .. + .. -   </Subsystems> + </Subsystems> .. 
@@ -630,65 +630,65 @@ Machine Configuration - the Machine configuration section of the Deployment Conf <ApplicationCapabilities Enabled="true"> -   <Extensions> + <Extensions> -    <Extension Category="AppV.ApplicationCapabilities"> + <Extension Category="AppV.ApplicationCapabilities"> -     <ApplicationCapabilities> + <ApplicationCapabilities> -      <ApplicationId>\[{PackageRoot}\]\\LitView\\LitViewBrowser.exe</ApplicationId> + <ApplicationId>\[{PackageRoot}\]\\LitView\\LitViewBrowser.exe</ApplicationId> -      <Reference> + <Reference> -       <Name>LitView Browser</Name> + <Name>LitView Browser</Name> -       <Path>SOFTWARE\\LitView\\Browser\\Capabilities</Path> + <Path>SOFTWARE\\LitView\\Browser\\Capabilities</Path> -      </Reference> + </Reference> -    <CapabilityGroup> + <CapabilityGroup> -     <Capabilities> + <Capabilities> -      <Name>@\[{ProgramFilesX86}\]\\LitView\\LitViewBrowser.exe,-12345</Name> + <Name>@\[{ProgramFilesX86}\]\\LitView\\LitViewBrowser.exe,-12345</Name> -      <Description>@\[{ProgramFilesX86}\]\\LitView\\LitViewBrowser.exe,-12346</Description> + <Description>@\[{ProgramFilesX86}\]\\LitView\\LitViewBrowser.exe,-12346</Description> -      <Hidden>0</Hidden> + <Hidden>0</Hidden> -      <EMailSoftwareClient>Lit View E-Mail Client</EMailSoftwareClient> + <EMailSoftwareClient>Lit View E-Mail Client</EMailSoftwareClient> -      <FileAssociationList> + <FileAssociationList> -       <FileAssociation Extension=".htm" ProgID="LitViewHTML" /> + <FileAssociation Extension=".htm" ProgID="LitViewHTML" /> -       <FileAssociation Extension=".html" ProgID="LitViewHTML" /> + <FileAssociation Extension=".html" ProgID="LitViewHTML" /> -       <FileAssociation Extension=".shtml" ProgID="LitViewHTML" /> + <FileAssociation Extension=".shtml" ProgID="LitViewHTML" /> -      </FileAssociationList> + </FileAssociationList> -      <MIMEAssociationList> + <MIMEAssociationList> -       <MIMEAssociation Type="audio/mp3" ProgID="LitViewHTML" /> + <MIMEAssociation 
Type="audio/mp3" ProgID="LitViewHTML" /> -       <MIMEAssociation Type="audio/mpeg" ProgID="LitViewHTML" /> + <MIMEAssociation Type="audio/mpeg" ProgID="LitViewHTML" /> -      </MIMEAssociationList> + </MIMEAssociationList> -     <URLAssociationList> + <URLAssociationList> -       <URLAssociation Scheme="http" ProgID="LitViewHTML.URL.http" /> + <URLAssociation Scheme="http" ProgID="LitViewHTML.URL.http" /> -      </URLAssociationList> + </URLAssociationList> -      </Capabilities> + </Capabilities> -   </CapabilityGroup> + </CapabilityGroup> -    </ApplicationCapabilities> + </ApplicationCapabilities> -   </Extension> + </Extension> </Extensions> @@ -704,15 +704,15 @@ Machine Configuration - the Machine configuration section of the Deployment Conf <Include> -   <Key Path="\\REGISTRY\\Machine\\Software\\ABC"> + <Key Path="\\REGISTRY\\Machine\\Software\\ABC"> -     <Value Type="REG\_SZ" Name="Bar" Data="Baz" /> + <Value Type="REG\_SZ" Name="Bar" Data="Baz" /> -    </Key> + </Key> -   <Key Path="\\REGISTRY\\Machine\\Software\\EmptyKey" /> + <Key Path="\\REGISTRY\\Machine\\Software\\EmptyKey" /> -  </Include> + </Include> <Delete> @@ -724,9 +724,9 @@ Machine Configuration - the Machine configuration section of the Deployment Conf <NotIsolate> -    <Object Name="testObject" /> + <Object Name="testObject" /> -  </NotIsolate> + </NotIsolate> </Objects> @@ -734,11 +734,11 @@ Machine Configuration - the Machine configuration section of the Deployment Conf <MachineConfiguration> -   ..  + ..  -   <ProductSourceURLOptOut Enabled="true" /> + <ProductSourceURLOptOut Enabled="true" /> -   .. + .. </MachineConfiguration> 
@@ -748,19 +748,19 @@ Machine Configuration - the Machine configuration section of the Deployment Conf <MachineConfiguration> -   ..    + ..    -   <TerminateChildProcesses> + <TerminateChildProcesses> -     <Application Path="\[{PackageRoot}\]\\Contoso\\ContosoApp.EXE" /> + <Application Path="\[{PackageRoot}\]\\Contoso\\ContosoApp.EXE" /> -     <Application Path="\[{PackageRoot}\]\\LitView\\LitViewBrowser.exe" /> + <Application Path="\[{PackageRoot}\]\\LitView\\LitViewBrowser.exe" /> -     <Application Path="\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE" /> + <Application Path="\[{ProgramFilesX86}\]\\Microsoft Contoso\\Contoso\\contosomail.EXE" /> -   </TerminateChildProcesses> + </TerminateChildProcesses> -   .. + .. </MachineConfiguration> @@ -855,7 +855,7 @@ The following table describes the various script events and the context under wh -  + ### Create a Dynamic Configuration file using an App-V 5.0 Manifest file @@ -879,9 +879,9 @@ To create the file manually, the information above in previous sections can be c [Operations for App-V 5.0](operations-for-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/about-app-v-50-reporting.md b/mdop/appv-v5/about-app-v-50-reporting.md index 24988cb82c..befb001a5f 100644 --- a/mdop/appv-v5/about-app-v-50-reporting.md +++ b/mdop/appv-v5/about-app-v-50-reporting.md @@ -41,7 +41,7 @@ The following list displays the end–to-end high-level workflow for reporting i **Note**   If you are using the Configuration Manager integration with App-V 5.0, most reports are generated from Configuration Manager rather than from App-V 5.0. -   + 4. After importing the App-V 5.0 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.0 client. This sample PowerShell cmdlet enables App-V 5.0 reporting: 
@@ -60,9 +60,11 @@ The following list displays the end–to-end high-level workflow for reporting i **Note**   By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache. -   + - If the App-V 5.0 client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache. +~~~ +If the App-V 5.0 client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache. +~~~ ### App-V 5.0 reporting server frequently asked questions @@ -110,24 +112,23 @@ The following table displays answers to common questions about App-V 5.0 reporti
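Review bot: In the `@@ -60,9 +60,11` hunk the `+` lines wrap a prose sentence in a `~~~` fence (`+~~~`, `+If the App-V 5.0 client device does not receive a success notification from the server, ...`, `+~~~`), so it will render as a preformatted code block instead of text. The removed line's leading indentation shows this was a continuation paragraph under the preceding numbered step, not code. Drop the fences and keep the sentence as an indented paragraph.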

    Yes. Besides manually sending reporting using PowerShell Cmdlets (Send-AppvClientReport), the task can be scheduled so it will happen automatically. There are two ways to schedule the reporting:

    1. Using PowerShell cmdlets - Set-AppvClientConfiguration. For example:

      -

      Set-AppvClientConfiguration -ReportingEnabled 1 - ReportingServerURL http://any.com/appv-reporting

      +

      Set-AppvClientConfiguration -ReportingEnabled 1 - ReportingServerURL http://any.com/appv-reporting

      -

      For a complete list of client configuration settings see [About Client Configuration Settings](about-client-configuration-settings.md) and look for the following entries: ReportingEnabled, ReportingServerURL, ReportingDataCacheLimit, ReportingDataBlockSize, ReportingStartTime, ReportingRandomDelay, ReportingInterval.

      +

      For a complete list of client configuration settings see About Client Configuration Settings and look for the following entries: ReportingEnabled, ReportingServerURL, ReportingDataCacheLimit, ReportingDataBlockSize, ReportingStartTime, ReportingRandomDelay, ReportingInterval.

    2. By using Group Policy. If distributed using the domain controller, the settings are the same as previously listed.

      -Note   -

      Group Policy settings override local settings configured using PowerShell.

      +Note

      Group Policy settings override local settings configured using PowerShell.

      -  +
    + -  ## App-V 5.0 Client Reporting @@ -138,10 +139,10 @@ To use App-V 5.0 reporting you must install and configure the App-V 5.0 client. The following examples show how PowerShell parameters can configure the reporting features of the App-V 5.0 client. -**Note**   +**Note** The following configuration task can also be configured using Group Policy settings in the App-V 5.0 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.0 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-50-client-configuration-using-the-admx-template-and-group-policy.md). + -  **To enable reporting and to initiate data collection on the computer running the App-V 5.0 client**: @@ -155,7 +156,7 @@ Set-AppVClientConfiguration –ReportingServerURL http://MyReportingServer:MyPor `-ReportingInterval 1 -ReportingRandomDelay 30` -This example configures the client to automatically send the reporting data to the reporting server URL **http://MyReportingServer:MyPort/**. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session. +This example configures the client to automatically send the reporting data to the reporting server URL http://MyReportingServer:MyPort/. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session. **To limit the size of the data cache on the client**: @@ -224,8 +225,8 @@ The following table displays the types of information you can collect by using A + -  The client collects and saves this data in an **.xml** format. The data cache is hidden by default and requires administrator rights to open the XML file. @@ -270,20 +271,19 @@ You can also use the **Send-AppVClientReport** cmdlet to manually collect data.

    If you have an existing App-V 5.0 reporting Server, create a customized scheduled task or script. Specify that the client send the data to the specified location with the desired frequency.

    If you do not have an existing App-V 5.0 reporting Server, use the –URL parameter to send the data to a specified share. For example:

    -

    Send-AppVClientReport –URL \\Myshare\MyData\ -DeleteOnSuccess

    -

    The previous example will send the reporting data to \\MyShare\MyData\ location indicated by the -URL parameter. After the data has been sent, the cache is cleared.

    +

    Send-AppVClientReport –URL \Myshare\MyData\ -DeleteOnSuccess

    +

    The previous example will send the reporting data to \MyShare\MyData</strong> location indicated by the -URL parameter. After the data has been sent, the cache is cleared.

    -Note   -

    If a location other than the Reporting Server is specified, the data is sent using .xml format with no additional processing.

    +Note

    If a location other than the Reporting Server is specified, the data is sent using .xml format with no additional processing.

    -  +
    -  + ### Creating Reports @@ -317,9 +317,9 @@ You should also ensure that the reporting server web service’s **Maximum Concu [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database.md) -  + -  + diff --git a/mdop/appv-v5/about-app-v-50-sp1.md b/mdop/appv-v5/about-app-v-50-sp1.md index fae0ea6408..65c04e3806 100644 --- a/mdop/appv-v5/about-app-v-50-sp1.md +++ b/mdop/appv-v5/about-app-v-50-sp1.md @@ -32,7 +32,7 @@ This service pack contains the following changes: - Reporting - **HKEY\_LOCAL\_MACHINE** \\ **SOFTWARE** \\ **Microsoft** \\ **AppV** \\ **Server** \\ **ReportingService** \\ **REPORTING\_DB\_NAME** -   + ## How to Get MDOP Technologies @@ -51,9 +51,9 @@ App-V 5.0 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is p [Release Notes for App-V 5.0 SP1](release-notes-for-app-v-50-sp1.md) -  + -  + diff --git a/mdop/appv-v5/about-app-v-50-sp2.md b/mdop/appv-v5/about-app-v-50-sp2.md index c3fd881748..fa43f9f5d9 100644 --- a/mdop/appv-v5/about-app-v-50-sp2.md +++ b/mdop/appv-v5/about-app-v-50-sp2.md @@ -61,7 +61,7 @@ Tasks that have been placed in a pending state will be performed according to th -  + When a task is placed in a pending state, the App-V client also generates a registry key for the pending task, as follows: @@ -88,7 +88,7 @@ When a task is placed in a pending state, the App-V client also generates a regi -  + ### Virtualizing Microsoft Office 2013 and Microsoft Office 2010 using App-V 5.0 @@ -99,7 +99,7 @@ Use the following link for more information about App-V 5.0 supported Microsoft **Note**   This document focuses on creating a Microsoft Office 2013 App-V 5.0 Package. However, it also provides information about scenarios for Microsoft Office 2010 with App-V 5.0. -  + ### App-V 5.0 Client Management User Interface Application 
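Review bot: In the `@@ -110,24 +112,23` hunk the `+` copy of `For a complete list of client configuration settings see About Client Configuration Settings and look for the following entries: ...` has lost the link to `about-client-configuration-settings.md` that the `-` line carried; as displayed, the reader is told to "see" a topic with nothing to click, so confirm the link survives in the committed markdown. The example cmdlet on both sides also carries a broken parameter, `Set-AppvClientConfiguration -ReportingEnabled 1 - ReportingServerURL http://any.com/appv-reporting`: with a space after the lone `-`, PowerShell does not see `-ReportingServerURL` as a parameter name and the command fails. Since the hunk rewrites this line anyway, change it to `-ReportingServerURL`.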
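Review bot: In the `@@ -270,20 +271,19` hunk the `+` lines damage the UNC share path and leak markup: `Send-AppVClientReport –URL \Myshare\MyData\ -DeleteOnSuccess` now has a single leading backslash where the `-` line had `\\Myshare\MyData\`, and the next sentence ends in `\MyShare\MyData</strong> location`, a closing tag with no opening one. Check the committed source: the path needs the `\\server\share` form to be a usable `-URL` target, and the stray `</strong>` should go. Both sides also spell the parameter with an en dash (`–URL`); since the line is being rewritten, use a plain hyphen so the command pastes correctly into PowerShell.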
@@ -173,9 +173,9 @@ App-V 5.0 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is p [Release Notes for App-V 5.0 SP2](release-notes-for-app-v-50-sp2.md) -  + -  + diff --git a/mdop/appv-v5/about-app-v-50-sp3.md b/mdop/appv-v5/about-app-v-50-sp3.md index b4f0f69c18..b427373e7f 100644 --- a/mdop/appv-v5/about-app-v-50-sp3.md +++ b/mdop/appv-v5/about-app-v-50-sp3.md @@ -59,17 +59,17 @@ See the following links for the App-V 5.0 SP3 software prerequisites and support -

    [App-V 5.0 SP3 Prerequisites](app-v-50-sp3-prerequisites.md)

    +

    App-V 5.0 SP3 Prerequisites

    Prerequisite software that you must install before starting the App-V 5.0 SP3 installation

    -

    [App-V 5.0 SP3 Supported Configurations](app-v-50-sp3-supported-configurations.md)

    +

    App-V 5.0 SP3 Supported Configurations

    Supported operating systems and hardware requirements for the App-V Server, Sequencer, and Client components

    -  + ## Migrating to App-V 5.0 SP3 @@ -101,11 +101,10 @@ Review the following information before you start the upgrade:
  • Connection groups

  • -Note   -

    To use the App-V client user interface, download the existing version from [Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/download/details.aspx?id=41186).

    +Note

    To use the App-V client user interface, download the existing version from Microsoft Application Virtualization 5.0 Client UI Application.

    -  +
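Review bot: In the `@@ -101,11 +101,10` hunk the rewritten Note loses its download link: the `-` line reads `download the existing version from [Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/download/details.aspx?id=41186)`, while the `+` line shows only the bare title, leaving the reader no URL to download from. The preceding `@@ -59,17 +59,17` hunk shows the same pattern for the Prerequisites and Supported Configurations rows (`[App-V 5.0 SP3 Prerequisites](app-v-50-sp3-prerequisites.md)` becomes plain text). Confirm these links are still present in the committed markdown before merging.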
    @@ -113,8 +112,8 @@ Review the following information before you start the upgrade:

    You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V 5.0 SP3.

    For more information, see:

    @@ -135,7 +134,7 @@ Review the following information before you start the upgrade: -  + ### Steps to upgrade the App-V infrastructure @@ -157,15 +156,14 @@ Complete the following steps to upgrade each component of the App-V infrastructu

    Step 1: Upgrade the App-V Server.

    If you are not using the App-V Server, skip this step and go to the next step.

    -Note   -

    The App-V 5.0 SP3 client is compatible with the App-V 5.0 SP1 Server.

    +Note

    The App-V 5.0 SP3 client is compatible with the App-V 5.0 SP1 Server.

    -  +

    Follow these steps:

      -
    1. Review the [Release Notes for App-V 5.0 SP3](release-notes-for-app-v-50-sp3.md) for issues that may affect the App-V Server installation.

    2. +
    3. Review the Release Notes for App-V 5.0 SP3 for issues that may affect the App-V Server installation.

    4. Do one of the following, depending on the method you are using to upgrade the Management database and/or Reporting database:
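Review bot: In the `@@ -157,15 +156,14` hunk the step `Review the Release Notes for App-V 5.0 SP3 for issues that may affect the App-V Server installation.` on the `+` side has no link where the `-` side had `[Release Notes for App-V 5.0 SP3](release-notes-for-app-v-50-sp3.md)`. The step is only actionable with that link, so confirm it survives in the raw file rather than only in this rendered view.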

      @@ -193,35 +191,35 @@ Complete the following steps to upgrade each component of the App-V infrastructu - + - +

      Management database

      To install or upgrade, see [SQL scripts to install or upgrade the App-V 5.0 SP3 Management Server database fail](https://support.microsoft.com/kb/3031340).

      To install or upgrade, see SQL scripts to install or upgrade the App-V 5.0 SP3 Management Server database fail.

      Reporting database

      Follow the steps in [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts.md).

      Follow the steps in How to Deploy the App-V Databases by Using SQL Scripts.

      -

       

      +

      -

       

    5. -
    6. If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](#bkmk-check-reg-key-svr).

    7. -
    8. Follow the steps in [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md).

    9. +

      +
    10. If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section Check registry keys after installing the App-V 5.0 SP3 Server.

    11. +
    12. Follow the steps in How to Deploy the App-V 5.0 Server.

    Step 2: Upgrade the App-V Sequencer.

    -

    See [How to Install the Sequencer](how-to-install-the-sequencer-beta-gb18030.md).

    +

    See How to Install the Sequencer.

    Step 3: Upgrade the App-V client or App-V RDS client.

    -

    See [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-gb18030.md).

    +

    See How to Deploy the App-V Client.

    -  + ### Check registry keys before installing the App-V 5.0 SP3 Server @@ -252,7 +250,7 @@ This is step 3 from the previous table. -  + **ManagementDatabase key** @@ -320,7 +318,7 @@ If you are installing the Management database, set these registry keys under `HK -  + **ManagementService key** @@ -355,7 +353,7 @@ If you are installing the Management server, set these registry keys under `HKLM -  + **ReportingDatabase key** @@ -423,7 +421,7 @@ If you are installing the Reporting database, set these registry keys under `HKL -  + **ReportingService key** @@ -454,7 +452,7 @@ If you are installing the Reporting server, set these registry keys under `HKLM\ -  + ## Manually created connection group xml file requires update to schema @@ -489,27 +487,27 @@ You can manage connection groups more easily by using optional packages and othe

    Including optional packages in a connection group enables you to dynamically determine which applications will be included in the connection group’s virtual environment, based on the applications that users are entitled to.

    You don’t need to manage as many connection groups because you can mix optional and non-optional packages in the same connection group. Mixing packages allows different groups of users to use the same connection group, even though users might have only one package in common.

    Example: You can enable a package with Microsoft Office for all users, but enable different optional packages, which contain different Office plug-ins, to different subsets of users.

    -

    [How to Use Optional Packages in Connection Groups](how-to-use-optional-packages-in-connection-groups.md#bkmk-apps-plugs-optional)

    +

    How to Use Optional Packages in Connection Groups

    Unpublish or delete an optional package without changing the connection group

    Unpublish or delete, or unpublish and republish an optional package, which is in a connection group, without having to disable or re-enable the connection group on the App-V client.

    -

    [How to Use Optional Packages in Connection Groups](how-to-use-optional-packages-in-connection-groups.md#bkmk-apps-plugs-optional)

    +

    How to Use Optional Packages in Connection Groups

    Publish connection groups that contain user-published and globally published packages

    Create a user-published connection group that contains user-published and globally published packages.

    -

    [How to Create a Connection Group with User-Published and Globally Published Packages](how-to-create-a-connection-group-with-user-published-and-globally-published-packages.md)

    +

    How to Create a Connection Group with User-Published and Globally Published Packages

    Make a connection group ignore the package version

    Configure a connection group to accept any version of a package, which enables you to upgrade a package without having to disable the connection group. In addition, if there is an optional package with an incorrect version in the connection group, the package is ignored and won’t block the connection group’s virtual environment from being created.

    -

    [How to Make a Connection Group Ignore the Package Version](how-to-make-a-connection-group-ignore-the-package-version.md)

    +

    How to Make a Connection Group Ignore the Package Version

    Limit end users’ publishing capabilities

    Enable only administrators (not end users) to publish packages and to enable connection groups.

    -

    For information about connection groups, see [How to Allow Only Administrators to Enable Connection Groups](how-to-allow-only-administrators-to-enable-connection-groups.md)

    +

    For information about connection groups, see How to Allow Only Administrators to Enable Connection Groups

    For information about packages, see the following articles:
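Review bot: In the `@@ -193,35 +191,35` hunk the `+` rows drop every target the `-` rows linked to: the Management database row loses `https://support.microsoft.com/kb/3031340`, the Reporting database row loses `how-to-deploy-the-app-v-databases-by-using-sql-scripts.md`, and the step `complete the steps in section Check registry keys after installing the App-V 5.0 SP3 Server` loses its in-page anchor `#bkmk-check-reg-key-svr`, so it no longer jumps to that section. The `@@ -489,27 +487,27` hunk shows the same for the `#bkmk-apps-plugs-optional` links. Confirm the committed markdown keeps these links; otherwise the upgrade table refers to topics and sections with no way to reach them.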

    @@ -525,19 +523,19 @@ You can manage connection groups more easily by using optional packages and othe - + - + - +

    Management console

    [How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md)

    How to Publish a Package by Using the Management Console

    PowerShell

    [How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md#bkmk-admin-only-posh-topic-cg)

    How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell

    Third-party electronic software delivery system

    [How to Enable Only Administrators to Publish Packages by Using an ESD](how-to-enable-only-administrators-to-publish-packages-by-using-an-esd.md)

    How to Enable Only Administrators to Publish Packages by Using an ESD

    -

     

    +

    Enable or disable a connection group for a specific user

    @@ -546,18 +544,18 @@ You can manage connection groups more easily by using optional packages and othe
  • Enable-AppVClientConnectionGroup

  • Disable-AppVClientConnectionGroup

  • -

    [How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md#bkmk-enable-cg-for-user-poshtopic)

    +

    How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell

    Merging identical package paths into one virtual directory in connection groups

    If two or more packages in a connection group contain identical directory paths, the paths are merged into a single virtual directory inside the connection group virtual environment.

    This merging of paths allows an application in one package to access files that are in a different package.

    -

    [About the Connection Group Virtual Environment](about-the-connection-group-virtual-environment.md#bkmk-merged-root-ve-exp)

    +

    About the Connection Group Virtual Environment

    -  + ## Administrators can publish and unpublish packages for a specific user @@ -591,7 +589,7 @@ Administrators can use the following cmdlets to publish or unpublish packages fo -  + ## Enable only administrators to publish and unpublish packages @@ -618,12 +616,12 @@ You can enable only administrators (not end users) to publish and unpublish pack

    PowerShell

    -

    [How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md#bkmk-admins-pub-pkgs)

    +

    How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell

    -  + ## RunVirtual registry key supports packages that are published to the user @@ -655,7 +653,7 @@ New Windows PowerShell cmdlets for the App-V Server have been added to help you

    Add-AppvServerConnectionGroupPackage

    -

    Appends a package to the end of a connection group's package list and enables you to configure the package as optional and/or with no version within the connection group.

    +

    Appends a package to the end of a connection group's package list and enables you to configure the package as optional and/or with no version within the connection group.

    Set-AppvServerConnectionGroupPackage

    @@ -668,7 +666,7 @@ New Windows PowerShell cmdlets for the App-V Server have been added to help you -  + ### Getting help for the PowerShell cmdlets @@ -719,16 +717,16 @@ Cmdlet help is available in the following formats: -

     

    +

    On TechNet as web pages

    -

    See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://technet.microsoft.com/library/dn520245.aspx).

    +

    See the App-V node under Microsoft Desktop Optimization Pack Automation with Windows PowerShell.

    -  + For more information, see [How to Load the PowerShell Cmdlets and Get Cmdlet Help](how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md). @@ -758,11 +756,10 @@ The primary virtual application directory (PVAD) is hidden in App-V 5.0 SP3, but
    1. In the Registry Editor, navigate to: HKLM\SOFTWARE\Microsoft\AppV\Sequencer\Compatibility

      -Note   -

      If the Compatability subkey doesn’t exist, you must create it.

      +Note

      If the Compatability subkey doesn’t exist, you must create it.

      -  +
    2. Create a DWORD Value named EnablePVADControl, and set the value to 1.

      A value of 0 means that PVAD is hidden.
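Review bot: In the `@@ -758,11 +756,10` hunk the rewritten Note keeps a misspelled key name: `If the Compatability subkey doesn’t exist, you must create it.` while step 1 gives the path `HKLM\SOFTWARE\Microsoft\AppV\Sequencer\Compatibility`. A reader following the Note would create a key whose name differs from the one in the path, and `EnablePVADControl` would land under the wrong key. Since the `+` line already rewrites this Note, spell it `Compatibility` to match the path.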

    3. @@ -771,7 +768,7 @@ The primary virtual application directory (PVAD) is hidden in App-V 5.0 SP3, but -  + **More about PVAD:** When you use the Sequencer to create a package, you can enter any installation path for the package. In past versions of App-V, you were required to specify the primary virtual application directory (PVAD) of the application as the path. PVAD is the directory to which you would typically install an application on your local computer if you weren’t using App-V. For example, if you were installing Office on a computer, the PVAD typically would be C:\\Program Files\\Microsoft Office\\. @@ -804,7 +801,7 @@ In App-V 5.0 SP3, you must provide the following values in the address when you -  + For syntax and examples of this query, see [Viewing App-V Server Publishing Metadata](viewing-app-v-server-publishing-metadata.md). @@ -832,9 +829,9 @@ App-V is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part [Release Notes for App-V 5.0 SP3](release-notes-for-app-v-50-sp3.md) -  - -  + + + diff --git a/mdop/appv-v5/about-app-v-50.md b/mdop/appv-v5/about-app-v-50.md index 7741f64825..3274f24d79 100644 --- a/mdop/appv-v5/about-app-v-50.md +++ b/mdop/appv-v5/about-app-v-50.md @@ -56,7 +56,7 @@ The following table displays some of the differences between App-V 4.6 and App-V -

      Must Use a dedicated drive letter (Q:\).

      +

      Must Use a dedicated drive letter (Q:</strong>).

      No dedicated drive letter required.
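Review bot: In the `@@ -56,7 +56,7` hunk the `+` cell reads `Must Use a dedicated drive letter (Q:</strong>).` where the `-` cell read `Must Use a dedicated drive letter (Q:\).`: the trailing backslash has become a stray `</strong>`, the same leak seen in the reporting topic's `@@ -270` hunk. Confirm the committed source still has `Q:\` and no unmatched HTML, since an unbalanced closing tag inside a table cell can corrupt rendering of the rest of the row.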

      @@ -69,7 +69,7 @@ The following table displays some of the differences between App-V 4.6 and App-V

      Dynamic Suite Composition enabled interaction with middleware applications.

      -

      Peer applications are shared using connection groups. For more information about connection groups see, [Managing Connection Groups](managing-connection-groups.md).

      +

      Peer applications are shared using connection groups. For more information about connection groups see, Managing Connection Groups.

      VDI/RDS environments required a read-only shared cache.

      @@ -86,7 +86,7 @@ The following table displays some of the differences between App-V 4.6 and App-V -  + ## How to Get MDOP Technologies @@ -103,9 +103,9 @@ App-V 5.0 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is p [Getting Started with App-V 5.0](getting-started-with-app-v-50--rtm.md) -  + -  + diff --git a/mdop/appv-v5/about-app-v-51-dynamic-configuration.md b/mdop/appv-v5/about-app-v-51-dynamic-configuration.md index f5af0a1482..52ce3487de 100644 --- a/mdop/appv-v5/about-app-v-51-dynamic-configuration.md +++ b/mdop/appv-v5/about-app-v-51-dynamic-configuration.md @@ -50,10 +50,10 @@ The **PackageId** is the same value as exists in the manifest file. The body of the dynamic user configuration file can include all the app extension points defined in the manifest file, as well as information to configure virtual applications. There are four subsections allowed in the body: -1. **[Applications](#applications)** -2. **[Subsystems](#subsystems)** -3. **[UserScripts](#userscripts)** -4. **[ManagingAuthority](#managingauthority)** +1. **[Applications](#applications)** +2. **[Subsystems](#subsystems)** +3. **[UserScripts](#userscripts)** +4. **[ManagingAuthority](#managingauthority)** #### Applications @@ -75,7 +75,6 @@ All app-extensions contained in the manifest file within a package have an Appli .. - ``` #### Subsystems @@ -94,7 +93,6 @@ AppExtensions and other subsystems arranged as subnodes. .. - ``` You can enable or disable each subsystem using the **Enabled** attribute. 
@@ -107,40 +105,37 @@ Extension subsystems can be enabled and disabled independently of the content. F _**Examples:**_ -- If you define this in either the user or deployment config file, the content in the manifest gets ignored. +- If you define this in either the user or deployment config file, the content in the manifest gets ignored. - ```XML + ```XML - + - + - ... + ... - + - + + ``` +- If you define only the following, the content in the manifest gets integrated during publishing. - ``` -- If you define only the following, the content in the manifest gets integrated during publishing. - - ```XML + ```XML - + + ``` - ``` +- If you define the following, all Shortcuts within the manifest still get ignored. In other words, no Shortcuts get integrated. -- If you define the following, all Shortcuts within the manifest still get ignored. In other words, no Shortcuts get integrated. + ```XML - ```XML + - + - - - - - ``` + + ``` _**Supported extension subsystems:**_ @@ -162,7 +157,7 @@ _**Supported extension subsystems:**_ [{PackageRoot}]\Contoso\ContosoApp.EXE - + [{Windows}]\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe @@ -176,7 +171,7 @@ _**Supported extension subsystems:**_ 0 1 - + [{PackageRoot}]\Contoso\ContosoApp.EXE @@ -186,7 +181,7 @@ _**Supported extension subsystems:**_ - + [{AppData}]\Microsoft\Contoso\Recent\Templates.LNK [{AppData}]\Microsoft\Templates @@ -214,7 +209,6 @@ _**Supported extension subsystems:**_ - ``` **File-Type Associates** extension subsystem associates file types with programs to open by default as well as set up the context menu. @@ -239,7 +233,7 @@ _**Supported extension subsystems:**_ contosowordpad.DocumentMacroEnabled.12 document - + application/vnd.ms-contosowordpad.document.macroEnabled.12 @@ -281,7 +275,7 @@ _**Supported extension subsystems:**_ contosowordpad.DocumentMacroEnabled.12 - + [{Windows}]\Installer\{90140000-0011-0000-0000-000000FF1CE}\contosowordpadicon.exe,15 Blah Blah Blah 
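Review bot: In the `@@ -281,7 +275,7` hunk the context line `[{Windows}]\Installer\{90140000-0011-0000-0000-000000FF1CE}\contosowordpadicon.exe,15` has an 11-character final GUID group, while the `@@ -162,7 +157,7` hunk above uses `{90140000-0011-0000-0000-0000000FF1CE}` (12 characters) for the same Installer folder. A GUID's last group is 12 hex digits, so the icon path as shown is malformed; while this hunk already touches the surrounding lines, align it with the 12-digit form used earlier.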
@@ -297,19 +291,19 @@ _**Supported extension subsystems:**_ Open - + {e56fa627-c35f-4a01-9e79-7d36aed8225a} Edit &Edit - + "[{PackageRoot}]\Contoso\WINcontosowordpad.EXE" /vu "%1" - + {e56fa627-c35f-4a01-9e79-7d36aed8225a} Open @@ -345,7 +339,6 @@ _**Supported extension subsystems:**_ - ``` **URL Protocols** extension subsystem controls the URL protocols integrated into the local registry of the client machine, for example, _mailto:_. @@ -435,7 +428,6 @@ _**Supported extension subsystems:**_ - ``` **Software Clients** extension subsystem allows the app to register as an email client, news reader, media player and makes the app visible in the Set program access and Computer defaults UI. In most cases, you should only need to enable and disable it. There is also a control to enable and disable the email client specifically if you want the other clients still enabled except for that client. @@ -447,7 +439,6 @@ _**Supported extension subsystems:**_ - ``` **AppPaths** extension subsystem opens apps registered with an application path. For example, if contoso.exe has an apppath name of _myapp_, users can type _myapp_ from the run menu, opening contoso.exe. @@ -481,19 +472,17 @@ _**Supported extension subsystems:**_ - ``` **COM** extensions subsystem allows an application registered to local COM servers. The mode can be: -- Integration -- Isolated -- Off +- Integration +- Isolated +- Off ```XML - ``` **Virtual Kernel Objects** @@ -501,7 +490,6 @@ _**Supported extension subsystems:**_ ```XML - ``` **Virtual Registry** sets a registry in the virtual registry within HKCU. @@ -525,7 +513,6 @@ _**Supported extension subsystems:**_ - ``` **Virtual File System** @@ -533,7 +520,6 @@ _**Supported extension subsystems:**_ ```XML - ``` **Virtual Fonts** @@ -541,7 +527,6 @@ _**Supported extension subsystems:**_ ```XML - ``` **Virtual Environment Variables** @@ -565,7 +550,6 @@ _**Supported extension subsystems:**_ - ``` **Virtual services** 
@@ -573,7 +557,6 @@ _**Supported extension subsystems:**_ ```XML - ``` #### UserScripts @@ -588,7 +571,6 @@ Use ManagingAuthority when two versions of your package co-exist on the same mac ```XML - ``` ## Deployment configuration file (DeploymentConfig.xml) @@ -643,7 +625,6 @@ The body of the dynamic deployment configuration file includes two sections: - ``` ### UserConfiguration @@ -654,10 +635,10 @@ Refer to [User configuration file contents (UserConfig.xml)](#user-configuration Use the MachineConfiguration section to configure information for an entire machine; not for a specific user on the computer. For example, HKEY_LOCAL_MACHINE registry keys in the virtual registry. There are four subsections allowed in under this element: -1. **[Subsystems](#subsystems-1)** -2. **[ProductSourceURLOptOut](#productsourceurloptout)** -3. **[MachineScripts](#machinescripts)** -4. **[TerminateChildProcess](#terminatechildprocess)** +1. **[Subsystems](#subsystems-1)** +2. **[ProductSourceURLOptOut](#productsourceurloptout)** +3. **[MachineScripts](#machinescripts)** +4. **[TerminateChildProcess](#terminatechildprocess)** #### Subsystems @@ -676,7 +657,6 @@ AppExtensions and other subsystems arranged as subnodes. … - ``` You can enable or disable each subsystem using the **Enabled** attribute. @@ -703,7 +683,7 @@ This extension also makes the virtual application visible in the Set default pro - + [{PackageRoot}]\LitView\LitViewBrowser.exe @@ -718,10 +698,10 @@ This extension also makes the virtual application visible in the Set default pro - + @[{ProgramFilesX86}]\LitView\LitViewBrowser.exe,-12345 - + @[{ProgramFilesX86}]\LitView\LitViewBrowser.exe,-12346 0 @@ -763,7 +743,6 @@ This extension also makes the virtual application visible in the Set default pro - ``` _**Supported extension subsystems:**_ @@ -789,7 +768,6 @@ _**Supported extension subsystems:**_ - ``` **Machine Wide Virtual Kernel Objects** 
@@ -805,7 +783,6 @@ _**Supported extension subsystems:**_ - ``` #### ProductSourceURLOptOut @@ -823,7 +800,6 @@ Use ProductSourceURLOptOut to indicate that the URL for the package can be modif ... - ``` #### MachineScripts @@ -855,7 +831,6 @@ An application executable can be specified, whose child processes get terminated ... - ``` @@ -890,11 +865,11 @@ ScriptRunner.exe application. The application then runs each script separately, along with the arguments that you specify for each script. Use only one script (ScriptRunner.exe) per trigger. ->[!NOTE] - ->We recommended that you run the multi-script line from a command prompt -first to make sure that all arguments are built correctly before adding them to -the deployment configuration file. +> [!NOTE] +> +> We recommended that you run the multi-script line from a command prompt +> first to make sure that all arguments are built correctly before adding them to +> the deployment configuration file. ### Example script and parameter descriptions @@ -926,9 +901,9 @@ Name of the event trigger for which you are running a script, such as adding a p The script launcher application that is installed as part of the App-V client installation. ->[!NOTE] - ->Although ScriptRunner.exe is installed as part of the App-V client, the location of the App-V client must be in %path% or ScriptRunner will not run. ScriptRunner.exe is typically located in the C:FilesApplication Virtualizationfolder. +> [!NOTE] +> +> Although ScriptRunner.exe is installed as part of the App-V client, the location of the App-V client must be in %path% or ScriptRunner will not run. ScriptRunner.exe is typically located in the C:FilesApplication Virtualizationfolder. #### \ diff --git a/mdop/appv-v5/about-app-v-51-reporting.md b/mdop/appv-v5/about-app-v-51-reporting.md index d169f6eb72..b667825ee9 100644 --- a/mdop/appv-v5/about-app-v-51-reporting.md +++ b/mdop/appv-v5/about-app-v-51-reporting.md 
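Review bot: in the -926,9 +901,9 hunk the install path in "ScriptRunner.exe is typically located in the C:FilesApplication Virtualizationfolder" is garbled in both the old and the new line (the backslashes and two directory names have been eaten, most likely by markdown escaping), so the reformat to "> [!NOTE]" preserves a sentence readers cannot act on; rewrite it with the full App-V client install path in inline code (backticks) so the backslashes survive rendering, and add the missing space before "folder".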
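Review bot: in the -890,11 +865,11 hunk the note text "We recommended that you run the multi-script line from a command prompt first" is being re-quoted line by line but keeps the wrong tense; since every line of the note is touched anyway, change it to "We recommend that you run ...".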
@@ -41,7 +41,7 @@ The following list displays the end–to-end high-level workflow for reporting i **Note**   If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1. -   + 4. After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting: @@ -60,9 +60,11 @@ The following list displays the end–to-end high-level workflow for reporting i **Note**   By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache. -   + - If the App-V 5.1 client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache. +~~~ +If the App-V 5.1 client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache. +~~~ ### App-V 5.1 reporting server frequently asked questions @@ -110,24 +112,23 @@ The following table displays answers to common questions about App-V 5.1 reporti
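Review bot: the -60,9 +60,11 hunk wraps the sentence "If the App-V 5.1 client device does not receive a success notification from the server, it retains data in the cache ..." in ~~~ fences, which turns explanatory prose into a code block; it belongs in the list as a normal paragraph, so drop the fences and indent the line to the list level (not by four or more spaces, which would make it an indented code block again).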

      Yes. Besides manually sending reporting using PowerShell Cmdlets (Send-AppvClientReport), the task can be scheduled so it will happen automatically. There are two ways to schedule the reporting:

      1. Using PowerShell cmdlets - Set-AppvClientConfiguration. For example:

        -

        Set-AppvClientConfiguration -ReportingEnabled 1 - ReportingServerURL http://any.com/appv-reporting

        +

        Set-AppvClientConfiguration -ReportingEnabled 1 - ReportingServerURL http://any.com/appv-reporting

        -

        For a complete list of client configuration settings see [About Client Configuration Settings](about-client-configuration-settings51.md) and look for the following entries: ReportingEnabled, ReportingServerURL, ReportingDataCacheLimit, ReportingDataBlockSize, ReportingStartTime, ReportingRandomDelay, ReportingInterval.

        +

        For a complete list of client configuration settings see About Client Configuration Settings and look for the following entries: ReportingEnabled, ReportingServerURL, ReportingDataCacheLimit, ReportingDataBlockSize, ReportingStartTime, ReportingRandomDelay, ReportingInterval.

      2. By using Group Policy. If distributed using the domain controller, the settings are the same as previously listed.

        -Note   -

        Group Policy settings override local settings configured using PowerShell.

        +Note

        Group Policy settings override local settings configured using PowerShell.

        -  +
      + -  ## App-V 5.1 Client Reporting @@ -138,10 +139,10 @@ To use App-V 5.1 reporting you must install and configure the App-V 5.1 client. The following examples show how PowerShell parameters can configure the reporting features of the App-V 5.1 client. -**Note**   +**Note** The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md). + -  **To enable reporting and to initiate data collection on the computer running the App-V 5.1 client**: @@ -155,7 +156,7 @@ Set-AppVClientConfiguration –ReportingServerURL http://MyReportingServer:MyPor `-ReportingInterval 1 -ReportingRandomDelay 30` -This example configures the client to automatically send the reporting data to the reporting server URL **http://MyReportingServer:MyPort/**. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session. +This example configures the client to automatically send the reporting data to the reporting server URL http://MyReportingServer:MyPort/. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session. **To limit the size of the data cache on the client**: @@ -224,8 +225,8 @@ The following table displays the types of information you can collect by using A + -  The client collects and saves this data in an **.xml** format. The data cache is hidden by default and requires administrator rights to open the XML file. @@ -270,20 +271,19 @@ You can also use the **Send-AppVClientReport** cmdlet to manually collect data.
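Review bot: in the -110,24 +112,23 hunk the example cmdlet "Set-AppvClientConfiguration -ReportingEnabled 1 - ReportingServerURL http://any.com/appv-reporting" keeps a space between the dash and ReportingServerURL in both the old and the new line, so PowerShell will not parse it as the -ReportingServerURL parameter; fix it while this cell is rewritten. The same hunk shows the sentence "For a complete list of client configuration settings see About Client Configuration Settings" without the [About Client Configuration Settings](about-client-configuration-settings51.md) link syntax of the old line; please confirm the target survives as an HTML anchor inside the table cell rather than being dropped.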

      If you have an existing App-V 5.1 reporting Server, create a customized scheduled task or script. Specify that the client send the data to the specified location with the desired frequency.

      If you do not have an existing App-V 5.1 reporting Server, use the –URL parameter to send the data to a specified share. For example:

      -

      Send-AppVClientReport –URL \\Myshare\MyData\ -DeleteOnSuccess

      -

      The previous example will send the reporting data to \\MyShare\MyData\ location indicated by the -URL parameter. After the data has been sent, the cache is cleared.

      +

      Send-AppVClientReport –URL \Myshare\MyData\ -DeleteOnSuccess

      +

      The previous example will send the reporting data to \MyShare\MyData</strong> location indicated by the -URL parameter. After the data has been sent, the cache is cleared.

      -Note   -

      If a location other than the Reporting Server is specified, the data is sent using .xml format with no additional processing.

      +Note

      If a location other than the Reporting Server is specified, the data is sent using .xml format with no additional processing.

      -  +
      -  + ### Creating Reports @@ -317,9 +317,9 @@ You should also ensure that the reporting server web service’s **Maximum Concu [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md) -  + -  + diff --git a/mdop/appv-v5/about-app-v-51.md b/mdop/appv-v5/about-app-v-51.md index 8479cbe469..dc68560972 100644 --- a/mdop/appv-v5/about-app-v-51.md +++ b/mdop/appv-v5/about-app-v-51.md @@ -55,17 +55,17 @@ See the following links for the App-V 5.1 software prerequisites and supported c -
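Review bot: in the -270,20 +271,19 hunk "Send-AppVClientReport –URL \\Myshare\MyData\ -DeleteOnSuccess" becomes "\Myshare\MyData\"; if this cell is raw HTML, as the td and strong tags around it suggest, markdown escapes do not apply there, the double backslash was the literal UNC prefix, and the new line now renders a share path with a single leading backslash. The following sentence "\MyShare\MyData</strong> location indicated by the -URL parameter" also shows a closing strong tag with no visible opener. Restore the "\\" prefix (inline code avoids the escaping question) and check the strong pairing.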

      [App-V 5.1 Prerequisites](app-v-51-prerequisites.md)

      +

      App-V 5.1 Prerequisites

      Prerequisite software that you must install before starting the App-V 5.1 installation

      -

      [App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md)

      +

      App-V 5.1 Supported Configurations

      Supported operating systems and hardware requirements for the App-V Server, Sequencer, and Client components

      -  + **Support for using Configuration Manager with App-V:** App-V 5.1 supports System Center 2012 R2 Configuration Manager SP1. See [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx) for information about integrating your App-V environment with Configuration Manager and Configuration Manager. @@ -98,19 +98,18 @@ Review the following information before you start the upgrade:
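Review bot: in the -55,17 +55,17 hunk the [App-V 5.1 Prerequisites](app-v-51-prerequisites.md) and [App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md) links show up as plain text in the + lines; since the paragraph above the table says "See the following links", please confirm they were converted to HTML anchors (which is what a markdown link inside an HTML table needs) and not removed.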
    4. App-V Client or App-V Remote Desktop Services (RDS) Client

    -Note   -

    Prior to App-V 5.0 SP2, the Client Management User Interface (UI) was provided with the App-V Client installation. For App-V 5.0 SP2 installations (or later), you can use the Client Management UI by downloading from [Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/download/details.aspx?id=41186).

    +Note

    Prior to App-V 5.0 SP2, the Client Management User Interface (UI) was provided with the App-V Client installation. For App-V 5.0 SP2 installations (or later), you can use the Client Management UI by downloading from Application Virtualization 5.0 Client UI Application.

    -  +

    Upgrading from App-V 4.x

    You must first upgrade to App-V 5.0. You cannot upgrade directly from App-V 4.x to App-V 5.1. For more information, see:
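Review bot: in the -98,19 +98,18 hunk the external download link [Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/download/details.aspx?id=41186) appears only as text in the + line, so the note "you can use the Client Management UI by downloading from ..." no longer tells the reader where to download from; keep the URL as an HTML anchor inside the cell.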

    @@ -129,7 +128,7 @@ Review the following information before you start the upgrade: -  + ### Steps to upgrade the App-V infrastructure @@ -150,11 +149,10 @@ Complete the following steps to upgrade each component of the App-V infrastructu

    Step 1: Upgrade the App-V Server.

    -Note   -

    If you are not using the App-V Server, skip this step and go to the next step.

    +Note

    If you are not using the App-V Server, skip this step and go to the next step.

    -  +

    Follow these steps:

      @@ -177,36 +175,36 @@ Complete the following steps to upgrade each component of the App-V infrastructu

      SQL scripts

      -

      Follow the steps in [How to Deploy the App-V Databases by Using SQL Scripts](how-to-deploy-the-app-v-databases-by-using-sql-scripts.md).

      +

      Follow the steps in How to Deploy the App-V Databases by Using SQL Scripts.

      -
    1. If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section [Check registry keys after installing the App-V 5.0 SP3 Server](check-reg-key-svr.md).

    2. -
    3. Follow the steps in [How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)

    4. -

       

      +
    5. If you are upgrading the App-V Server from App-V 5.0 SP1 Hotfix Package 3 or later, complete the steps in section Check registry keys after installing the App-V 5.0 SP3 Server.

    6. +
    7. Follow the steps in How to Deploy the App-V 5.1 Server

    8. +

    Step 2: Upgrade the App-V Sequencer.

    -

    See [How to Install the Sequencer](how-to-install-the-sequencer-beta-gb18030.md).

    +

    See How to Install the Sequencer.

    Step 3: Upgrade the App-V Client or App-V RDS Client.

    -

    See [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-gb18030.md).

    +

    See How to Deploy the App-V Client.

    -  + ### Converting packages created using a prior version of App-V Use the package converter utility to upgrade virtual application packages created using versions of App-V prior to App-V 5.0. The package converter uses PowerShell to convert packages and can help automate the process if you have many packages that require conversion. -**Note**   +**Note** App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no change in the package format between the versions and so there is no need to convert App-V 5.0 packages to App-V 5.1 packages. -  + ## What’s New in App-V 5.1 @@ -249,7 +247,7 @@ The following table lists the Windows 10 support for App-V. Windows 10 is not su -  + ### App-V Management Console Changes @@ -294,7 +292,7 @@ The Management Console UI no longer requires Silverlight. The 5.1 Management Con -  + ### Console pages are now separate URLs @@ -318,7 +316,7 @@ The Management Console UI no longer requires Silverlight. The 5.1 Management Con -  + ### New, separate CONNECTION GROUPS page and menu option @@ -341,7 +339,7 @@ The Management Console UI no longer requires Silverlight. The 5.1 Management Con -  + ### Menu options for packages have changed @@ -397,7 +395,7 @@ The Management Console UI no longer requires Silverlight. The 5.1 Management Con -  + ### Icons in left pane have new colors and text 
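Review bot: in the -177,36 +175,36 hunk the links to How to Deploy the App-V Databases by Using SQL Scripts, Check registry keys after installing the App-V 5.0 SP3 Server, How to Deploy the App-V 5.1 Server, How to Install the Sequencer and How to Deploy the App-V Client all lose their markdown link syntax in the + lines; every one of these steps says "Follow the steps in ..." or "See ...", so the targets must survive as HTML anchors inside the table, otherwise the upgrade procedure becomes dead ends. Please verify the rendered output.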
@@ -417,10 +415,10 @@ You can import and export the AppxManifest.xml file. To export the manifest file After you make your changes, click **Import...** and select the file you edited. After you successfully import it back in, the manifest file is immediately updated within the package editor. -**Caution**   +**Caution** When you import the file, your changes are validated against the XML schema. If the file is not valid, you will receive an error. Be aware that it is possible to import a file that is validated against the XML schema, but that might still fail to run for other reasons. -  + ### Addition of Windows 10 to operating systems list @@ -519,9 +517,9 @@ App-V is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part [Release Notes for App-V 5.1](release-notes-for-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/about-client-configuration-settings.md b/mdop/appv-v5/about-client-configuration-settings.md index b4e710eab0..160b670a59 100644 --- a/mdop/appv-v5/about-client-configuration-settings.md +++ b/mdop/appv-v5/about-client-configuration-settings.md @@ -127,153 +127,143 @@ The following table displays information about the App-V 5.0 client configuratio

    Name

    -Note   -

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    +Note

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    -  +

    PUBLISHINGSERVERNAME

    Displays the name of publishing server.

    String

    -

    Publishing\Servers\{serverId}\FriendlyName

    +

    Publishing\Servers{serverId}\FriendlyName

    Policy value not written (same as Not Configured)

    URL

    -Note   -

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    +Note

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    -  +

    PUBLISHINGSERVERURL

    Displays the URL of publishing server.

    String

    -

    Publishing\Servers\{serverId}\URL

    +

    Publishing\Servers{serverId}\URL

    Policy value not written (same as Not Configured)

    GlobalRefreshEnabled

    -Note   -

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    +Note

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    -  +

    GLOBALREFRESHENABLED

    Enables global publishing refresh (Boolean)

    True(enabled); False(Disabled state)

    -

    Publishing\Servers\{serverId}\GlobalEnabled

    +

    Publishing\Servers{serverId}\GlobalEnabled

    False

    GlobalRefreshOnLogon

    -Note   -

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    +Note

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    -  +

    GLOBALREFRESHONLOGON

    Triggers a global publishing refresh on logon. ( Boolean)

    True(enabled); False(Disabled state)

    -

    Publishing\Servers\{serverId}\GlobalLogonRefresh

    +

    Publishing\Servers{serverId}\GlobalLogonRefresh

    False

    GlobalRefreshInterval

    -Note   -

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    +Note

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    -  +
    -

    GLOBALREFRESHINTERVAL  

    +

    GLOBALREFRESHINTERVAL

    Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0.

    Integer (0-744

    -

    Publishing\Servers\{serverId}\GlobalPeriodicRefreshInterval

    +

    Publishing\Servers{serverId}\GlobalPeriodicRefreshInterval

    0

    GlobalRefreshIntervalUnit

    -Note   -

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    +Note

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    -  +

    GLOBALREFRESHINTERVALUNI

    -

    Specifies the interval unit (Hour 0-23, Day 0-31). 

    +

    Specifies the interval unit (Hour 0-23, Day 0-31).

    0 for hour, 1 for day

    -

    Publishing\Servers\{serverId}\GlobalPeriodicRefreshIntervalUnit

    +

    Publishing\Servers{serverId}\GlobalPeriodicRefreshIntervalUnit

    1

    UserRefreshEnabled

    -Note   -

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    +Note

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    -  +
    -

    USERREFRESHENABLED 

    +

    USERREFRESHENABLED

    Enables user publishing refresh (Boolean)

    True(enabled); False(Disabled state)

    -

    Publishing\Servers\{serverId}\UserEnabled

    +

    Publishing\Servers{serverId}\UserEnabled

    False

    UserRefreshOnLogon

    -Note   -

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    +Note

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    -  +

    USERREFRESHONLOGON

    Triggers a user publishing refresh onlogon. ( Boolean)

    Word count (with spaces): 60

    True(enabled); False(Disabled state)

    -

    Publishing\Servers\{serverId}\UserLogonRefresh

    +

    Publishing\Servers{serverId}\UserLogonRefresh

    False

    UserRefreshInterval

    -Note   -

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    +Note

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    -  +
    -

    USERREFRESHINTERVAL     

    +

    USERREFRESHINTERVAL

    Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0.

    Word count (with spaces): 85

    Integer (0-744 Hours)

    -

    Publishing\Servers\{serverId}\UserPeriodicRefreshInterval

    +

    Publishing\Servers{serverId}\UserPeriodicRefreshInterval

    0

    UserRefreshIntervalUnit

    -Note   -

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    +Note

    This setting cannot be modified using the set-AppvclientConfiguration cmdLet. You must use the Set-AppvPublishingServer cmdlet.

    -  +
    -

    USERREFRESHINTERVALUNIT  

    -

    Specifies the interval unit (Hour 0-23, Day 0-31). 

    +

    USERREFRESHINTERVALUNIT

    +

    Specifies the interval unit (Hour 0-23, Day 0-31).

    0 for hour, 1 for day

    -

    Publishing\Servers\{serverId}\UserPeriodicRefreshIntervalUnit

    +

    Publishing\Servers{serverId}\UserPeriodicRefreshIntervalUnit

    1
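Review bot: in the -127,153 +127,143 hunk every registry value path in the table loses the backslash in front of {serverId}: Publishing\Servers\{serverId}\FriendlyName becomes Publishing\Servers{serverId}\FriendlyName, and the same happens to the URL, GlobalEnabled, GlobalLogonRefresh, GlobalPeriodicRefreshInterval, GlobalPeriodicRefreshIntervalUnit, UserEnabled, UserLogonRefresh, UserPeriodicRefreshInterval and UserPeriodicRefreshIntervalUnit rows. The rendered text must keep the separator between Servers and {serverId}, so either keep "\{" where the cell is raw HTML or put the path in inline code. While the table is being touched: "Word count (with spaces): 60" and "Word count (with spaces): 85" are editorial residue sitting inside cells, "GLOBALREFRESHINTERVALUNI" is missing its final T, "Integer (0-744" lacks its closing parenthesis, and "onlogon" needs a space.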

    @@ -303,7 +293,7 @@ The following table displays information about the App-V 5.0 client configuratio

    RoamingFileExclusions

    ROAMINGFILEEXCLUSIONS

    -

    Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage:  /ROAMINGFILEEXCLUSIONS='desktop;my pictures'

    +

    Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /ROAMINGFILEEXCLUSIONS='desktop;my pictures'

    @@ -311,7 +301,7 @@ The following table displays information about the App-V 5.0 client configuratio

    RoamingRegistryExclusions

    ROAMINGREGISTRYEXCLUSIONS

    -

    Specifies the registry paths that do not roam with a user profile. Example usage: /ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients

    +

    Specifies the registry paths that do not roam with a user profile. Example usage: /ROAMINGREGISTRYEXCLUSIONS=software\classes;software\clients

    String

    Integration\RoamingReglstryExclusions

    Policy value not written (same as Not Configured)
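Review bot: in the -311,7 +301,7 hunk the context line "Integration\RoamingReglstryExclusions" spells the registry value with an l instead of an i (the setting is RoamingRegistryExclusions, as the row header above it shows); since the row is being edited anyway, fix it, because readers copy these paths into Group Policy and scripts.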

    @@ -337,7 +327,7 @@ The following table displays information about the App-V 5.0 client configuratio

    Not available.

    A comma -delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment.

    When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application that is associated with the extension point is locally installed. If the extension is located, the RunVirtual command line parameter will be added, and the application will run virtually.

    -

    For more information about the RunVirtual parameter, see [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md).

    +

    For more information about the RunVirtual parameter, see Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications.

    String

    Integration\VirtualizableExtensions

    Policy value not written

    @@ -379,11 +369,10 @@ The following table displays information about the App-V 5.0 client configuratio

    Not available.

    Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0-23 corresponding to the hour of the day. By default the ReportingStartTime will start on the current day at 10 P.M.or 22.

    -Note   -

    You should configure this setting to a time when computers running the App-V 5.0 client are least likely to be offline.

    +Note

    You should configure this setting to a time when computers running the App-V 5.0 client are least likely to be offline.

    -  +

    Integer (0 – 23)

    Reporting\ StartTime
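Review bot: in the -379,11 +369,10 hunk the context lines "at 10 P.M.or 22" and "Reporting\ StartTime" need attention while the note is reformatted: the first lacks a space before "or", and the second has a stray space inside the registry path.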

    @@ -408,11 +397,10 @@ The following table displays information about the App-V 5.0 client configuratio

    EnableDynamicVirtualization

    -Important   -

    This setting is available only with App-V 5.0 SP2 or later.

    +Important

    This setting is available only with App-V 5.0 SP2 or later.

    -  +

    Not available.

    Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications.

    @@ -423,11 +411,10 @@ The following table displays information about the App-V 5.0 client configuratio

    EnablePublishingRefreshUI

    -Important   -

    This setting is available only with App-V 5.0 SP2.

    +Important

    This setting is available only with App-V 5.0 SP2.

    -  +

    Not available.

    Enables the publishing refresh progress bar for the computer running the App-V 5.0 Client.

    @@ -438,11 +425,10 @@ The following table displays information about the App-V 5.0 client configuratio

    HideUI

    -Important   -

    This setting is available only with App-V 5.0 SP2.

    +Important

    This setting is available only with App-V 5.0 SP2.

    -  +

    Not available.

    Hides the publishing refresh progress bar.

    @@ -461,7 +447,7 @@ The following table displays information about the App-V 5.0 client configuratio -  + @@ -477,9 +463,9 @@ The following table displays information about the App-V 5.0 client configuratio [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-gb18030.md) -  - -  + + + diff --git a/mdop/appv-v5/about-the-connection-group-file.md b/mdop/appv-v5/about-the-connection-group-file.md index 8697d90f82..15f0f698a6 100644 --- a/mdop/appv-v5/about-the-connection-group-file.md +++ b/mdop/appv-v5/about-the-connection-group-file.md @@ -47,12 +47,12 @@ ms.date: 06/16/2016

    Example file path

    -

    %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\{6CCC7575-162E-4152-9407-ED411DA138F4}\{4D1E16E1-8EF8-41ED-92D5-8910A8527F96}.

    +

    %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups{6CCC7575-162E-4152-9407-ED411DA138F4}{4D1E16E1-8EF8-41ED-92D5-8910A8527F96}.

    -  + ## Structure of the connection group XML file @@ -87,7 +87,7 @@ The following table describes the parameters in the XML file that define the con
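Review bot: in the -47,12 +47,12 hunk the example file path %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\{6CCC7575-162E-4152-9407-ED411DA138F4}\{4D1E16E1-8EF8-41ED-92D5-8910A8527F96} loses both backslashes before the GUIDs, so the new line renders PackageGroups{...}{...} as one run-together name; keep the separators, for example by placing the path in inline code so no escaping is needed.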

    Schema name

    Name of the schema.

    Applicable starting in App-V 5.0 SP3: If you want to use the new “optional packages” and “use any version” features that are described in this table, you must specify the following schema in the XML file:

    -

    xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"

    +

    xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";

    AppConnectionGroupId
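Review bot: in the -87,7 +87,7 hunk the schema declaration gains a trailing semicolon, xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"; which is not valid inside an XML start tag and will be pasted verbatim into connection group files by readers following the "you must specify the following schema" instruction; drop the semicolon.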

    @@ -112,7 +112,7 @@ The following table describes the parameters in the XML file that define the con -  + ### Parameters that define the packages in the connection group @@ -146,12 +146,12 @@ In the <Packages> section of the connection group XML file, you list the m
  • “true” – package is optional in the connection group

  • “false” – package is required in the connection group

  • -

    See [How to Use Optional Packages in Connection Groups](how-to-use-optional-packages-in-connection-groups.md).

    +

    See How to Use Optional Packages in Connection Groups.

    -  + ### App-V 5.0 SP3 example connection group XML file @@ -179,7 +179,7 @@ You can use the connection group file to configure each connection group by usin **Note**   Priority is required only if the package is associated with more than one connection group. -   + - Specify package precedence within the connection group. @@ -274,7 +274,7 @@ The virtual application Microsoft Outlook is running in virtual environment **XY -  + @@ -286,9 +286,9 @@ The virtual application Microsoft Outlook is running in virtual environment **XY [Managing Connection Groups](managing-connection-groups.md) -  + -  + diff --git a/mdop/appv-v5/about-the-connection-group-file51.md b/mdop/appv-v5/about-the-connection-group-file51.md index 3261158e05..e7880a1b2d 100644 --- a/mdop/appv-v5/about-the-connection-group-file51.md +++ b/mdop/appv-v5/about-the-connection-group-file51.md @@ -47,12 +47,12 @@ ms.date: 06/16/2016

    Example file path

    -

    %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\{6CCC7575-162E-4152-9407-ED411DA138F4}\{4D1E16E1-8EF8-41ED-92D5-8910A8527F96}.

    +

    %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups{6CCC7575-162E-4152-9407-ED411DA138F4}{4D1E16E1-8EF8-41ED-92D5-8910A8527F96}.

    -  + ## Structure of the connection group XML file @@ -87,7 +87,7 @@ The following table describes the parameters in the XML file that define the con
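Review bot: in the -47,12 +47,12 hunk of about-the-connection-group-file51.md the example path %APPDATA%\Microsoft\AppV\Client\Catalog\PackageGroups\{6CCC7575-162E-4152-9407-ED411DA138F4}\{4D1E16E1-8EF8-41ED-92D5-8910A8527F96} loses the backslashes before both GUIDs in the + line, producing PackageGroups{...}{...}; keep the separators (inline code sidesteps the escaping).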

    Schema name

    Name of the schema.

    Applicable starting in App-V 5.0 SP3: If you want to use the new “optional packages” and “use any version” features that are described in this table, you must specify the following schema in the XML file:

    -

    xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"

    +

    xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";

    AppConnectionGroupId
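Review bot: in the -87,7 +87,7 hunk of about-the-connection-group-file51.md the xmlns attribute gains a trailing semicolon after the closing quote, which is invalid in an XML start tag and will break any connection group file a reader builds from this instruction; remove it.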

    @@ -112,7 +112,7 @@ The following table describes the parameters in the XML file that define the con -  + ### Parameters that define the packages in the connection group @@ -146,12 +146,12 @@ In the <Packages> section of the connection group XML file, you list the m
  • “true” – package is optional in the connection group

  • “false” – package is required in the connection group

  • -

    See [How to Use Optional Packages in Connection Groups](how-to-use-optional-packages-in-connection-groups51.md).

    +

    See How to Use Optional Packages in Connection Groups.

    -  + ### App-V example connection group XML file @@ -179,7 +179,7 @@ You can use the connection group file to configure each connection group by usin **Note**   Priority is required only if the package is associated with more than one connection group. -   + - Specify package precedence within the connection group. @@ -274,7 +274,7 @@ The virtual application Microsoft Outlook is running in virtual environment **XY -  + @@ -286,9 +286,9 @@ The virtual application Microsoft Outlook is running in virtual environment **XY [Managing Connection Groups](managing-connection-groups51.md) -  + -  + diff --git a/mdop/appv-v5/accessibility-for-app-v-50.md b/mdop/appv-v5/accessibility-for-app-v-50.md index 2e6d737671..212a97c555 100644 --- a/mdop/appv-v5/accessibility-for-app-v-50.md +++ b/mdop/appv-v5/accessibility-for-app-v-50.md @@ -25,7 +25,7 @@ Microsoft is committed to making its products and services easier for everyone t **Important**   The information in this section only applies to the App-V 5.0 sequencer. For specific information about the App-V 5.0 server, see the Keyboard Shortcuts for the App-V 5.0 Management Server section of this document. -  + Access keys let you quickly use a command by pressing a few keys. You can get to most commands by using two keystrokes. To use an access key: @@ -38,7 +38,7 @@ Access keys let you quickly use a command by pressing a few keys. You can get to **Note**   To cancel the action that you are taking and hide the keyboard shortcuts, press ALT. -  + ## Keyboard Shortcuts for the App-V 5.0 Management Server @@ -80,7 +80,7 @@ Keyboard Shortcuts for the App-V 5.0 Management Server: -  + ## Documentation in Alternative Formats @@ -114,13 +114,13 @@ For information about the availability of Microsoft product documentation and bo

    (609) 987-8116

    -

    [http://www.learningally.org/](https://go.microsoft.com/fwlink/?linkid=239)

    +

    http://www.learningally.org/

    Web addresses can change, so you might be unable to connect to the website or sites mentioned here.

    -  + ## Customer Service for People with Hearing Impairments @@ -143,9 +143,9 @@ For more information about how accessible technology for computers helps to impr [Getting Started with App-V 5.0](getting-started-with-app-v-50--rtm.md) -  + -  + diff --git a/mdop/appv-v5/accessibility-for-app-v-51.md b/mdop/appv-v5/accessibility-for-app-v-51.md index bcde953270..4203a2e9ff 100644 --- a/mdop/appv-v5/accessibility-for-app-v-51.md +++ b/mdop/appv-v5/accessibility-for-app-v-51.md @@ -51,7 +51,7 @@ Following are the keyboard Shortcuts for the App-V 5.1 Management Server: -  + ## Keyboard Shortcuts for the App-V 5.1 Sequencer @@ -81,14 +81,14 @@ Following are the keyboard shortcuts for the Virtual Registry tab in the package -  + ### Access Any Command with a Few Keystrokes **Important**   The information in this section only applies to the App-V 5.1 sequencer. For specific information about the App-V 5.1 server, see the Keyboard Shortcuts for the App-V 5.1 Management Server section of this document. -  + Access keys let you quickly use a command by pressing a few keys. You can get to most commands by using two keystrokes. To use an access key: @@ -101,7 +101,7 @@ Access keys let you quickly use a command by pressing a few keys. You can get to **Note**   To cancel the action that you are taking and hide the keyboard shortcuts, press ALT. -  + ## Documentation in Alternative Formats @@ -135,13 +135,13 @@ For information about the availability of Microsoft product documentation and bo

    (609) 987-8116

    -

    [http://www.learningally.org/](https://go.microsoft.com/fwlink/?linkid=239)

    +

    http://www.learningally.org/

    Web addresses can change, so you might be unable to connect to the website or sites mentioned here.

    -  + ## Customer Service for People with Hearing Impairments @@ -164,9 +164,9 @@ For more information about how accessible technology for computers helps to impr [Getting Started with App-V 5.1](getting-started-with-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/administering-app-v-51-by-using-powershell.md b/mdop/appv-v5/administering-app-v-51-by-using-powershell.md index 02dc48a963..f886b1e0a0 100644 --- a/mdop/appv-v5/administering-app-v-51-by-using-powershell.md +++ b/mdop/appv-v5/administering-app-v-51-by-using-powershell.md @@ -37,54 +37,54 @@ Use the following PowerShell procedures to perform various App-V 5.1 tasks. -

    [How to Load the PowerShell Cmdlets and Get Cmdlet Help](how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md)

    +

    How to Load the PowerShell Cmdlets and Get Cmdlet Help

    Describes how to install the PowerShell cmdlets and find cmdlet help and examples.

    -

    [How to Manage App-V 5.1 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md)

    +

    How to Manage App-V 5.1 Packages Running on a Stand-Alone Computer by Using PowerShell

    Describes how to manage the client package lifecycle on a stand-alone computer using PowerShell.

    -

    [How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md)

    +

    How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell

    Describes how to manage connection groups using PowerShell.

    -

    [How to Modify Client Configuration by Using PowerShell](how-to-modify-client-configuration-by-using-powershell51.md)

    +

    How to Modify Client Configuration by Using PowerShell

    Describes how to modify the client using PowerShell.

    -

    [How to Apply the User Configuration File by Using PowerShell](how-to-apply-the-user-configuration-file-by-using-powershell51.md)

    +

    How to Apply the User Configuration File by Using PowerShell

    Describes how to apply a user configuration file using PowerShell.

    -

    [How to Apply the Deployment Configuration File by Using PowerShell](how-to-apply-the-deployment-configuration-file-by-using-powershell51.md)

    +

    How to Apply the Deployment Configuration File by Using PowerShell

    Describes how to apply a deployment configuration file using PowerShell.

    -

    [How to Sequence a Package by Using PowerShell](how-to-sequence-a-package--by-using-powershell-51.md)

    +

    How to Sequence a Package by Using PowerShell

    Describes how to create a new package using PowerShell.

    -

    [How to Create a Package Accelerator by Using PowerShell](how-to-create-a-package-accelerator-by-using-powershell51.md)

    +

    How to Create a Package Accelerator by Using PowerShell

    Describes how to create a package accelerator using PowerShell. You can use package accelerators automatically sequence large, complex applications.

    -

    [How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md)

    +

    How to Enable Reporting on the App-V 5.1 Client by Using PowerShell

    Describes how to enable the computer running the App-V 5.1 to send reporting information.

    -

    [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md)

    +

    How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell

    Describes how to take an array of account names and to convert each of them to the corresponding SID in standard and hexadecimal formats.

    -  + **Important**   Make sure that any script you execute with your App-V packages matches the execution policy that you have configured for PowerShell. -  + ## PowerShell Error Handling @@ -121,7 +121,7 @@ Use the following table for information about App-V 5.1 PowerShell error handlin -  + @@ -133,9 +133,9 @@ Use the following table for information about App-V 5.1 PowerShell error handlin [Operations for App-V 5.1](operations-for-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/administering-app-v-51-virtual-applications-by-using-the-management-console.md b/mdop/appv-v5/administering-app-v-51-virtual-applications-by-using-the-management-console.md index 779a16968f..c7353edde7 100644 --- a/mdop/appv-v5/administering-app-v-51-virtual-applications-by-using-the-management-console.md +++ b/mdop/appv-v5/administering-app-v-51-virtual-applications-by-using-the-management-console.md @@ -89,12 +89,12 @@ The main elements of the App-V 5.1 Management Console are: -  + **Important**   JavaScript must be enabled on the browser that opens the Web Management Console. -  + @@ -108,9 +108,9 @@ JavaScript must be enabled on the browser that opens the Web Management Console. - [Operations for App-V 5.1](operations-for-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/administering-app-v-by-using-powershell.md b/mdop/appv-v5/administering-app-v-by-using-powershell.md index 8ad909ee12..bb48457dc6 100644 --- a/mdop/appv-v5/administering-app-v-by-using-powershell.md +++ b/mdop/appv-v5/administering-app-v-by-using-powershell.md @@ -37,49 +37,49 @@ Use the following PowerShell procedures to perform various App-V 5.0 tasks. -

    [How to Load the PowerShell Cmdlets and Get Cmdlet Help](how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md)

    +

    How to Load the PowerShell Cmdlets and Get Cmdlet Help

    Describes how to install the PowerShell cmdlets and find cmdlet help and examples.

    -

    [How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md)

    +

    How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell

    Describes how to manage the client package lifecycle on a stand-alone computer using PowerShell.

    -

    [How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell](how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell.md)

    +

    How to Manage Connection Groups on a Stand-alone Computer by Using PowerShell

    Describes how to manage connection groups using PowerShell.

    -

    [How to Modify Client Configuration by Using PowerShell](how-to-modify-client-configuration-by-using-powershell.md)

    +

    How to Modify Client Configuration by Using PowerShell

    Describes how to modify the client using PowerShell.

    -

    [How to Apply the User Configuration File by Using PowerShell](how-to-apply-the-user-configuration-file-by-using-powershell.md)

    +

    How to Apply the User Configuration File by Using PowerShell

    Describes how to apply a user configuration file using PowerShell.

    -

    [How to Apply the Deployment Configuration File by Using PowerShell](how-to-apply-the-deployment-configuration-file-by-using-powershell.md)

    +

    How to Apply the Deployment Configuration File by Using PowerShell

    Describes how to apply a deployment configuration file using PowerShell.

    -

    [How to Sequence a Package by Using PowerShell](how-to-sequence-a-package--by-using-powershell-50.md)

    +

    How to Sequence a Package by Using PowerShell

    Describes how to create a new package using PowerShell.

    -

    [How to Create a Package Accelerator by Using PowerShell](how-to-create-a-package-accelerator-by-using-powershell.md)

    +

    How to Create a Package Accelerator by Using PowerShell

    Describes how to create a package accelerator using PowerShell. You can use package accelerators automatically sequence large, complex applications.

    -

    [How to Enable Reporting on the App-V 5.0 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-50-client-by-using-powershell.md)

    +

    How to Enable Reporting on the App-V 5.0 Client by Using PowerShell

    Describes how to enable the computer running the App-V 5.0 to send reporting information.

    -

    [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell.md)

    +

    How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell

    Describes how to take an array of account names and to convert each of them to the corresponding SID in standard and hexadecimal formats.

    -  + ## PowerShell Error Handling @@ -116,7 +116,7 @@ Use the following table for information about App-V 5.0 PowerShell error handlin -  + @@ -128,9 +128,9 @@ Use the following table for information about App-V 5.0 PowerShell error handlin [Operations for App-V 5.0](operations-for-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/app-v-50-capacity-planning.md b/mdop/appv-v5/app-v-50-capacity-planning.md index 7e3145dd58..08dd56a49b 100644 --- a/mdop/appv-v5/app-v-50-capacity-planning.md +++ b/mdop/appv-v5/app-v-50-capacity-planning.md @@ -22,7 +22,7 @@ The following recommendations can be used as a baseline to help determine capaci **Important**   Use the information in this section only as a general guide for planning your App-V 5.0 deployment. Your system capacity requirements will depend on the specific details of your hardware and application environment. Additionally, the performance numbers displayed in this document are examples and your results may vary. -  + ## Determine the Project Scope @@ -52,7 +52,7 @@ Before you design the App-V 5.0 infrastructure, you must determine the project -  + ## Determine Which App-V 5.0 Infrastructure is Required 
@@ -62,7 +62,7 @@ Both of the following models require the App-V 5.0 client to be installed on the You can also manage your App-V 5.0 environment using an Electronic Software Distribution (ESD) solution such as Microsoft Systems Center Configuration Manager. For more information see [Deploying App-V 5.0 Packages by Using Electronic Software Distribution (ESD)](deploying-app-v-50-packages-by-using-electronic-software-distribution--esd-.md). -  + - **Standalone Model** - The standalone model allows virtual applications to be Windows Installer-enabled for distribution without streaming. App-V 5.0 in Standalone Mode consists of the sequencer and the client; no additional components are required. Applications are prepared for virtualization using a process called sequencing. For more information see, [Planning for the App-V 5.0 Sequencer and Client Deployment](planning-for-the-app-v-50-sequencer-and-client-deployment.md). The stand-alone model is recommended for the following scenarios: @@ -77,7 +77,7 @@ You can also manage your App-V 5.0 environment using an Electronic Software Dist **Important**   The App-V 5.0 full infrastructure model requires Microsoft SQL Server to store configuration data. For more information see [App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md). -   + - When you want to use the Management Server to publish the application to target computers. 
@@ -93,7 +93,7 @@ The following section provides information about end-to-end App-V 5.0 sizing and **Note**   Round trip response time on the client is the time taken by the computer running the App-V 5.0 client to receive a successful notification from the publishing server. Round trip response time on the publishing server is the time taken by the computer running the publishing server to receive a successful package metadata update from the management server. -  + - 20,000 clients can target a single publishing server to obtain the package refreshes in an acceptable round trip time. (<3 seconds) @@ -107,7 +107,7 @@ The App-V 5.0 publishing servers require the management server for package refre **Note**   The default refresh time on the App-V 5.0 publishing server is ten minutes. -  + When multiple simultaneous publishing servers contact a single management server for package metadata refreshes, the following three factors influence the round trip response time on the publishing server: @@ -122,7 +122,7 @@ The following table displays more information about each factor that impacts rou **Note**   Round trip response time is the time taken by the computer running the App-V 5.0 publishing server to receive a successful package metadata update from the management server. -  + @@ -166,7 +166,7 @@ Round trip response time is the time taken by the computer running the App-V 5.0
    -  + The following table displays sample values for each of the previous factors. In each variation, 120 packages are refreshed from the App-V 5.0management server. @@ -359,7 +359,7 @@ The following table displays sample values for each of the previous factors. In -  + The CPU utilization of the computer running the management server is around 25% irrespective of the number of publishing servers targeting it. The Microsoft SQL Server database transactions/sec, batch requests/sec and user connections are identical irrespective of the number of publishing servers. For example: Transactions/sec is ~30, batch requests ~200, and user connects ~6. @@ -460,7 +460,7 @@ Using a geographically distributed deployment, where the management server & pub -  + Whether the management server and publishing servers are connected over a slow link network, or a high speed network, the management server can handle approximately 15,000 package refresh requests in 30 minutes. @@ -472,7 +472,7 @@ App-V 5.0 clients send reporting data to the reporting server. The reporting ser **Note**   Round trip response time is the time taken by the computer running the App-V 5.0 client to send the reporting information to the reporting server and receive a successful notification from the reporting server. -  + @@ -518,7 +518,7 @@ Round trip response time is the time taken by the computer running the App-V 5.0
    -  + **Calculating random delay**: @@ -542,7 +542,7 @@ The following list displays the main factors to consider when setting up the App - The available network bandwidth in your environment between the client and the App-V 5.0 publishing server. -  + @@ -585,12 +585,12 @@ The following list displays the main factors to consider when setting up the App
    -  + **Note**   The publishing server CPU usage is always high during the time interval when it has to process simultaneous requests (>90% in most cases). The publishing server can handle ~1500 client requests in 1 second. -  + @@ -732,7 +732,7 @@ The publishing server CPU usage is always high during the time interval when it
    -  + ## App-V 5.0 Streaming Capacity Planning Recommendations @@ -748,7 +748,7 @@ The following list identifies the main factors to consider when setting up the A - The available network bandwidth in your environment between the client and the streaming server. -  + @@ -788,7 +788,7 @@ The following list identifies the main factors to consider when setting up the A
    -  + The following table displays sample values for each of the factors in the previous list: @@ -917,14 +917,14 @@ The following table displays sample values for each of the factors in the previo -  + Each App-V 5.0 streaming server should be able to handle a minimum of 200 clients concurrently streaming virtualized applications. **Note**   The actual time to it will take to stream is determined primarily by the number of clients streaming simultaneously, number of packages, package size, the server’s network activity, and network conditions. -  + For example, an average user can stream a 100 MB package in less than 2 minutes, when 100 simultaneous clients are streaming from the server. However, a package of size 1 GB could take up to 30 minutes. In most real world environments streaming demand is not uniformly distributed, you will need to understand the approximate peak streaming requirements present in your environment in order to properly size the number of required streaming servers. @@ -953,9 +953,9 @@ Although there are a number of fault-tolerance strategies and technologies avail [Planning to Deploy App-V](planning-to-deploy-app-v.md) -  + -  + diff --git a/mdop/appv-v5/app-v-50-deployment-checklist.md b/mdop/appv-v5/app-v-50-deployment-checklist.md index 66951808f4..7c93ec0b2e 100644 --- a/mdop/appv-v5/app-v-50-deployment-checklist.md +++ b/mdop/appv-v5/app-v-50-deployment-checklist.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 This checklist can be used to help you during Microsoft Application Virtualization (App-V) 5.0 deployment. -**Note**   +**Note** This checklist outlines the recommended steps and a high-level list of items to consider when deploying App-V 5.0 features. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -43,37 +43,36 @@ This checklist outlines the recommended steps and a high-level list of items to - + - +
    Checklist box

    Complete the planning phase to prepare the computing environment for App-V 5.0 deployment.

    [App-V 5.0 Planning Checklist](app-v-50-planning-checklist.md)

    App-V 5.0 Planning Checklist

    Checklist box

    Review the App-V 5.0 supported configurations information to make sure selected client and server computers are supported for App-V 5.0 feature installation.

    [App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md)

    App-V 5.0 Supported Configurations

    Checklist box

    Run App-V 5.0 Setup to deploy the required App-V 5.0 features for your environment.

    -Note   -

    Keep track of the names of the servers and associated URL’s created during installation. This information will be used throughout the installation process.

    +Note

    Keep track of the names of the servers and associated URL’s created during installation. This information will be used throughout the installation process.

    -  +

    -  + @@ -85,9 +84,9 @@ This checklist outlines the recommended steps and a high-level list of items to [Deploying App-V 5.0](deploying-app-v-50.md) -  - -  + + + diff --git a/mdop/appv-v5/app-v-50-planning-checklist.md b/mdop/appv-v5/app-v-50-planning-checklist.md index fdf893496a..30a1d1f33e 100644 --- a/mdop/appv-v5/app-v-50-planning-checklist.md +++ b/mdop/appv-v5/app-v-50-planning-checklist.md @@ -22,7 +22,7 @@ This checklist can be used to help you plan for preparing your computing environ **Note**   This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.0 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -43,43 +43,43 @@ This checklist outlines the recommended steps and a high-level list of items to - + - + - + - + - + - +
    Checklist box

    Review the getting started information about App-V 5.0 to gain a basic understanding of the product before beginning deployment planning.

    [Getting Started with App-V 5.0](getting-started-with-app-v-50--rtm.md)

    Getting Started with App-V 5.0

    Checklist box

    Plan for App-V 5.0 1.0 Deployment Prerequisites and prepare your computing environment.

    [App-V 5.0 Prerequisites](app-v-50-prerequisites.md)

    App-V 5.0 Prerequisites

    Checklist box

    If you plan to use the App-V 5.0 management server, plan for the required roles.

    [Planning for the App-V 5.0 Server Deployment](planning-for-the-app-v-50-server-deployment.md)

    Planning for the App-V 5.0 Server Deployment

    Checklist box

    Plan for the App-V 5.0 sequencer and client so you to create and run virtualized applications.

    [Planning for the App-V 5.0 Sequencer and Client Deployment](planning-for-the-app-v-50-sequencer-and-client-deployment.md)

    Planning for the App-V 5.0 Sequencer and Client Deployment

    Checklist box

    If applicable, review the options and steps for migrating from a previous version of App-V.

    [Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v.md)

    Planning for Migrating from a Previous Version of App-V

    Checklist box

    Plan for running App-V 5.0 clients using in shared content store mode.

    [How to Install the App-V 5.0 Client for Shared Content Store Mode](how-to-install-the-app-v-50-client-for-shared-content-store-mode.md)

    How to Install the App-V 5.0 Client for Shared Content Store Mode

    -  + @@ -91,9 +91,9 @@ This checklist outlines the recommended steps and a high-level list of items to [Planning for App-V 5.0](planning-for-app-v-50-rc.md) -  + -  + diff --git a/mdop/appv-v5/app-v-50-prerequisites.md b/mdop/appv-v5/app-v-50-prerequisites.md index 369819039b..2ec3a98531 100644 --- a/mdop/appv-v5/app-v-50-prerequisites.md +++ b/mdop/appv-v5/app-v-50-prerequisites.md @@ -19,7 +19,7 @@ ms.date: 08/30/2016 Before you begin the Microsoft Application Virtualization (App-V) 5.0 Setup, you should make sure that you have met the prerequisites to install the product. This topic contains information to help you successfully plan for preparing your computing environment before you deploy the App-V 5.0 features. -**Important**   +**Important** **The prerequisites in this article apply only to App-V 5.0**. For additional prerequisites that apply to App-V 5.0 Service Packs, see the following web pages: - [What's new in App-V 5.0 SP1](whats-new-in-app-v-50-sp1.md) @@ -28,7 +28,7 @@ Before you begin the Microsoft Application Virtualization (App-V) 5.0 Setup, you - [App-V 5.0 SP3 Prerequisites](app-v-50-sp3-prerequisites.md) -  + The following table lists prerequisite information that pertains to specific operating systems. @@ -53,7 +53,7 @@ The following table lists prerequisite information that pertains to specific ope

    The following prerequisites are already installed:

    • Microsoft .NET Framework 4.5 – you do not need Microsoft .NET Framework 4

    • -
    • Windows PowerShell 3.0

    • +
    • Windows PowerShell 3.0

    @@ -63,21 +63,21 @@ The following table lists prerequisite information that pertains to specific ope
  • Windows Server 2008

  • You may want to download the following KB:

    -

    [Microsoft Security Advisory: Insecure library loading could allow remote code execution](https://support.microsoft.com/kb/2533623)

    +

    Microsoft Security Advisory: Insecure library loading could allow remote code execution

    Be sure to check for subsequent KBs that have superseded this one, and note that some KBs may require that you uninstall previous updates.

    -  + ## Installation prerequisites for App-V 5.0 -**Note**   -The following prerequisites are already installed for computers that run Windows 8. +**Note** +The following prerequisites are already installed for computers that run Windows 8. + -  Each of the App-V 5.0 features have specific prerequisites that must be met before the App-V 5.0 features can be successfully installed. @@ -100,48 +100,46 @@ The following table lists the installation prerequisites for the App-V 5.0 clien

    Software requirements

    -  + ### Prerequisites for the App-V 5.0 Remote Desktop Services client -**Note**   -The following prerequisites are already installed for computers that run Windows Server 2012. +**Note** +The following prerequisites are already installed for computers that run Windows Server 2012. + -  The following table lists the installation prerequisites for the App-V 5.0 Remote Desktop Services client: @@ -160,55 +158,53 @@ The following table lists the installation prerequisites for the App-V 5.0 Remot

    Software requirements

    -  + ### Prerequisites for the App-V 5.0 Sequencer -**Note**   -The following prerequisites are already installed for computers that run Windows 8 and Windows Server 2012. +**Note** +The following prerequisites are already installed for computers that run Windows 8 and Windows Server 2012. + -  The following table lists the installation prerequisites for the App-V 5.0 Sequencer. If possible, the computer that runs the Sequencer should have the same hardware and software configurations as the computers that will run the virtual applications. -**Note**   +**Note** If the system requirements of a locally installed application exceed the requirements of the Sequencer, you must meet the requirements of that application. Additionally, because the sequencing process is system resource-intensive, we recommend that the computer that runs the Sequencer has plenty of memory, a fast processor, and a fast hard drive. For more information see [App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md). -  + @@ -225,62 +221,61 @@ If the system requirements of a locally installed application exceed the require

    Software requirements

    -  + ### Prerequisites for the App-V 5.0 server -**Note**   -The following prerequisites are already installed for computers that run Windows Server 2012: +**Note** +The following prerequisites are already installed for computers that run Windows Server 2012: - Microsoft .NET Framework 4.5. This eliminates the Microsoft .NET Framework 4 requirement. -- Windows PowerShell 3.0 +- Windows PowerShell 3.0 - Download and install [KB2533623](https://support.microsoft.com/kb/2533623) (http://support.microsoft.com/kb/2533623) - **Important**   + **Important** You can still download install the previous KB. However, it may have been replaced with a more recent version. -   -  + + The following table lists the installation prerequisites for the App-V 5.0 server. The account that you use to install the server components must have administrative rights on the computer that you are installing on. This account must also have the ability to query Active Directory Directory Services. Before you install and configure the App-V 5.0 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to the specified ports. -**Note**   +**Note** Web Distributed Authoring and Versioning (WebDAV) is automatically disabled for the Management Service. -  + The App-V 5.0 server is supported for a standalone deployment, where all the components are deployed on the same server, and a distributed deployment. Depending on the topology that you use to deploy the App-V 5.0 server, the data that you will need for each component will slightly change. -**Important**   +**Important** The installation of the App-V 5.0 server on a computer that runs any previous version or component of App-V is not supported. Additionally, the installation of the server components on a computer that runs Server Core or a Domain Controller is also not supported. -  + 
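Review bot: style points in the server-prerequisites hunk (`@@ -225,62 +221,61 @@`). The `**Important**` line is being rewritten, but the sentence directly under it, "You can still download install the previous KB. However, it may have been replaced with a more recent version.", is missing "and" ("download and install"); fix it in the same change. In the same hunk, "This account must also have the ability to query Active Directory Directory Services." duplicates "Directory"; the expansion used elsewhere in this file is AD DS ("You must specify an AD DS group"), so "Active Directory Domain Services (AD DS)" would be consistent.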
@@ -297,27 +292,25 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve @@ -423,7 +412,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve

    Management Server

    The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 management server.

    @@ -326,11 +319,10 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
  • Location of the App-V 5.0 management database - SQL Server Name, SQL Instance Name, Database Name.

  • Access rights for the App-V 5.0 management console - This is the user or the group that should be granted access to the management console at the end of the deployment. After the deployment, only these users will have access to the management console until additional administrators are added through the management console.

    -Note   -

    Security groups and single users are not supported. You must specify an AD DS group.

    +Note

    Security groups and single users are not supported. You must specify an AD DS group.

    -  +
  • App-V 5.0 management service website name – specify a name for the website or use the default name.

  • App-V 5.0 management service port binding - this should be a unique port number that is not used by another website on the computer.

  • @@ -341,15 +333,14 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve

    Management Database

    -Note   -

    The database is required only when using the App-V 5.0 management server.

    +Note

    The database is required only when using the App-V 5.0 management server.

    -  +

    The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 management database.

      @@ -358,20 +349,19 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
    • Custom App-V 5.0 database name (if applicable) – you must specify a unique database name. The default value for the management database is AppVManagement.

    • App-V 5.0 management server location – specifies the machine account on which the management server is deployed. This should be specified in the following format Domain\MachineAccount.

    • App-V 5.0 management server installation administrator - specifies the account that will be used to install the App-V 5.0 management server. You should use the following format: Domain\AdministratorLoginName.

    • -
    • Microsoft SQL Server Service Agent - configure the computer running the App-V 5.0 Management Database so that Microsoft SQL Server Agent service is restarted automatically. For more information see [Configure SQL Server Agent to Restart Services Automatically](https://go.microsoft.com/fwlink/?LinkId=273725) (https://go.microsoft.com/fwlink/?LinkId=273725).

    • +
    • Microsoft SQL Server Service Agent - configure the computer running the App-V 5.0 Management Database so that Microsoft SQL Server Agent service is restarted automatically. For more information see Configure SQL Server Agent to Restart Services Automatically (https://go.microsoft.com/fwlink/?LinkId=273725).

    Reporting Server

      -
    • [Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718) (http://www.microsoft.com/download/details.aspx?id=17718)

    • -
    • [Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)(https://go.microsoft.com/fwlink/?LinkId=267110)

    • +
    • Microsoft .NET Framework 4 (Full Package) (http://www.microsoft.com/download/details.aspx?id=17718)

    • +
    • Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)(https://go.microsoft.com/fwlink/?LinkId=267110)

    • -Note   -

      To help reduce the risk of unwanted or malicious data being sent to the reporting server, you should restrict access to the Reporting Web Service per your corporate security policy.

      +Note

      To help reduce the risk of unwanted or malicious data being sent to the reporting server, you should restrict access to the Reporting Web Service per your corporate security policy.

      -  +

      Windows Web Server with the IIS role with the following features: Common HTTP Features (static content and default document), Application Development (ASP.NET, .NET Extensibility, ISAPI Extensions and ISAPI Filters), Security (Windows Authentication, Request Filtering), Security (Windows Authentication, Request Filtering), Management Tools (IIS Management Console)

    • 64-bit ASP.NET registration
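Review bot: the `+` lines in this hunk drop the hyperlink markup that their matching `-` lines carry: `[Configure SQL Server Agent to Restart Services Automatically](https://go.microsoft.com/fwlink/?LinkId=273725)` becomes bare text, and the `[Microsoft .NET Framework 4 (Full Package)](...)` and `[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](...)` prerequisite entries lose their links the same way. For a whitespace-only sweep the `+` side should differ from the `-` side only in trailing spaces and non-breaking spaces, so please confirm the source still renders these entries as links; a prerequisites page whose download entries no longer link anywhere is a regression readers will notice. The same pattern recurs in the later App-V 5.0 SP3 prerequisite hunks of this patch (the .NET Framework 4.5.1, Windows PowerShell 3.0, KB2533623 and Visual C++ 2013 entries). Separately, the unchanged IIS feature list for the reporting server repeats "Security (Windows Authentication, Request Filtering)" twice; since this sweep already touches the surrounding lines, dropping the duplicate here would be cheap.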

    • @@ -384,15 +374,14 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve

    Reporting Database

    -Note   -

    The database is required only when using the App-V 5.0 reporting server.

    +Note

    The database is required only when using the App-V 5.0 reporting server.

    -  +

    The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 reporting database.

      @@ -407,15 +396,15 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve

    Publishing Server

    The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 publishing server.

    • Installation location - by default this component is installed to %PROGRAMFILES%\Microsoft Application Virtualization Server.

    • -
    • App-V 5.0 management service URL – specifies the URL of the App-V 5.0 management service. This is the port that the publishing server communicates with, and it should be specified using the following format: http://localhost:12345.

    • +
    • App-V 5.0 management service URL – specifies the URL of the App-V 5.0 management service. This is the port that the publishing server communicates with, and it should be specified using the following format: http://localhost:12345.

    • App-V 5.0 publishing service website name – specifies the name of the website or the default name that will be used.

    • App-V 5.0 publishing service port binding - This should be a unique port number that is not already used by another website that runs on the computer.

    -  + @@ -437,9 +426,9 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve [App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md) -  - -  + + + diff --git a/mdop/appv-v5/app-v-50-security-considerations.md b/mdop/appv-v5/app-v-50-security-considerations.md index 1d1ed5cebd..851f1204db 100644 --- a/mdop/appv-v5/app-v-50-security-considerations.md +++ b/mdop/appv-v5/app-v-50-security-considerations.md @@ -19,10 +19,10 @@ ms.date: 08/30/2016 This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for App-V 5.0. -**Important**   +**Important** App-V 5.0 is not a security product and does not provide any guarantees for a secure environment. -  + ## PackageStoreAccessControl (PSAC) feature has been deprecated @@ -45,14 +45,14 @@ Effective as of June, 2014, the PackageStoreAccessControl (PSAC) feature that wa A best practice for user account management is to create domain global groups and add user accounts to them. Then, add the domain global accounts to the necessary App-V 5.0 local groups on the App-V 5.0 servers. -**Note**   +**Note** App-V client computer accounts that need to connect to the publishing server must be part of the publishing server’s **Users** local group. By default, all computers in the domain are part of the **Authorized Users** group, which is part of the **Users** local group. -  + ### App-V 5.0 server security -No groups are created automatically during App-V 5.0 Setup. You should create the following Active Directory Domain Services global groups to manage App-V 5.0 server operations. +No groups are created automatically during App-V 5.0 Setup. You should create the following Active Directory Domain Services global groups to manage App-V 5.0 server operations. @@ -70,11 +70,10 @@ No groups are created automatically during App-V 5.0 Setup. You should create th 
@@ -84,38 +83,36 @@ No groups are created automatically during App-V 5.0 Setup. You should create th

    App-V Management Admin group

    Used to manage the App-V 5.0 management server. This group is created during the App-V 5.0 Management Server installation.

    -Important   -

    There is no method to create the group using the management console after you have completed the installation.

    +Important

    There is no method to create the group using the management console after you have completed the installation.

    -  +

    App-V Management Service install admin account

    -Note   -

    This is only required if management database is being installed separately from the service.

    +Note

    This is only required if management database is being installed separately from the service.

    -  +

    Provides public access to schema-version table in management database. This account should be created during the App-V 5.0 management database installation.

    App-V Reporting Service install admin account

    -Note   -

    This is only required if reporting database is being installed separately from the service.

    +Note

    This is only required if reporting database is being installed separately from the service.

    -  +

    Public access to schema-version table in reporting database. This account should be created during the App-V 5.0 reporting database installation.

    -  + Consider the following additional information: - Access to the package shares - If a share exists on the same computer as the management Server, the **Network** service requires read access to the share. In addition, each App-V client computer must have read access to the package share. - **Note**   + **Note** In previous versions of App-V, package share was referred to as content share. -   + - Registering publishing servers with Management Server - A publishing server must be registered with the Management server. For example, it must be added to the database, so that the Publishing server machine accounts are able to call into the Management service API. @@ -153,9 +150,9 @@ During App-V 5.0 Setup, setup log files are created in the **%temp%** folder of -  - -  + + + diff --git a/mdop/appv-v5/app-v-50-sp3-prerequisites.md b/mdop/appv-v5/app-v-50-sp3-prerequisites.md index 7cb8c9b98f..c8c4111e86 100644 --- a/mdop/appv-v5/app-v-50-sp3-prerequisites.md +++ b/mdop/appv-v5/app-v-50-sp3-prerequisites.md @@ -48,13 +48,12 @@ The following table indicates the software that is already installed for differe

    The following prerequisite software is already installed:

    • Microsoft .NET Framework 4.5

    • -
    • Windows PowerShell 3.0

      +
    • Windows PowerShell 3.0

      -Note   -

      Installing PowerShell 3.0 requires a restart.

      +Note

      Installing PowerShell 3.0 requires a restart.

      -  +
    @@ -65,7 +64,7 @@ The following table indicates the software that is already installed for differe -  + ## App-V Server prerequisite software @@ -117,7 +116,7 @@ Install the required prerequisite software for the App-V 5.0 SP3 Server componen -  + ### Management server prerequisite software @@ -135,22 +134,22 @@ Install the required prerequisite software for the App-V 5.0 SP3 Server componen

    Supported version of SQL Server

    -

    For supported versions, see [App-V 5.0 SP3 Supported Configurations](app-v-50-sp3-supported-configurations.md).

    +

    For supported versions, see App-V 5.0 SP3 Supported Configurations.

    -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

    -

    Installing PowerShell 3.0 requires a restart.

    +

    Windows PowerShell 3.0

    +

    Installing PowerShell 3.0 requires a restart.

    -

    Download and install [KB2533623](https://support.microsoft.com/kb/2533623)

    +

    Download and install KB2533623

    Applies to Windows 7 only.

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    @@ -216,7 +215,7 @@ Install the required prerequisite software for the App-V 5.0 SP3 Server componen -  + ### Management server database prerequisite software @@ -235,11 +234,11 @@ The Management database is required only if you are using the App-V 5.0 SP3 Mana -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    @@ -269,12 +268,12 @@ The Management database is required only if you are using the App-V 5.0 SP3 Mana

    Microsoft SQL Server Service Agent

    -

    Configure the Management database computer so that the Microsoft SQL Server Agent service is restarted automatically. For instructions, see [Configure SQL Server Agent to Restart Services Automatically](https://technet.microsoft.com/magazine/gg313742.aspx).

    +

    Configure the Management database computer so that the Microsoft SQL Server Agent service is restarted automatically. For instructions, see Configure SQL Server Agent to Restart Services Automatically.

    -  + ### Publishing server prerequisite software @@ -291,11 +290,11 @@ The Management database is required only if you are using the App-V 5.0 SP3 Mana -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    @@ -355,15 +354,15 @@ The Management database is required only if you are using the App-V 5.0 SP3 Mana

    Management server and Publishing server are installed on the same server

    -

    http://localhost:12345

    +

    http://localhost:12345

    Management server and Publishing server are installed on different servers

    -

    http://MyAppvServer.MyDomain.com

    +

    http://MyAppvServer.MyDomain.com

    -

     

    +

    @@ -377,7 +376,7 @@ The Management database is required only if you are using the App-V 5.0 SP3 Mana -  + ### Reporting server prerequisite software @@ -395,14 +394,14 @@ The Management database is required only if you are using the App-V 5.0 SP3 Mana

    Supported version of SQL Server

    -

    For supported versions, see [App-V 5.0 SP3 Supported Configurations](app-v-50-sp3-supported-configurations.md).

    +

    For supported versions, see App-V 5.0 SP3 Supported Configurations.

    -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    @@ -457,7 +456,7 @@ The Management database is required only if you are using the App-V 5.0 SP3 Mana -  + ### Reporting database prerequisite software @@ -476,11 +475,11 @@ The Reporting database is required only if you are using the App-V 5.0 SP3 Repor -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    @@ -515,7 +514,7 @@ The Reporting database is required only if you are using the App-V 5.0 SP3 Repor -  + ## App-V client prerequisite software @@ -535,26 +534,26 @@ Install the following prerequisite software for the App-V client. -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

    +

    Windows PowerShell 3.0

    -

    Installing PowerShell 3.0 requires a restart.

    +

    Installing PowerShell 3.0 requires a restart.

    -

    [KB2533623](https://support.microsoft.com/kb/2533623)

    +

    KB2533623

    Applies to Windows 7 only: Download and install the KB.

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    -  + ## Remote Desktop Services client prerequisite software @@ -574,26 +573,26 @@ Install the following prerequisite software for the App-V Remote Desktop Service -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

    +

    Windows PowerShell 3.0

    -

    Installing PowerShell 3.0 requires a restart.

    +

    Installing PowerShell 3.0 requires a restart.

    -

    [KB2533623](https://support.microsoft.com/kb/2533623)

    +

    KB2533623

    Applies to Windows 7 only: Download and install the KB.

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    -  + ## Sequencer prerequisite software @@ -617,26 +616,26 @@ Install the following prerequisite software for the App-V Remote Desktop Service -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

    +

    Windows PowerShell 3.0

    -

    Installing PowerShell 3.0 requires a restart.

    +

    Installing PowerShell 3.0 requires a restart.

    -

    [KB2533623](https://support.microsoft.com/kb/2533623)

    +

    KB2533623

    Applies to Windows 7 only: Download and install the KB.

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    -  + @@ -650,9 +649,9 @@ Install the following prerequisite software for the App-V Remote Desktop Service [App-V 5.0 SP3 Supported Configurations](app-v-50-sp3-supported-configurations.md) -  - -  + + + diff --git a/mdop/appv-v5/app-v-50-sp3-supported-configurations.md b/mdop/appv-v5/app-v-50-sp3-supported-configurations.md index a8333064ff..fd9359c9d4 100644 --- a/mdop/appv-v5/app-v-50-sp3-supported-configurations.md +++ b/mdop/appv-v5/app-v-50-sp3-supported-configurations.md @@ -47,7 +47,7 @@ The following table lists the operating systems that are supported for the App-V **Note**   Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). See [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976) for more information. -  + @@ -81,12 +81,12 @@ Microsoft provides support for the current service pack and, in some cases, the
    -  + **Important**   Deployment of the Management server role to a computer with Remote Desktop Sharing (RDS) enabled is not supported. -  + ### Management server hardware requirements @@ -132,7 +132,7 @@ The following table lists the SQL Server versions that are supported for the App -  + ### Publishing server operating system requirements @@ -170,7 +170,7 @@ The following table lists the operating systems that are supported for the App-V -  + ### Publishing server hardware requirements @@ -218,7 +218,7 @@ The following table lists the operating systems that are supported for the App-V -  + ### Reporting server hardware requirements @@ -266,7 +266,7 @@ The following table lists the SQL Server versions that are supported for the App -  + ## App-V client system requirements @@ -305,7 +305,7 @@ The following table lists the operating systems that are supported for the App-V -  + The following App-V client installation scenarios are not supported, except as noted: @@ -362,7 +362,7 @@ The following table lists the operating systems that are supported for App-V 5.0 -  + ### Remote Desktop Services client hardware requirements @@ -426,7 +426,7 @@ The following table lists the operating systems that are supported for the App-V -  + ### Sequencer hardware requirements @@ -457,9 +457,9 @@ For more information about how Configuration Manager integrates with App-V, see [App-V 5.0 SP3 Prerequisites](app-v-50-sp3-prerequisites.md) -  + -  + diff --git a/mdop/appv-v5/app-v-50-supported-configurations.md b/mdop/appv-v5/app-v-50-supported-configurations.md index a5feb193ce..b70976d075 100644 --- a/mdop/appv-v5/app-v-50-supported-configurations.md +++ b/mdop/appv-v5/app-v-50-supported-configurations.md 
@@ -19,7 +19,7 @@ ms.date: 08/30/2016 This topic specifies the requirements that are necessary to install and run Microsoft Application Virtualization (App-V) 5.0 in your environment. -**Important**   +**Important** **The supported configurations in this article apply only to App-V 5.0**. For supported configurations that apply to App-V 5.0 Service Packs, see the following web pages: - [What's new in App-V 5.0 SP1](whats-new-in-app-v-50-sp1.md) @@ -28,24 +28,24 @@ This topic specifies the requirements that are necessary to install and run Micr - [App-V 5.0 SP3 Supported Configurations](app-v-50-sp3-supported-configurations.md) -  + ## App-V 5.0 server system requirements -**Important**   +**Important** The App-V 5.0 server does not support the following scenarios: -  + - Deployment to a computer that runs Microsoft Windows Server Core. - Deployment to a computer that runs a previous version of App-V 5.0 server components. - **Note**   - You can install App-V 5.0 side-by-side with the App-V 4.5 Lightweight Streaming Server (LWS) server only. Deployment of App-V 5.0 side-by-side with the App-V 4.5 Application Virtualization Management Service (HWS) server is not supported. + **Note** + You can install App-V 5.0 side-by-side with the App-V 4.5 Lightweight Streaming Server (LWS) server only. Deployment of App-V 5.0 side-by-side with the App-V 4.5 Application Virtualization Management Service (HWS) server is not supported. + -   - Deployment to a computer that runs Microsoft SQL Server Express edition. 
@@ -59,10 +59,10 @@ The App-V 5.0 server does not support the following scenarios: The following table lists the operating systems that are supported for the App-V 5.0 management server installation. -**Note**   +**Note** Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + @@ -81,19 +81,19 @@ Microsoft provides support for the current service pack and, in some cases, the - + - + - + @@ -101,12 +101,12 @@ Microsoft provides support for the current service pack and, in some cases, the

    Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, or Web Server)

    Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, or Web Server)

    R2

    SP1 and higher

    64-bit

    Microsoft Windows Server 2012 (Standard, Datacenter)

    Microsoft Windows Server 2012 (Standard, Datacenter)

    64-bit

    Microsoft Windows Server 2012 (Standard, Datacenter)

    Microsoft Windows Server 2012 (Standard, Datacenter)

    R2

    64-bit

    -  -**Important**   + +**Important** Deployment of the management server role to a computer with Remote Desktop Sharing (RDS) enabled is not supported. -  + ### Management Server hardware requirements @@ -120,10 +120,10 @@ Deployment of the management server role to a computer with Remote Desktop Shari The following table lists the operating systems that are supported for the App-V 5.0 publishing server installation. -**Note**   +**Note** Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + @@ -142,19 +142,19 @@ Microsoft provides support for the current service pack and, in some cases, the - + - + - + @@ -162,7 +162,7 @@ Microsoft provides support for the current service pack and, in some cases, the

    Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, or Web Server)

    Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, or Web Server)

    R2

    64-bit

    Microsoft Windows Server 2012 (Standard, Datacenter)

    Microsoft Windows Server 2012 (Standard, Datacenter)

    64-bit

    Microsoft Windows Server 2012 (Standard, Datacenter)

    Microsoft Windows Server 2012 (Standard, Datacenter)

    R2

    64-bit

    -  + ### Publishing Server hardware requirements @@ -176,10 +176,10 @@ Microsoft provides support for the current service pack and, in some cases, the The following table lists the operating systems that are supported for the App-V 5.0 reporting server installation. -**Note**   +**Note** Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + @@ -198,19 +198,19 @@ Microsoft provides support for the current service pack and, in some cases, the - + - + - + @@ -218,7 +218,7 @@ Microsoft provides support for the current service pack and, in some cases, the

    Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, or Web Server)

    Microsoft Windows Server 2008 (Standard, Enterprise, Datacenter, or Web Server)

    R2

    64-bit

    Microsoft Windows Server 2012 (Standard, Datacenter)

    Microsoft Windows Server 2012 (Standard, Datacenter)

    64-bit

    Microsoft Windows Server 2012 (Standard, Datacenter)

    Microsoft Windows Server 2012 (Standard, Datacenter)

    R2

    64-bit

    -  + ### Reporting Server hardware requirements @@ -228,9 +228,9 @@ Microsoft provides support for the current service pack and, in some cases, the - Disk space—200 MB available hard disk space -### SQL Server database requirements +### SQL Server database requirements -The following table lists the SQL Server versions that are supported for the App-V 5.0 database and server installation. +The following table lists the SQL Server versions that are supported for the App-V 5.0 database and server installation. @@ -252,7 +252,7 @@ The following table lists the SQL Server versions that are supported for the Ap - @@ -260,7 +260,7 @@ The following table lists the SQL Server versions that are supported for the Ap - @@ -268,7 +268,7 @@ The following table lists the SQL Server versions that are supported for the Ap - @@ -277,17 +277,17 @@ The following table lists the SQL Server versions that are supported for the Ap

    Management / Reporting

    Microsoft SQL Server 2008

    +

    Microsoft SQL Server 2008

    (Standard, Enterprise, Datacenter, or the Developer Edition with the following feature: Database Engine Services.)

    Management / Reporting

    Microsoft SQL Server 2008 

    +

    Microsoft SQL Server 2008

    (Standard, Enterprise, Datacenter, or the Developer Edition with the following feature: Database Engine Services.)

    R2

    SP2

    Management / Reporting

    Microsoft SQL Server 2012

    +

    Microsoft SQL Server 2012

    (Standard, Enterprise, Datacenter, or the Developer Edition with the following feature: Database Engine Services.)

    -  + ## App-V 5.0 client system requirements The following table lists the operating systems that are supported for the App-V 5.0 client installation. -**Note**   +**Note** Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + @@ -304,22 +304,21 @@ Microsoft provides support for the current service pack and, in some cases, the - + - + @@ -328,13 +327,13 @@ Microsoft provides support for the current service pack and, in some cases, the

    Microsoft Windows 7

    Microsoft Windows 7

    SP1

    32-bit or 64-bit

    Microsoft Windows 8

    Microsoft Windows 8

    32-bit or 64-bit

    -Important   -

    Windows 8.1 is only supported by App-V 5.0 SP2

    +Important

    Windows 8.1 is only supported by App-V 5.0 SP2

    -  +

    Windows 8.1

    -  + The following App-V client installation scenarios are not supported, except as noted: - Computers that run Windows Server -- Computers that run App-V 4.6 SP1 or earlier versions +- Computers that run App-V 4.6 SP1 or earlier versions - The App-V 5.0 Remote Desktop services client is supported only for RDS-enabled servers @@ -353,34 +352,34 @@ The following list displays the supported hardware configuration for the App-V 5 The following table lists the operating systems that are supported for App-V 5.0 Remote Desktop client installation. -**Note**   +**Note** Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + Operating system Edition Service pack -Microsoft Windows Server 2008 +Microsoft Windows Server 2008 R2 SP1 -Microsoft Windows Server 2012 +Microsoft Windows Server 2012 -**Important**   -Windows Server 2012 R2 is only supported by App-V 5.0 SP2 +**Important** +Windows Server 2012 R2 is only supported by App-V 5.0 SP2 -  -Microsoft Windows Server 2012 (Standard, Datacenter) + +Microsoft Windows Server 2012 (Standard, Datacenter) R2 64-bit -  + ### Remote Desktop client hardware requirements 
@@ -397,10 +396,10 @@ The following list displays the supported hardware configuration for the App-V 5 The following table lists the operating systems that are supported for App-V 5.0 Sequencer installation. -**Note**   +**Note** Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + @@ -419,24 +418,23 @@ Microsoft provides support for the current service pack and, in some cases, the - + - + @@ -444,26 +442,25 @@ Microsoft provides support for the current service pack and, in some cases, the - + - + +

    Microsoft Windows Server 2012

    @@ -471,12 +468,12 @@ Microsoft provides support for the current service pack and, in some cases, the

    Microsoft Windows 7

    Microsoft Windows 7

    SP1

    32-bit and 64-bit

    Microsoft Windows 8

    Microsoft Windows 8

    32-bit and 64-bit

    -Important   -

    Windows 8.1 is only supported by App-V 5.0 SP2

    +Important

    Windows 8.1 is only supported by App-V 5.0 SP2

    -  +

    Windows 8.1

    32-bit or 64-bit

    Microsoft Windows Server 2008

    Microsoft Windows Server 2008

    R2

    SP1

    32-bit and 64-bit

    Microsoft Windows Server 2012

    Microsoft Windows Server 2012

    32-bit and 64-bit

    -Important   -

    Windows Server 2012 R2 is only supported by App-V 5.0 SP2

    +Important

    Windows Server 2012 R2 is only supported by App-V 5.0 SP2

    -  +
    -

    Microsoft Windows Server 2012

    R2

    64-bit

    -  + ## Supported versions of System Center Configuration Manager -You can use Microsoft System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager to manage App-V virtual applications, reporting, and other functions. The following table lists the supported versions of Configuration Manager for each applicable version of App-V. +You can use Microsoft System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager to manage App-V virtual applications, reporting, and other functions. The following table lists the supported versions of Configuration Manager for each applicable version of App-V. @@ -491,7 +488,7 @@ You can use Microsoft System Center 2012 Configuration Manager or System Cen - +

    Microsoft System Center 2012 Configuration Manager

    Microsoft System Center 2012 Configuration Manager

    • App-V 5.0

    • App-V 5.0 SP1

    • @@ -509,7 +506,7 @@ You can use Microsoft System Center 2012 Configuration Manager or System Cen
    -  + For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx). @@ -525,9 +522,9 @@ For more information about how Configuration Manager integrates with App-V, see [App-V 5.0 Prerequisites](app-v-50-prerequisites.md) -  - -  + + + diff --git a/mdop/appv-v5/app-v-51-capacity-planning.md b/mdop/appv-v5/app-v-51-capacity-planning.md index fd58ec34a1..70a60911a1 100644 --- a/mdop/appv-v5/app-v-51-capacity-planning.md +++ b/mdop/appv-v5/app-v-51-capacity-planning.md @@ -22,7 +22,7 @@ The following recommendations can be used as a baseline to help determine capaci **Important**   Use the information in this section only as a general guide for planning your App-V 5.1 deployment. Your system capacity requirements will depend on the specific details of your hardware and application environment. Additionally, the performance numbers displayed in this document are examples and your results may vary. -  + ## Determine the Project Scope @@ -52,7 +52,7 @@ Before you design the App-V 5.1 infrastructure, you must determine the project -  + ## Determine Which App-V 5.1 Infrastructure is Required 
@@ -62,7 +62,7 @@ Both of the following models require the App-V 5.1 client to be installed on the You can also manage your App-V 5.1 environment using an Electronic Software Distribution (ESD) solution such as Microsoft Systems Center Configuration Manager. For more information see [How to deploy App-V 5.1 Packages Using Electronic Software Distribution](how-to-deploy-app-v-51-packages-using-electronic-software-distribution.md). -  + - **Standalone Model** - The standalone model allows virtual applications to be Windows Installer-enabled for distribution without streaming. App-V 5.1 in Standalone Mode consists of the sequencer and the client; no additional components are required. Applications are prepared for virtualization using a process called sequencing. For more information see, [Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md). The stand-alone model is recommended for the following scenarios: @@ -77,7 +77,7 @@ You can also manage your App-V 5.1 environment using an Electronic Software Dist **Important**   The App-V 5.1 full infrastructure model requires Microsoft SQL Server to store configuration data. For more information see [App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md). -   + - When you want to use the Management Server to publish the application to target computers. 
@@ -93,7 +93,7 @@ The following section provides information about end-to-end App-V 5.1 sizing and **Note**   Round trip response time on the client is the time taken by the computer running the App-V 5.1 client to receive a successful notification from the publishing server. Round trip response time on the publishing server is the time taken by the computer running the publishing server to receive a successful package metadata update from the management server. -  + - 20,000 clients can target a single publishing server to obtain the package refreshes in an acceptable round trip time. (<3 seconds) @@ -107,7 +107,7 @@ The App-V 5.1 publishing servers require the management server for package refre **Note**   The default refresh time on the App-V 5.1 publishing server is ten minutes. -  + When multiple simultaneous publishing servers contact a single management server for package metadata refreshes, the following three factors influence the round trip response time on the publishing server: @@ -122,7 +122,7 @@ The following table displays more information about each factor that impacts rou **Note**   Round trip response time is the time taken by the computer running the App-V 5.1 publishing server to receive a successful package metadata update from the management server. -  + @@ -166,7 +166,7 @@ Round trip response time is the time taken by the computer running the App-V 5.1
    -  + The following table displays sample values for each of the previous factors. In each variation, 120 packages are refreshed from the App-V 5.1management server. @@ -359,7 +359,7 @@ The following table displays sample values for each of the previous factors. In -  + The CPU utilization of the computer running the management server is around 25% irrespective of the number of publishing servers targeting it. The Microsoft SQL Server database transactions/sec, batch requests/sec and user connections are identical irrespective of the number of publishing servers. For example: Transactions/sec is ~30, batch requests ~200, and user connects ~6. @@ -460,7 +460,7 @@ Using a geographically distributed deployment, where the management server & pub -  + Whether the management server and publishing servers are connected over a slow link network, or a high speed network, the management server can handle approximately 15,000 package refresh requests in 30 minutes. @@ -472,7 +472,7 @@ App-V 5.1 clients send reporting data to the reporting server. The reporting ser **Note**   Round trip response time is the time taken by the computer running the App-V 5.1 client to send the reporting information to the reporting server and receive a successful notification from the reporting server. -  + @@ -518,7 +518,7 @@ Round trip response time is the time taken by the computer running the App-V 5.1
    -  + **Calculating random delay**: @@ -542,7 +542,7 @@ The following list displays the main factors to consider when setting up the App - The available network bandwidth in your environment between the client and the App-V 5.1 publishing server. -  + @@ -585,12 +585,12 @@ The following list displays the main factors to consider when setting up the App
    -  + **Note**   The publishing server CPU usage is always high during the time interval when it has to process simultaneous requests (>90% in most cases). The publishing server can handle ~1500 client requests in 1 second. -  + @@ -732,7 +732,7 @@ The publishing server CPU usage is always high during the time interval when it
    -  + ## App-V 5.1 Streaming Capacity Planning Recommendations @@ -748,7 +748,7 @@ The following list identifies the main factors to consider when setting up the A - The available network bandwidth in your environment between the client and the streaming server. -  + @@ -788,7 +788,7 @@ The following list identifies the main factors to consider when setting up the A
    -  + The following table displays sample values for each of the factors in the previous list: @@ -917,14 +917,14 @@ The following table displays sample values for each of the factors in the previo -  + Each App-V 5.1 streaming server should be able to handle a minimum of 200 clients concurrently streaming virtualized applications. **Note**   The actual time to it will take to stream is determined primarily by the number of clients streaming simultaneously, number of packages, package size, the server’s network activity, and network conditions. -  + For example, an average user can stream a 100 MB package in less than 2 minutes, when 100 simultaneous clients are streaming from the server. However, a package of size 1 GB could take up to 30 minutes. In most real world environments streaming demand is not uniformly distributed, you will need to understand the approximate peak streaming requirements present in your environment in order to properly size the number of required streaming servers. @@ -953,9 +953,9 @@ Although there are a number of fault-tolerance strategies and technologies avail [Planning to Deploy App-V](planning-to-deploy-app-v51.md) -  + -  + diff --git a/mdop/appv-v5/app-v-51-deployment-checklist.md b/mdop/appv-v5/app-v-51-deployment-checklist.md index ce77e53a6c..47165a6b5b 100644 --- a/mdop/appv-v5/app-v-51-deployment-checklist.md +++ b/mdop/appv-v5/app-v-51-deployment-checklist.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 This checklist can be used to help you during Microsoft Application Virtualization (App-V) 5.1 deployment. -**Note**   +**Note** This checklist outlines the recommended steps and a high-level list of items to consider when deploying App-V 5.1 features. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -43,37 +43,36 @@ This checklist outlines the recommended steps and a high-level list of items to - + - +
    Checklist box

    Complete the planning phase to prepare the computing environment for App-V 5.1 deployment.

    [App-V 5.1 Planning Checklist](app-v-51-planning-checklist.md)

    App-V 5.1 Planning Checklist

    Checklist box

    Review the App-V 5.1 supported configurations information to make sure selected client and server computers are supported for App-V 5.1 feature installation.

    [App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md)

    App-V 5.1 Supported Configurations

    Checklist box

    Run App-V 5.1 Setup to deploy the required App-V 5.1 features for your environment.

    -Note   -

    Keep track of the names of the servers and associated URL’s created during installation. This information will be used throughout the installation process.

    +Note

    Keep track of the names of the servers and associated URL’s created during installation. This information will be used throughout the installation process.

    -  +

    -  + @@ -85,9 +84,9 @@ This checklist outlines the recommended steps and a high-level list of items to [Deploying App-V 5.1](deploying-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/app-v-51-planning-checklist.md b/mdop/appv-v5/app-v-51-planning-checklist.md index 0d2300b51e..c2dab9f0b8 100644 --- a/mdop/appv-v5/app-v-51-planning-checklist.md +++ b/mdop/appv-v5/app-v-51-planning-checklist.md @@ -22,7 +22,7 @@ This checklist can be used to help you plan for preparing your computing environ **Note**   This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.1 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -43,43 +43,43 @@ This checklist outlines the recommended steps and a high-level list of items to - + - + - + - + - + - +
    Checklist box

    Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning.

    [Getting Started with App-V 5.1](getting-started-with-app-v-51.md)

    Getting Started with App-V 5.1

    Checklist box

    Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment.

    [App-V 5.1 Prerequisites](app-v-51-prerequisites.md)

    App-V 5.1 Prerequisites

    Checklist box

    If you plan to use the App-V 5.1 management server, plan for the required roles.

    [Planning for the App-V 5.1 Server Deployment](planning-for-the-app-v-51-server-deployment.md)

    Planning for the App-V 5.1 Server Deployment

    Checklist box

    Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications.

    [Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md)

    Planning for the App-V 5.1 Sequencer and Client Deployment

    Checklist box

    If applicable, review the options and steps for migrating from a previous version of App-V.

    [Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v51.md)

    Planning for Migrating from a Previous Version of App-V

    Checklist box

    Plan for running App-V 5.1 clients using in shared content store mode.

    [How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md)

    How to Install the App-V 5.1 Client for Shared Content Store Mode

    -  + @@ -91,9 +91,9 @@ This checklist outlines the recommended steps and a high-level list of items to [Planning for App-V 5.1](planning-for-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/app-v-51-prerequisites.md b/mdop/appv-v5/app-v-51-prerequisites.md index af9b51188d..7931176dcc 100644 --- a/mdop/appv-v5/app-v-51-prerequisites.md +++ b/mdop/appv-v5/app-v-51-prerequisites.md @@ -46,11 +46,10 @@ The following table indicates the software that is already installed for differe

    Windows 8.1

    All of the prerequisite software is already installed.

    -Note   -

    If you are running Windows 8, upgrade to Windows 8.1 before using App-V 5.1.

    +Note

    If you are running Windows 8, upgrade to Windows 8.1 before using App-V 5.1.

    -  +
    @@ -58,13 +57,12 @@ The following table indicates the software that is already installed for differe

    The following prerequisite software is already installed:

    • Microsoft .NET Framework 4.5

    • -
    • Windows PowerShell 3.0

      +
    • Windows PowerShell 3.0

      -Note   -

      Installing PowerShell 3.0 requires a restart.

      +Note

      Installing PowerShell 3.0 requires a restart.

      -  +
    @@ -75,7 +73,7 @@ The following table indicates the software that is already installed for differe -  + ## App-V Server prerequisite software @@ -127,7 +125,7 @@ Install the required prerequisite software for the App-V 5.1 Server components. -  + ### Management server prerequisite software @@ -145,22 +143,22 @@ Install the required prerequisite software for the App-V 5.1 Server components.

    Supported version of SQL Server

    -

    For supported versions, see [App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md).

    +

    For supported versions, see App-V 5.1 Supported Configurations.

    -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

    -

    Installing PowerShell 3.0 requires a restart.

    +

    Windows PowerShell 3.0

    +

    Installing PowerShell 3.0 requires a restart.

    -

    Download and install [KB2533623](https://support.microsoft.com/kb/2533623)

    +

    Download and install KB2533623

    Applies to Windows 7 only.

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    @@ -222,12 +220,12 @@ Install the required prerequisite software for the App-V 5.1 Server components. -  -**Important**   + +**Important** JavaScript must be enabled on the browser that opens the Web Management Console. -  + ### Management server database prerequisite software @@ -246,11 +244,11 @@ The Management database is required only if you are using the App-V 5.1 Manageme -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    @@ -280,12 +278,12 @@ The Management database is required only if you are using the App-V 5.1 Manageme

    Microsoft SQL Server Service Agent

    -

    Configure the Management database computer so that the Microsoft SQL Server Agent service is restarted automatically. For instructions, see [Configure SQL Server Agent to Restart Services Automatically](https://technet.microsoft.com/magazine/gg313742.aspx).

    +

    Configure the Management database computer so that the Microsoft SQL Server Agent service is restarted automatically. For instructions, see Configure SQL Server Agent to Restart Services Automatically.

    -  + ### Publishing server prerequisite software @@ -302,11 +300,11 @@ The Management database is required only if you are using the App-V 5.1 Manageme -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    @@ -366,15 +364,15 @@ The Management database is required only if you are using the App-V 5.1 Manageme

    Management server and Publishing server are installed on the same server

    -

    http://localhost:12345

    +

    http://localhost:12345

    Management server and Publishing server are installed on different servers

    -

    http://MyAppvServer.MyDomain.com

    +

    http://MyAppvServer.MyDomain.com

    -

     

    +

    @@ -388,7 +386,7 @@ The Management database is required only if you are using the App-V 5.1 Manageme -  + ### Reporting server prerequisite software @@ -406,14 +404,14 @@ The Management database is required only if you are using the App-V 5.1 Manageme

    Supported version of SQL Server

    -

    For supported versions, see [App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md).

    +

    For supported versions, see App-V 5.1 Supported Configurations.

    -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    @@ -468,7 +466,7 @@ The Management database is required only if you are using the App-V 5.1 Manageme -  + ### Reporting database prerequisite software @@ -487,11 +485,11 @@ The Reporting database is required only if you are using the App-V 5.1 Reporting -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    @@ -526,7 +524,7 @@ The Reporting database is required only if you are using the App-V 5.1 Reporting -  + ## App-V client prerequisite software @@ -546,26 +544,26 @@ Install the following prerequisite software for the App-V client. -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

    +

    Windows PowerShell 3.0

    -

    Installing PowerShell 3.0 requires a restart.

    +

    Installing PowerShell 3.0 requires a restart.

    -

    [KB2533623](https://support.microsoft.com/kb/2533623)

    +

    KB2533623

    Applies to Windows 7 only: Download and install the KB.

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    -  + ## Remote Desktop Services client prerequisite software @@ -585,26 +583,26 @@ Install the following prerequisite software for the App-V Remote Desktop Service -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

    +

    Windows PowerShell 3.0

    -

    Installing PowerShell 3.0 requires a restart.

    +

    Installing PowerShell 3.0 requires a restart.

    -

    [KB2533623](https://support.microsoft.com/kb/2533623)

    +

    KB2533623

    Applies to Windows 7 only: Download and install the KB.

    -

    [Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)

    +

    Visual C++ Redistributable Packages for Visual Studio 2013

    -  + ## Sequencer prerequisite software @@ -628,22 +626,22 @@ Install the following prerequisite software for the App-V Remote Desktop Service -

    [Microsoft .NET Framework 4.5.1 (Web Installer)](https://www.microsoft.com//download/details.aspx?id=40773)

    +

    Microsoft .NET Framework 4.5.1 (Web Installer)

    -

    [Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)

    +

    Windows PowerShell 3.0

    -

    Installing PowerShell 3.0 requires a restart.

    +

    Installing PowerShell 3.0 requires a restart.

    -

    [KB2533623](https://support.microsoft.com/kb/2533623)

    +

    KB2533623

    Applies to Windows 7 only: Download and install the KB.

    -  + @@ -657,9 +655,9 @@ Install the following prerequisite software for the App-V Remote Desktop Service [App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md) -  - -  + + + diff --git a/mdop/appv-v5/app-v-51-security-considerations.md b/mdop/appv-v5/app-v-51-security-considerations.md index 0afb1b8b1f..9b8aaf264e 100644 --- a/mdop/appv-v5/app-v-51-security-considerations.md +++ b/mdop/appv-v5/app-v-51-security-considerations.md @@ -19,10 +19,10 @@ ms.date: 08/30/2016 This topic contains a brief overview of the accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V) 5.1. -**Important**   +**Important** App-V 5.1 is not a security product and does not provide any guarantees for a secure environment. -  + ## PackageStoreAccessControl (PSAC) feature has been deprecated @@ -45,14 +45,14 @@ Effective as of June, 2014, the PackageStoreAccessControl (PSAC) feature that wa A best practice for user account management is to create domain global groups and add user accounts to them. Then, add the domain global accounts to the necessary App-V 5.1 local groups on the App-V 5.1 servers. -**Note**   +**Note** App-V client computer accounts that need to connect to the publishing server must be part of the publishing server’s **Users** local group. By default, all computers in the domain are part of the **Authorized Users** group, which is part of the **Users** local group. -  + ### App-V 5.1 server security -No groups are created automatically during App-V 5.1 Setup. You should create the following Active Directory Domain Services global groups to manage App-V 5.1 server operations. +No groups are created automatically during App-V 5.1 Setup. You should create the following Active Directory Domain Services global groups to manage App-V 5.1 server operations. @@ -70,11 +70,10 @@ No groups are created automatically during App-V 5.1 Setup. You should create th 
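Review bot: the accounts-and-groups hunk (`@@ -45,14 +45,14 @@`) edits the `**Note**` marker but leaves the sentence under it wrong: `By default, all computers in the domain are part of the **Authorized Users** group, which is part of the **Users** local group.` There is no built-in Windows group named Authorized Users; the well-known group that domain computer accounts belong to when they authenticate, and that is nested in the local Users group on domain-joined servers, is **Authenticated Users**. This is the sentence an administrator will use to work out which principals can reach the publishing server, so please correct the name while the adjacent line is already being changed.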
@@ -84,38 +83,36 @@ No groups are created automatically during App-V 5.1 Setup. You should create th

    App-V Management Admin group

    Used to manage the App-V 5.1 management server. This group is created during the App-V 5.1 Management Server installation.

    -Important   -

    There is no method to create the group using the management console after you have completed the installation.

    +Important

    There is no method to create the group using the management console after you have completed the installation.

    -  +

    App-V Management Service install admin account

    -Note   -

    This is only required if management database is being installed separately from the service.

    +Note

    This is only required if management database is being installed separately from the service.

    -  +

    Provides public access to schema-version table in management database. This account should be created during the App-V 5.1 management database installation.

    App-V Reporting Service install admin account

    -Note   -

    This is only required if reporting database is being installed separately from the service.

    +Note

    This is only required if reporting database is being installed separately from the service.

    -  +

    Public access to schema-version table in reporting database. This account should be created during the App-V 5.1 reporting database installation.

    -  + Consider the following additional information: - Access to the package shares - If a share exists on the same computer as the management Server, the **Network** service requires read access to the share. In addition, each App-V client computer must have read access to the package share. - **Note**   + **Note** In previous versions of App-V, package share was referred to as content share. -   + - Registering publishing servers with Management Server - A publishing server must be registered with the Management server. For example, it must be added to the database, so that the Publishing server machine accounts are able to call into the Management service API. @@ -140,9 +137,9 @@ During App-V 5.1 Setup, setup log files are created in the **%temp%** folder of [Preparing Your Environment for App-V 5.1](preparing-your-environment-for-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/app-v-51-supported-configurations.md b/mdop/appv-v5/app-v-51-supported-configurations.md index ca5ceb725b..f8debb839c 100644 --- a/mdop/appv-v5/app-v-51-supported-configurations.md +++ b/mdop/appv-v5/app-v-51-supported-configurations.md @@ -45,7 +45,7 @@ The following table lists the operating systems that are supported for the App-V **Note**   Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). See [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976) for more information. -  + @@ -84,12 +84,12 @@ Microsoft provides support for the current service pack and, in some cases, the
    -  + **Important**   Deployment of the Management server role to a computer with Remote Desktop Sharing (RDS) enabled is not supported. -  + ### Management server hardware requirements @@ -135,7 +135,7 @@ The following table lists the SQL Server versions that are supported for the App -  + ### Publishing server operating system requirements @@ -178,7 +178,7 @@ The following table lists the operating systems that are supported for the App-V -  + ### Publishing server hardware requirements @@ -231,7 +231,7 @@ The following table lists the operating systems that are supported for the App-V -  + ### Reporting server hardware requirements @@ -279,7 +279,7 @@ The following table lists the SQL Server versions that are supported for the App -  + ## App-V client system requirements @@ -320,7 +320,7 @@ The following table lists the operating systems that are supported for the App-V -  + The following App-V client installation scenarios are not supported, except as noted: @@ -382,7 +382,7 @@ The following table lists the operating systems that are supported for App-V 5.1 -  + ### Remote Desktop Services client hardware requirements @@ -451,7 +451,7 @@ The following table lists the operating systems that are supported for the App-V -  + ### Sequencer hardware requirements @@ -519,7 +519,7 @@ The following App-V and System Center Configuration Manager version matrix shows -  + For more information about how Configuration Manager integrates with App-V, see [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx). @@ -535,9 +535,9 @@ For more information about how Configuration Manager integrates with App-V, see [App-V 5.1 Prerequisites](app-v-51-prerequisites.md) -  + -  + diff --git a/mdop/appv-v5/application-publishing-and-client-interaction.md b/mdop/appv-v5/application-publishing-and-client-interaction.md index 0ff69d39a0..9245cdf4aa 100644 --- a/mdop/appv-v5/application-publishing-and-client-interaction.md 
+++ b/mdop/appv-v5/application-publishing-and-client-interaction.md @@ -94,7 +94,7 @@ The Sequencer creates App-V packages and produces a virtualized application. The -  + For information about sequencing, see [Application Virtualization 5.0 Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760). @@ -164,7 +164,7 @@ The appv file contains the following folder and files, which are used when creat -  + ## App-V client data storage locations @@ -233,7 +233,7 @@ The App-V client performs tasks to ensure that virtual applications run properly -  + Additional details for the table are provided in the section below and throughout the document. @@ -256,7 +256,7 @@ If the App-V Client is configured in Shared Content Store mode, no data is writt **Note**   The machine and package store must be located on a local drive, even when you’re using Shared Content Store configurations for the App-V Client. -  + ### Package catalogs @@ -282,7 +282,7 @@ The App-V Client manages the following two file-based locations:

    Default storage location

    -

    %programdata%\Microsoft\AppV\Client\Catalog\

    +

    %programdata%\Microsoft\AppV\Client\Catalog</code>

    This location is not the same as the Package Store location. The Package Store is the golden or pristine copy of the package files.
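Review bot: the `+` line turns the default catalog path into `%programdata%\Microsoft\AppV\Client\Catalog</code>`: the trailing backslash is gone and a stray closing `</code>` has appeared with no opening `<code>`, which will either render literally or unbalance the cell markup. If the intent is to show the path as a code span, use a matched `<code>...</code>` pair (or backticks) and keep `Catalog\` intact. The same `\` mangling shows up in the later hunks of this file, so the conversion step behind this PR needs a look rather than a one-off fix here.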

    @@ -309,7 +309,7 @@ The App-V Client manages the following two file-based locations: -  + ### User catalog @@ -348,7 +348,7 @@ The App-V Client manages the following two file-based locations: -  + ### Shortcut backups @@ -383,12 +383,12 @@ When a new package is added to the App-V Client, a copy of the REGISTRY.DAT file

    Registry.dat from Package Store

     > 

    -

    %ProgramData%\Microsoft\AppV\Client\Vreg\{VersionGuid}.dat

    +

    %ProgramData%\Microsoft\AppV\Client\Vreg{VersionGuid}.dat

    -  + When the first application from the package is launched on the client, the client stages or copies the contents out of the hive file, re-creating the package registry data in an alternate location `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Packages\PackageGuid\Versions\VersionGuid\REGISTRY`. The staged registry data has two distinct types of machine data and user data. Machine data is shared across all users on the machine. User data is staged for each user to a userspecific location `HKCU\Software\Microsoft\AppV\Client\Packages\PackageGuid\Registry\User`. The machine data is ultimately removed at package removal time, and the user data is removed on a user unpublish operation. @@ -442,9 +442,9 @@ There are two package registry locations and two connection group locations wher -  + -  + **Connection Group VReg:** @@ -482,9 +482,9 @@ There are two package registry locations and two connection group locations wher -  + -  + There are two COW locations for HKLM; elevated and non-elevated processes. Elevated processes always write HKLM changes to the secure COW under HKLM. Non-elevated processes always write HKLM changes to the non-secure COW under HKCU\\Software\\Classes. When an application reads changes from HKLM, elevated processes will read changes from the secure COW under HKLM. Non-elevated reads from both, favoring the changes made in the unsecure COW first. @@ -569,9 +569,9 @@ The App-V Client can be configured to change the default behavior of streaming. -  + -  + These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors around streaming packages that must be explained: 
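Review bot: in the `@@ -383,12 +383,12 @@` hunk above, `%ProgramData%\Microsoft\AppV\Client\Vreg\{VersionGuid}.dat` becomes `%ProgramData%\Microsoft\AppV\Client\Vreg{VersionGuid}.dat`, losing the separator in front of the GUID placeholder. That names a file that does not exist, and this table is exactly what someone examining an App-V client (for example to pull the staged registry hive during an investigation) will copy from, so the path has to stay byte-accurate. Restore the backslash; if the markdown processor is swallowing `\{`, escape it as `\\{` or put the whole path in a code span.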
@@ -623,7 +623,7 @@ Together, these files and registry settings represent the user’s catalog, so e **Note**   The **Repair-AppvClientPackage** cmdlet does not repair the publishing state of packages, where the user’s App-V state under `HKEY_CURRENT_USER` is missing or mismatched with the data in %appdata%. -  + ### Registry-based data @@ -645,8 +645,8 @@ App-V registry roaming falls into two scenarios, as shown in the following table

    Applications that are run as standard users

    When a standard user launches an App-V application, both HKLM and HKCU for App-V applications are stored in the HKCU hive on the machine. This presents as two distinct paths:

      -
    • HKLM: HKCU\SOFTWARE\Classes\AppV\Client\Packages\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE

    • -
    • HKCU: HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\REGISTRY\USER\{UserSID}\SOFTWARE

    • +
    • HKLM: HKCU\SOFTWARE\Classes\AppV\Client\Packages{PkgGUID}\REGISTRY\MACHINE\SOFTWARE

    • +
    • HKCU: HKCU\SOFTWARE\Microsoft\AppV\Client\Packages{PkgGUID}\REGISTRY\USER{UserSID}\SOFTWARE

    The locations are enabled for roaming based on the operating system settings.
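Review bot: The two `+` bullets in this hunk lose the path separator in front of the GUID placeholders, so `Packages\{PkgGUID}\REGISTRY` becomes `Packages{PkgGUID}\REGISTRY` and `USER\{UserSID}\SOFTWARE` becomes `USER{UserSID}\SOFTWARE`; as documented registry paths those are now wrong, and this whole topic exists to tell administrators where App-V keeps per-user state. Whatever escape cleanup produced these lines removed the separator rather than a stray escape (elsewhere in the file the context still shows `HKCU\\Software\\Classes` rendered with its backslashes). Keep `HKCU\SOFTWARE\Classes\AppV\Client\Packages\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE` and `HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\REGISTRY\USER\{UserSID}\SOFTWARE`, escaped as the renderer needs, or put both paths in backtick code spans so no escaping is required at all.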

    @@ -659,14 +659,14 @@ App-V registry roaming falls into two scenarios, as shown in the following table

    In this scenario, these settings are not roamed with normal operating system roaming configurations, and the resulting registry keys and values are stored in the following location:

      -
    • HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\{UserSID}\REGISTRY\MACHINE\SOFTWARE

    • -
    • HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\Registry\User\{UserSID}\SOFTWARE

    • +
    • HKLM\SOFTWARE\Microsoft\AppV\Client\Packages{PkgGUID}{UserSID}\REGISTRY\MACHINE\SOFTWARE

    • +
    • HKCU\SOFTWARE\Microsoft\AppV\Client\Packages{PkgGUID}\Registry\User{UserSID}\SOFTWARE
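Review bot: Same regression as the previous hunk, but worse: the first `+` bullet collapses two separators, so `Packages\{PkgGUID}\{UserSID}\REGISTRY\MACHINE\SOFTWARE` becomes `Packages{PkgGUID}{UserSID}\REGISTRY\MACHINE\SOFTWARE` and the package GUID and user SID read as one key name; the second bullet drops the separator before `{UserSID}` in the same way. These are the non-roamed HKLM/HKCU locations for elevated launches, so a reader checking a machine against this text will not find the keys. Restore `HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\{UserSID}\REGISTRY\MACHINE\SOFTWARE` and `HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\Registry\User\{UserSID}\SOFTWARE`, preferably as code spans.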

    -  + ### App-V and folder redirection @@ -690,30 +690,30 @@ The following table shows local and roaming locations, when folder redirection h

    ProgramFilesX86

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\ProgramFilesX86

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\ProgramFilesX86

    SystemX86

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\SystemX86

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\SystemX86

    Windows

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\Windows

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\Windows

    appv_ROOT

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\appv_ROOT

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\appv_ROOT

    AppData

    -

    C:\users\jsmith\AppData\Roaming\Microsoft\AppV\Client\VFS\<GUID>\AppData

    +

    C:\users\jsmith\AppData<strong>Roaming\Microsoft\AppV\Client\VFS&lt;GUID>\AppData
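Review bot: Every `+` cell in this table renders broken: the separator between `AppData` and `Local` (or `Roaming`) now appears as an opening `<strong>` tag that is never closed, and the separator between `VFS` and `<GUID>` is gone, so `C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\ProgramFilesX86` has become `C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\ProgramFilesX86`, and the same for SystemX86, Windows, appv_ROOT and AppData. The `-` cells were correct. Since these are HTML table cells, either keep the backslashes escaped exactly as in the `-` lines or wrap each path in `<code>` so the `\<GUID>` sequence survives untouched; leaving an unclosed `<strong>` will also bold everything that follows in the rendered table.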

    -  + -  + The following table shows local and roaming locations, when folder redirection has been implemented for %AppData%, and the location has been redirected (typically to a network location). @@ -731,30 +731,30 @@ The following table shows local and roaming locations, when folder redirection h

    ProgramFilesX86

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\ProgramFilesX86

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\ProgramFilesX86

    SystemX86

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\SystemX86

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\SystemX86

    Windows

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\Windows

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\Windows

    appv_ROOT

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\appv_ROOT

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\appv_ROOT

    AppData

    -

    \\Fileserver\users\jsmith\roaming\Microsoft\AppV\Client\VFS\<GUID>\AppData

    +

    \Fileserver\users\jsmith\roaming\Microsoft\AppV\Client\VFS&lt;GUID>\AppData
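Review bot: The last `+` cell turns the UNC path `\\Fileserver\users\jsmith\roaming\Microsoft\AppV\Client\VFS\<GUID>\AppData` into `\Fileserver\users\jsmith\roaming\Microsoft\AppV\Client\VFS&lt;GUID>\AppData`, dropping one of the two leading backslashes that mark it as a network share and the separator before `<GUID>`; this row is the one that shows the redirected roaming location, so the table no longer illustrates the point of the section. The four other `+` cells have the same `AppData<strong>Local` / `VFS&lt;GUID>` breakage as the previous table. Keep the escaping from the `-` lines or move the paths into `<code>` cells.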

    -  + -  + The current App-V Client VFS driver cannot write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to additional machines, where the process will be repeated. The detailed steps of the processes are: @@ -888,7 +888,7 @@ Adding an App-V package to the client is the first step of the publishing refres **Note**   This will not perform a package deletion but rather remove integration points for the specific target (user or machine) and remove user catalog files (machine catalog files for globally published). -   + 6. Invoke background load mounting based on client configuration. @@ -897,7 +897,7 @@ Adding an App-V package to the client is the first step of the publishing refres **Note**   This condition occurs as a product of removal without unpublishing with background addition of the package. -   + This completes an App-V package add of the publishing refresh process. The next step is publishing the package to the specific target (machine or user). @@ -926,7 +926,7 @@ During the Publishing Refresh operation, the specific publishing operation (Publ **Note**   This enables restore extension points if the package is unpublished. -   + 3. Run scripts targeted for publishing timing. @@ -1017,7 +1017,7 @@ The App-V 5 package upgrade process differs from the older versions of App-V. Ap -  + When a task is placed in a pending state, the App-V client also generates a registry key for the pending task, as follows: @@ -1044,7 +1044,7 @@ When a task is placed in a pending state, the App-V client also generates a regi -  + The following operations must be completed before users can use the newer version of the package: 
@@ -1071,7 +1071,7 @@ The following operations must be completed before users can use the newer versio -  + Use the following example scenarios as a guide for updating packages. @@ -1101,7 +1101,7 @@ Use the following example scenarios as a guide for updating packages. -  + ### Global vs user publishing @@ -1240,7 +1240,7 @@ In this example: - `"[{AppVPackageRoot}]\Reader\AcroRd32.exe" "%1"` is the command line, which points to the application executable -  + ### Shell extensions @@ -1307,7 +1307,7 @@ The following table displays the supported shell extensions. -  + ### COM @@ -1372,7 +1372,7 @@ In this example: - `[{ProgramFilesX86}]\Mozilla Thunderbird\mozMapi32_InUse.dll` is the MAPI dll registration -  + ### URL Protocol handler @@ -1493,7 +1493,7 @@ Extension points are not all published the same way, where some extension points -  + ## Dynamic configuration processing @@ -1596,7 +1596,7 @@ During publishing of an App-V package with SxS assemblies the App-V Client will **Note**   UnPublishing or removing a package with an assembly does not remove the assemblies for that package. -  + ## Client logging @@ -1610,7 +1610,7 @@ In App-V 5.0 SP3, some logs have been consolidated and moved to the following lo For a list of the moved logs, see [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-event-logs-moved). -  + There are three specific categories of events recorded described below. @@ -1625,9 +1625,9 @@ There are three specific categories of events recorded described below. -  + -  + diff --git a/mdop/appv-v5/application-publishing-and-client-interaction51.md b/mdop/appv-v5/application-publishing-and-client-interaction51.md index cf17ccd5ba..02452e7e45 100644 --- a/mdop/appv-v5/application-publishing-and-client-interaction51.md +++ b/mdop/appv-v5/application-publishing-and-client-interaction51.md 
@@ -94,7 +94,7 @@ The Sequencer creates App-V packages and produces a virtualized application. The -  + For information about sequencing, see [Application Virtualization Sequencing Guide](https://go.microsoft.com/fwlink/?LinkID=269810). @@ -164,7 +164,7 @@ The appv file contains the following folder and files, which are used when creat -  + ## App-V client data storage locations @@ -233,7 +233,7 @@ The App-V client performs tasks to ensure that virtual applications run properly -  + Additional details for the table are provided in the section below and throughout the document. @@ -256,7 +256,7 @@ If the App-V Client is configured in Shared Content Store mode, no data is writt **Note**   The machine and package store must be located on a local drive, even when you’re using Shared Content Store configurations for the App-V Client. -  + ### Package catalogs @@ -282,7 +282,7 @@ The App-V Client manages the following two file-based locations:

    Default storage location

    -

    %programdata%\Microsoft\AppV\Client\Catalog\

    +

    %programdata%\Microsoft\AppV\Client\Catalog</code>

    This location is not the same as the Package Store location. The Package Store is the golden or pristine copy of the package files.
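Review bot: The `+` line for the default storage location renders as `%programdata%\Microsoft\AppV\Client\Catalog</code>`, that is, the trailing separator has been replaced by a stray closing `</code>` tag and the code span that should hold the path is broken. Either keep the path as `%programdata%\Microsoft\AppV\Client\Catalog\` with the trailing backslash escaped inside the span, or drop the trailing separator so the cell matches the other location cells in this table; a stray closing tag in a table cell will also swallow the formatting of the following rows.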

    @@ -309,7 +309,7 @@ The App-V Client manages the following two file-based locations: -  + ### User catalog @@ -348,7 +348,7 @@ The App-V Client manages the following two file-based locations: -  + ### Shortcut backups @@ -383,12 +383,12 @@ When a new package is added to the App-V Client, a copy of the REGISTRY.DAT file

    Registry.dat from Package Store

     > 

    -

    %ProgramData%\Microsoft\AppV\Client\Vreg\{VersionGuid}.dat

    +

    %ProgramData%\Microsoft\AppV\Client\Vreg{VersionGuid}.dat

    -  + When the first application from the package is launched on the client, the client stages or copies the contents out of the hive file, re-creating the package registry data in an alternate location `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Packages\PackageGuid\Versions\VersionGuid\REGISTRY`. The staged registry data has two distinct types of machine data and user data. Machine data is shared across all users on the machine. User data is staged for each user to a userspecific location `HKCU\Software\Microsoft\AppV\Client\Packages\PackageGuid\Registry\User`. The machine data is ultimately removed at package removal time, and the user data is removed on a user unpublish operation. @@ -442,9 +442,9 @@ There are two package registry locations and two connection group locations wher -  + -  + **Connection Group VReg:** @@ -482,9 +482,9 @@ There are two package registry locations and two connection group locations wher -  + -  + There are two COW locations for HKLM; elevated and non-elevated processes. Elevated processes always write HKLM changes to the secure COW under HKLM. Non-elevated processes always write HKLM changes to the non-secure COW under HKCU\\Software\\Classes. When an application reads changes from HKLM, elevated processes will read changes from the secure COW under HKLM. Non-elevated reads from both, favoring the changes made in the unsecure COW first. @@ -569,9 +569,9 @@ The App-V Client can be configured to change the default behavior of streaming. -  + -  + These settings affect the behavior of streaming App-V package assets to the client. By default, App-V only downloads the assets required after downloading the initial publishing and primary feature blocks. There are three specific behaviors around streaming packages that must be explained: 
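Review bot: In the Registry.dat row above, the `+` cell changes `%ProgramData%\Microsoft\AppV\Client\Vreg\{VersionGuid}.dat` to `%ProgramData%\Microsoft\AppV\Client\Vreg{VersionGuid}.dat`, so the documented location of the staged hive file is wrong. The context paragraph that follows shows the fix already in use in this file: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\Packages\PackageGuid\Versions\VersionGuid\REGISTRY` is in a backtick code span and renders its backslashes intact. Put the `.dat` path in a code span the same way rather than stripping the separator. The remaining hunks on this line (Connection Group VReg, the COW locations, the streaming settings) only remove trailing whitespace and are fine.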
@@ -623,7 +623,7 @@ Together, these files and registry settings represent the user’s catalog, so e **Note**   The **Repair-AppvClientPackage** cmdlet does not repair the publishing state of packages, where the user’s App-V state under `HKEY_CURRENT_USER` is missing or mismatched with the data in %appdata%. -  + ### Registry-based data @@ -645,8 +645,8 @@ App-V registry roaming falls into two scenarios, as shown in the following table

    Applications that are run as standard users

    When a standard user launches an App-V application, both HKLM and HKCU for App-V applications are stored in the HKCU hive on the machine. This presents as two distinct paths:

      -
    • HKLM: HKCU\SOFTWARE\Classes\AppV\Client\Packages\{PkgGUID}\REGISTRY\MACHINE\SOFTWARE

    • -
    • HKCU: HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\REGISTRY\USER\{UserSID}\SOFTWARE

    • +
    • HKLM: HKCU\SOFTWARE\Classes\AppV\Client\Packages{PkgGUID}\REGISTRY\MACHINE\SOFTWARE

    • +
    • HKCU: HKCU\SOFTWARE\Microsoft\AppV\Client\Packages{PkgGUID}\REGISTRY\USER{UserSID}\SOFTWARE

    The locations are enabled for roaming based on the operating system settings.
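Review bot: Same separator loss as the equivalent hunk in application-publishing-and-client-interaction.md: the `+` bullets show `Packages{PkgGUID}\REGISTRY` and `USER{UserSID}\SOFTWARE` where the `-` bullets had `Packages\{PkgGUID}\REGISTRY` and `USER\{UserSID}\SOFTWARE`. Both paths need the backslash before the placeholder restored; code spans would avoid the escaping problem in both copies of this topic.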

    @@ -659,14 +659,14 @@ App-V registry roaming falls into two scenarios, as shown in the following table

    In this scenario, these settings are not roamed with normal operating system roaming configurations, and the resulting registry keys and values are stored in the following location:

      -
    • HKLM\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\{UserSID}\REGISTRY\MACHINE\SOFTWARE

    • -
    • HKCU\SOFTWARE\Microsoft\AppV\Client\Packages\{PkgGUID}\Registry\User\{UserSID}\SOFTWARE

    • +
    • HKLM\SOFTWARE\Microsoft\AppV\Client\Packages{PkgGUID}{UserSID}\REGISTRY\MACHINE\SOFTWARE

    • +
    • HKCU\SOFTWARE\Microsoft\AppV\Client\Packages{PkgGUID}\Registry\User{UserSID}\SOFTWARE
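Review bot: Same regression as the 5.0 copy of this hunk: `Packages{PkgGUID}{UserSID}\REGISTRY\MACHINE\SOFTWARE` joins the package GUID and user SID into one key name, and `Registry\User{UserSID}\SOFTWARE` drops the separator before the SID. Restore the `-` line paths (`Packages\{PkgGUID}\{UserSID}\...` and `Registry\User\{UserSID}\SOFTWARE`).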

    -  + ### App-V and folder redirection @@ -690,30 +690,30 @@ The following table shows local and roaming locations, when folder redirection h

    ProgramFilesX86

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\ProgramFilesX86

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\ProgramFilesX86

    SystemX86

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\SystemX86

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\SystemX86

    Windows

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\Windows

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\Windows

    appv_ROOT

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\appv_ROOT

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\appv_ROOT

    AppData

    -

    C:\users\jsmith\AppData\Roaming\Microsoft\AppV\Client\VFS\<GUID>\AppData

    +

    C:\users\jsmith\AppData<strong>Roaming\Microsoft\AppV\Client\VFS&lt;GUID>\AppData
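Review bot: All five `+` cells have the same breakage as the corresponding table in application-publishing-and-client-interaction.md: `AppData<strong>Local` (an unclosed bold tag where the separator was) and `VFS&lt;GUID>` (separator missing). The `-` cells were correct; keep their escaping or use `<code>` cells.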

    -  + -  + The following table shows local and roaming locations, when folder redirection has been implemented for %AppData%, and the location has been redirected (typically to a network location). @@ -731,30 +731,30 @@ The following table shows local and roaming locations, when folder redirection h

    ProgramFilesX86

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\ProgramFilesX86

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\ProgramFilesX86

    SystemX86

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\SystemX86

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\SystemX86

    Windows

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\Windows

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\Windows

    appv_ROOT

    -

    C:\users\jsmith\AppData\Local\Microsoft\AppV\Client\VFS\<GUID>\appv_ROOT

    +

    C:\users\jsmith\AppData<strong>Local\Microsoft\AppV\Client\VFS&lt;GUID>\appv_ROOT

    AppData

    -

    \\Fileserver\users\jsmith\roaming\Microsoft\AppV\Client\VFS\<GUID>\AppData

    +

    \Fileserver\users\jsmith\roaming\Microsoft\AppV\Client\VFS&lt;GUID>\AppData
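Review bot: The UNC path in the last `+` cell has lost its leading double backslash (`\Fileserver\...` instead of `\\Fileserver\...`) and the separator before `<GUID>`, and the four local-drive cells above it render with the same `AppData<strong>Local` / `VFS&lt;GUID>` damage as in the 5.0 topic. Restore the `-` cell contents for all five rows.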

    -  + -  + The current App-V Client VFS driver cannot write to network locations, so the App-V Client detects the presence of folder redirection and copies the data on the local drive during publishing and when the virtual environment starts. After the user closes the App-V application and the App-V Client closes the virtual environment, the local storage of the VFS AppData is copied back to the network, enabling roaming to additional machines, where the process will be repeated. The detailed steps of the processes are: @@ -888,7 +888,7 @@ Adding an App-V package to the client is the first step of the publishing refres **Note**   This will not perform a package deletion but rather remove integration points for the specific target (user or machine) and remove user catalog files (machine catalog files for globally published). -   + 6. Invoke background load mounting based on client configuration. @@ -897,7 +897,7 @@ Adding an App-V package to the client is the first step of the publishing refres **Note**   This condition occurs as a product of removal without unpublishing with background addition of the package. -   + This completes an App-V package add of the publishing refresh process. The next step is publishing the package to the specific target (machine or user). @@ -926,7 +926,7 @@ During the Publishing Refresh operation, the specific publishing operation (Publ **Note**   This enables restore extension points if the package is unpublished. -   + 3. Run scripts targeted for publishing timing. @@ -1017,7 +1017,7 @@ The App-V 5 package upgrade process differs from the older versions of App-V. Ap -  + When a task is placed in a pending state, the App-V client also generates a registry key for the pending task, as follows: @@ -1044,7 +1044,7 @@ When a task is placed in a pending state, the App-V client also generates a regi -  + The following operations must be completed before users can use the newer version of the package: 
@@ -1071,7 +1071,7 @@ The following operations must be completed before users can use the newer versio -  + Use the following example scenarios as a guide for updating packages. @@ -1101,7 +1101,7 @@ Use the following example scenarios as a guide for updating packages. -  + ### Global vs user publishing @@ -1240,7 +1240,7 @@ In this example: - `"[{AppVPackageRoot}]\Reader\AcroRd32.exe" "%1"` is the command line, which points to the application executable -  + ### Shell extensions @@ -1307,7 +1307,7 @@ The following table displays the supported shell extensions. -  + ### COM @@ -1372,7 +1372,7 @@ In this example: - `[{ProgramFilesX86}]\Mozilla Thunderbird\mozMapi32_InUse.dll` is the MAPI dll registration -  + ### URL Protocol handler @@ -1493,7 +1493,7 @@ Extension points are not all published the same way, where some extension points -  + ## Dynamic configuration processing @@ -1596,7 +1596,7 @@ During publishing of an App-V package with SxS assemblies the App-V Client will **Note**   UnPublishing or removing a package with an assembly does not remove the assemblies for that package. -  + ## Client logging @@ -1610,7 +1610,7 @@ In App-V 5.0 SP3, some logs were consolidated and moved to the following locatio For a list of the moved logs, see [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-event-logs-moved). -  + There are three specific categories of events recorded described below. @@ -1625,9 +1625,9 @@ There are three specific categories of events recorded described below. -  + -  + diff --git a/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md index c9b1def61b..ca24494376 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md 
@@ -22,7 +22,7 @@ After you have properly deployed the Microsoft Application Virtualization (App-V **Note**   For more information about configuring the Microsoft Application Virtualization (App-V) 5.0 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx) (http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx). -  + ## Sequencing an application @@ -38,7 +38,7 @@ You can use the App-V 5.0 Sequencer to perform the following tasks: **Note**   You must create shortcuts and save them to an available network location to allow roaming. If a shortcut is created and saved in a private location, the package must be published locally to the computer running the App-V 5.0 client. -   + - Convert existing virtual packages. @@ -59,7 +59,7 @@ When you use the sequencer to create a new virtual application, the following li **Important**   You must configure the %TMP% and %TEMP% folders that the package converter uses to be a secure location and directory. A secure location is only accessible by an administrator. Additionally, when you sequence the package you should save the package to a location that is secure, or make sure that no other user is allowed to be logged in during the conversion and monitoring process. -  + The **Options** dialog box in the sequencer console contains the following tabs: 
@@ -68,7 +68,7 @@ The **Options** dialog box in the sequencer console contains the following tabs: **Important**   Package Accelerators created using App-V 4.6 are not supported by App-V 5.0. -   + - **Parse Items**. This tab displays the associated file path locations that will be parsed or tokenized into in the virtual environment. Tokens are useful for adding files using the **Package Files** tab in **Advanced Editing**. @@ -146,7 +146,7 @@ The following table lists the supported shell extensions: -  + ## Copy on Write (CoW) file extension support @@ -273,7 +273,7 @@ The following table displays the file types that can exist in a virtual package .wsh -  + ## Modifying an existing virtual application package @@ -305,7 +305,7 @@ A template can specify and store multiple settings as follows: **Note**   Package accelerators created using a previous version of App-V must be recreated using App-V 5.0. -  + You can use App-V 5.0 package accelerators to automatically generate a new virtual application packages. After you have successfully created a package accelerator, you can reuse and share the package accelerator. @@ -334,9 +334,9 @@ You can also find additional information about sequencing errors using the Windo - [Operations for App-V 5.0](operations-for-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md index aa070a51f5..c781eb4fea 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md 
@@ -38,7 +38,7 @@ You can use the App-V 5.1 Sequencer to perform the following tasks: **Note**   You must create shortcuts and save them to an available network location to allow roaming. If a shortcut is created and saved in a private location, the package must be published locally to the computer running the App-V 5.1 client. -  + - Convert existing virtual packages. The sequencer uses the **%TMP% \\ Scratch** or **%TEMP% \\ Scratch** directory and the **Temp** directory to store temporary files during sequencing. On the computer that runs the sequencer, you should configure these directories with free disk space equivalent to the estimated application installation requirements. Configuring the temp directories and the Temp directory on different hard drive partitions can help improve performance during sequencing. diff --git a/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v.md index ba43f84195..88c3436957 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v.md +++ b/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v.md @@ -70,7 +70,7 @@ The following table shows the App-V versions, methods of Office package creation -  + ## Creating Office 2010 App-V 5.0 using the sequencer @@ -182,7 +182,7 @@ The following table provides a full list of supported integration points for Off

    Active X Controls:

    -

    For more information on ActiveX controls, refer to [ActiveX Control API Reference](https://go.microsoft.com/fwlink/p/?LinkId=331361).

    +

    For more information on ActiveX controls, refer to ActiveX Control API Reference.
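Review bot: The `+` cell drops the link and leaves "refer to ActiveX Control API Reference" as plain text, so the reader is told to consult a document they can no longer reach from this table. If the `https://go.microsoft.com/fwlink/p/?LinkId=331361` redirect is being retired, replace it with the current target rather than removing the link; if it still resolves, keep the `-` cell as it was.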

    @@ -273,7 +273,7 @@ The following table provides a full list of supported integration points for Off -  + ## Additional resources @@ -305,9 +305,9 @@ The following table provides a full list of supported integration points for Off -  + -  + diff --git a/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v51.md index d41897ce13..8e68496eec 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v51.md +++ b/mdop/appv-v5/deploying-microsoft-office-2010-by-using-app-v51.md @@ -71,7 +71,7 @@ The following table shows the App-V versions, methods of Office package creation -  + ## Creating Office 2010 App-V 5.1 using the sequencer @@ -183,7 +183,7 @@ The following table provides a full list of supported integration points for Off

    Active X Controls:

    -

    For more information on ActiveX controls, refer to [ActiveX Control API Reference](https://go.microsoft.com/fwlink/p/?LinkId=331361).

    +

    For more information on ActiveX controls, refer to ActiveX Control API Reference.
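Review bot: Same unlinked reference as in the 5.0 Office 2010 topic: the `+` cell keeps the sentence "For more information on ActiveX controls, refer to ActiveX Control API Reference" but removes the `https://go.microsoft.com/fwlink/p/?LinkId=331361` link behind it. Either keep the link or replace it with a live target; a bare title is not a usable reference.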

    @@ -274,7 +274,7 @@ The following table provides a full list of supported integration points for Off -  + ## Additional resources @@ -306,9 +306,9 @@ The following table provides a full list of supported integration points for Off -  + -  + diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md index ce433a1185..cd697fed7c 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md +++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v.md @@ -51,7 +51,7 @@ Use the following table to get information about supported versions of Office an -

    [Planning for Using App-V with Office](planning-for-using-app-v-with-office.md#bkmk-office-vers-supp-appv)

    +

    Planning for Using App-V with Office

    • Supported versions of Office

    • Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)

    • @@ -59,13 +59,13 @@ Use the following table to get information about supported versions of Office an
    -

    [Planning for Using App-V with Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)

    +

    Planning for Using App-V with Office

    Considerations for installing different versions of Office on the same computer
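Review bot: Both `+` rows in this table replace in-repo links with plain text: `[Planning for Using App-V with Office](planning-for-using-app-v-with-office.md#bkmk-office-vers-supp-appv)` and `[Planning for Using App-V with Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)` become the bare words "Planning for Using App-V with Office" twice. These are relative links to another topic in this docset, not external redirects, so there is no dead-link reason to remove them; restore the two links (with their bookmark fragments, since each row points at a different section of that topic).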

    -  + ### Packaging, publishing, and deployment requirements @@ -88,7 +88,7 @@ Before you deploy Office by using App-V, review the following requirements.
    • All of the Office applications that you want to deploy to users must be in a single package.

    • In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.

    • -
    • If you are deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#bkmk-deploy-visio-project).

    • +
    • If you are deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see Deploying Visio 2013 and Project 2013 with Office.
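Review bot: The `+` bullet removes the in-page anchor `[Deploying Visio 2013 and Project 2013 with Office](#bkmk-deploy-visio-project)` and leaves "For more information, see Deploying Visio 2013 and Project 2013 with Office" unlinked, while the section it points to is further down this same file. Keep the `#bkmk-deploy-visio-project` link; nothing about an intra-page anchor needs cleaning up here.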

    @@ -105,7 +105,7 @@ Before you deploy Office by using App-V, review the following requirements.
  • Visio Pro for Office 365

  • Project Pro for Office 365

  • -

    You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx).

    +

    You must enable shared computer activation.

    You don’t use shared computer activation if you’re deploying a volume licensed product, such as:

    • Office Professional Plus 2013
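Review bot: The `+` line turns `You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx).` into "You must enable shared computer activation." with no link, and this is the only place in the topic that tells the reader what the requirement is or where it is configured. Because it is a licensing-critical step for the subscription products listed just above (Office 365 ProPlus, Visio Pro and Project Pro for Office 365), keep a link, updated to the current location if the technet URL is the concern.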

    • @@ -116,7 +116,7 @@ Before you deploy Office by using App-V, review the following requirements. -  + ### Excluding Office applications from a package @@ -138,27 +138,27 @@ The following table describes the recommended methods for excluding specific Off

      Use the ExcludeApp setting when you create the package by using the Office Deployment Tool.

      • Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.

      • -
      • For more information, see [ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

      • +
      • For more information, see ExcludeApp element.

      Modify the DeploymentConfig.xml file

      • Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.

      • -
      • For more information, see [Disabling Office 2013 applications](#bkmk-disable-office-apps).

      • +
      • For more information, see Disabling Office 2013 applications.

      -  + ## Creating an Office 2013 package for App-V with the Office Deployment Tool Complete the following steps to create an Office 2013 package for App-V 5.0 or later. -**Important**   +**Important** In App-V 5.0 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages. @@ -193,9 +193,9 @@ The computer on which you are installing the Office Deployment Tool must have: -**Note**   +**Note** In this topic, the term “Office 2013 App-V package” refers to subscription licensing and volume licensing. -  + ### Create Office 2013 App-V Packages Using Office Deployment Tool 
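Review bot: The two `+` bullets in the exclusion table drop `[ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement)` and the in-page anchor `[Disabling Office 2013 applications](#bkmk-disable-office-apps)`, leaving "For more information, see ExcludeApp element." and "For more information, see Disabling Office 2013 applications." with nothing to click; the second is a local bookmark and should simply be kept, and the first should be replaced with a live target rather than removed. Separately, the `+**Important**` line that follows sits directly above the context line "In App-V 5.0 and later, you must the Office Deployment Tool to create a package.", which is missing the word "use"; since this hunk already touches that callout, fix it to "you must use the Office Deployment Tool".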
@@ -221,120 +221,120 @@ After you download the Office Deployment Tool, you can use it to get the latest The XML file that is included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included. -1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications: +1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications: - 1. Open the sample XML file in Notepad or your favorite text editor. + 1. Open the sample XML file in Notepad or your favorite text editor. - 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2013 applications. The following is a basic example of the configuration.xml file: + 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2013 applications. The following is a basic example of the configuration.xml file: - ``` syntax - - - - - - - - - - - ``` + ``` syntax + + + + + + + + + + + ``` - **Note**   - The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. + **Note** + The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. - The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. 
Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: + The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      InputDescriptionExample

      Add element

      Specifies the products and languages to include in the package.

      N/A

      OfficeClientEdition (attribute of Add element)

      Specifies the edition of Office 2013 product to use: 32-bit or 64-bit. The operation fails if OfficeClientEdition is not set to a valid value.

      OfficeClientEdition="32"

      -

      OfficeClientEdition="64"

      Product element

      Specifies the application. Project 2013 and Visio 2013 must be specified here as an added product to be included in the applications.

      Product ID ="O365ProPlusRetail "

      -

      Product ID ="VisioProRetail"

      -

      Product ID ="ProjectProRetail"

      -

      Product ID ="ProPlusVolume"

      -

      Product ID ="VisioProVolume"

      -

      Product ID = "ProjectProVolume"

      Language element

      Specifies the language supported in the applications

      Language ID="en-us"

      Version (attribute of Add element)

      Optional. Specifies a build to use for the package

      -

      Defaults to latest advertised build (as defined in v32.CAB at the Office source).

      15.1.2.3

      SourcePath (attribute of Add element)

      Specifies the location in which the applications will be saved to.

      Sourcepath = "\\Server\Office2013”

      + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      InputDescriptionExample

      Add element

      Specifies the products and languages to include in the package.

      N/A

      OfficeClientEdition (attribute of Add element)

      Specifies the edition of Office 2013 product to use: 32-bit or 64-bit. The operation fails if OfficeClientEdition is not set to a valid value.

      OfficeClientEdition="32"

      +

      OfficeClientEdition="64"

      Product element

      Specifies the application. Project 2013 and Visio 2013 must be specified here as an added product to be included in the applications.

      Product ID ="O365ProPlusRetail "

      +

      Product ID ="VisioProRetail"

      +

      Product ID ="ProjectProRetail"

      +

      Product ID ="ProPlusVolume"

      +

      Product ID ="VisioProVolume"

      +

      Product ID = "ProjectProVolume"

      Language element

      Specifies the language supported in the applications

      Language ID="en-us"

      Version (attribute of Add element)

      Optional. Specifies a build to use for the package

      +

      Defaults to latest advertised build (as defined in v32.CAB at the Office source).

      15.1.2.3

      SourcePath (attribute of Add element)

      Specifies the location in which the applications will be saved to.

      Sourcepath = "\Server\Office2013”

      - After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. + After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. -2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2013 applications that will later be converted into an App-V package. Below is an example command with description of details: +2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2013 applications that will later be converted into an App-V package. Below is an example command with description of details: - ``` syntax - \\server\Office2013\setup.exe /download \\server\Office2013\Customconfig.xml - ``` + ``` syntax + \\server\Office2013\setup.exe /download \\server\Office2013\Customconfig.xml + ``` - In the example: + In the example: + + + + + + + + + + + + + + + + + + + + + + + + +

      \server\Office2013

      is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

      Setup.exe

      is the Office Deployment Tool.

      /download

      downloads the Office 2013 applications that you specify in the customConfig.xml file. These bits can be later converted in an Office 2013 App-V package with Volume Licensing.

      \server\Office2013\Customconfig.xml

      passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \Server\Office2013.

      - - - - - - - - - - - - - - - - - - - - - - - -

      \\server\Office2013

      is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

      Setup.exe

      is the Office Deployment Tool.

      /download

      downloads the Office 2013 applications that you specify in the customConfig.xml file. These bits can be later converted in an Office 2013 App-V package with Volume Licensing.

      \\server\Office2013\Customconfig.xml

      passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \\Server\Office2013.

      -   ### Convert the Office applications into an App-V package @@ -386,180 +386,181 @@ After you download the Office 2013 applications through the Office Deployment To -  + **How to convert the Office applications into an App-V package** -1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: +1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      ParameterWhat to change the value to

      SourcePath

      Point to the Office applications downloaded earlier.

      ProductID

      Specify the type of licensing, as shown in the following examples:

      -
        -
      • Subscription Licensing

        -
        <Configuration>
        -       <Add SourcePath= "\\server\Office 2013" OfficeClientEdition="32" >
        -        <Product ID="O365ProPlusRetail">
        -          <Language ID="en-us" />
        -        </Product>
        -        <Product ID="VisioProRetail">
        -          <Language ID="en-us" />
        -        </Product>
        -      </Add>
        -    </Configuration> 
        -

        In this example, the following changes were made to create a package with Subscription licensing:

        - - - - - - - - - - - - - - - - - - - -

        SourcePath

        is the path, which was changed to point to the Office applications that were downloaded earlier.

        Product ID

        for Office was changed to O365ProPlusRetail.

        Product ID

        for Visio was changed to VisioProRetail.

        -

         

        -

      • -
      • Volume Licensing

        -
        <Configuration>
        -       <Add SourcePath= "\\Server\Office2013" OfficeClientEdition="32" >
        -        <Product ID="ProPlusVolume">
        -          <Language ID="en-us" />
        -        </Product>
        -        <Product ID="VisioProVolume">
        -          <Language ID="en-us" />
        -        </Product>
        -      </Add>
        -    </Configuration>
        -

        In this example, the following changes were made to create a package with Volume licensing:

        - - - - - - - - - - - - - - - - - - - -

        SourcePath

        is the path, which was changed to point to the Office applications that were downloaded earlier.

        Product ID

        for Office was changed to ProPlusVolume.

        Product ID

        for Visio was changed to VisioProVolume.

        -

         

        -

      • -

      ExcludeApp (optional)

      Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

      PACKAGEGUID (optional)

      By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

      -

      An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2013 for some users, and create another package with Office 2013 and Visio 2013 for another set of users.

      -
      - Note   -

      Even if you use unique package IDs, you can still deploy only one App-V package to a single device.

      -
      -
      -   -
      + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      ParameterWhat to change the value to

      SourcePath

      Point to the Office applications downloaded earlier.

      ProductID

      Specify the type of licensing, as shown in the following examples:

      +
        +
      • Subscription Licensing

        +
        <Configuration>
        +      <Add SourcePath= "\server\Office 2013" OfficeClientEdition="32" >
        +       <Product ID="O365ProPlusRetail">
        +         <Language ID="en-us" />
        +       </Product>
        +       <Product ID="VisioProRetail">
        +         <Language ID="en-us" />
        +       </Product>
        +     </Add>
        +   </Configuration> 
        +

        In this example, the following changes were made to create a package with Subscription licensing:

        + + + + + + + + + + + + + + + + + + + +

        SourcePath

        is the path, which was changed to point to the Office applications that were downloaded earlier.

        Product ID

        for Office was changed to O365ProPlusRetail.

        Product ID

        for Visio was changed to VisioProRetail.

        +

        +

      • +
      • Volume Licensing

        +
        <Configuration>
        +      <Add SourcePath= "\Server\Office2013" OfficeClientEdition="32" >
        +       <Product ID="ProPlusVolume">
        +         <Language ID="en-us" />
        +       </Product>
        +       <Product ID="VisioProVolume">
        +         <Language ID="en-us" />
        +       </Product>
        +     </Add>
        +   </Configuration>
        +

        In this example, the following changes were made to create a package with Volume licensing:

        + + + + + + + + + + + + + + + + + + + +

        SourcePath

        is the path, which was changed to point to the Office applications that were downloaded earlier.

        Product ID

        for Office was changed to ProPlusVolume.

        Product ID

        for Visio was changed to VisioProVolume.

        +

        +

      • +

      ExcludeApp (optional)

      Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

      PACKAGEGUID (optional)

      By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

      +

      An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2013 for some users, and create another package with Office 2013 and Visio 2013 for another set of users.

      +
      + Note

      Even if you use unique package IDs, you can still deploy only one App-V package to a single device.

      +
      +
      -   +
      -2. Use the /packager command to convert the Office applications to an Office 2013 App-V package. - For example: - ``` syntax - \\server\Office2013\setup.exe /packager \\server\Office2013\Customconfig.xml \\server\share\Office2013AppV - ``` +2. Use the /packager command to convert the Office applications to an Office 2013 App-V package. - In the example: + For example: - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      \\server\Office2013

      is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

      Setup.exe

      is the Office Deployment Tool.

      /packager

      creates the Office 2013 App-V package with Volume Licensing as specified in the customConfig.xml file.

      \\server\Office2013\Customconfig.xml

      passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.

      \\server\share\Office 2013AppV

      specifies the location of the newly created Office App-V package.

      + ``` syntax + \\server\Office2013\setup.exe /packager \\server\Office2013\Customconfig.xml \\server\share\Office2013AppV + ``` -   + In the example: - After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: + + + + + + + + + + + + + + + + + + + + + + + + + + + +

      \server\Office2013

      is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

      Setup.exe

      is the Office Deployment Tool.

      /packager

      creates the Office 2013 App-V package with Volume Licensing as specified in the customConfig.xml file.

      \server\Office2013\Customconfig.xml

      passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.

      \server\share\Office 2013AppV

      specifies the location of the newly created Office App-V package.

      - - **App-V Packages** – contains an Office 2013 App-V package and two deployment configuration files. - - **WorkingDir** - **Note**   - To troubleshoot any issues, see the log files in the %temp% directory (default). +~~~ +After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: -   +- **App-V Packages** – contains an Office 2013 App-V package and two deployment configuration files. -3. Verify that the Office 2013 App-V package works correctly: +- **WorkingDir** - 1. Publish the Office 2013 App-V package, which you created globally, to a test computer, and verify that the Office 2013 shortcuts appear. +**Note** +To troubleshoot any issues, see the log files in the %temp% directory (default). +~~~ - 2. Start a few Office 2013 applications, such as Excel or Word, to ensure that your package is working as expected. + + +3. Verify that the Office 2013 App-V package works correctly: + + 1. Publish the Office 2013 App-V package, which you created globally, to a test computer, and verify that the Office 2013 shortcuts appear. + + 2. Start a few Office 2013 applications, such as Excel or Word, to ensure that your package is working as expected. ## Publishing the Office package for App-V 5.0 @@ -604,7 +605,7 @@ Deploy the App-V package for Office 2013 by using the same methods you use for a -  + ### How to publish an Office package 
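Review bot: the rewritten HTML tables in hunks @@ -221 and @@ -386 drop one backslash from every UNC path, a content change hidden in what is otherwise whitespace cleanup. These cells are raw HTML, where Markdown backslash escaping does not apply, so the old `Sourcepath = "\\Server\Office2013"` and `\\server\Office2013` rendered as valid UNC paths; the new `Sourcepath = "\Server\Office2013"`, `\server\Office2013` and `<Add SourcePath= "\server\Office 2013" OfficeClientEdition="32" >` will render with a single leading backslash and point nowhere. Restore the double backslash in the `+` cells and in both licensing samples. In hunk @@ -386 the "After you run the **/packager** command" paragraph, its two bullets and the **Note** are also wrapped in `~~~` fence lines, which turns that prose into a literal code block (the bold markers and bullets display verbatim) and pulls it out of step 2 of the list; drop the fences and keep the original indentation. While this table is touched, the cell `\\server\share\Office 2013AppV` has a stray space that the command `\\server\share\Office2013AppV` does not, and "appear up in the directory" should read "appear in the directory".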
@@ -647,10 +648,10 @@ Use the steps in this section to enable Office plug-ins with your Office package 5. Add the Office 2013 App-V package and the plug-ins package you sequenced to the Connection Group you created. - **Important**   + **Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2013 App-V package first, and then add the plug-in App-V package. -   + 6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2013 App-V package. @@ -670,10 +671,10 @@ Use the steps in this section to enable Office plug-ins with your Office package You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you will save the changes, add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. -**Note**   +**Note** To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](https://technet.microsoft.com/library/jj219426.aspx). -  + **To disable an Office 2013 application** 
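Review bot: in hunks @@ -647 and @@ -670 the trailing spaces stripped from `**Important**` and `**Note**` were the Markdown hard line break that kept the label on its own line; with `+**Note**` followed directly by `To exclude specific Office applications ...`, the two lines now render as one paragraph ("Note To exclude ..."). The same pattern repeats for every `**Note**` and `**Important**` label in this patch, including the ones inside numbered steps. Either leave a blank line after the label or end it with `<br>` so the break survives the whitespace cleanup.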
@@ -758,14 +759,14 @@ To upgrade an Office 2013 package, use the Office Deployment Tool. To upgrade a 1. Create a new Office 2013 package through the Office Deployment Tool that uses the most recent Office 2013 application software. The most recent Office 2013 bits can always be obtained through the download stage of creating an Office 2013 App-V Package. The newly created Office 2013 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. - **Note**   + **Note** Office App-V packages have two Version IDs: - An Office 2013 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2013 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2013 package. -   + 2. Globally publish the newly created Office 2013 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2013 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast. @@ -808,7 +809,7 @@ The following table describes the requirements and options for deploying Visio 2

      How do I package and publish Visio 2013 and Project 2013 with Office?

      You must include Visio 2013 and Project 2013 in the same package with Office.

      -

      If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).

      +

      If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow Deploying Microsoft Office 2010 by Using App-V.

      How can I deploy Visio 2013 and Project 2013 to specific users?
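Review bot: hunk @@ -808 replaces the Markdown link `[Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md)` inside the HTML table cell with plain text, and the next hunk does the same to `[Microsoft AppLocker](https://technet.microsoft.com/library/dd723678.aspx)`; the hunks in deploying-microsoft-office-2013-by-using-app-v51.md repeat this for the Planning for Using App-V with Office, shared computer activation, ExcludeApp element and Disabling Office 2013 applications links. Markdown link syntax does not render inside raw HTML, which is presumably why the brackets were removed, but dropping the URL leaves the reader with an unlinked title. Keep the target by using an HTML anchor in the cell, for example `<a href="https://technet.microsoft.com/library/dd723678.aspx">Microsoft AppLocker</a>`, and the equivalent relative `href` for the in-repo topics.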

      @@ -839,17 +840,17 @@ The following table describes the requirements and options for deploying Visio 2
      1. Create a package that contains Office, Visio, and Project.

      2. Deploy the package to all users.

      3. -
      4. Use [Microsoft AppLocker](https://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

      5. +
      6. Use Microsoft AppLocker to prevent specific users from using Visio and Project.

      -

       

      +

      -  + ## Additional resources @@ -883,9 +884,9 @@ The following table describes the requirements and options for deploying Visio 2 -  - -  + + + diff --git a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md index 3cdaab8529..a5afa4ef90 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md +++ b/mdop/appv-v5/deploying-microsoft-office-2013-by-using-app-v51.md @@ -51,7 +51,7 @@ Use the following table to get information about supported versions of Office an -

      [Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-office-vers-supp-appv)

      +

      Planning for Using App-V with Office

      • Supported versions of Office

      • Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)

      • @@ -59,13 +59,13 @@ Use the following table to get information about supported versions of Office an
      -

      [Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-plan-coexisting)

      +

      Planning for Using App-V with Office

      Considerations for installing different versions of Office on the same computer

      -  + ### Packaging, publishing, and deployment requirements Before you deploy Office by using App-V, review the following requirements. @@ -87,7 +87,7 @@ Before you deploy Office by using App-V, review the following requirements.
      • All of the Office applications that you want to deploy to users must be in a single package.

      • In App-V 5.1 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.

      • -
      • If you are deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#bkmk-deploy-visio-project).

      • +
      • If you are deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see Deploying Visio 2013 and Project 2013 with Office.

      @@ -104,7 +104,7 @@ Before you deploy Office by using App-V, review the following requirements.
    • Visio Pro for Office 365

    • Project Pro for Office 365

    -

    You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx).

    +

    You must enable shared computer activation.

    You don’t use shared computer activation if you’re deploying a volume licensed product, such as:

    • Office Professional Plus 2013

    • @@ -115,7 +115,7 @@ Before you deploy Office by using App-V, review the following requirements. -  + ### Excluding Office applications from a package @@ -137,30 +137,30 @@ The following table describes the recommended methods for excluding specific Off

      Use the ExcludeApp setting when you create the package by using the Office Deployment Tool.

      • Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.

      • -
      • For more information, see [ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

      • +
      • For more information, see ExcludeApp element.

      Modify the DeploymentConfig.xml file

      • Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.

      • -
      • For more information, see [Disabling Office 2013 applications](#bkmk-disable-office-apps).

      • +
      • For more information, see Disabling Office 2013 applications.

      -  + ## Creating an Office 2013 package for App-V with the Office Deployment Tool Complete the following steps to create an Office 2013 package for App-V 5.1 or later. -**Important**   +**Important** In App-V 5.1 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages. -  + ### Review prerequisites for using the Office Deployment Tool @@ -192,12 +192,12 @@ The computer on which you are installing the Office Deployment Tool must have: -  -**Note**   + +**Note** In this topic, the term “Office 2013 App-V package” refers to subscription licensing and volume licensing. -  + ### Create Office 2013 App-V Packages Using Office Deployment Tool @@ -242,105 +242,107 @@ The XML file that is included in the Office Deployment Tool specifies the produc ``` - **Note**   + **Note** The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. -   - The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      InputDescriptionExample

      Add element

      Specifies the products and languages to include in the package.

      N/A

      OfficeClientEdition (attribute of Add element)

      Specifies the edition of Office 2013 product to use: 32-bit or 64-bit. The operation fails if OfficeClientEdition is not set to a valid value.

      OfficeClientEdition="32"

      -

      OfficeClientEdition="64"

      Product element

      Specifies the application. Project 2013 and Visio 2013 must be specified here as an added product to be included in the applications.

      Product ID ="O365ProPlusRetail "

      -

      Product ID ="VisioProRetail"

      -

      Product ID ="ProjectProRetail"

      -

      Product ID ="ProPlusVolume"

      -

      Product ID ="VisioProVolume"

      -

      Product ID = "ProjectProVolume"

      Language element

      Specifies the language supported in the applications

      Language ID="en-us"

      Version (attribute of Add element)

      Optional. Specifies a build to use for the package

      -

      Defaults to latest advertised build (as defined in v32.CAB at the Office source).

      15.1.2.3

      SourcePath (attribute of Add element)

      Specifies the location in which the applications will be saved to.

      Sourcepath = "\\Server\Office2013”

      - -   - - After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. - -2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2013 applications that will later be converted into an App-V package. Below is an example command with description of details: - - ``` syntax - \\server\Office2013\setup.exe /download \\server\Office2013\Customconfig.xml - ``` - - In the example: +~~~ + The above XML configuration file specifies that Office 2013 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2013, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2013 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: - - + + + + + + + + + + - - + + + - - + + + - - + + + - - + + + + + + + + + + + + +
      InputDescriptionExample

      \\server\Office2013

      is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

      Add element

      Specifies the products and languages to include in the package.

      N/A

      Setup.exe

      is the Office Deployment Tool.

      OfficeClientEdition (attribute of Add element)

      Specifies the edition of Office 2013 product to use: 32-bit or 64-bit. The operation fails if OfficeClientEdition is not set to a valid value.

      OfficeClientEdition="32"

      +

      OfficeClientEdition="64"

      /download

      downloads the Office 2013 applications that you specify in the customConfig.xml file. These bits can be later converted in an Office 2013 App-V package with Volume Licensing.

      Product element

      Specifies the application. Project 2013 and Visio 2013 must be specified here as an added product to be included in the applications.

      Product ID ="O365ProPlusRetail "

      +

      Product ID ="VisioProRetail"

      +

      Product ID ="ProjectProRetail"

      +

      Product ID ="ProPlusVolume"

      +

      Product ID ="VisioProVolume"

      +

      Product ID = "ProjectProVolume"

      \\server\Office2013\Customconfig.xml

      passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \\Server\Office2013.

      Language element

      Specifies the language supported in the applications

      Language ID="en-us"

      Version (attribute of Add element)

      Optional. Specifies a build to use for the package

      +

      Defaults to latest advertised build (as defined in v32.CAB at the Office source).

      15.1.2.3

      SourcePath (attribute of Add element)

      Specifies the location in which the applications will be saved to.

      Sourcepath = "\\Server\Office2013”

      -   + + + After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2013 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. +~~~ + +2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2013 applications that will later be converted into an App-V package. Below is an example command with description of details: + + ``` syntax + \\server\Office2013\setup.exe /download \\server\Office2013\Customconfig.xml + ``` + + In the example: + + + + + + + + + + + + + + + + + + + + + + + + +

      \server\Office2013

      is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

      Setup.exe

      is the Office Deployment Tool.

      /download

      downloads the Office 2013 applications that you specify in the customConfig.xml file. These bits can be later converted in an Office 2013 App-V package with Volume Licensing.

      \server\Office2013\Customconfig.xml

      passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \Server\Office2013.

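Review bot: The replacement cells for the /download step drop the leading backslash of every UNC path: `\\server\Office2013` and `\\server\Office2013\Customconfig.xml` now read `\server\Office2013` and `\server\Office2013\Customconfig.xml`, and the last cell says the applications land in `\Server\Office2013`, while the fenced command on the same step still reads `\\server\Office2013\setup.exe /download \\server\Office2013\Customconfig.xml`. A single leading backslash is a local path, not a share, so the explanation now contradicts the command it explains; keep the double backslash in the cells (escape it the way the original did if the renderer was collapsing it). The `~~~` line added just before step 2 also introduces a tilde fence on a page whose other fences are ``` syntax; if it closes something, the opener should match, and an unmatched tilde fence swallows the rest of the step as a code block.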
      + + ### Convert the Office applications into an App-V package @@ -392,180 +394,181 @@ After you download the Office 2013 applications through the Office Deployment To -  + **How to convert the Office applications into an App-V package** -1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: +1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      ParameterWhat to change the value to

      SourcePath

      Point to the Office applications downloaded earlier.

      ProductID

      Specify the type of licensing, as shown in the following examples:

      -
        -
      • Subscription Licensing

        -
        <Configuration>
        -       <Add SourcePath= "\\server\Office 2013" OfficeClientEdition="32" >
        -        <Product ID="O365ProPlusRetail">
        -          <Language ID="en-us" />
        -        </Product>
        -        <Product ID="VisioProRetail">
        -          <Language ID="en-us" />
        -        </Product>
        -      </Add>
        -    </Configuration> 
        -

        In this example, the following changes were made to create a package with Subscription licensing:

        - - - - - - - - - - - - - - - - - - - -

        SourcePath

        is the path, which was changed to point to the Office applications that were downloaded earlier.

        Product ID

        for Office was changed to O365ProPlusRetail.

        Product ID

        for Visio was changed to VisioProRetail.

        -

         

        -

      • -
      • Volume Licensing

        -
        <Configuration>
        -       <Add SourcePath= "\\Server\Office2013" OfficeClientEdition="32" >
        -        <Product ID="ProPlusVolume">
        -          <Language ID="en-us" />
        -        </Product>
        -        <Product ID="VisioProVolume">
        -          <Language ID="en-us" />
        -        </Product>
        -      </Add>
        -    </Configuration>
        -

        In this example, the following changes were made to create a package with Volume licensing:

        - - - - - - - - - - - - - - - - - - - -

        SourcePath

        is the path, which was changed to point to the Office applications that were downloaded earlier.

        Product ID

        for Office was changed to ProPlusVolume.

        Product ID

        for Visio was changed to VisioProVolume.

        -

         

        -

      • -

      ExcludeApp (optional)

      Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

      PACKAGEGUID (optional)

      By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

      -

      An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2013 for some users, and create another package with Office 2013 and Visio 2013 for another set of users.

      -
      - Note   -

      Even if you use unique package IDs, you can still deploy only one App-V package to a single device.

      -
      -
      -   -
      + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      ParameterWhat to change the value to

      SourcePath

      Point to the Office applications downloaded earlier.

      ProductID

      Specify the type of licensing, as shown in the following examples:

      +
        +
      • Subscription Licensing

        +
        <Configuration>
        +      <Add SourcePath= "\server\Office 2013" OfficeClientEdition="32" >
        +       <Product ID="O365ProPlusRetail">
        +         <Language ID="en-us" />
        +       </Product>
        +       <Product ID="VisioProRetail">
        +         <Language ID="en-us" />
        +       </Product>
        +     </Add>
        +   </Configuration> 
        +

        In this example, the following changes were made to create a package with Subscription licensing:

        + + + + + + + + + + + + + + + + + + + +

        SourcePath

        is the path, which was changed to point to the Office applications that were downloaded earlier.

        Product ID

        for Office was changed to O365ProPlusRetail.

        Product ID

        for Visio was changed to VisioProRetail.

        +

        +

      • +
      • Volume Licensing

        +
        <Configuration>
        +      <Add SourcePath= "\Server\Office2013" OfficeClientEdition="32" >
        +       <Product ID="ProPlusVolume">
        +         <Language ID="en-us" />
        +       </Product>
        +       <Product ID="VisioProVolume">
        +         <Language ID="en-us" />
        +       </Product>
        +     </Add>
        +   </Configuration>
        +

        In this example, the following changes were made to create a package with Volume licensing:

        + + + + + + + + + + + + + + + + + + + +

        SourcePath

        is the path, which was changed to point to the Office applications that were downloaded earlier.

        Product ID

        for Office was changed to ProPlusVolume.

        Product ID

        for Visio was changed to VisioProVolume.

        +

        +

      • +

      ExcludeApp (optional)

      Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

      PACKAGEGUID (optional)

      By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

      +

      An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2013 for some users, and create another package with Office 2013 and Visio 2013 for another set of users.

      +
      + Note

      Even if you use unique package IDs, you can still deploy only one App-V package to a single device.

      +
      +
      -   +
      -2. Use the /packager command to convert the Office applications to an Office 2013 App-V package. - For example: - ``` syntax - \\server\Office2013\setup.exe /packager \\server\Office2013\Customconfig.xml \\server\share\Office2013AppV - ``` +2. Use the /packager command to convert the Office applications to an Office 2013 App-V package. - In the example: + For example: - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      \\server\Office2013

      is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

      Setup.exe

      is the Office Deployment Tool.

      /packager

      creates the Office 2013 App-V package with Volume Licensing as specified in the customConfig.xml file.

      \\server\Office2013\Customconfig.xml

      passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.

      \\server\share\Office 2013AppV

      specifies the location of the newly created Office App-V package.

      + ``` syntax + \\server\Office2013\setup.exe /packager \\server\Office2013\Customconfig.xml \\server\share\Office2013AppV + ``` -   + In the example: - After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: + + + + + + + + + + + + + + + + + + + + + + + + + + + +

      \server\Office2013

      is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

      Setup.exe

      is the Office Deployment Tool.

      /packager

      creates the Office 2013 App-V package with Volume Licensing as specified in the customConfig.xml file.

      \server\Office2013\Customconfig.xml

      passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.

      \server\share\Office 2013AppV

      specifies the location of the newly created Office App-V package.

      - - **App-V Packages** – contains an Office 2013 App-V package and two deployment configuration files. - - **WorkingDir** - **Note**   - To troubleshoot any issues, see the log files in the %temp% directory (default). +~~~ +After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: -   +- **App-V Packages** – contains an Office 2013 App-V package and two deployment configuration files. -3. Verify that the Office 2013 App-V package works correctly: +- **WorkingDir** - 1. Publish the Office 2013 App-V package, which you created globally, to a test computer, and verify that the Office 2013 shortcuts appear. +**Note** +To troubleshoot any issues, see the log files in the %temp% directory (default). +~~~ - 2. Start a few Office 2013 applications, such as Excel or Word, to ensure that your package is working as expected. + + +3. Verify that the Office 2013 App-V package works correctly: + + 1. Publish the Office 2013 App-V package, which you created globally, to a test computer, and verify that the Office 2013 shortcuts appear. + + 2. Start a few Office 2013 applications, such as Excel or Word, to ensure that your package is working as expected. ## Publishing the Office package for App-V 5.1 @@ -610,7 +613,7 @@ Deploy the App-V package for Office 2013 by using the same methods you use for a -  + ### How to publish an Office package 
@@ -653,10 +656,10 @@ Use the steps in this section to enable Office plug-ins with your Office package 5. Add the Office 2013 App-V package and the plug-ins package you sequenced to the Connection Group you created. - **Important**   + **Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2013 App-V package first, and then add the plug-in App-V package. -   + 6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2013 App-V package. @@ -676,10 +679,10 @@ Use the steps in this section to enable Office plug-ins with your Office package You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you will save the changes, add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. -**Note**   +**Note** To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](https://technet.microsoft.com/library/jj219426.aspx). -  + **To disable an Office 2013 application** 
@@ -764,14 +767,14 @@ To upgrade an Office 2013 package, use the Office Deployment Tool. To upgrade a 1. Create a new Office 2013 package through the Office Deployment Tool that uses the most recent Office 2013 application software. The most recent Office 2013 bits can always be obtained through the download stage of creating an Office 2013 App-V Package. The newly created Office 2013 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. - **Note**   + **Note** Office App-V packages have two Version IDs: - An Office 2013 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2013 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2013 package. -   + 2. Globally publish the newly created Office 2013 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2013 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast. @@ -814,7 +817,7 @@ The following table describes the requirements and options for deploying Visio 2

      How do I package and publish Visio 2013 and Project 2013 with Office?

      You must include Visio 2013 and Project 2013 in the same package with Office.

      -

      If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).

      +

      If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow Deploying Microsoft Office 2010 by Using App-V.

      How can I deploy Visio 2013 and Project 2013 to specific users?

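Review bot: The answer to "How do I package and publish Visio 2013 and Project 2013 with Office?" loses its cross-reference: `[Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md)` becomes bare text "Deploying Microsoft Office 2010 by Using App-V", so the reader can no longer reach the topic the sentence tells them to follow. If the relative path was the problem, correct the path rather than removing the link.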
      @@ -845,17 +848,17 @@ The following table describes the requirements and options for deploying Visio 2
      1. Create a package that contains Office, Visio, and Project.

      2. Deploy the package to all users.

      3. -
      4. Use [Microsoft AppLocker](https://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

      5. +
      6. Use Microsoft AppLocker to prevent specific users from using Visio and Project.

      -

       

      +

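Review bot: The AppLocker step drops its link: `[Microsoft AppLocker](https://technet.microsoft.com/library/dd723678.aspx)` becomes plain "Microsoft AppLocker". In this procedure AppLocker is the only control that actually keeps specific users out of Visio and Project once the single package is deployed to everyone, so the reader needs a path to the configuration documentation; keep the link.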
      -  + ## Additional resources @@ -889,9 +892,9 @@ The following table describes the requirements and options for deploying Visio 2 -  - -  + + + diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md index d66760f8e6..b60166ff33 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md @@ -51,7 +51,7 @@ Use the following table to get information about supported versions of Office an -

      [Supported versions of Microsoft Office](planning-for-using-app-v-with-office.md#bkmk-office-vers-supp-appv)

      +

      Supported versions of Microsoft Office

      • Supported versions of Office

      • Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)

      • @@ -59,13 +59,13 @@ Use the following table to get information about supported versions of Office an
      -

      [Planning for Using App-V with coexisting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)

      +

      Planning for Using App-V with coexisting versions of Office

      Considerations for installing different versions of Office on the same computer

      -  + ### Packaging, publishing, and deployment requirements @@ -89,7 +89,7 @@ Before you deploy Office by using App-V, review the following requirements.
      • All of the Office applications that you want to deploy to users must be in a single package.

      • In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.

      • -
      • If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project).

      • +
      • If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see Deploying Visio 2016 and Project 2016 with Office.

      @@ -106,13 +106,13 @@ Before you deploy Office by using App-V, review the following requirements.
    • Visio Pro for Office 365

    • Project Pro for Office 365

    -

    You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx).

    +

    You must enable shared computer activation.

    -  + ### Excluding Office applications from a package @@ -134,20 +134,20 @@ The following table describes the recommended methods for excluding specific Off

    Use the ExcludeApp setting when you create the package by using the Office Deployment Tool.

    • Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.

    • -
    • For more information, see [ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

    • +
    • For more information, see ExcludeApp element.

    Modify the DeploymentConfig.xml file

    • Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.

    • -
    • For more information, see [Disabling Office 2016 applications](#bkmk-disable-office-apps).

    • +
    • For more information, see Disabling Office 2016 applications.

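Review bot: Both rows of the exclusion table lose their references: `[ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement)` and `[Disabling Office 2016 applications](#bkmk-disable-office-apps)` are reduced to plain text, leaving two "For more information, see ..." sentences that point at nothing. The second one is a same-page bookmark; restore both.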
    -  + ## Creating an Office 2016 package for App-V with the Office Deployment Tool @@ -188,8 +188,8 @@ The computer on which you are installing the Office Deployment Tool must have: ->**Note**  In this topic, the term “Office 2016 App-V package” refers to subscription licensing. -  +>**Note** In this topic, the term “Office 2016 App-V package” refers to subscription licensing. + ### Create Office 2016 App-V Packages Using Office Deployment Tool @@ -203,12 +203,12 @@ Office 2016 App-V Packages are created using the Office Deployment Tool, which g 1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117). ->**Important** You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages. -2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved. +> **Important** You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages. +> 2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved. Example: \\\\Server\\Office2016 -3. Check that a setup.exe and a configuration.xml file exist and are in the location you specified. +3. Check that a setup.exe and a configuration.xml file exist and are in the location you specified. ### Download Office 2016 applications 
@@ -216,125 +216,125 @@ After you download the Office Deployment Tool, you can use it to get the latest The XML file that is included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included. -1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications: +1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications: - 1. Open the sample XML file in Notepad or your favorite text editor. + 1. Open the sample XML file in Notepad or your favorite text editor. - 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file: + 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file: - ``` syntax - - - - - - - - - - - ``` + ``` syntax + + + + + + + + + + + ``` - >**Note**  The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line. + >**Note** The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line. 
- The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: + The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
    InputDescriptionExample

    Add element

    Specifies the products and languages to include in the package.

    N/A

    OfficeClientEdition (attribute of Add element)

    Specifies the edition of Office 2016 product to use: 32-bit or 64-bit. The operation fails if OfficeClientEdition is not set to a valid value.

    OfficeClientEdition="32"

    -

    OfficeClientEdition="64"

    Product element

    Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications. + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - -
    InputDescriptionExample

    Add element

    Specifies the products and languages to include in the package.

    N/A

    OfficeClientEdition (attribute of Add element)

    Specifies the edition of Office 2016 product to use: 32-bit or 64-bit. The operation fails if OfficeClientEdition is not set to a valid value.

    OfficeClientEdition="32"

    +

    OfficeClientEdition="64"

    Product element

    Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications. - For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297) -

    Product ID ="O365ProPlusRetail "

    -

    Product ID ="VisioProRetail"

    -

    Product ID ="ProjectProRetail"

    -

    Language element

    Specifies the language supported in the applications

    Language ID="en-us"

    Version (attribute of Add element)

    Optional. Specifies a build to use for the package

    -

    Defaults to latest advertised build (as defined in v32.CAB at the Office source).

    16.1.2.3

    SourcePath (attribute of Add element)

    Specifies the location in which the applications will be saved to.

    Sourcepath = "\\Server\Office2016”

    Channel (attribute of Add element)

    Optional. Specifies the update channel for the product that you want to download or install.

    For more information about update channels, see Overview of update channels for Office 365 ProPlus.

    Channel="Deferred"

    + For more information about the product IDs, see Product IDs that are supported by the Office Deployment Tool for Click-to-Run +

    Product ID ="O365ProPlusRetail "

    +

    Product ID ="VisioProRetail"

    +

    Product ID ="ProjectProRetail"

    +

    Language element

    Specifies the language supported in the applications

    Language ID="en-us"

    Version (attribute of Add element)

    Optional. Specifies a build to use for the package

    +

    Defaults to latest advertised build (as defined in v32.CAB at the Office source).

    16.1.2.3

    SourcePath (attribute of Add element)

    Specifies the location in which the applications will be saved to.

    Sourcepath = "\Server\Office2016”

    Channel (attribute of Add element)

    Optional. Specifies the update channel for the product that you want to download or install.

    For more information about update channels, see Overview of update channels for Office 365 ProPlus.

    Channel="Deferred"

    - After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. + After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. -2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with a description of details: +2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with a description of details: - ``` syntax - \\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml - ``` + ``` syntax + \\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml + ``` - In the example: + In the example: + + + + + + + + + + + + + + + + + + + + + + + + +

    \server\Office2016

    is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

    Setup.exe

    is the Office Deployment Tool.

    /download

    downloads the Office 2016 applications that you specify in the customConfig.xml file. These bits can be later converted in an Office 2016 App-V package with Volume Licensing.

    \server\Office2016\Customconfig.xml

    passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \Server\Office2016.

    - - - - - - - - - - - - - - - - - - - - - - - -

    \\server\Office2016

    is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

    Setup.exe

    is the Office Deployment Tool.

    /download

    downloads the Office 2016 applications that you specify in the customConfig.xml file. These bits can be later converted in an Office 2016 App-V package with Volume Licensing.

    \\server\Office2016\Customconfig.xml

    passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \\Server\Office2016.

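Review bot: The Product element row drops its reference, `[Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297)` becoming plain text, which is the one place this table tells the reader where valid Product ID values come from; restore it. The same hunk also loses the leading backslash of the UNC paths in the rewritten cells (`Sourcepath = "\Server\Office2016”`, `\server\Office2016`, `\server\Office2016\Customconfig.xml`, "in this example \Server\Office2016") while the fenced command keeps `\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml`. Restore `\\`, and since the SourcePath example is meant to be pasted into XML, replace the mixed straight-opening and curly-closing quotes in `"\Server\Office2016”` with straight quotes.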
    -   ### Convert the Office applications into an App-V package @@ -380,135 +380,137 @@ After you download the Office 2016 applications through the Office Deployment To -  + **How to convert the Office applications into an App-V package** -1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: +1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ParameterWhat to change the value to

    SourcePath

    Point to the Office applications downloaded earlier.

    ProductID

    Specify Subscription licensing, as shown in the following example:

    -
    <Configuration>
    -       <Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
    -        <Product ID="O365ProPlusRetail">
    -          <Language ID="en-us" />
    -        </Product>
    -        <Product ID="VisioProRetail">
    -          <Language ID="en-us" />
    -        </Product>
    -      </Add>
    -    </Configuration> 
    -

    In this example, the following changes were made to create a package with Subscription licensing:

    - - - - - - - - - - - - - - - - - - - -

    SourcePath

    is the path, which was changed to point to the Office applications that were downloaded earlier.

    Product ID

    for Office was changed to O365ProPlusRetail.

    Product ID

    for Visio was changed to VisioProRetail.

    -

    -

    ExcludeApp (optional)

    Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

    PACKAGEGUID (optional)

    By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

    -

    An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.

    ->**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device. -
    + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterWhat to change the value to

    SourcePath

    Point to the Office applications downloaded earlier.

    ProductID

    Specify Subscription licensing, as shown in the following example:

    +
    <Configuration>
    +      <Add SourcePath= "\server\Office 2016" OfficeClientEdition="32" >
    +       <Product ID="O365ProPlusRetail">
    +         <Language ID="en-us" />
    +       </Product>
    +       <Product ID="VisioProRetail">
    +         <Language ID="en-us" />
    +       </Product>
    +     </Add>
    +   </Configuration> 
    +

    In this example, the following changes were made to create a package with Subscription licensing:

    + + + + + + + + + + + + + + + + + + + +

    SourcePath

    is the path, which was changed to point to the Office applications that were downloaded earlier.

    Product ID

    for Office was changed to O365ProPlusRetail.

    Product ID

    for Visio was changed to VisioProRetail.

    +

    +

    ExcludeApp (optional)

    Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

    PACKAGEGUID (optional)

    By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

    +

    An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.

    + >Note Even if you use unique package IDs, you can still deploy only one App-V package to a single device. +
    -   -2. Use the /packager command to convert the Office applications to an Office 2016 App-V package. - For example: +2. Use the /packager command to convert the Office applications to an Office 2016 App-V package. - ``` syntax - \\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml \\server\share\Office2016AppV - ``` + For example: - In the example: + ``` syntax + \\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml \\server\share\Office2016AppV + ``` - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    \\server\Office2016

    is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

    Setup.exe

    is the Office Deployment Tool.

    /packager

    creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.

    \\server\Office2016\Customconfig.xml

    passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.

    \\server\share\Office 2016AppV

    specifies the location of the newly created Office App-V package.

    + In the example: -   + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    \server\Office2016

    is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

    Setup.exe

    is the Office Deployment Tool.

    /packager

    creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.

    \server\Office2016\Customconfig.xml

    passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.

    \server\share\Office 2016AppV

    specifies the location of the newly created Office App-V package.

    - After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: - - **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files. - - **WorkingDir** +~~~ +After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: - **Note** To troubleshoot any issues, see the log files in the %temp% directory (default). +- **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files. -   +- **WorkingDir** -3. Verify that the Office 2016 App-V package works correctly: +**Note** To troubleshoot any issues, see the log files in the %temp% directory (default). +~~~ - 1. Publish the Office 2016 App-V package, which you created globally, to a test computer, and verify that the Office 2016 shortcuts appear. - 2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected. + +3. Verify that the Office 2016 App-V package works correctly: + + 1. Publish the Office 2016 App-V package, which you created globally, to a test computer, and verify that the Office 2016 shortcuts appear. + + 2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected. ## Publishing the Office package for App-V @@ -553,7 +555,7 @@ Deploy the App-V package for Office 2016 by using the same methods you use for a -  + ### How to publish an Office package 
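Review bot: the `+~~~` … `+~~~` fence wrapped around the "After you run the **/packager** command" paragraph, the **App-V Packages** and **WorkingDir** bullets and the troubleshooting Note turns Markdown prose into a literal code block, so the bold markers, the bullets and the Note will render verbatim and the text falls out of step 2's indentation; drop the `~~~` lines and keep this as an indented paragraph and list under step 2. In the same hunk the `+` version of the "In the example" table writes the share as `\server\Office2016` and `\server\Office2016\Customconfig.xml` (and the sample XML as `<Add SourcePath= "\server\Office 2016" ...>`), a single-backslash path that no longer matches the `\\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml ...` command shown in the fenced block above it; restore the leading `\\` so the UNC paths are consistent.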
@@ -594,9 +596,9 @@ Use the steps in this section to enable Office plug-ins with your Office package 5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created. - >**Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package. + >**Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package. + -   6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2016 App-V package. 
@@ -616,8 +618,8 @@ Use the steps in this section to enable Office plug-ins with your Office package You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications. ->**Note** To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. -  +>**Note** To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. + **To disable an Office 2016 application** 
@@ -693,18 +695,18 @@ To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a **How to upgrade a previously deployed Office 2016 package** -1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. +1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. - >**Note** Office App-V packages have two Version IDs: -
      -
    • An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
    • -
    • A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
    • -
    -   + > **Note** Office App-V packages have two Version IDs: + >
      + >
    • An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
    • + >
    • A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
    • + >
    -2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast. -3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted. +2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast. + +3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted. ### Deploying Visio 2016 and Project 2016 with Office @@ -757,17 +759,17 @@ The following table describes the requirements and options for deploying Visio 2
    1. Create a package that contains Office, Visio, and Project.

    2. Deploy the package to all users.

    3. -
    4. Use [Microsoft AppLocker](https://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

    5. +
    6. Use Microsoft AppLocker to prevent specific users from using Visio and Project.

    -

     

    +
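Review bot: the `+ Use Microsoft AppLocker to prevent specific users from using Visio and Project.` line replaces `[Microsoft AppLocker](https://technet.microsoft.com/library/dd723678.aspx)` with plain text, so the only pointer to the AppLocker documentation in this Visio/Project deployment option is lost; keep the link, since the reader is being told to rely on AppLocker to restrict access to applications that are in the package.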

    -  + ## Additional resources diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md index ea9194d26f..e13e27d1f9 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md @@ -51,7 +51,7 @@ Use the following table to get information about supported versions of Office an -

    [Supported versions of Microsoft Office](planning-for-using-app-v-with-office.md#bkmk-office-vers-supp-appv)

    +

    Supported versions of Microsoft Office

    • Supported versions of Office

    • Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)
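Review bot: the `+` line turns `[Supported versions of Microsoft Office](planning-for-using-app-v-with-office.md#bkmk-office-vers-supp-appv)` into the bare text "Supported versions of Microsoft Office", so the table's cross-reference to the planning topic no longer resolves anywhere; retain the link target, or the row points the reader at nothing.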

    • @@ -59,13 +59,13 @@ Use the following table to get information about supported versions of Office an
    -

    [Planning for Using App-V with coexisting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)

    +

    Planning for Using App-V with coexisting versions of Office

    Considerations for installing different versions of Office on the same computer
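Review bot: same problem in this row: `[Planning for Using App-V with coexisting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)` becomes plain text in the `+` line, so the "Considerations for installing different versions of Office on the same computer" entry loses its destination; restore the `planning-for-using-app-v-with-office.md#bkmk-plan-coexisting` target.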

    -  + ### Packaging, publishing, and deployment requirements @@ -89,7 +89,7 @@ Before you deploy Office by using App-V, review the following requirements.
    • All of the Office applications that you want to deploy to users must be in a single package.

    • In App-V 5.1 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.

    • -
    • If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project).

    • +
    • If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see Deploying Visio 2016 and Project 2016 with Office.
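Review bot: the `+` bullet drops the in-page anchor `[Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project)` and leaves "For more information, see Deploying Visio 2016 and Project 2016 with Office." as unlinked text, which is a dangling "see" reference; keep the `#bkmk-deploy-visio-project` link so the requirement that Visio and Project be in the same package as Office connects to the section that explains the deployment options.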

    @@ -106,13 +106,13 @@ Before you deploy Office by using App-V, review the following requirements.
  • Visio Pro for Office 365

  • Project Pro for Office 365

  • -

    You must enable [shared computer activation](https://technet.microsoft.com/library/dn782860.aspx).

    +

    You must enable shared computer activation.
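Review bot: `+You must enable shared computer activation.` removes the `[shared computer activation](https://technet.microsoft.com/library/dn782860.aspx)` link from the licensing requirement for Visio Pro for Office 365 and Project Pro for Office 365; this is a configuration prerequisite the reader has to act on, so the reference to the shared computer activation documentation should stay.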

    -  + ### Excluding Office applications from a package @@ -134,20 +134,20 @@ The following table describes the recommended methods for excluding specific Off

    Use the ExcludeApp setting when you create the package by using the Office Deployment Tool.

    • Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.

    • -
    • For more information, see [ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement).

    • +
    • For more information, see ExcludeApp element.

    Modify the DeploymentConfig.xml file

    • Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.

    • -
    • For more information, see [Disabling Office 2016 applications](#bkmk-disable-office-apps).

    • +
    • For more information, see Disabling Office 2016 applications.
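Review bot: both "For more information" bullets in this table lose their targets in the `+` lines: `[ExcludeApp element](https://technet.microsoft.com/library/jj219426.aspx#bkmk-excludeappelement)` and `[Disabling Office 2016 applications](#bkmk-disable-office-apps)` are reduced to plain text, so neither the ExcludeApp setting nor the DeploymentConfig.xml method can be followed up from the table; restore both links, the second of which is an internal anchor that still exists in this topic.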

    -  + ## Creating an Office 2016 package for App-V with the Office Deployment Tool @@ -188,8 +188,8 @@ The computer on which you are installing the Office Deployment Tool must have: ->**Note**  In this topic, the term “Office 2016 App-V package” refers to subscription licensing. -  +>**Note** In this topic, the term “Office 2016 App-V package” refers to subscription licensing. + ### Create Office 2016 App-V Packages Using Office Deployment Tool @@ -203,12 +203,12 @@ Office 2016 App-V Packages are created using the Office Deployment Tool, which g 1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117). ->**Important** You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages. -2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved. +> **Important** You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages. +> 2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved. Example: \\\\Server\\Office2016 -3. Check that a setup.exe and a configuration.xml file exist and are in the location you specified. +3. Check that a setup.exe and a configuration.xml file exist and are in the location you specified. ### Download Office 2016 applications 
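Review bot: in the `@@ -203,12 +203,12 @@` hunk, the added `> 2. Run the .exe file and extract its features into the desired location...` line prefixes step 2 with `>`, which pulls the step into the `> **Important**` blockquote that precedes it; the numbered procedure then breaks between step 1 and step 3. Keep the `>` on the Important line only, follow it with a blank line, and leave `2. Run the .exe file ...` unquoted at list level.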
@@ -216,125 +216,125 @@ After you download the Office Deployment Tool, you can use it to get the latest The XML file that is included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included. -1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications: +1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications: - 1. Open the sample XML file in Notepad or your favorite text editor. + 1. Open the sample XML file in Notepad or your favorite text editor. - 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file: + 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file: - ``` syntax - - - - - - - - - - - ``` + ``` syntax + + + + + + + + + + + ``` - >**Note**  The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line. + >**Note** The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line. 
- The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: + The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
    InputDescriptionExample

    Add element

    Specifies the products and languages to include in the package.

    N/A

    OfficeClientEdition (attribute of Add element)

    Specifies the edition of Office 2016 product to use: 32-bit or 64-bit. The operation fails if OfficeClientEdition is not set to a valid value.

    OfficeClientEdition="32"

    -

    OfficeClientEdition="64"

    Product element

    Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications. + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - -
    InputDescriptionExample

    Add element

    Specifies the products and languages to include in the package.

    N/A

    OfficeClientEdition (attribute of Add element)

    Specifies the edition of Office 2016 product to use: 32-bit or 64-bit. The operation fails if OfficeClientEdition is not set to a valid value.

    OfficeClientEdition="32"

    +

    OfficeClientEdition="64"

    Product element

    Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications. - For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297) -

    Product ID ="O365ProPlusRetail "

    -

    Product ID ="VisioProRetail"

    -

    Product ID ="ProjectProRetail"

    -

    Language element

    Specifies the language supported in the applications

    Language ID="en-us"

    Version (attribute of Add element)

    Optional. Specifies a build to use for the package

    -

    Defaults to latest advertised build (as defined in v32.CAB at the Office source).

    16.1.2.3

    SourcePath (attribute of Add element)

    Specifies the location in which the applications will be saved to.

    Sourcepath = "\\Server\Office2016”

    Branch (attribute of Add element)

    Optional. Specifies the update branch for the product that you want to download or install.

    For more information about update branches, see Overview of update branches for Office 365 ProPlus.

    Branch = "Business"

    + For more information about the product IDs, see Product IDs that are supported by the Office Deployment Tool for Click-to-Run +

    Product ID ="O365ProPlusRetail "

    +

    Product ID ="VisioProRetail"

    +

    Product ID ="ProjectProRetail"

    +

    Language element

    Specifies the language supported in the applications

    Language ID="en-us"

    Version (attribute of Add element)

    Optional. Specifies a build to use for the package

    +

    Defaults to latest advertised build (as defined in v32.CAB at the Office source).

    16.1.2.3

    SourcePath (attribute of Add element)

    Specifies the location in which the applications will be saved to.

    Sourcepath = "\Server\Office2016”

    Branch (attribute of Add element)

    Optional. Specifies the update branch for the product that you want to download or install.

    For more information about update branches, see Overview of update branches for Office 365 ProPlus.

    Branch = "Business"

    - After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. + After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. -2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with a description of details: +2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with a description of details: - ``` syntax - \\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml - ``` + ``` syntax + \\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml + ``` - In the example: + In the example: + + + + + + + + + + + + + + + + + + + + + + + + +

    \server\Office2016

    is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

    Setup.exe

    is the Office Deployment Tool.

    /download

    downloads the Office 2016 applications that you specify in the customConfig.xml file. These bits can be later converted in an Office 2016 App-V package with Volume Licensing.

    \server\Office2016\Customconfig.xml

    passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \Server\Office2016.

    - - - - - - - - - - - - - - - - - - - - - - - -

    \\server\Office2016

    is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

    Setup.exe

    is the Office Deployment Tool.

    /download

    downloads the Office 2016 applications that you specify in the customConfig.xml file. These bits can be later converted in an Office 2016 App-V package with Volume Licensing.

    \\server\Office2016\Customconfig.xml

    passes the XML configuration file required to complete the download process, in this example, customconfig.xml. After using the download command, Office applications should be found in the location specified in the configuration xml file, in this example \\Server\Office2016.

    -   ### Convert the Office applications into an App-V package @@ -380,135 +380,137 @@ After you download the Office 2016 applications through the Office Deployment To -  + **How to convert the Office applications into an App-V package** -1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: +1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: - - - - - - - - - - - - - - - - - - - - - - - - - + + +
    ParameterWhat to change the value to

    SourcePath

    Point to the Office applications downloaded earlier.

    ProductID

    Specify Subscription licensing, as shown in the following example:

    -
    <Configuration>
    -       <Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
    -        <Product ID="O365ProPlusRetail">
    -          <Language ID="en-us" />
    -        </Product>
    -        <Product ID="VisioProRetail">
    -          <Language ID="en-us" />
    -        </Product>
    -      </Add>
    -    </Configuration> 
    -

    In this example, the following changes were made to create a package with Subscription licensing:

    - - - - - - - - - - - - - - - - - - - -

    SourcePath

    is the path, which was changed to point to the Office applications that were downloaded earlier.

    Product ID

    for Office was changed to O365ProPlusRetail.

    Product ID

    for Visio was changed to VisioProRetail.

    -

    -

    ExcludeApp (optional)

    Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

    PACKAGEGUID (optional)

    By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

    -

    An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.

    + + + + + + + + + + + + + + + + + + + + + + + + + - - -
    ParameterWhat to change the value to

    SourcePath

    Point to the Office applications downloaded earlier.

    ProductID

    Specify Subscription licensing, as shown in the following example:

    +
    <Configuration>
    +      <Add SourcePath= "\server\Office 2016" OfficeClientEdition="32" >
    +       <Product ID="O365ProPlusRetail">
    +         <Language ID="en-us" />
    +       </Product>
    +       <Product ID="VisioProRetail">
    +         <Language ID="en-us" />
    +       </Product>
    +     </Add>
    +   </Configuration> 
    +

    In this example, the following changes were made to create a package with Subscription licensing:

    + + + + + + + + + + + + + + + + + + + +

    SourcePath

    is the path, which was changed to point to the Office applications that were downloaded earlier.

    Product ID

    for Office was changed to O365ProPlusRetail.

    Product ID

    for Visio was changed to VisioProRetail.

    +

    +

    ExcludeApp (optional)

    Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

    PACKAGEGUID (optional)

    By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

    +

    An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.

    - >**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device. -
    + >Note Even if you use unique package IDs, you can still deploy only one App-V package to a single device. +
    -   -2. Use the /packager command to convert the Office applications to an Office 2016 App-V package. - For example: +2. Use the /packager command to convert the Office applications to an Office 2016 App-V package. - ``` syntax - \\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml \\server\share\Office2016AppV - ``` + For example: - In the example: + ``` syntax + \\server\Office2016\setup.exe /packager \\server\Office2016\Customconfig.xml \\server\share\Office2016AppV + ``` - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    \\server\Office2016

    is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

    Setup.exe

    is the Office Deployment Tool.

    /packager

    creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.

    \\server\Office2016\Customconfig.xml

    passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.

    \\server\share\Office 2016AppV

    specifies the location of the newly created Office App-V package.

    + In the example: -   + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    \server\Office2016

    is the network share location that contains the Office Deployment Tool and the custom Configuration.xml file, Customconfig.xml.

    Setup.exe

    is the Office Deployment Tool.

    /packager

    creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.

    \server\Office2016\Customconfig.xml

    passes the configuration XML file (in this case customConfig) that has been prepared for the packaging stage.

    \server\share\Office 2016AppV

    specifies the location of the newly created Office App-V package.

    - After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: - - **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files. - - **WorkingDir** +~~~ +After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: - **Note** To troubleshoot any issues, see the log files in the %temp% directory (default). +- **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files. -   +- **WorkingDir** -3. Verify that the Office 2016 App-V package works correctly: +**Note** To troubleshoot any issues, see the log files in the %temp% directory (default). +~~~ - 1. Publish the Office 2016 App-V package, which you created globally, to a test computer, and verify that the Office 2016 shortcuts appear. - 2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected. + +3. Verify that the Office 2016 App-V package works correctly: + + 1. Publish the Office 2016 App-V package, which you created globally, to a test computer, and verify that the Office 2016 shortcuts appear. + + 2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected. ## Publishing the Office package for App-V @@ -553,7 +555,7 @@ Deploy the App-V package for Office 2016 by using the same methods you use for a -  + ### How to publish an Office package 
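Review bot: this hunk strips one backslash from every UNC path in the tables and sample XML: `-       <Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >` becomes `+      <Add SourcePath= "\server\Office 2016" ...>`, the attribute example `Sourcepath = "\\Server\Office2016”` becomes `"\Server\Office2016”`, and the `\\server\Office2016` and `\\server\Office2016\Customconfig.xml` rows of the /download and /packager explanation tables become `\server\...`, while the fenced commands in the same hunk still read `\\server\Office2016\setup.exe ...`; restore the leading `\\` everywhere so the explanations match the commands. Three smaller points in the same hunk: `>**Note** Even if you use unique package IDs ...` becomes `>Note Even if ...` and loses its bold label, the Product element row drops the `[Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297)` link, and the `+~~~` fence around the "After you run the **/packager** command" paragraph and its **App-V Packages**/**WorkingDir** bullets turns that prose into a literal code block; each of these should be reverted to the Markdown in the `-` lines.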
@@ -594,9 +596,9 @@ Use the steps in this section to enable Office plug-ins with your Office package 5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created. - >**Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package. + >**Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package. + -   6. Ensure that both packages are published to the target computer and that the plug-in package is published globally to match the global settings of the published Office 2016 App-V package. 
@@ -616,8 +618,8 @@ Use the steps in this section to enable Office plug-ins with your Office package You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications. ->**Note** To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. -  +>**Note** To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. + **To disable an Office 2016 application** 
@@ -693,18 +695,18 @@ To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a **How to upgrade a previously deployed Office 2016 package** -1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. +1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. - >**Note** Office App-V packages have two Version IDs: -
      -
    • An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
    • -
    • A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
    • -
    -   + > **Note** Office App-V packages have two Version IDs: + >
      + >
    • An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
    • + >
    • A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
    • + >
    -2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast. -3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted. +2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast. + +3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted. ### Deploying Visio 2016 and Project 2016 with Office @@ -757,12 +759,12 @@ The following table describes the requirements and options for deploying Visio 2
    1. Create a package that contains Office, Visio, and Project.

    2. Deploy the package to all users.

    3. -
    4. Use [Microsoft AppLocker](https://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.

    5. +
    6. Use Microsoft AppLocker to prevent specific users from using Visio and Project.

    -

     

    +

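Review bot: The rewritten step drops the hyperlink: `Use [Microsoft AppLocker](https://technet.microsoft.com/library/dd723678.aspx) to prevent specific users from using Visio and Project.` becomes `Use Microsoft AppLocker to prevent specific users from using Visio and Project.`, so readers lose the pointer to the AppLocker documentation. If the old technet URL is the reason for removing it, swap in the current AppLocker page rather than leaving plain text; otherwise restore the link, since the rest of this change only normalizes whitespace.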
    diff --git a/mdop/appv-v5/deploying-the-app-v-50-sequencer-and-client.md b/mdop/appv-v5/deploying-the-app-v-50-sequencer-and-client.md index db13ee2df3..1ad01a6915 100644 --- a/mdop/appv-v5/deploying-the-app-v-50-sequencer-and-client.md +++ b/mdop/appv-v5/deploying-the-app-v-50-sequencer-and-client.md @@ -45,7 +45,7 @@ You can use the Microsoft ADMX template to configure the client settings for the **Important**   You can obtain the App-V 5.0 ADMX template from the Microsoft Download Center. -  + After you download and install the ADMX template, perform the following steps on the computer that you will use to manage Group Policy. This is typically the Domain Controller. @@ -67,7 +67,7 @@ The App-V 5.0 Shared Content Store (SCS) mode enables the SCS App-V 5.0 clients **Important**   If the App-V 5.0 client is configured to run in the SCS mode, the location where the App-V 5.0 packages are streamed from must be available, otherwise, the virtualized package will fail. Additionally, we do not recommend deployment of virtualized applications to computers that run the App-V 5.0 client in the SCS mode across the internet. -  + Additionally, the SCS is not a physical location that contains virtualized packages. It is a mode that allows the App-V 5.0 client to stream the required virtualized package data across the network. @@ -115,9 +115,9 @@ In App-V 5.0 SP3, some logs have been consolidated. See [About App-V 5.0 SP3](ab -  + -  + diff --git a/mdop/appv-v5/deploying-the-app-v-50-server.md b/mdop/appv-v5/deploying-the-app-v-50-server.md index 41f8698647..a9c5cecc6e 100644 --- a/mdop/appv-v5/deploying-the-app-v-50-server.md +++ b/mdop/appv-v5/deploying-the-app-v-50-server.md 
@@ -24,7 +24,7 @@ For information about deploying the App-V 5.0 SP3 Server, see [About App-V 5.0 S **Important**   Before you install and configure the App-V 5.0 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports. The installer does not modify firewall settings. -  + ## App-V 5.0 Server overview @@ -73,7 +73,7 @@ You can also deploy the App-V 5.0 clients and packages by using an ESD without h **Note**   The App-V 5.0 reporting server and reporting database can still be deployed alongside the ESD to collect the reporting data from the App-V 5.0 clients. However, the other three server components should not be deployed, because they will conflict with the ESD functionality. -  + [Deploying App-V 5.0 Packages by Using Electronic Software Distribution (ESD)](deploying-app-v-50-packages-by-using-electronic-software-distribution--esd-.md) @@ -119,9 +119,9 @@ Use the following link for more information [About App-V 5.0 Reporting](about-ap -  + -  + diff --git a/mdop/appv-v5/deploying-the-app-v-51-sequencer-and-client.md b/mdop/appv-v5/deploying-the-app-v-51-sequencer-and-client.md index 6c98f04e77..0811cc8ca8 100644 --- a/mdop/appv-v5/deploying-the-app-v-51-sequencer-and-client.md +++ b/mdop/appv-v5/deploying-the-app-v-51-sequencer-and-client.md @@ -45,7 +45,7 @@ You can use the Microsoft ADMX template to configure the client settings for the **Important**   You can obtain the App-V 5.1 ADMX template from the Microsoft Download Center. -  + After you download and install the ADMX template, perform the following steps on the computer that you will use to manage Group Policy. This is typically the Domain Controller. 
@@ -67,7 +67,7 @@ The App-V 5.1 Shared Content Store (SCS) mode enables the SCS App-V 5.1 clients **Important**   If the App-V 5.1 client is configured to run in the SCS mode, the location where the App-V 5.1 packages are streamed from must be available, otherwise, the virtualized package will fail. Additionally, we do not recommend deployment of virtualized applications to computers that run the App-V 5.1 client in the SCS mode across the internet. -  + Additionally, the SCS is not a physical location that contains virtualized packages. It is a mode that allows the App-V 5.1 client to stream the required virtualized package data across the network. @@ -113,9 +113,9 @@ You can use the App-V 5.1 Sequencer log information to help troubleshoot the Seq -  + -  + diff --git a/mdop/appv-v5/deploying-the-app-v-51-server.md b/mdop/appv-v5/deploying-the-app-v-51-server.md index 6e7325a0c2..10380a684e 100644 --- a/mdop/appv-v5/deploying-the-app-v-51-server.md +++ b/mdop/appv-v5/deploying-the-app-v-51-server.md @@ -24,7 +24,7 @@ For information about deploying the App-V Server, see [About App-V 5.1](about-ap **Important**   Before you install and configure the App-V 5.1 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports. The installer does not modify firewall settings. -  + ## App-V 5.1 Server overview @@ -73,7 +73,7 @@ You can also deploy the App-V 5.1 clients and packages by using an ESD without h **Note**   The App-V 5.1 reporting server and reporting database can still be deployed alongside the ESD to collect the reporting data from the App-V 5.1 clients. However, the other three server components should not be deployed, because they will conflict with the ESD functionality. -  + [Deploying App-V 5.1 Packages by Using Electronic Software Distribution (ESD)](deploying-app-v-51-packages-by-using-electronic-software-distribution--esd-.md) 
@@ -119,9 +119,9 @@ Use the following link for more information [About App-V 5.1 Reporting](about-ap -  + -  + diff --git a/mdop/appv-v5/getting-started-with-app-v-50--rtm.md b/mdop/appv-v5/getting-started-with-app-v-50--rtm.md index dab81dc002..861662bca5 100644 --- a/mdop/appv-v5/getting-started-with-app-v-50--rtm.md +++ b/mdop/appv-v5/getting-started-with-app-v-50--rtm.md @@ -56,7 +56,7 @@ App-V consists of the following elements:
  • Retrieves virtual applications

  • Publishes the applications on the clients

  • Automatically sets up and manages virtual environments at runtime on Windows endpoints.

  • -
  • Stores user-specific virtual application settings, such as registry and file changes, in each user's profile.

  • +
  • Stores user-specific virtual application settings, such as registry and file changes, in each user's profile.

  • @@ -78,7 +78,7 @@ App-V consists of the following elements: -  + For more information about these elements, see [High Level Architecture for App-V 5.0](high-level-architecture-for-app-v-50.md). @@ -87,7 +87,7 @@ If you are new to this product, we recommend that you read the documentation tho **Note**   A downloadable version of this administrator’s guide is not available. However, you can learn about a special mode of the TechNet Library that allows you to select articles, group them in a collection, and print them or export them to a file at (https://go.microsoft.com/fwlink/?LinkId=272491). -  + This section of the App-V 5.0 Administrator’s Guide includes high-level information about App-V 5.0 to provide you with a basic understanding of the product before you begin the deployment planning. @@ -140,9 +140,9 @@ This section of the App-V 5.0 Administrator’s Guide includes high-level inform -  + -  + diff --git a/mdop/appv-v5/getting-started-with-app-v-51.md b/mdop/appv-v5/getting-started-with-app-v-51.md index 6303e011c1..f508e2c3a6 100644 --- a/mdop/appv-v5/getting-started-with-app-v-51.md +++ b/mdop/appv-v5/getting-started-with-app-v-51.md @@ -56,7 +56,7 @@ App-V consists of the following elements:
  • Retrieves virtual applications

  • Publishes the applications on the clients

  • Automatically sets up and manages virtual environments at runtime on Windows endpoints.

  • -
  • Stores user-specific virtual application settings, such as registry and file changes, in each user's profile.

  • +
  • Stores user-specific virtual application settings, such as registry and file changes, in each user's profile.

  • @@ -78,7 +78,7 @@ App-V consists of the following elements: -  + For more information about these elements, see [High Level Architecture for App-V 5.1](high-level-architecture-for-app-v-51.md). @@ -87,7 +87,7 @@ If you are new to this product, we recommend that you read the documentation tho **Note**   A downloadable version of this administrator’s guide is not available. However, you can learn about a special mode of the TechNet Library that allows you to select articles, group them in a collection, and print them or export them to a file at (https://go.microsoft.com/fwlink/?LinkId=272491). -  + This section of the App-V 5.1 Administrator’s Guide includes high-level information about App-V 5.1 to provide you with a basic understanding of the product before you begin the deployment planning. @@ -130,9 +130,9 @@ This section of the App-V 5.1 Administrator’s Guide includes high-level inform -  + -  + diff --git a/mdop/appv-v5/high-level-architecture-for-app-v-50.md b/mdop/appv-v5/high-level-architecture-for-app-v-50.md index c3938da7ea..e23df5f0a1 100644 --- a/mdop/appv-v5/high-level-architecture-for-app-v-50.md +++ b/mdop/appv-v5/high-level-architecture-for-app-v-50.md @@ -64,12 +64,12 @@ A typical App-V 5.0 implementation consists of the following elements. -  + **Note**   If you are using App-V 5.0 with Electronic Software Distribution (ESD) you are not required to use the App-V 5.0 Management server, however you can still utilize the reporting and streaming functionality of App-V 5.0. -  + @@ -81,9 +81,9 @@ If you are using App-V 5.0 with Electronic Software Distribution (ESD) you are n [Getting Started with App-V 5.0](getting-started-with-app-v-50--rtm.md) -  + -  + diff --git a/mdop/appv-v5/high-level-architecture-for-app-v-51.md b/mdop/appv-v5/high-level-architecture-for-app-v-51.md index 03d0bf6b11..af616233b3 100644 --- a/mdop/appv-v5/high-level-architecture-for-app-v-51.md +++ b/mdop/appv-v5/high-level-architecture-for-app-v-51.md 
@@ -64,12 +64,12 @@ A typical App-V 5.1 implementation consists of the following elements. -  + **Note**   If you are using App-V 5.1 with Electronic Software Distribution (ESD) you are not required to use the App-V 5.1 Management server, however you can still utilize the reporting and streaming functionality of App-V 5.1. -  + @@ -81,9 +81,9 @@ If you are using App-V 5.1 with Electronic Software Distribution (ESD) you are n [Getting Started with App-V 5.1](getting-started-with-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-access-the-client-management-console.md b/mdop/appv-v5/how-to-access-the-client-management-console.md index 40f15bb4e5..1e5fc68d4b 100644 --- a/mdop/appv-v5/how-to-access-the-client-management-console.md +++ b/mdop/appv-v5/how-to-access-the-client-management-console.md @@ -22,7 +22,7 @@ Use the App-V 5.0 client management console to manage packages on the computer r **Note**   To perform all of the actions available using the client management console, you must have administrative access on the computer running the App-V 5.0 client. -  + Use the following procedure to access the client management console. @@ -33,7 +33,7 @@ Use the following procedure to access the client management console. **Note**   For computers running the App-V 5.0 Remote Desktop Services client version, to access client management console follow step 1 of this procedure on the server running the client. -   + 2. When the App-V 5.0 client management console is displayed, click the tab you want to review and perform any required tasks. For more information about the client management console tasks see, [Using the App-V 5.0 Client Management Console](using-the-app-v-50-client-management-console.md). @@ -44,9 +44,9 @@ Use the following procedure to access the client management console. [Operations for App-V 5.0](operations-for-app-v-50.md) -  + -  + 
diff --git a/mdop/appv-v5/how-to-access-the-client-management-console51.md b/mdop/appv-v5/how-to-access-the-client-management-console51.md index f3839935f5..e98a45a0a3 100644 --- a/mdop/appv-v5/how-to-access-the-client-management-console51.md +++ b/mdop/appv-v5/how-to-access-the-client-management-console51.md @@ -22,7 +22,7 @@ Use the App-V 5.1 client management console to manage packages on the computer r **Note**   To perform all of the actions available using the client management console, you must have administrative access on the computer running the App-V 5.1 client. -  + Use the following procedure to access the client management console. @@ -33,7 +33,7 @@ Use the following procedure to access the client management console. **Note**   For computers running the App-V 5.1 Remote Desktop Services client version, to access client management console follow step 1 of this procedure on the server running the client. -   + 2. When the App-V 5.1 client management console is displayed, click the tab you want to review and perform any required tasks. For more information about the client management console tasks see, [Using the App-V 5.1 Client Management Console](using-the-app-v-51-client-management-console.md). @@ -44,9 +44,9 @@ Use the following procedure to access the client management console. [Operations for App-V 5.1](operations-for-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-add-or-upgrade-packages-by-using-the-management-console-51-gb18030.md b/mdop/appv-v5/how-to-add-or-upgrade-packages-by-using-the-management-console-51-gb18030.md index d24a45d2c4..0d643c8054 100644 --- a/mdop/appv-v5/how-to-add-or-upgrade-packages-by-using-the-management-console-51-gb18030.md +++ b/mdop/appv-v5/how-to-add-or-upgrade-packages-by-using-the-management-console-51-gb18030.md 
@@ -34,7 +34,7 @@ You can the following procedure to add or upgrade a package to the App-V 5.1 Man **Important**   You must select a package with the **.appv** file name extension. -   + 4. The page displays the status message **Adding <Packagename>**. Click **IMPORT STATUS** to check the status of a package that you have imported. @@ -49,9 +49,9 @@ You can the following procedure to add or upgrade a package to the App-V 5.1 Man [Operations for App-V 5.1](operations-for-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-add-or-upgrade-packages-by-using-the-management-console-beta-gb18030.md b/mdop/appv-v5/how-to-add-or-upgrade-packages-by-using-the-management-console-beta-gb18030.md index 40a7b15611..6ffae20774 100644 --- a/mdop/appv-v5/how-to-add-or-upgrade-packages-by-using-the-management-console-beta-gb18030.md +++ b/mdop/appv-v5/how-to-add-or-upgrade-packages-by-using-the-management-console-beta-gb18030.md @@ -34,7 +34,7 @@ You can the following procedure to add or upgrade a package to the App-V 5.0 Man **Important**   You must select a package with the **.appv** file name extension. -   + 4. The page displays the status message **Adding <Packagename>**. Click **IMPORT STATUS** to check the status of a package that you have imported. @@ -49,9 +49,9 @@ You can the following procedure to add or upgrade a package to the App-V 5.0 Man [Operations for App-V 5.0](operations-for-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/how-to-allow-only-administrators-to-enable-connection-groups.md b/mdop/appv-v5/how-to-allow-only-administrators-to-enable-connection-groups.md index ebe5a92d02..a04d25f7ae 100644 --- a/mdop/appv-v5/how-to-allow-only-administrators-to-enable-connection-groups.md +++ b/mdop/appv-v5/how-to-allow-only-administrators-to-enable-connection-groups.md 
@@ -22,7 +22,7 @@ You can configure the App-V client so that only administrators (not end users) c **Note**   **This feature is supported starting in App-V 5.0 SP3.** -  + Use one of the following methods to allow only administrators to enable or disable connection groups. @@ -56,7 +56,7 @@ Use one of the following methods to allow only administrators to enable or disab -  + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). @@ -65,9 +65,9 @@ Use one of the following methods to allow only administrators to enable or disab [Managing Connection Groups](managing-connection-groups.md) -  + -  + diff --git a/mdop/appv-v5/how-to-allow-only-administrators-to-enable-connection-groups51.md b/mdop/appv-v5/how-to-allow-only-administrators-to-enable-connection-groups51.md index fb60c0628f..1a6a35f007 100644 --- a/mdop/appv-v5/how-to-allow-only-administrators-to-enable-connection-groups51.md +++ b/mdop/appv-v5/how-to-allow-only-administrators-to-enable-connection-groups51.md @@ -22,7 +22,7 @@ You can configure the App-V client so that only administrators (not end users) c **Note**   **This feature is supported starting in App-V 5.0 SP3.** -  + Use one of the following methods to allow only administrators to enable or disable connection groups. @@ -56,7 +56,7 @@ Use one of the following methods to allow only administrators to enable or disab -  + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). 
@@ -65,9 +65,9 @@ Use one of the following methods to allow only administrators to enable or disab [Managing Connection Groups](managing-connection-groups51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-apply-the-deployment-configuration-file-by-using-powershell.md b/mdop/appv-v5/how-to-apply-the-deployment-configuration-file-by-using-powershell.md index 6555bb02e3..8e30f21d57 100644 --- a/mdop/appv-v5/how-to-apply-the-deployment-configuration-file-by-using-powershell.md +++ b/mdop/appv-v5/how-to-apply-the-deployment-configuration-file-by-using-powershell.md @@ -29,23 +29,25 @@ The dynamic deployment configuration file is applied when a package is added or **Add-AppVClientPackage –Path c:\\Packages\\Contoso\\MyApp.appv -DynamicDeploymentConfiguration c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml** - **Note**   + **Note** This command captures the resulting object into $pkg. If the package is already present on the computer, the **Set-AppVclientPackage** cmdlet can be used to apply the deployment configuration document: **Set-AppVClientPackage –Name Myapp –Path c:\\Packages\\Contoso\\MyApp.appv -DynamicDeploymentConfiguration c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml** -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Operations for App-V 5.0](operations-for-app-v-50.md) -  - -  + + + 
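Review bot: In how-to-apply-the-deployment-configuration-file-by-using-powershell.md the feedback paragraph is wrapped in `~~~` fences (`+~~~` / `+**Got a suggestion for App-V**? ...` / `+~~~`), which renders it as a verbatim code block: the two links and the bold prompts will show as raw markdown instead of clickable links. Drop the fences (or indent the paragraph if it needs to stay inside the numbered step). The added line also carries over the misplaced bold markers in `**Got an App-V issu**e?`; the sibling powershell51.md hunk has it right as `**Got an App-V issue?**`, so correct it here while the line is being rewritten. The same `~~~` wrapping is added in the powershell51.md hunk and needs the same fix.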
diff --git a/mdop/appv-v5/how-to-apply-the-deployment-configuration-file-by-using-powershell51.md b/mdop/appv-v5/how-to-apply-the-deployment-configuration-file-by-using-powershell51.md index 69344880d1..dac9fedce1 100644 --- a/mdop/appv-v5/how-to-apply-the-deployment-configuration-file-by-using-powershell51.md +++ b/mdop/appv-v5/how-to-apply-the-deployment-configuration-file-by-using-powershell51.md @@ -29,23 +29,25 @@ The dynamic deployment configuration file is applied when a package is added or **Add-AppVClientPackage –Path c:\\Packages\\Contoso\\MyApp.appv -DynamicDeploymentConfiguration c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml** - **Note**   + **Note** This command captures the resulting object into $pkg. If the package is already present on the computer, the **Set-AppVclientPackage** cmdlet can be used to apply the deployment configuration document: **Set-AppVClientPackage –Name Myapp –Path c:\\Packages\\Contoso\\MyApp.appv -DynamicDeploymentConfiguration c:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml** -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Operations for App-V 5.1](operations-for-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-configure-access-to-packages-by-using-the-management-console-50.md b/mdop/appv-v5/how-to-configure-access-to-packages-by-using-the-management-console-50.md index 5ec2a3cf5a..2afafa6b63 100644 
--- a/mdop/appv-v5/how-to-configure-access-to-packages-by-using-the-management-console-50.md +++ b/mdop/appv-v5/how-to-configure-access-to-packages-by-using-the-management-console-50.md @@ -38,7 +38,7 @@ Use the following procedure to configure access to virtualized packages. **Note**   Ensure that you provide an associated domain name for the group that you are searching for. -   + 3. To grant access to the package, select the desired group and click **Grant Access**. The newly added group is displayed in the **AD ENTITIES WITH ACCESS** pane. @@ -67,9 +67,9 @@ Use the following procedure to configure access to virtualized packages. [Operations for App-V 5.0](operations-for-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/how-to-configure-access-to-packages-by-using-the-management-console-51.md b/mdop/appv-v5/how-to-configure-access-to-packages-by-using-the-management-console-51.md index 972427f79a..b7683c7b78 100644 --- a/mdop/appv-v5/how-to-configure-access-to-packages-by-using-the-management-console-51.md +++ b/mdop/appv-v5/how-to-configure-access-to-packages-by-using-the-management-console-51.md @@ -38,7 +38,7 @@ Use the following procedure to configure access to virtualized packages. **Note**   Ensure that you provide an associated domain name for the group that you are searching for. -   + 3. To grant access to the package, select the desired group and click **Grant Access**. The newly added group is displayed in the **AD ENTITIES WITH ACCESS** pane. @@ -67,9 +67,9 @@ Use the following procedure to configure access to virtualized packages. [Operations for App-V 5.1](operations-for-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-51.md b/mdop/appv-v5/how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-51.md index 2d78cc9bcb..8e6b0c9389 100644 
--- a/mdop/appv-v5/how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-51.md +++ b/mdop/appv-v5/how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-51.md @@ -24,7 +24,7 @@ Use the following steps to configure the App-V 5.1 client to receive updates fro **Note**   For the following procedures the management server was installed on a computer named **MyMgmtSrv**, and the publishing server was installed on a computer named **MyPubSrv**. -  + **To configure the App-V 5.1 client to receive updates from the publishing server** @@ -77,9 +77,9 @@ For the following procedures the management server was installed on a computer n [Operations for App-V 5.1](operations-for-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-beta.md b/mdop/appv-v5/how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-beta.md index 8728453005..9120a87f6f 100644 --- a/mdop/appv-v5/how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-beta.md +++ b/mdop/appv-v5/how-to-configure-the-client-to-receive-package-and-connection-groups-updates-from-the-publishing-server-beta.md @@ -24,7 +24,7 @@ Use the following steps to configure the App-V 5.0 client to receive updates fro **Note**   For the following procedures the management server was installed on a computer named **MyMgmtSrv**, and the publishing server was installed on a computer named **MyPubSrv**. -  + **To configure the App-V 5.0 client to receive updates from the publishing server** @@ -77,9 +77,9 @@ For the following procedures the management server was installed on a computer n [Operations for App-V 5.0](operations-for-app-v-50.md) -  + -  + 
diff --git a/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md b/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md index af35ad78e4..2c1debb1f6 100644 --- a/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md +++ b/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md @@ -19,19 +19,19 @@ ms.date: 06/16/2016 You can use the package converter utility to upgrade virtual application packages that have been created with previous versions of App-V. -**Note**   +**Note** If you are running a computer with a 64-bit architecture, you must use the x86 version of PowerShell. -  -The package converter can only directly convert packages that were created by using the App-V 4.5 sequencer or a subsequent version. Packages that were created using a version prior to App-V 4.5 must be upgraded to the App-V 4.5 or App-V 4.6 format before conversion. + +The package converter can only directly convert packages that were created by using the App-V 4.5 sequencer or a subsequent version. Packages that were created using a version prior to App-V 4.5 must be upgraded to the App-V 4.5 or App-V 4.6 format before conversion. The following information provides direction for converting existing virtual application packages. -**Important**   +**Important** You must configure the package converter to always save the package ingredients file to a secure location and directory. A secure location is accessible only by an administrator. Additionally, when you deploy the package, you should save the package to a location that is secure, or make sure that no other user is allowed to be logged in during the conversion process. -  + **Getting started** 
@@ -43,39 +43,41 @@ You must configure the package converter to always save the package ingredients Import-Module AppVPkgConverter ``` -3. +3. - The following cmdlets are available: + The following cmdlets are available: - - Test-AppvLegacyPackage – This cmdlet is designed to check packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in depth validation. For information about options and basic functionality for this cmdlet, using the PowerShell cmdline, type `Test-AppvLegacyPackage -?`. + - Test-AppvLegacyPackage – This cmdlet is designed to check packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in depth validation. For information about options and basic functionality for this cmdlet, using the PowerShell cmdline, type `Test-AppvLegacyPackage -?`. - - ConvertFrom-AppvLegacyPackage – To convert an existing package, type `ConvertFrom-AppvLegacyPackage c:\contentStore c:\convertedPackages`. In this command, `c:\contentStore` represents the location of the existing package and `c:\convertedPackages` is the output directory to which the resulting App-V 5.0 virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used for the App-V 5.0 filename. + - ConvertFrom-AppvLegacyPackage – To convert an existing package, type `ConvertFrom-AppvLegacyPackage c:\contentStore c:\convertedPackages`. In this command, `c:\contentStore` represents the location of the existing package and `c:\convertedPackages` is the output directory to which the resulting App-V 5.0 virtual application package file will be saved. 
By default, if you do not specify a new name, the old package name will be used for the App-V 5.0 filename. - Additionally, the package converter optimizes performance of packages in App-V 5.0 by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. + Additionally, the package converter optimizes performance of packages in App-V 5.0 by setting the package to stream fault the App-V package. This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. - **Note**   - Before you specify the output directory, you must create the output directory. + **Note** + Before you specify the output directory, you must create the output directory. -   - **Advanced Conversion Tips** - - Piping - PowerShell supports piping. Piping allows you to call `dir c:\contentStore\myPackage | Test-AppvLegacyPackage`. In this example, the directory object that represents `myPackage` will be given as input to the `Test-AppvLegacyPackage` command and bound to the `-Source` parameter. Piping like this is especially useful when you want to batch commands together; for example, `dir .\ | Test-AppvLegacyPackage | ConvertFrom-AppvLegacyAppvPackage -Target .\ConvertedPackages`. This piped command would test the packages and then pass those objects on to actually be converted. You can also apply a filter on packages without errors or only specify a directory which contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V 5.0 client. +~~~ +**Advanced Conversion Tips** - - Batching - The PowerShell command enables batching. 
More specifically, the cmdlets support taking a string\[\] object for the `-Source` parameter which represents a list of directory paths. This allows you to enter `$packages = dir c:\contentStore` and then call `ConvertFrom-AppvLegacyAppvPackage-Source $packages -Target c:\ConvertedPackages` or to use piping and call `dir c:\ContentStore | ConvertFrom-AppvLegacyAppvPackage -Target C:\ConvertedPackages`. +- Piping - PowerShell supports piping. Piping allows you to call `dir c:\contentStore\myPackage | Test-AppvLegacyPackage`. In this example, the directory object that represents `myPackage` will be given as input to the `Test-AppvLegacyPackage` command and bound to the `-Source` parameter. Piping like this is especially useful when you want to batch commands together; for example, `dir .\ | Test-AppvLegacyPackage | ConvertFrom-AppvLegacyAppvPackage -Target .\ConvertedPackages`. This piped command would test the packages and then pass those objects on to actually be converted. You can also apply a filter on packages without errors or only specify a directory which contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V 5.0 client. - - Other functionality - PowerShell has other built-in functionality for features such as aliases, piping, lazy-binding, .NET object, and many others. All of these are usable in PowerShell and can help you create advanced scenarios for the Package Converter. +- Batching - The PowerShell command enables batching. More specifically, the cmdlets support taking a string\[\] object for the `-Source` parameter which represents a list of directory paths. This allows you to enter `$packages = dir c:\contentStore` and then call `ConvertFrom-AppvLegacyAppvPackage-Source $packages -Target c:\ConvertedPackages` or to use piping and call `dir c:\ContentStore | ConvertFrom-AppvLegacyAppvPackage -Target C:\ConvertedPackages`. - **Got a suggestion for App-V**? 
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +- Other functionality - PowerShell has other built-in functionality for features such as aliases, piping, lazy-binding, .NET object, and many others. All of these are usable in PowerShell and can help you create advanced scenarios for the Package Converter. + +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Operations for App-V 5.0](operations-for-app-v-50.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md b/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md index 12f45796f2..b146f4dd7f 100644 --- a/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md +++ b/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md 
@@ -19,19 +19,19 @@ ms.date: 06/16/2016 You can use the package converter utility to upgrade virtual application packages that have been created with previous versions of App-V. -**Note**   +**Note** If you are running a computer with a 64-bit architecture, you must use the x86 version of PowerShell. -  -The package converter can only directly convert packages that were created by using the App-V 4.5 sequencer or a subsequent version. Packages that were created using a version prior to App-V 4.5 must be upgraded to the App-V 4.5 or App-V 4.6 format before conversion. + +The package converter can only directly convert packages that were created by using the App-V 4.5 sequencer or a subsequent version. Packages that were created using a version prior to App-V 4.5 must be upgraded to the App-V 4.5 or App-V 4.6 format before conversion. The following information provides direction for converting existing virtual application packages. -**Important**   +**Important** You must configure the package converter to always save the package ingredients file to a secure location and directory. A secure location is accessible only by an administrator. Additionally, when you deploy the package, you should save the package to a location that is secure, or make sure that no other user is allowed to be logged in during the conversion process. -  + **App-V 4.6 installation folder is redirected to virtual file system root** 
@@ -53,31 +53,33 @@ Prior to App-V 5.1, the 4.6 root folder was not recognized and could not be acce - ConvertFrom-AppvLegacyPackage – To convert an existing package, type `ConvertFrom-AppvLegacyPackage c:\contentStore c:\convertedPackages`. In this command, `c:\contentStore` represents the location of the existing package and `c:\convertedPackages` is the output directory to which the resulting App-V 5.1 virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used for the App-V 5.1 filename. - Additionally, the package converter optimizes performance of packages in App-V 5.1 by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. + Additionally, the package converter optimizes performance of packages in App-V 5.1 by setting the package to stream fault the App-V package. This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. - **Note**   + **Note** Before you specify the output directory, you must create the output directory. -   - **Advanced Conversion Tips** - - Piping - PowerShell supports piping. Piping allows you to call `dir c:\contentStore\myPackage | Test-AppvLegacyPackage`. In this example, the directory object that represents `myPackage` will be given as input to the `Test-AppvLegacyPackage` command and bound to the `-Source` parameter. Piping like this is especially useful when you want to batch commands together; for example, `dir .\ | Test-AppvLegacyPackage | ConvertFrom-AppvLegacyAppvPackage -Target .\ConvertedPackages`. 
This piped command would test the packages and then pass those objects on to actually be converted. You can also apply a filter on packages without errors or only specify a directory which contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V 5.1 client. +~~~ +**Advanced Conversion Tips** - - Batching - The PowerShell command enables batching. More specifically, the cmdlets support taking a string\[\] object for the `-Source` parameter which represents a list of directory paths. This allows you to enter `$packages = dir c:\contentStore` and then call `ConvertFrom-AppvLegacyAppvPackage-Source $packages -Target c:\ConvertedPackages` or to use piping and call `dir c:\ContentStore | ConvertFrom-AppvLegacyAppvPackage -Target C:\ConvertedPackages`. +- Piping - PowerShell supports piping. Piping allows you to call `dir c:\contentStore\myPackage | Test-AppvLegacyPackage`. In this example, the directory object that represents `myPackage` will be given as input to the `Test-AppvLegacyPackage` command and bound to the `-Source` parameter. Piping like this is especially useful when you want to batch commands together; for example, `dir .\ | Test-AppvLegacyPackage | ConvertFrom-AppvLegacyAppvPackage -Target .\ConvertedPackages`. This piped command would test the packages and then pass those objects on to actually be converted. You can also apply a filter on packages without errors or only specify a directory which contains an **.sprj** file or pipe them to another cmdlet that adds the filtered package to the server or publishes them to the App-V 5.1 client. - - Other functionality - PowerShell has other built-in functionality for features such as aliases, piping, lazy-binding, .NET object, and many others. All of these are usable in PowerShell and can help you create advanced scenarios for the Package Converter. +- Batching - The PowerShell command enables batching. 
More specifically, the cmdlets support taking a string\[\] object for the `-Source` parameter which represents a list of directory paths. This allows you to enter `$packages = dir c:\contentStore` and then call `ConvertFrom-AppvLegacyAppvPackage-Source $packages -Target c:\ConvertedPackages` or to use piping and call `dir c:\ContentStore | ConvertFrom-AppvLegacyAppvPackage -Target C:\ConvertedPackages`. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +- Other functionality - PowerShell has other built-in functionality for features such as aliases, piping, lazy-binding, .NET object, and many others. All of these are usable in PowerShell and can help you create advanced scenarios for the Package Converter. + +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Operations for App-V 5.1](operations-for-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-create-a-connection-group.md b/mdop/appv-v5/how-to-create-a-connection-group.md index 481b85fb1f..b9ab2dc072 100644 --- a/mdop/appv-v5/how-to-create-a-connection-group.md +++ b/mdop/appv-v5/how-to-create-a-connection-group.md 
@@ -42,7 +42,7 @@ When you place packages in a connection group, their package root paths are merg **Important**   By default, the Active Directory Domain Services access configurations that are associated with a specific application are not added to the connection group. To transfer the Active Directory access configuration, select **ADD PACKAGE ACCESS TO GROUP ACCESS**, which is located in the **PACKAGES IN** pane. -   + 7. After adding all the applications and configuring Active Directory access, click **Apply**. @@ -55,9 +55,9 @@ When you place packages in a connection group, their package root paths are merg [Managing Connection Groups](managing-connection-groups.md) -  + -  + diff --git a/mdop/appv-v5/how-to-create-a-connection-group51.md b/mdop/appv-v5/how-to-create-a-connection-group51.md index b1f29f2468..f5605affe1 100644 --- a/mdop/appv-v5/how-to-create-a-connection-group51.md +++ b/mdop/appv-v5/how-to-create-a-connection-group51.md @@ -40,7 +40,7 @@ When you place packages in a connection group, their package root paths are merg **Important**   By default, the Active Directory Domain Services access configurations that are associated with a specific application are not added to the connection group. To transfer the Active Directory access configuration, select **ADD PACKAGE ACCESS TO GROUP ACCESS**, which is located in the **PACKAGES IN** pane. -   + 6. After adding all the applications and configuring Active Directory access, click **Apply**. @@ -53,9 +53,9 @@ When you place packages in a connection group, their package root paths are merg [Managing Connection Groups](managing-connection-groups51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-create-a-custom-configuration-file-by-using-the-app-v-51-management-console.md b/mdop/appv-v5/how-to-create-a-custom-configuration-file-by-using-the-app-v-51-management-console.md index d35cd476a3..eb1da74435 100644 
--- a/mdop/appv-v5/how-to-create-a-custom-configuration-file-by-using-the-app-v-51-management-console.md +++ b/mdop/appv-v5/how-to-create-a-custom-configuration-file-by-using-the-app-v-51-management-console.md @@ -31,21 +31,23 @@ Use the following procedure to create a Dynamic User Configuration file by using 4. Click **Advanced**, and then click **Export Configuration**. Type in a filename and click **Save**. Now you can edit the file to configure a package for a user. - **Note**   + **Note** To export a configuration while running on Windows Server, you must disable "IE Enhanced Security Configuration". If this is enabled and set to block downloads, you cannot download anything from the App-V Server. -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Operations for App-V 5.1](operations-for-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-create-a-package-accelerator.md b/mdop/appv-v5/how-to-create-a-package-accelerator.md index d10d4468fa..3ca349472c 100644 --- a/mdop/appv-v5/how-to-create-a-package-accelerator.md +++ b/mdop/appv-v5/how-to-create-a-package-accelerator.md 
@@ -19,81 +19,87 @@ ms.date: 06/16/2016 App-V 5.0 package accelerators automatically generate new virtual application packages. -**Note**   +**Note** You can use PowerShell to create a package accelerator. For more information see [How to Create a Package Accelerator by Using PowerShell](how-to-create-a-package-accelerator-by-using-powershell.md). -  + Use the following procedure to create a package accelerator. -**Important**   +**Important** Package Accelerators can contain password and user-specific information. Therefore you must save Package Accelerators and the associated installation media in a secure location, and you should digitally sign the Package Accelerator after you create it so that the publisher can be verified when the App-V 5.0 Package Accelerator is applied. -  -**Important**   + +**Important** Before you begin the following procedure, you should perform the following: - Copy the virtual application package that you will use to create the package accelerator locally to the computer running the sequencer. - Copy all required installation files associated with the virtual application package to the computer running the sequencer. -  + **To create a package accelerator** -1. **Important**   +1. **Important** The App-V 5.0 Sequencer does not grant any license rights to the software application you are using to create the Package Accelerator. You must abide by all end user license terms for the application you are using. It is your responsibility to make sure the software application’s license terms allow you to create a Package Accelerator using App-V 5.0 Sequencer. -   - To start the App-V 5.0 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. -2. To start the App-V 5.0 **Create Package Accelerator** wizard, in the App-V 5.0 sequencer console, click **Tools** / **Create Accelerator**. 
+~~~ +To start the App-V 5.0 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +~~~ -3. On the **Select Package** page, to specify an existing virtual application package to use to create the Package Accelerator, click **Browse**, and locate the existing virtual application package (.appv file). +2. To start the App-V 5.0 **Create Package Accelerator** wizard, in the App-V 5.0 sequencer console, click **Tools** / **Create Accelerator**. - **Tip**   - Copy the files associated with the virtual application package you plan to use locally to the computer running the Sequencer. +3. On the **Select Package** page, to specify an existing virtual application package to use to create the Package Accelerator, click **Browse**, and locate the existing virtual application package (.appv file). -   + **Tip** + Copy the files associated with the virtual application package you plan to use locally to the computer running the Sequencer. - Click **Next**. -4. On the **Installation Files** page, to specify the folder that contains the installation files that you used to create the original virtual application package, click **Browse**, and then select the directory that contains the installation files. - **Tip**   - Copy the folder that contains the required installation files to the computer running the Sequencer. +~~~ +Click **Next**. +~~~ -   +4. On the **Installation Files** page, to specify the folder that contains the installation files that you used to create the original virtual application package, click **Browse**, and then select the directory that contains the installation files. -5. If the application is already installed on the computer running the sequencer, to specify the installation file, select **Files installed on local system**. 
To use this option, the application must already be installed in the default installation location. + **Tip** + Copy the folder that contains the required installation files to the computer running the Sequencer. -6. On the **Gathering Information** page, review the files that were not found in the location specified on the **Installation Files** page of this wizard. If the files displayed are not required, select **Remove these files**, and then click **Next**. If the files are required, click **Previous** and copy the required files to the directory specified on the **Installation Files** page. - **Note**   - You must either remove the unrequired files, or click **Previous** and locate the required files to advance to the next page of this wizard. -   +5. If the application is already installed on the computer running the sequencer, to specify the installation file, select **Files installed on local system**. To use this option, the application must already be installed in the default installation location. -7. On the **Select Files** page, carefully review the files that were detected, and clear any file that should be removed from the package accelerator. Select only files that are required for the application to run successfully, and then click **Next**. +6. On the **Gathering Information** page, review the files that were not found in the location specified on the **Installation Files** page of this wizard. If the files displayed are not required, select **Remove these files**, and then click **Next**. If the files are required, click **Previous** and copy the required files to the directory specified on the **Installation Files** page. -8. On the **Verify Applications** page, confirm that all installation files that are required to build the package are displayed. When the Package Accelerator is used to create a new package, all installation files displayed in the **Applications** pane are required to create the package. 
+ **Note** + You must either remove the unrequired files, or click **Previous** and locate the required files to advance to the next page of this wizard. - If necessary, to add additional Installer files, click **Add**. To remove unnecessary installation files, select the Installer file, and then click **Delete**. To edit the properties associated with an installer, click **Edit**. The installation files specified in this step will be required when the Package Accelerator is used to create a new virtual application package. After you have confirmed the information displayed, click **Next**. -9. On the **Select Guidance** page, to specify a file that contains information about how the Package Accelerator, click **Browse**. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. You should provide all required information for the Package Accelerator to be successfully applied. The file you select must be in rich text (.rtf) or text file (.txt) format. Click **Next**. + +7. On the **Select Files** page, carefully review the files that were detected, and clear any file that should be removed from the package accelerator. Select only files that are required for the application to run successfully, and then click **Next**. + +8. On the **Verify Applications** page, confirm that all installation files that are required to build the package are displayed. When the Package Accelerator is used to create a new package, all installation files displayed in the **Applications** pane are required to create the package. + + If necessary, to add additional Installer files, click **Add**. To remove unnecessary installation files, select the Installer file, and then click **Delete**. To edit the properties associated with an installer, click **Edit**. 
The installation files specified in this step will be required when the Package Accelerator is used to create a new virtual application package. After you have confirmed the information displayed, click **Next**. + +9. On the **Select Guidance** page, to specify a file that contains information about how the Package Accelerator, click **Browse**. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. You should provide all required information for the Package Accelerator to be successfully applied. The file you select must be in rich text (.rtf) or text file (.txt) format. Click **Next**. 10. On the **Create Package Accelerator** page, to specify where to save the Package Accelerator, click **Browse** and select the directory. 11. On the **Completion** page, to close the **Create Package Accelerator** wizard, click **Close**. - **Important**   - To help ensure that the package accelerator is as secure as possible, and so that the publisher can be verified when the package accelerator is applied, you should always digitally sign the package accelerator. + **Important** + To help ensure that the package accelerator is as secure as possible, and so that the publisher can be verified when the package accelerator is applied, you should always digitally sign the package accelerator. -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). 
+~~~ ## Related topics @@ -102,9 +108,9 @@ Before you begin the following procedure, you should perform the following: [How to Create a Virtual Application Package Using an App-V Package Accelerator](how-to-create-a-virtual-application-package-using-an-app-v-package-accelerator.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-create-a-package-accelerator51.md b/mdop/appv-v5/how-to-create-a-package-accelerator51.md index 46a6825827..45092fa865 100644 --- a/mdop/appv-v5/how-to-create-a-package-accelerator51.md +++ b/mdop/appv-v5/how-to-create-a-package-accelerator51.md 
@@ -19,81 +19,87 @@ ms.date: 06/16/2016 App-V 5.1 package accelerators automatically generate new virtual application packages. -**Note**   +**Note** You can use PowerShell to create a package accelerator. For more information see [How to Create a Package Accelerator by Using PowerShell](how-to-create-a-package-accelerator-by-using-powershell51.md). -  + Use the following procedure to create a package accelerator. -**Important**   +**Important** Package Accelerators can contain password and user-specific information. Therefore you must save Package Accelerators and the associated installation media in a secure location, and you should digitally sign the Package Accelerator after you create it so that the publisher can be verified when the App-V 5.1 Package Accelerator is applied. -  -**Important**   + +**Important** Before you begin the following procedure, you should perform the following: - Copy the virtual application package that you will use to create the package accelerator locally to the computer running the sequencer. - Copy all required installation files associated with the virtual application package to the computer running the sequencer. -  + **To create a package accelerator** -1. **Important**   +1. **Important** The App-V 5.1 Sequencer does not grant any license rights to the software application you are using to create the Package Accelerator. You must abide by all end user license terms for the application you are using. It is your responsibility to make sure the software application’s license terms allow you to create a Package Accelerator using App-V 5.1 Sequencer. -   - To start the App-V 5.1 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. -2. To start the App-V 5.1 **Create Package Accelerator** wizard, in the App-V 5.1 sequencer console, click **Tools** / **Create Accelerator**. 
+~~~ +To start the App-V 5.1 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +~~~ -3. On the **Select Package** page, to specify an existing virtual application package to use to create the Package Accelerator, click **Browse**, and locate the existing virtual application package (.appv file). +2. To start the App-V 5.1 **Create Package Accelerator** wizard, in the App-V 5.1 sequencer console, click **Tools** / **Create Accelerator**. - **Tip**   - Copy the files associated with the virtual application package you plan to use locally to the computer running the Sequencer. +3. On the **Select Package** page, to specify an existing virtual application package to use to create the Package Accelerator, click **Browse**, and locate the existing virtual application package (.appv file). -   + **Tip** + Copy the files associated with the virtual application package you plan to use locally to the computer running the Sequencer. - Click **Next**. -4. On the **Installation Files** page, to specify the folder that contains the installation files that you used to create the original virtual application package, click **Browse**, and then select the directory that contains the installation files. - **Tip**   - Copy the folder that contains the required installation files to the computer running the Sequencer. +~~~ +Click **Next**. +~~~ -   +4. On the **Installation Files** page, to specify the folder that contains the installation files that you used to create the original virtual application package, click **Browse**, and then select the directory that contains the installation files. -5. If the application is already installed on the computer running the sequencer, to specify the installation file, select **Files installed on local system**. 
To use this option, the application must already be installed in the default installation location. + **Tip** + Copy the folder that contains the required installation files to the computer running the Sequencer. -6. On the **Gathering Information** page, review the files that were not found in the location specified on the **Installation Files** page of this wizard. If the files displayed are not required, select **Remove these files**, and then click **Next**. If the files are required, click **Previous** and copy the required files to the directory specified on the **Installation Files** page. - **Note**   - You must either remove the unrequired files, or click **Previous** and locate the required files to advance to the next page of this wizard. -   +5. If the application is already installed on the computer running the sequencer, to specify the installation file, select **Files installed on local system**. To use this option, the application must already be installed in the default installation location. -7. On the **Select Files** page, carefully review the files that were detected, and clear any file that should be removed from the package accelerator. Select only files that are required for the application to run successfully, and then click **Next**. +6. On the **Gathering Information** page, review the files that were not found in the location specified on the **Installation Files** page of this wizard. If the files displayed are not required, select **Remove these files**, and then click **Next**. If the files are required, click **Previous** and copy the required files to the directory specified on the **Installation Files** page. -8. On the **Verify Applications** page, confirm that all installation files that are required to build the package are displayed. When the Package Accelerator is used to create a new package, all installation files displayed in the **Applications** pane are required to create the package. 
+ **Note** + You must either remove the unrequired files, or click **Previous** and locate the required files to advance to the next page of this wizard. - If necessary, to add additional Installer files, click **Add**. To remove unnecessary installation files, select the Installer file, and then click **Delete**. To edit the properties associated with an installer, click **Edit**. The installation files specified in this step will be required when the Package Accelerator is used to create a new virtual application package. After you have confirmed the information displayed, click **Next**. -9. On the **Select Guidance** page, to specify a file that contains information about how the Package Accelerator, click **Browse**. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. You should provide all required information for the Package Accelerator to be successfully applied. The file you select must be in rich text (.rtf) or text file (.txt) format. Click **Next**. + +7. On the **Select Files** page, carefully review the files that were detected, and clear any file that should be removed from the package accelerator. Select only files that are required for the application to run successfully, and then click **Next**. + +8. On the **Verify Applications** page, confirm that all installation files that are required to build the package are displayed. When the Package Accelerator is used to create a new package, all installation files displayed in the **Applications** pane are required to create the package. + + If necessary, to add additional Installer files, click **Add**. To remove unnecessary installation files, select the Installer file, and then click **Delete**. To edit the properties associated with an installer, click **Edit**. 
The installation files specified in this step will be required when the Package Accelerator is used to create a new virtual application package. After you have confirmed the information displayed, click **Next**. + +9. On the **Select Guidance** page, to specify a file that contains information about how the Package Accelerator, click **Browse**. For example, this file can contain information about how the computer running the Sequencer should be configured, application prerequisite information for target computers, and general notes. You should provide all required information for the Package Accelerator to be successfully applied. The file you select must be in rich text (.rtf) or text file (.txt) format. Click **Next**. 10. On the **Create Package Accelerator** page, to specify where to save the Package Accelerator, click **Browse** and select the directory. 11. On the **Completion** page, to close the **Create Package Accelerator** wizard, click **Close**. - **Important**   - To help ensure that the package accelerator is as secure as possible, and so that the publisher can be verified when the package accelerator is applied, you should always digitally sign the package accelerator. + **Important** + To help ensure that the package accelerator is as secure as possible, and so that the publisher can be verified when the package accelerator is applied, you should always digitally sign the package accelerator. -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). 
+~~~ ## Related topics @@ -102,9 +108,9 @@ Before you begin the following procedure, you should perform the following: [How to Create a Virtual Application Package Using an App-V Package Accelerator](how-to-create-a-virtual-application-package-using-an-app-v-package-accelerator51.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-create-a-virtual-application-package-using-an-app-v-package-accelerator.md b/mdop/appv-v5/how-to-create-a-virtual-application-package-using-an-app-v-package-accelerator.md index b0cbad1eb9..5520322085 100644 --- a/mdop/appv-v5/how-to-create-a-virtual-application-package-using-an-app-v-package-accelerator.md +++ b/mdop/appv-v5/how-to-create-a-virtual-application-package-using-an-app-v-package-accelerator.md @@ -17,17 +17,17 @@ ms.date: 06/16/2016 # How to Create a Virtual Application Package Using an App-V Package Accelerator -**Important**   +**Important** The App-V 5.0 Sequencer does not grant any license rights to the software application that you use to create the Package Accelerator. You must abide by all end user license terms for the application that you use. It is your responsibility to make sure that the software application’s license terms allow you to create a Package Accelerator with the App-V 5.0 Sequencer. -  + Use the following procedure to create a virtual application package with the App-V 5.0 Package Accelerator. -**Note**   +**Note** Before you start this procedure, copy the required Package Accelerator locally to the computer that runs the App-V 5.0 Sequencer. You should also copy all required installation files for the package to a local directory on the computer that runs the Sequencer. This is the directory that you have to specify in step 5 of this procedure. -  + **To create a virtual application package with an App-V 5.0 Package Accelerator** 
@@ -37,10 +37,10 @@ Before you start this procedure, copy the required Package Accelerator locally t 3. To specify the package accelerator that will be used to create the new virtual application package, click **Browse** on the **Select Package Accelerator** page. Click **Next**. - **Important**   + **Important** If the publisher of the package accelerator cannot be verified and does not contain a valid digital signature, then before you click **Run**, you must confirm that you trust the source of the package accelerator. Confirm your choice in the **Security Warning** dialog box. -   + 4. On the **Guidance** page, review the publishing guidance information that is displayed in the information pane. This information was added when the Package Accelerator was created and it contains guidance about how to create and publish the package. To export the guidance information to a text (.txt) file, click **Export** and specify the location where the file should be saved, and then click **Next**. @@ -48,7 +48,7 @@ Before you start this procedure, copy the required Package Accelerator locally t Alternatively, if you have already copied the installation files to a directory on this computer, click **Make New Folder**, browse to the folder that contains the installation files, and then click **Next**. - **Note**   + **Note** You can specify the following types of supported installation files: - Windows Installer files (**.msi**) 
@@ -61,44 +61,46 @@ Before you start this procedure, copy the required Package Accelerator locally t The following file types are not supported: **.msp** and **.exe** files. If you specify an **.exe** file, you must extract the installation files manually. -   - If the package accelerator requires an application to be installed before you apply the Package Accelerator, and if you have already installed the required application, select **I have installed all applications**, and then click **Next** on the **Local Installation** page. -6. On the **Package Name** page, specify a name that will be associated with the package. The name that you specify identifies the package in the App-V Management Console. Click **Next**. +~~~ +If the package accelerator requires an application to be installed before you apply the Package Accelerator, and if you have already installed the required application, select **I have installed all applications**, and then click **Next** on the **Local Installation** page. +~~~ -7. On the **Create Package** page, provide comments that will be associated with the package. The comments should contain identifying information about the package that you are creating. To confirm the location where the package is created, review the information that is displayed in **Save Location**. To compress the package, select **Compress Package**. Select the **Compress Package** check box if the package will be streamed across the network, or when the package size exceeds 4 GB. +6. On the **Package Name** page, specify a name that will be associated with the package. The name that you specify identifies the package in the App-V Management Console. Click **Next**. - To create the package, click **Create**. After the package is created, click **Next**. +7. On the **Create Package** page, provide comments that will be associated with the package. The comments should contain identifying information about the package that you are creating. 
To confirm the location where the package is created, review the information that is displayed in **Save Location**. To compress the package, select **Compress Package**. Select the **Compress Package** check box if the package will be streamed across the network, or when the package size exceeds 4 GB. -8. On the **Configure Software** page, to enable the Sequencer to configure the applications that are contained in the package, select **Configure Software**. In this step you can configure any associated tasks that must be completed in order to run the application on the target computers. For example, you can configure any associated license agreements. + To create the package, click **Create**. After the package is created, click **Next**. - If you select **Configure Software**, the following items can be configured using the Sequencer as part of this step: +8. On the **Configure Software** page, to enable the Sequencer to configure the applications that are contained in the package, select **Configure Software**. In this step you can configure any associated tasks that must be completed in order to run the application on the target computers. For example, you can configure any associated license agreements. - - **Load Package**. The Sequencer loads the files that are associated with the package. It can take several seconds to an hour to decode the package. + If you select **Configure Software**, the following items can be configured using the Sequencer as part of this step: - - **Run Each Program**. Optionally run the programs that are contained in the package. This step is helpful to complete any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at once, select at least one program, and then click **Run All**. To run specific programs, select the program or programs that you want to run, and then click **Run Selected**. 
Complete the required configuration tasks, and then close the applications. It can take several minutes for all programs to run. Click **Next**. + - **Load Package**. The Sequencer loads the files that are associated with the package. It can take several seconds to an hour to decode the package. - - **Save Package**. The Sequencer saves the package. + - **Run Each Program**. Optionally run the programs that are contained in the package. This step is helpful to complete any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at once, select at least one program, and then click **Run All**. To run specific programs, select the program or programs that you want to run, and then click **Run Selected**. Complete the required configuration tasks, and then close the applications. It can take several minutes for all programs to run. Click **Next**. - - **Primary Feature Block**. The Sequencer optimizes the package for streaming by rebuilding the primary feature block. + - **Save Package**. The Sequencer saves the package. - If you do not want to configure the applications, click **Skip this step**, and to go to step 9 of this procedure, and then click **Next**. + - **Primary Feature Block**. The Sequencer optimizes the package for streaming by rebuilding the primary feature block. -9. On the **Completion** page, after you review the information that is displayed in the **Virtual Application Package Report** pane, click **Close**. + If you do not want to configure the applications, click **Skip this step**, and to go to step 9 of this procedure, and then click **Next**. - The package is now available in the Sequencer. To edit the package properties, click **Edit \[Package Name\]**. For more information about how to modify a package, see [How to Modify an Existing Virtual Application Package](how-to-modify-an-existing-virtual-application-package-beta.md). +9. 
On the **Completion** page, after you review the information that is displayed in the **Virtual Application Package Report** pane, click **Close**. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + The package is now available in the Sequencer. To edit the package properties, click **Edit \[Package Name\]**. For more information about how to modify a package, see [How to Modify an Existing Virtual Application Package](how-to-modify-an-existing-virtual-application-package-beta.md). + + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics [Operations for App-V 5.0](operations-for-app-v-50.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-create-a-virtual-application-package-using-an-app-v-package-accelerator51.md b/mdop/appv-v5/how-to-create-a-virtual-application-package-using-an-app-v-package-accelerator51.md index 3944b0df6d..2552432acc 100644 --- a/mdop/appv-v5/how-to-create-a-virtual-application-package-using-an-app-v-package-accelerator51.md +++ b/mdop/appv-v5/how-to-create-a-virtual-application-package-using-an-app-v-package-accelerator51.md 
@@ -17,17 +17,17 @@ ms.date: 06/16/2016 # How to Create a Virtual Application Package Using an App-V Package Accelerator -**Important**   +**Important** The App-V 5.1 Sequencer does not grant any license rights to the software application that you use to create the Package Accelerator. You must abide by all end user license terms for the application that you use. It is your responsibility to make sure that the software application’s license terms allow you to create a Package Accelerator with the App-V 5.1 Sequencer. -  + Use the following procedure to create a virtual application package with the App-V 5.1 Package Accelerator. -**Note**   +**Note** Before you start this procedure, copy the required Package Accelerator locally to the computer that runs the App-V 5.1 Sequencer. You should also copy all required installation files for the package to a local directory on the computer that runs the Sequencer. This is the directory that you have to specify in step 5 of this procedure. -  + **To create a virtual application package with an App-V 5.1 Package Accelerator** 
@@ -37,10 +37,10 @@ Before you start this procedure, copy the required Package Accelerator locally t 3. To specify the package accelerator that will be used to create the new virtual application package, click **Browse** on the **Select Package Accelerator** page. Click **Next**. - **Important**   + **Important** If the publisher of the package accelerator cannot be verified and does not contain a valid digital signature, then before you click **Run**, you must confirm that you trust the source of the package accelerator. Confirm your choice in the **Security Warning** dialog box. -   + 4. On the **Guidance** page, review the publishing guidance information that is displayed in the information pane. This information was added when the Package Accelerator was created and it contains guidance about how to create and publish the package. To export the guidance information to a text (.txt) file, click **Export** and specify the location where the file should be saved, and then click **Next**. @@ -48,7 +48,7 @@ Before you start this procedure, copy the required Package Accelerator locally t Alternatively, if you have already copied the installation files to a directory on this computer, click **Make New Folder**, browse to the folder that contains the installation files, and then click **Next**. - **Note**   + **Note** You can specify the following types of supported installation files: - Windows Installer files (**.msi**) 
@@ -61,44 +61,46 @@ Before you start this procedure, copy the required Package Accelerator locally t The following file types are not supported: **.msp** and **.exe** files. If you specify an **.exe** file, you must extract the installation files manually. -   - If the package accelerator requires an application to be installed before you apply the Package Accelerator, and if you have already installed the required application, select **I have installed all applications**, and then click **Next** on the **Local Installation** page. -6. On the **Package Name** page, specify a name that will be associated with the package. The name that you specify identifies the package in the App-V Management Console. Click **Next**. +~~~ +If the package accelerator requires an application to be installed before you apply the Package Accelerator, and if you have already installed the required application, select **I have installed all applications**, and then click **Next** on the **Local Installation** page. +~~~ -7. On the **Create Package** page, provide comments that will be associated with the package. The comments should contain identifying information about the package that you are creating. To confirm the location where the package is created, review the information that is displayed in **Save Location**. To compress the package, select **Compress Package**. Select the **Compress Package** check box if the package will be streamed across the network, or when the package size exceeds 4 GB. +6. On the **Package Name** page, specify a name that will be associated with the package. The name that you specify identifies the package in the App-V Management Console. Click **Next**. - To create the package, click **Create**. After the package is created, click **Next**. +7. On the **Create Package** page, provide comments that will be associated with the package. The comments should contain identifying information about the package that you are creating. 
To confirm the location where the package is created, review the information that is displayed in **Save Location**. To compress the package, select **Compress Package**. Select the **Compress Package** check box if the package will be streamed across the network, or when the package size exceeds 4 GB. -8. On the **Configure Software** page, to enable the Sequencer to configure the applications that are contained in the package, select **Configure Software**. In this step you can configure any associated tasks that must be completed in order to run the application on the target computers. For example, you can configure any associated license agreements. + To create the package, click **Create**. After the package is created, click **Next**. - If you select **Configure Software**, the following items can be configured using the Sequencer as part of this step: +8. On the **Configure Software** page, to enable the Sequencer to configure the applications that are contained in the package, select **Configure Software**. In this step you can configure any associated tasks that must be completed in order to run the application on the target computers. For example, you can configure any associated license agreements. - - **Load Package**. The Sequencer loads the files that are associated with the package. It can take several seconds to an hour to decode the package. + If you select **Configure Software**, the following items can be configured using the Sequencer as part of this step: - - **Run Each Program**. Optionally run the programs that are contained in the package. This step is helpful to complete any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at once, select at least one program, and then click **Run All**. To run specific programs, select the program or programs that you want to run, and then click **Run Selected**. 
Complete the required configuration tasks, and then close the applications. It can take several minutes for all programs to run. Click **Next**. + - **Load Package**. The Sequencer loads the files that are associated with the package. It can take several seconds to an hour to decode the package. - - **Save Package**. The Sequencer saves the package. + - **Run Each Program**. Optionally run the programs that are contained in the package. This step is helpful to complete any associated license or configuration tasks that are required to run the application before you deploy and run the package on target computers. To run all the programs at once, select at least one program, and then click **Run All**. To run specific programs, select the program or programs that you want to run, and then click **Run Selected**. Complete the required configuration tasks, and then close the applications. It can take several minutes for all programs to run. Click **Next**. - - **Primary Feature Block**. The Sequencer optimizes the package for streaming by rebuilding the primary feature block. + - **Save Package**. The Sequencer saves the package. - If you do not want to configure the applications, click **Skip this step**, and to go to step 9 of this procedure, and then click **Next**. + - **Primary Feature Block**. The Sequencer optimizes the package for streaming by rebuilding the primary feature block. -9. On the **Completion** page, after you review the information that is displayed in the **Virtual Application Package Report** pane, click **Close**. + If you do not want to configure the applications, click **Skip this step**, and to go to step 9 of this procedure, and then click **Next**. - The package is now available in the Sequencer. To edit the package properties, click **Edit \[Package Name\]**. For more information about how to modify a package, see [How to Modify an Existing Virtual Application Package](how-to-modify-an-existing-virtual-application-package-beta.md). +9. 
On the **Completion** page, after you review the information that is displayed in the **Virtual Application Package Report** pane, click **Close**. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + The package is now available in the Sequencer. To edit the package properties, click **Edit \[Package Name\]**. For more information about how to modify a package, see [How to Modify an Existing Virtual Application Package](how-to-modify-an-existing-virtual-application-package-beta.md). + + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics [Operations for App-V 5.1](operations-for-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-create-and-use-a-project-template.md b/mdop/appv-v5/how-to-create-and-use-a-project-template.md index 092938935c..199c3b09bf 100644 --- a/mdop/appv-v5/how-to-create-and-use-a-project-template.md +++ b/mdop/appv-v5/how-to-create-and-use-a-project-template.md 
@@ -33,10 +33,10 @@ Use the following procedures to create and apply a new template. **Note**   If the virtual application package is currently open in the App-V 5.0 Sequencer console, skip to step 3 of this procedure. -2. To open the existing virtual application package that contains the settings you want to save with the App-V 5.0 project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**. +2. To open the existing virtual application package that contains the settings you want to save with the App-V 5.0 project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**. -3. In the App-V 5.0 Sequencer console, to save the template file, click **File** / **Save As Template**. After you have reviewed the settings that will be saved with the new template, click **OK**. Specify a name that will be associated with the new App-V 5.0 project template. Click Save. -The new App-V 5.0 project template is saved in the directory specified in step 3 of this procedure. +3. In the App-V 5.0 Sequencer console, to save the template file, click **File** / **Save As Template**. After you have reviewed the settings that will be saved with the new template, click **OK**. Specify a name that will be associated with the new App-V 5.0 project template. Click Save. + The new App-V 5.0 project template is saved in the directory specified in step 3 of this procedure. **To apply a project template** diff --git a/mdop/appv-v5/how-to-create-and-use-a-project-template51.md b/mdop/appv-v5/how-to-create-and-use-a-project-template51.md index da09842a7e..cc1d47dba3 100644 --- a/mdop/appv-v5/how-to-create-and-use-a-project-template51.md +++ b/mdop/appv-v5/how-to-create-and-use-a-project-template51.md 
@@ -19,10 +19,10 @@ ms.date: 06/16/2016 You can use an App-V 5.1 project template to save commonly applied settings associated with an existing virtual application package. These settings can then be applied when you create new virtual application packages in your environment. Using a project template can streamline the process of creating virtual application packages. -**Note**   +**Note** You can, and often should apply an App-V 5.1 project template during a package upgrade. For example, if you sequenced an application with a custom exclusion list, it is recommended that an associated template is created and saved for later use while upgrading the sequenced application. -  + App-V 5.1 project templates differ from App-V 5.1 Application Accelerators because App-V 5.1 Application Accelerators are application-specific, and App-V 5.1 project templates can be applied to multiple applications. 
@@ -32,42 +32,46 @@ Use the following procedures to create and apply a new template. 1. To start the App-V 5.1 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. -2. **Note**   +2. **Note** If the virtual application package is currently open in the App-V 5.1 Sequencer console, skip to step 3 of this procedure. -   - To open the existing virtual application package that contains the settings you want to save with the App-V 5.1 project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**. -3. In the App-V 5.1 Sequencer console, to save the template file, click **File** / **Save As Template**. After you have reviewed the settings that will be saved with the new template, click **OK**. Specify a name that will be associated with the new App-V 5.1 project template. Click Save. +~~~ +To open the existing virtual application package that contains the settings you want to save with the App-V 5.1 project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**. +~~~ - The new App-V 5.1 project template is saved in the directory specified in step 3 of this procedure. +3. In the App-V 5.1 Sequencer console, to save the template file, click **File** / **Save As Template**. After you have reviewed the settings that will be saved with the new template, click **OK**. Specify a name that will be associated with the new App-V 5.1 project template. Click Save. + + The new App-V 5.1 project template is saved in the directory specified in step 3 of this procedure. **To apply a project template** -1. **Important**   +1. 
**Important** Creating a virtual application package using a project template in conjunction with a Package Accelerator is not supported. -   - To start the App-V 5.1 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. -2. To create or upgrade a new virtual application package by using an App-V 5.1 project template, click **File** / **New From Template**. +~~~ +To start the App-V 5.1 sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +~~~ -3. To select the project template that you want to use, browse to the directory where the project template is saved, select the project template, and then click **Open**. +2. To create or upgrade a new virtual application package by using an App-V 5.1 project template, click **File** / **New From Template**. - Create the new virtual application package. The settings saved with the specified template will be applied to the new virtual application package that you are creating. +3. To select the project template that you want to use, browse to the directory where the project template is saved, select the project template, and then click **Open**. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + Create the new virtual application package. The settings saved with the specified template will be applied to the new virtual application package that you are creating. + + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). 
**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics [Operations for App-V 5.1](operations-for-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-deploy-app-v-50-packages-using-electronic-software-distribution.md b/mdop/appv-v5/how-to-deploy-app-v-50-packages-using-electronic-software-distribution.md index 8069130ba6..cb240b0114 100644 --- a/mdop/appv-v5/how-to-deploy-app-v-50-packages-using-electronic-software-distribution.md +++ b/mdop/appv-v5/how-to-deploy-app-v-50-packages-using-electronic-software-distribution.md @@ -45,12 +45,12 @@ Use one of the following methods to publish packages to App-V client computers w

    PowerShell

    -

    Use PowerShell cmdlets to deploy virtualized applications. For more information about using PowerShell and App-V 5.0, see [Administering App-V by Using PowerShell](administering-app-v-by-using-powershell.md).

    +

    Use PowerShell cmdlets to deploy virtualized applications. For more information about using PowerShell and App-V 5.0, see Administering App-V by Using PowerShell.

    -  + **To deploy App-V 5.0 packages by using an ESD** @@ -69,9 +69,9 @@ Use one of the following methods to publish packages to App-V client computers w [Operations for App-V 5.0](operations-for-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/how-to-deploy-app-v-51-packages-using-electronic-software-distribution.md b/mdop/appv-v5/how-to-deploy-app-v-51-packages-using-electronic-software-distribution.md index fd0877886a..6171caac63 100644 --- a/mdop/appv-v5/how-to-deploy-app-v-51-packages-using-electronic-software-distribution.md +++ b/mdop/appv-v5/how-to-deploy-app-v-51-packages-using-electronic-software-distribution.md @@ -45,12 +45,12 @@ Use one of the following methods to publish packages to App-V client computers w
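Review bot: In the @@ -45,12 hunk of how-to-deploy-app-v-50-packages-using-electronic-software-distribution.md (above), the relative link `[Administering App-V by Using PowerShell](administering-app-v-by-using-powershell.md)` is replaced by its bare title, so the PowerShell row of the methods table no longer points anywhere. If markdown link syntax was being removed because it does not render inside the HTML table cell, replace it with an anchor (`<a href="administering-app-v-by-using-powershell.md">Administering App-V by Using PowerShell</a>`) rather than dropping the target.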

    PowerShell

    -

    Use PowerShell cmdlets to deploy virtualized applications. For more information about using PowerShell and App-V 5.1, see [Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md).

    +

    Use PowerShell cmdlets to deploy virtualized applications. For more information about using PowerShell and App-V 5.1, see Administering App-V 5.1 by Using PowerShell.

    -  + **To deploy App-V 5.1 packages by using an ESD** @@ -69,9 +69,9 @@ Use one of the following methods to publish packages to App-V client computers w [Operations for App-V 5.1](operations-for-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-50-server-50sp3.md b/mdop/appv-v5/how-to-deploy-the-app-v-50-server-50sp3.md index e728860b48..4c309e2617 100644 --- a/mdop/appv-v5/how-to-deploy-the-app-v-50-server-50sp3.md +++ b/mdop/appv-v5/how-to-deploy-the-app-v-50-server-50sp3.md @@ -33,126 +33,126 @@ Use the following procedure to install the App-V 5.0 server. For information abo **To install the App-V 5.0 server** -1. Copy the App-V 5.0 server installation files to the computer on which you want to install it. +1. Copy the App-V 5.0 server installation files to the computer on which you want to install it. -2. Start the App-V 5.0 server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**. +2. Start the App-V 5.0 server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**. -3. Review and accept the license terms, and choose whether to enable Microsoft updates. +3. Review and accept the license terms, and choose whether to enable Microsoft updates. -4. On the **Feature Selection** page, select all of the following components. +4. On the **Feature Selection** page, select all of the following components. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
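Review bot: In the @@ -45,12 hunk of how-to-deploy-app-v-51-packages-using-electronic-software-distribution.md (above), the same regression as on the 5.0 page: the link to administering-app-v-51-by-using-powershell.md is reduced to its title text "Administering App-V 5.1 by Using PowerShell" and the cross-reference is lost. Keep the target, as an HTML anchor if a markdown link does not render inside the table cell.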
    ComponentDescription

    Management server

    Provides overall management functionality for the App-V infrastructure.

    Management database

    Facilitates database predeployments for App-V management.

    Publishing server

    Provides hosting and streaming functionality for virtual applications.

    Reporting server

    Provides App-V 5.0 reporting services.

    Reporting database

    Facilitates database predeployments for App-V reporting.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ComponentDescription

    Management server

    Provides overall management functionality for the App-V infrastructure.

    Management database

    Facilitates database predeployments for App-V management.

    Publishing server

    Provides hosting and streaming functionality for virtual applications.

    Reporting server

    Provides App-V 5.0 reporting services.

    Reporting database

    Facilitates database predeployments for App-V reporting.

    -   + -5. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line. +5. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line. -6. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below. +6. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below. - - - - - - - - - - - - - - - - - - - - - -
    MethodWhat you need to do

    You are using a custom Microsoft SQL Server instance.

    Select Use the custom instance, and type the name of the instance.

    -

    Use the format INSTANCENAME. The assumed installation location is the local computer.

    -

    Not supported: A server name using the format ServerName\INSTANCE.

    You are using a custom database name.

    Select Custom configuration and type the database name.

    -

    The database name must be unique, or the installation will fail.

    + + + + + + + + + + + + + + + + + + + + + +
    MethodWhat you need to do

    You are using a custom Microsoft SQL Server instance.

    Select Use the custom instance, and type the name of the instance.

    +

    Use the format INSTANCENAME. The assumed installation location is the local computer.

    +

    Not supported: A server name using the format ServerName<strong>INSTANCE.

    You are using a custom database name.

    Select Custom configuration and type the database name.

    +

    The database name must be unique, or the installation will fail.

    -   + -7. On the **Configure** page, accept the default value **Use this local computer**. +7. On the **Configure** page, accept the default value **Use this local computer**. - **Note**   - If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. + **Note** + If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. -   + -8. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below. +8. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below. - - - - - - - - - - - - - - - - - - - - - -
    MethodWhat you need to do

    You are using a custom Microsoft SQL Server instance.

    Select Use the custom instance, and type the name of the instance.

    -

    Use the format INSTANCENAME. The assumed installation location is the local computer.

    -

    Not supported: A server name using the format ServerName\INSTANCE.

    You are using a custom database name.

    Select Custom configuration and type the database name.

    -

    The database name must be unique, or the installation will fail.

    + + + + + + + + + + + + + + + + + + + + + +
    MethodWhat you need to do

    You are using a custom Microsoft SQL Server instance.

    Select Use the custom instance, and type the name of the instance.

    +

    Use the format INSTANCENAME. The assumed installation location is the local computer.

    +

    Not supported: A server name using the format ServerName<strong>INSTANCE.

    You are using a custom database name.

    Select Custom configuration and type the database name.

    +

    The database name must be unique, or the installation will fail.

    -   + -9. On the **Configure** page, accept the default value: **Use this local computer**. +9. On the **Configure** page, accept the default value: **Use this local computer**. - **Note**   - If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. + **Note** + If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. -   + 10. On the **Configure** (Management Server Configuration) page, specify the following: @@ -185,7 +185,7 @@ Use the following procedure to install the App-V 5.0 server. For information abo -   + 11. On the **Configure** **Publishing Server Configuration** page, specify the following: @@ -203,7 +203,7 @@ Use the following procedure to install the App-V 5.0 server. For information abo
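Review bot: In the @@ -33,126 hunk of how-to-deploy-the-app-v-50-server-50sp3.md (above), the two "Not supported" cells (management database table and reporting database table) change `ServerName\INSTANCE` to `ServerName<strong>INSTANCE`. The backslash has become an opening `<strong>` tag with no matching close, so the HTML table is malformed and the cell no longer shows the form it is warning against: the point of the row is that only `INSTANCENAME` on the local computer is accepted and the `ServerName\INSTANCE` form is rejected. Restore the literal backslash in both cells (escape it as `\\` if the markdown processor is consuming it) so the unsupported format is stated correctly.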

    Specify the URL for the management service.

    -

    Example: http://localhost:12345

    +

    Example: http://localhost:12345

    Website name: Specify the custom name that will be used to run the publishing service.

    @@ -217,7 +217,7 @@ Use the following procedure to install the App-V 5.0 server. For information abo -   + 12. On the **Reporting Server** page, specify the following: @@ -245,7 +245,7 @@ Use the following procedure to install the App-V 5.0 server. For information abo -   + 13. To start the installation, click **Install** on the **Ready** page, and then click **Close** on the **Finished** page. @@ -270,9 +270,9 @@ Use the following procedure to install the App-V 5.0 server. For information abo [How to Enable Reporting on the App-V 5.0 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-50-client-by-using-powershell.md) -  + -  + diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md b/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md index 850e2a621d..fdaab43d4a 100644 --- a/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md +++ b/mdop/appv-v5/how-to-deploy-the-app-v-50-server-using-a-script.md @@ -69,7 +69,7 @@ Use the following tables for more information about installing the App-V 5.0 ser -   + @@ -151,7 +151,7 @@ Use the following tables for more information about installing the App-V 5.0 ser
    -   + @@ -623,7 +623,7 @@ Use the following tables for more information about installing the App-V 5.0 ser
    -   + ### Parameters for using an Existing Reporting Server Database @@ -648,11 +648,11 @@ Use the following tables for more information about installing the App-V 5.0 ser

    Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_REPORTING_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"

    -

    /EXISTING_ REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    +

    /EXISTING_ REPORTING DB_SQLINSTANCE_USE_DEFAULT

    Indicates that the default SQL instance is to be used. Switch parameter so no value is expected.

    -

    /EXISTING_ REPORTING_DB_CUSTOM_SQLINSTANCE

    +

    /EXISTING REPORTING_DB_CUSTOM_SQLINSTANCE

    Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /EXISTING_REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"
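Review bot: In the @@ -648,11 hunk of how-to-deploy-the-app-v-50-server-using-a-script.md, the edit removes underscores from two parameter names (`/EXISTING_ REPORTING _DB_SQLINSTANCE_USE_DEFAULT` becomes `/EXISTING_ REPORTING DB_SQLINSTANCE_USE_DEFAULT`, and `/EXISTING_ REPORTING_DB_CUSTOM_SQLINSTANCE` becomes `/EXISTING REPORTING_DB_CUSTOM_SQLINSTANCE`) but leaves the embedded spaces, so the documented switches move further from a form the installer could accept. The spaces are the defect to fix: the same family of switches is written contiguously elsewhere in this patch (`/EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL`, `/EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME`). Write them as `/EXISTING_REPORTING_DB_SQLINSTANCE_USE_DEFAULT` and `/EXISTING_REPORTING_DB_CUSTOM_SQLINSTANCE`, fix the example values in the same cells (`/EXISTING_REPORTING_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"`, `/EXISTING_REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"`) the same way, and confirm the spellings against `appv_server_setup.exe /?`, which the page itself says lists them.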

    @@ -737,19 +737,19 @@ Use the following tables for more information about installing the App-V 5.0 ser

    /EXISTING_MANAGEMENT_DB_NAME

    Specifies the name of the existing management database that should be used. Example usage: /EXISITING_MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    -

    Got a suggestion for App-V? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).

    +

    Got a suggestion for App-V? Add or vote on suggestions here. Got an App-V issue? Use the App-V TechNet Forum.

    -   + ## Related topics [Deploying the App-V 5.0 Server](deploying-the-app-v-50-server.md) -  + -  + diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-51-server-using-a-script.md b/mdop/appv-v5/how-to-deploy-the-app-v-51-server-using-a-script.md index 2318ddce47..597cd51d2b 100644 --- a/mdop/appv-v5/how-to-deploy-the-app-v-51-server-using-a-script.md +++ b/mdop/appv-v5/how-to-deploy-the-app-v-51-server-using-a-script.md @@ -23,770 +23,772 @@ In order to complete the **appv\_server\_setup.exe** Server setup successfully u - Use the following tables for more information about installing the App-V 5.1 server using the command line. - **Note**   + **Note** The information in the following tables can also be accessed using the command line by typing the following command: **appv\_server\_setup.exe /?**. -   - **Common parameters and Examples** - - - - - - - - - - - -
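Review bot: In the @@ -737,19 hunk of how-to-deploy-the-app-v-50-server-using-a-script.md (above), both links in the feedback line are stripped: "Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization)" becomes the bare word "here", and the App-V TechNet Forum link becomes plain text. "Add or vote on suggestions here." with nothing to click is a dead sentence; either keep the URLs (as HTML anchors if markdown links are the problem inside the cell) or drop the sentence altogether. While this cell is being touched, the unchanged context line above it has `/EXISITING_MANAGEMENT_DB_NAME=”AppVMgmtDB”` (extra I) beside the parameter `/EXISTING_MANAGEMENT_DB_NAME`; worth fixing in the same commit.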

    To Install the Management server and Management database on a local machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    -
      -
    • /MANAGEMENT_SERVER

    • -
    • /MANAGEMENT_ADMINACCOUNT

    • -
    • /MANAGEMENT_WEBSITE_NAME

    • -
    • /MANAGEMENT_WEBSITE_PORT

    • -
    • /DB_PREDEPLOY_MANAGEMENT

    • -
    • /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • -
    • /MANAGEMENT_DB_NAME

    • -
    -

    To use a custom instance of Microsoft SQL Server, use the following parameters:

    -
      -
    • /MANAGEMENT_SERVER

    • -
    • /MANAGEMENT_ADMINACCOUNT

    • -
    • /MANAGEMENT_WEBSITE_NAME

    • -
    • /MANAGEMENT_WEBSITE_PORT

    • -
    • /DB_PREDEPLOY_MANAGEMENT

    • -
    • /MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • -
    • /MANAGEMENT_DB_NAME

    • -
    -

    Using a custom instance of Microsoft SQL Server example:

    -

    /appv_server_setup.exe /QUIET

    -

    /MANAGEMENT_SERVER

    -

    /MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”

    -

    /MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”

    -

    /MANAGEMENT_WEBSITE_PORT=”8080”

    -

    /DB_PREDEPLOY_MANAGEMENT

    -

    /MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    -

    /MANAGEMENT_DB_NAME=”AppVManagement”

    +~~~ +**Common parameters and Examples** -   + ++++ + + + + + + +

    To Install the Management server and Management database on a local machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /MANAGEMENT_SERVER

    • +
    • /MANAGEMENT_ADMINACCOUNT

    • +
    • /MANAGEMENT_WEBSITE_NAME

    • +
    • /MANAGEMENT_WEBSITE_PORT

    • +
    • /DB_PREDEPLOY_MANAGEMENT

    • +
    • /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /MANAGEMENT_DB_NAME

    • +
    +

    To use a custom instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /MANAGEMENT_SERVER

    • +
    • /MANAGEMENT_ADMINACCOUNT

    • +
    • /MANAGEMENT_WEBSITE_NAME

    • +
    • /MANAGEMENT_WEBSITE_PORT

    • +
    • /DB_PREDEPLOY_MANAGEMENT

    • +
    • /MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • +
    • /MANAGEMENT_DB_NAME

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /MANAGEMENT_SERVER

    +

    /MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”

    +

    /MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”

    +

    /MANAGEMENT_WEBSITE_PORT=”8080”

    +

    /DB_PREDEPLOY_MANAGEMENT

    +

    /MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /MANAGEMENT_DB_NAME=”AppVManagement”

    - - - - - - - - - - - -

    To Install the Management server using an existing Management database on a local machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    -
      -
    • /MANAGEMENT_SERVER

    • -
    • /MANAGEMENT_ADMINACCOUNT

    • -
    • /MANAGEMENT_WEBSITE_NAME

    • -
    • /MANAGEMENT_WEBSITE_PORT

    • -
    • /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL

    • -
    • /EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • -
    • /EXISTING_MANAGEMENT_DB_NAME

    • -
    -

    To use a custom instance of Microsoft SQL Server, use these parameters:

    -
      -
    • /MANAGEMENT_SERVER

    • -
    • /MANAGEMENT_ADMINACCOUNT

    • -
    • /MANAGEMENT_WEBSITE_NAME

    • -
    • /MANAGEMENT_WEBSITE_PORT

    • -
    • /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL

    • -
    • /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • -
    • /EXISTING_MANAGEMENT_DB_NAME

    • -
    -

    Using a custom instance of Microsoft SQL Server example:

    -

    /appv_server_setup.exe /QUIET

    -

    /MANAGEMENT_SERVER

    -

    /MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”

    -

    /MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”

    -

    /MANAGEMENT_WEBSITE_PORT=”8080”

    -

    /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL

    -

    /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE =”SqlInstanceName”

    -

    /EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”

    -   - - - - - - - - - - - -

    To install the Management server using an existing Management database on a remote machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    -
      -
    • /MANAGEMENT_SERVER

    • -
    • /MANAGEMENT_ADMINACCOUNT

    • -
    • /MANAGEMENT_WEBSITE_NAME

    • -
    • /MANAGEMENT_WEBSITE_PORT

    • -
    • /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME

    • -
    • /EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • -
    • /EXISTING_MANAGEMENT_DB_NAME

    • -
    -

    To use a custom instance of Microsoft SQL Server, use these parameters:

    -
      -
    • /MANAGEMENT_SERVER

    • -
    • /MANAGEMENT_ADMINACCOUNT

    • -
    • /MANAGEMENT_WEBSITE_NAME

    • -
    • /MANAGEMENT_WEBSITE_PORT

    • -
    • /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME

    • -
    • /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • -
    • /EXISTING_MANAGEMENT_DB_NAME

    • -
    -

    Using a custom instance of Microsoft SQL Server example:

    -

    /appv_server_setup.exe /QUIET

    -

    /MANAGEMENT_SERVER

    -

    /MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”

    -

    /MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”

    -

    /MANAGEMENT_WEBSITE_PORT=”8080”

    -

    /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME=”SqlServermachine.domainName”

    -

    /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE =”SqlInstanceName”

    -

    /EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”

    + ++++ + + + + + + +

    To Install the Management server using an existing Management database on a local machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /MANAGEMENT_SERVER

    • +
    • /MANAGEMENT_ADMINACCOUNT

    • +
    • /MANAGEMENT_WEBSITE_NAME

    • +
    • /MANAGEMENT_WEBSITE_PORT

    • +
    • /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL

    • +
    • /EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /EXISTING_MANAGEMENT_DB_NAME

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /MANAGEMENT_SERVER

    • +
    • /MANAGEMENT_ADMINACCOUNT

    • +
    • /MANAGEMENT_WEBSITE_NAME

    • +
    • /MANAGEMENT_WEBSITE_PORT

    • +
    • /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL

    • +
    • /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • +
    • /EXISTING_MANAGEMENT_DB_NAME

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /MANAGEMENT_SERVER

    +

    /MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”

    +

    /MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”

    +

    /MANAGEMENT_WEBSITE_PORT=”8080”

    +

    /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL

    +

    /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE =”SqlInstanceName”

    +

    /EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”

    -   - - - - - - - - - - - -

    To Install the Management database and the Management Server on the same computer.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    -
      -
    • /DB_PREDEPLOY_MANAGEMENT

    • -
    • /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • -
    • /MANAGEMENT_DB_NAME

    • -
    • /MANAGEMENT_SERVER_MACHINE_USE_LOCAL

    • -
    • /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    • -
    -

    To use a custom instance of Microsoft SQL Server, use these parameters:

    -
      -
    • /DB_PREDEPLOY_MANAGEMENT

    • -
    • /MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • -
    • /MANAGEMENT_DB_NAME

    • -
    • /MANAGEMENT_SERVER_MACHINE_USE_LOCAL

    • -
    • /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    • -
    -

    Using a custom instance of Microsoft SQL Server example:

    -

    /appv_server_setup.exe /QUIET

    -

    /DB_PREDEPLOY_MANAGEMENT

    -

    /MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    -

    /MANAGEMENT_DB_NAME=”AppVManagement”

    -

    /MANAGEMENT_SERVER_MACHINE_USE_LOCAL

    -

    /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”

    -   + ++++ + + + + + + +

    To install the Management server using an existing Management database on a remote machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /MANAGEMENT_SERVER

    • +
    • /MANAGEMENT_ADMINACCOUNT

    • +
    • /MANAGEMENT_WEBSITE_NAME

    • +
    • /MANAGEMENT_WEBSITE_PORT

    • +
    • /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME

    • +
    • /EXISTING_MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /EXISTING_MANAGEMENT_DB_NAME

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /MANAGEMENT_SERVER

    • +
    • /MANAGEMENT_ADMINACCOUNT

    • +
    • /MANAGEMENT_WEBSITE_NAME

    • +
    • /MANAGEMENT_WEBSITE_PORT

    • +
    • /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME

    • +
    • /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • +
    • /EXISTING_MANAGEMENT_DB_NAME

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /MANAGEMENT_SERVER

    +

    /MANAGEMENT_ADMINACCOUNT=”Domain\AdminGroup”

    +

    /MANAGEMENT_WEBSITE_NAME=”Microsoft AppV Management Service”

    +

    /MANAGEMENT_WEBSITE_PORT=”8080”

    +

    /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME=”SqlServermachine.domainName”

    +

    /EXISTING_MANAGEMENT_DB_CUSTOM_SQLINSTANCE =”SqlInstanceName”

    +

    /EXISTING_MANAGEMENT_DB_NAME =”AppVManagement”

    - - - - - - - - - - - -

    To install the Management database on a different computer than the Management server.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    -
      -
    • /DB_PREDEPLOY_MANAGEMENT

    • -
    • /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • -
    • /MANAGEMENT_DB_NAME

    • -
    • /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

    • -
    • /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    • -
    -

    To use a custom instance of Microsoft SQL Server, use these parameters:

    -
      -
    • /DB_PREDEPLOY_MANAGEMENT

    • -
    • /MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • -
    • /MANAGEMENT_DB_NAME

    • -
    • /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

    • -
    • /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    • -
    -

    Using a custom instance of Microsoft SQL Server example:

    -

    /appv_server_setup.exe /QUIET

    -

    /DB_PREDEPLOY_MANAGEMENT

    -

    /MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    -

    /MANAGEMENT_DB_NAME=”AppVManagement”

    -

    /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”Domain\MachineAccount”

    -

    /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”

    -   - - - - - - - - - - - -

    To Install the publishing server.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    -
      -
    • /PUBLISHING_SERVER

    • -
    • /PUBLISHING_MGT_SERVER

    • -
    • /PUBLISHING_WEBSITE_NAME

    • -
    • /PUBLISHING_WEBSITE_PORT

    • -
    -

    Using a custom instance of Microsoft SQL Server example:

    -

    /appv_server_setup.exe /QUIET

    -

    /PUBLISHING_SERVER

    -

    /PUBLISHING_MGT_SERVER=”http://ManagementServerName:ManagementPort”

    -

    /PUBLISHING_WEBSITE_NAME=”Microsoft AppV Publishing Service”

    -

    /PUBLISHING_WEBSITE_PORT=”8081”

    + ++++ + + + + + + +

    To Install the Management database and the Management Server on the same computer.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /DB_PREDEPLOY_MANAGEMENT

    • +
    • /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /MANAGEMENT_DB_NAME

    • +
    • /MANAGEMENT_SERVER_MACHINE_USE_LOCAL

    • +
    • /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /DB_PREDEPLOY_MANAGEMENT

    • +
    • /MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • +
    • /MANAGEMENT_DB_NAME

    • +
    • /MANAGEMENT_SERVER_MACHINE_USE_LOCAL

    • +
    • /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /DB_PREDEPLOY_MANAGEMENT

    +

    /MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /MANAGEMENT_DB_NAME=”AppVManagement”

    +

    /MANAGEMENT_SERVER_MACHINE_USE_LOCAL

    +

    /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”

    -   - - - - - - - - - - - -

    To Install the Reporting server and Reporting database on a local machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    -
      -
    • /REPORTING _SERVER

    • -
    • /REPORTING _WEBSITE_NAME

    • -
    • /REPORTING _WEBSITE_PORT

    • -
    • /DB_PREDEPLOY_REPORTING

    • -
    • /REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • -
    • /REPORTING _DB_NAME

    • -
    -

    To use a custom instance of Microsoft SQL Server, use these parameters:

    -
      -
    • /REPORTING _SERVER

    • -
    • /REPORTING _ADMINACCOUNT

    • -
    • /REPORTING _WEBSITE_NAME

    • -
    • /REPORTING _WEBSITE_PORT

    • -
    • /DB_PREDEPLOY_REPORTING

    • -
    • /REPORTING _DB_CUSTOM_SQLINSTANCE

    • -
    • /REPORTING _DB_NAME

    • -
    -

    Using a custom instance of Microsoft SQL Server example:

    -
      -
    • /appv_server_setup.exe /QUIET

    • -
    • /REPORTING_SERVER

    • -
    • /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”

    • -
    • /REPORTING_WEBSITE_PORT=”8082”

    • -
    • /DB_PREDEPLOY_REPORTING

    • -
    • /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    • -
    • /REPORTING_DB_NAME=”AppVReporting”

    • -
    -   + ++++ + + + + + + +

    To install the Management database on a different computer than the Management server.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /DB_PREDEPLOY_MANAGEMENT

    • +
    • /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /MANAGEMENT_DB_NAME

    • +
    • /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

    • +
    • /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /DB_PREDEPLOY_MANAGEMENT

    • +
    • /MANAGEMENT_DB_CUSTOM_SQLINSTANCE

    • +
    • /MANAGEMENT_DB_NAME

    • +
    • /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

    • +
    • /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /DB_PREDEPLOY_MANAGEMENT

    +

    /MANAGEMENT_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /MANAGEMENT_DB_NAME=”AppVManagement”

    +

    /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”Domain\MachineAccount”

    +

    /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”

    - - - - - - - - - - - -

    To Install the Reporting server and using an existing Reporting database on a local machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    -
      -
    • /REPORTING _SERVER

    • -
    • /REPORTING _WEBSITE_NAME

    • -
    • /REPORTING _WEBSITE_PORT

    • -
    • /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL

    • -
    • /EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • -
    • /EXISTING_REPORTING _DB_NAME

    • -
    -

    To use a custom instance of Microsoft SQL Server, use these parameters:

    -
      -
    • /REPORTING _SERVER

    • -
    • /REPORTING _ADMINACCOUNT

    • -
    • /REPORTING _WEBSITE_NAME

    • -
    • /REPORTING _WEBSITE_PORT

    • -
    • /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL

    • -
    • /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE

    • -
    • /EXISTING_REPORTING _DB_NAME

    • -
    -

    Using a custom instance of Microsoft SQL Server example:

    -

    /appv_server_setup.exe /QUIET

    -

    /REPORTING_SERVER

    -

    /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”

    -

    /REPORTING_WEBSITE_PORT=”8082”

    -

    /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL

    -

    /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    -

    /EXITING_REPORTING_DB_NAME=”AppVReporting”

    -   - - - - - - - - - - - -

    To Install the Reporting server using an existing Reporting database on a remote machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    -
      -
    • /REPORTING _SERVER

    • -
    • /REPORTING _WEBSITE_NAME

    • -
    • /REPORTING _WEBSITE_PORT

    • -
    • /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME

    • -
    • /EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • -
    • /EXISTING_REPORTING _DB_NAME

    • -
    -

    To use a custom instance of Microsoft SQL Server, use these parameters:

    -
      -
    • /REPORTING _SERVER

    • -
    • /REPORTING _ADMINACCOUNT

    • -
    • /REPORTING _WEBSITE_NAME

    • -
    • /REPORTING _WEBSITE_PORT

    • -
    • /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME

    • -
    • /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE

    • -
    • /EXISTING_REPORTING _DB_NAME

    • -
    -

    Using a custom instance of Microsoft SQL Server example:

    -

    /appv_server_setup.exe /QUIET

    -

    /REPORTING_SERVER

    -

    /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”

    -

    /REPORTING_WEBSITE_PORT=”8082”

    -

    /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME=”SqlServerMachine.DomainName”

    -

    /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    -

    /EXITING_REPORTING_DB_NAME=”AppVReporting”

    + ++++ + + + + + + +

    To Install the publishing server.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /PUBLISHING_SERVER

    • +
    • /PUBLISHING_MGT_SERVER

    • +
    • /PUBLISHING_WEBSITE_NAME

    • +
    • /PUBLISHING_WEBSITE_PORT

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /PUBLISHING_SERVER

    +

    /PUBLISHING_MGT_SERVER=”http://ManagementServerName:ManagementPort”

    +

    /PUBLISHING_WEBSITE_NAME=”Microsoft AppV Publishing Service”

    +

    /PUBLISHING_WEBSITE_PORT=”8081”

    -   - - - - - - - - - - - -

    To install the Reporting database on the same computer as the Reporting server.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    -
      -
    • /DB_PREDEPLOY_REPORTING

    • -
    • /REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • -
    • /REPORTING _DB_NAME

    • -
    • /REPORTING_SERVER_MACHINE_USE_LOCAL

    • -
    • /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    • -
    -

    To use a custom instance of Microsoft SQL Server, use these parameters:

    -
      -
    • /DB_PREDEPLOY_REPORTING

    • -
    • /REPORTING _DB_CUSTOM_SQLINSTANCE

    • -
    • /REPORTING _DB_NAME

    • -
    • /REPORTING_SERVER_MACHINE_USE_LOCAL

    • -
    • /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    • -
    -

    Using a custom instance of Microsoft SQL Server example:

    -

    /appv_server_setup.exe /QUIET

    -

    /DB_PREDEPLOY_REPORTING

    -

    /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    -

    /REPORTING_DB_NAME=”AppVReporting”

    -

    /REPORTING_SERVER_MACHINE_USE_LOCAL

    -

    /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”

    -   + ++++ + + + + + + +

    To Install the Reporting server and Reporting database on a local machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /REPORTING _SERVER

    • +
    • /REPORTING _WEBSITE_NAME

    • +
    • /REPORTING _WEBSITE_PORT

    • +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /REPORTING _DB_NAME

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /REPORTING _SERVER

    • +
    • /REPORTING _ADMINACCOUNT

    • +
    • /REPORTING _WEBSITE_NAME

    • +
    • /REPORTING _WEBSITE_PORT

    • +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING _DB_CUSTOM_SQLINSTANCE

    • +
    • /REPORTING _DB_NAME

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +
      +
    • /appv_server_setup.exe /QUIET

    • +
    • /REPORTING_SERVER

    • +
    • /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”

    • +
    • /REPORTING_WEBSITE_PORT=”8082”

    • +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    • +
    • /REPORTING_DB_NAME=”AppVReporting”

    • +
    - - - - - - - - - - - -

    To install the Reporting database on a different computer than the Reporting server.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    -
      -
    • /DB_PREDEPLOY_REPORTING

    • -
    • /REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • -
    • /REPORTING _DB_NAME

    • -
    • /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

    • -
    • /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    • -
    -

    To use a custom instance of Microsoft SQL Server, use these parameters:

    -
      -
    • /DB_PREDEPLOY_REPORTING

    • -
    • /REPORTING _DB_CUSTOM_SQLINSTANCE

    • -
    • /REPORTING _DB_NAME

    • -
    • /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

    • -
    • /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    • -
    -

    Using a custom instance of Microsoft SQL Server example:

    -

    /appv_server_setup.exe /QUIET

    -

    /DB_PREDEPLOY_REPORTING

    -

    /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    -

    /REPORTING_DB_NAME=”AppVReporting”

    -

    /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT=”Domain\MachineAccount”

    -

    /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”

    -   - **Parameter Definitions** + ++++ + + + + + + +

    To Install the Reporting server and using an existing Reporting database on a local machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /REPORTING _SERVER

    • +
    • /REPORTING _WEBSITE_NAME

    • +
    • /REPORTING _WEBSITE_PORT

    • +
    • /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL

    • +
    • /EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /EXISTING_REPORTING _DB_NAME

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /REPORTING _SERVER

    • +
    • /REPORTING _ADMINACCOUNT

    • +
    • /REPORTING _WEBSITE_NAME

    • +
    • /REPORTING _WEBSITE_PORT

    • +
    • /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL

    • +
    • /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE

    • +
    • /EXISTING_REPORTING _DB_NAME

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /REPORTING_SERVER

    +

    /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”

    +

    /REPORTING_WEBSITE_PORT=”8082”

    +

    /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL

    +

    /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /EXITING_REPORTING_DB_NAME=”AppVReporting”

    - **General Parameters** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ParameterInformation

    /QUIET

    Specifies silent install.

    /UNINSTALL

    Specifies an uninstall.

    /LAYOUT

    Specifies layout action. This extracts the MSIs and script files to a folder without actually installing the product. No value is expected.

    /LAYOUTDIR

    Specifies the layout directory. Takes a string. For example, /LAYOUTDIR=”C:\Application Virtualization Server”

    /INSTALLDIR

    Specifies the installation directory. Takes a string. E.g. /INSTALLDIR=”C:\Program Files\Application Virtualization\Server”

    /MUOPTIN

    Enables Microsoft Update. No value is expected

    /ACCEPTEULA

    Accepts the license agreement. This is required for an unattended installation. Example usage: /ACCEPTEULA or /ACCEPTEULA=1.

    -   + ++++ + + + + + + +

    To Install the Reporting server using an existing Reporting database on a remote machine.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /REPORTING _SERVER

    • +
    • /REPORTING _WEBSITE_NAME

    • +
    • /REPORTING _WEBSITE_PORT

    • +
    • /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME

    • +
    • /EXISTING_REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /EXISTING_REPORTING _DB_NAME

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /REPORTING _SERVER

    • +
    • /REPORTING _ADMINACCOUNT

    • +
    • /REPORTING _WEBSITE_NAME

    • +
    • /REPORTING _WEBSITE_PORT

    • +
    • /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME

    • +
    • /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE

    • +
    • /EXISTING_REPORTING _DB_NAME

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /REPORTING_SERVER

    +

    /REPORTING_WEBSITE_NAME=”Microsoft AppV Reporting Service”

    +

    /REPORTING_WEBSITE_PORT=”8082”

    +

    /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME=”SqlServerMachine.DomainName”

    +

    /EXISTING_REPORTING _DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /EXITING_REPORTING_DB_NAME=”AppVReporting”

    - **Management Server Installation Parameters** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ParameterInformation

    /MANAGEMENT_SERVER

    Specifies that the management server will be installed. No value is expected

    /MANAGEMENT_ADMINACCOUNT

    Specifies the account that will be allowed to Administrator access to the management server This account can be an individual user account or a group. Example usage: /MANAGEMENT_ADMINACCOUNT=”mydomain\admin”. If /MANAGEMENT_SERVER is not specified, this will be ignored. Specifies the account that will be allowed to Administrator access to the management server. This can be a user account or a group. For example, /MANAGEMENT_ADMINACCOUNT="mydomain\admin".

    /MANAGEMENT_WEBSITE_NAME

    Specifies name of the website that will be created for the management service. For example, /MANAGEMENT_WEBSITE_NAME=”Microsoft App-V Management Service”

    MANAGEMENT_WEBSITE_PORT

    Specifies the port number that will be used by the management service will use. For example, /MANAGEMENT_WEBSITE_PORT=82.

    -   + ++++ + + + + + + +

    To install the Reporting database on the same computer as the Reporting server.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /REPORTING _DB_NAME

    • +
    • /REPORTING_SERVER_MACHINE_USE_LOCAL

    • +
    • /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING _DB_CUSTOM_SQLINSTANCE

    • +
    • /REPORTING _DB_NAME

    • +
    • /REPORTING_SERVER_MACHINE_USE_LOCAL

    • +
    • /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /DB_PREDEPLOY_REPORTING

    +

    /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /REPORTING_DB_NAME=”AppVReporting”

    +

    /REPORTING_SERVER_MACHINE_USE_LOCAL

    +

    /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”

    - **Parameters for the Management Server Database** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ParameterInformation

    /DB_PREDEPLOY_MANAGEMENT

    Specifies that the management database will be installed. You must have sufficient database permissions to complete this installation. No value is expected

    /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    Indicates that the default SQL instance should be used. No value is expected.

    /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE

    Specifies the name of the custom SQL instance that should be used to create a new database. Example usage: /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”MYSQLSERVER”. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored.

    /MANAGEMENT_DB_NAME

    Specifies the name of the new management database that should be created. Example usage: /MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored.

    /MANAGEMENT_SERVER_MACHINE_USE_LOCAL

    Indicates if the management server that will be accessing the database is installed on the local server. Switch parameter so no value is expected.

    /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

    Specifies the machine account of the remote machine that the management server will be installed on. Example usage: /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”domain\computername”

    /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    Indicates the Administrator account that will be used to install the management server. Example usage: /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT =”domain\alias”

    -   + ++++ + + + + + + +

    To install the Reporting database on a different computer than the Reporting server.

    To use the default instance of Microsoft SQL Server, use the following parameters:

    +
      +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    • +
    • /REPORTING _DB_NAME

    • +
    • /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

    • +
    • /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    To use a custom instance of Microsoft SQL Server, use these parameters:

    +
      +
    • /DB_PREDEPLOY_REPORTING

    • +
    • /REPORTING _DB_CUSTOM_SQLINSTANCE

    • +
    • /REPORTING _DB_NAME

    • +
    • /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

    • +
    • /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    • +
    +

    Using a custom instance of Microsoft SQL Server example:

    +

    /appv_server_setup.exe /QUIET

    +

    /DB_PREDEPLOY_REPORTING

    +

    /REPORTING_DB_CUSTOM_SQLINSTANCE=”SqlInstanceName”

    +

    /REPORTING_DB_NAME=”AppVReporting”

    +

    /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT=”Domain\MachineAccount”

    +

    /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT=”Domain\InstallAdminAccount”

    - **Parameters for Installing Publishing Server** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ParameterInformation

    /PUBLISHING_SERVER

    Specifies that the Publishing Server will be installed. No value is expected

    /PUBLISHING_MGT_SERVER

    Specifies the URL to Management Service the Publishing server will connect to. Example usage: http://<management server name>:<Management server port number>. If /PUBLISHING_SERVER is not used, this parameter will be ignored

    /PUBLISHING_WEBSITE_NAME

    Specifies name of the website that will be created for the publishing service. For example, /PUBLISHING_WEBSITE_NAME=”Microsoft App-V Publishing Service”

    /PUBLISHING_WEBSITE_PORT

    Specifies the port number used by the publishing service. For example, /PUBLISHING_WEBSITE_PORT=83

    -   +**Parameter Definitions** - **Parameters for Reporting Server** +**General Parameters** - - - - - - - - - - - - - - - - - - - - - - - - - -
    ParameterInformation

    /REPORTING_SERVER

    Specifies that the Reporting Server will be installed. No value is expected

    /REPORTING_WEBSITE_NAME

    Specifies name of the website that will be created for the Reporting Service. E.g. /REPORTING_WEBSITE_NAME="Microsoft App-V ReportingService"

    /REPORTING_WEBSITE_PORT

    Specifies the port number that the Reporting Service will use. E.g. /REPORTING_WEBSITE_PORT=82

    + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /QUIET

    Specifies silent install.

    /UNINSTALL

    Specifies an uninstall.

    /LAYOUT

    Specifies layout action. This extracts the MSIs and script files to a folder without actually installing the product. No value is expected.

    /LAYOUTDIR

    Specifies the layout directory. Takes a string. For example, /LAYOUTDIR=”C:\Application Virtualization Server”

    /INSTALLDIR

    Specifies the installation directory. Takes a string. E.g. /INSTALLDIR=”C:\Program Files\Application Virtualization\Server”

    /MUOPTIN

    Enables Microsoft Update. No value is expected

    /ACCEPTEULA

    Accepts the license agreement. This is required for an unattended installation. Example usage: /ACCEPTEULA or /ACCEPTEULA=1.

    -   - **Parameters for using an Existing Reporting Server Database** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ParameterInformation

    /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL

    Indicates that the Microsoft SQL Server is installed on the local server. Switch parameter so no value is expected.

    /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME

    Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_REPORTING_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"

    /EXISTING_ REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    Indicates that the default SQL instance is to be used. Switch parameter so no value is expected.

    /EXISTING_ REPORTING_DB_CUSTOM_SQLINSTANCE

    Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /EXISTING_REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"

    /EXISTING_ REPORTING _DB_NAME

    Specifies the name of the existing Reporting database that should be used. Takes a string. E.g. /EXISITING_REPORTING_DB_NAME="AppVReporting"

    +**Management Server Installation Parameters** -   + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /MANAGEMENT_SERVER

    Specifies that the management server will be installed. No value is expected

    /MANAGEMENT_ADMINACCOUNT

    Specifies the account that will be allowed to Administrator access to the management server This account can be an individual user account or a group. Example usage: /MANAGEMENT_ADMINACCOUNT=”mydomain\admin”. If /MANAGEMENT_SERVER is not specified, this will be ignored. Specifies the account that will be allowed to Administrator access to the management server. This can be a user account or a group. For example, /MANAGEMENT_ADMINACCOUNT="mydomain\admin".

    /MANAGEMENT_WEBSITE_NAME

    Specifies name of the website that will be created for the management service. For example, /MANAGEMENT_WEBSITE_NAME=”Microsoft App-V Management Service”

    MANAGEMENT_WEBSITE_PORT

    Specifies the port number that will be used by the management service will use. For example, /MANAGEMENT_WEBSITE_PORT=82.

    - **Parameters for installing Reporting Server Database** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ParameterInformation

    /DB_PREDEPLOY_REPORTING

    Specifies that the Reporting Database will be installed. DBA permissions are required for this installation. No value is expected

    /REPORTING_DB_SQLINSTANCE_USE_DEFAULT

    Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"

    /REPORTING_DB_NAME

    Specifies the name of the new Reporting database that should be created. Takes a string. E.g. /REPORTING_DB_NAME="AppVMgmtDB"

    /REPORTING_SERVER_MACHINE_USE_LOCAL

    Indicates that the Reporting server that will be accessing the database is installed on the local server. Switch parameter so no value is expected.

    /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

    Specifies the machine account of the remote machine that the Reporting server will be installed on. Takes a string. E.g. /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT = "domain\computername"

    /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    Indicates the Administrator account that will be used to install the App-V Reporting Server. Takes a string. E.g. /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT = "domain\alias"

    -   +**Parameters for the Management Server Database** - **Parameters for using an existing Management Server Database** + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /DB_PREDEPLOY_MANAGEMENT

    Specifies that the management database will be installed. You must have sufficient database permissions to complete this installation. No value is expected

    /MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    Indicates that the default SQL instance should be used. No value is expected.

    /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE

    Specifies the name of the custom SQL instance that should be used to create a new database. Example usage: /MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”MYSQLSERVER”. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored.

    /MANAGEMENT_DB_NAME

    Specifies the name of the new management database that should be created. Example usage: /MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is not specified, this will be ignored.

    /MANAGEMENT_SERVER_MACHINE_USE_LOCAL

    Indicates if the management server that will be accessing the database is installed on the local server. Switch parameter so no value is expected.

    /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT

    Specifies the machine account of the remote machine that the management server will be installed on. Example usage: /MANAGEMENT_REMOTE_SERVER_MACHINE_ACCOUNT=”domain\computername”

    /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT

    Indicates the Administrator account that will be used to install the management server. Example usage: /MANAGEMENT_SERVER_INSTALL_ADMIN_ACCOUNT =”domain\alias”

    + + + +**Parameters for Installing Publishing Server** + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /PUBLISHING_SERVER

    Specifies that the Publishing Server will be installed. No value is expected

    /PUBLISHING_MGT_SERVER

    Specifies the URL to Management Service the Publishing server will connect to. Example usage: http://<management server name>:<Management server port number>. If /PUBLISHING_SERVER is not used, this parameter will be ignored

    /PUBLISHING_WEBSITE_NAME

    Specifies name of the website that will be created for the publishing service. For example, /PUBLISHING_WEBSITE_NAME=”Microsoft App-V Publishing Service”

    /PUBLISHING_WEBSITE_PORT

    Specifies the port number used by the publishing service. For example, /PUBLISHING_WEBSITE_PORT=83

    + + + +**Parameters for Reporting Server** + + ++++ + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /REPORTING_SERVER

    Specifies that the Reporting Server will be installed. No value is expected

    /REPORTING_WEBSITE_NAME

    Specifies name of the website that will be created for the Reporting Service. E.g. /REPORTING_WEBSITE_NAME="Microsoft App-V ReportingService"

    /REPORTING_WEBSITE_PORT

    Specifies the port number that the Reporting Service will use. E.g. /REPORTING_WEBSITE_PORT=82

    + + + +**Parameters for using an Existing Reporting Server Database** + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /EXISTING_REPORTING_DB_SQL_SERVER_USE_LOCAL

    Indicates that the Microsoft SQL Server is installed on the local server. Switch parameter so no value is expected.

    /EXISTING_REPORTING_DB_REMOTE_SQL_SERVER_NAME

    Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_REPORTING_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"

    /EXISTING_ REPORTING _DB_SQLINSTANCE_USE_DEFAULT

    Indicates that the default SQL instance is to be used. Switch parameter so no value is expected.

    /EXISTING_ REPORTING_DB_CUSTOM_SQLINSTANCE

    Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /EXISTING_REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"

    /EXISTING_ REPORTING _DB_NAME

    Specifies the name of the existing Reporting database that should be used. Takes a string. E.g. /EXISITING_REPORTING_DB_NAME="AppVReporting"

    + + + +**Parameters for installing Reporting Server Database** + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /DB_PREDEPLOY_REPORTING

    Specifies that the Reporting Database will be installed. DBA permissions are required for this installation. No value is expected

    /REPORTING_DB_SQLINSTANCE_USE_DEFAULT

    Specifies the name of the custom SQL instance that should be used. Takes a string. E.g. /REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"

    /REPORTING_DB_NAME

    Specifies the name of the new Reporting database that should be created. Takes a string. E.g. /REPORTING_DB_NAME="AppVMgmtDB"

    /REPORTING_SERVER_MACHINE_USE_LOCAL

    Indicates that the Reporting server that will be accessing the database is installed on the local server. Switch parameter so no value is expected.

    /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT

    Specifies the machine account of the remote machine that the Reporting server will be installed on. Takes a string. E.g. /REPORTING_REMOTE_SERVER_MACHINE_ACCOUNT = "domain\computername"

    /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT

    Indicates the Administrator account that will be used to install the App-V Reporting Server. Takes a string. E.g. /REPORTING_SERVER_INSTALL_ADMIN_ACCOUNT = "domain\alias"

    + + + +**Parameters for using an existing Management Server Database** + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ParameterInformation

    /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL

    Indicates that the SQL Server is installed on the local server. Switch parameter so no value is expected.If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME

    Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_MANAGEMENT_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"

    /EXISTING_ MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE

    Specifies the name of the custom SQL instance that will be used. Example usage /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”AppVManagement”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    /EXISTING_MANAGEMENT_DB_NAME

    Specifies the name of the existing management database that should be used. Example usage: /EXISITING_MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    +

    +

    Got a suggestion for App-V? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).

    +~~~ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ParameterInformation

    /EXISTING_MANAGEMENT_DB_SQL_SERVER_USE_LOCAL

    Indicates that the SQL Server is installed on the local server. Switch parameter so no value is expected.If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    /EXISTING_MANAGEMENT_DB_REMOTE_SQL_SERVER_NAME

    Specifies the name of the remote computer that SQL Server is installed on. Takes a string. E.g. /EXISTING_MANAGEMENT_DB_ REMOTE_SQL_SERVER_NAME="mycomputer1"

    /EXISTING_ MANAGEMENT_DB_SQLINSTANCE_USE_DEFAULT

    Indicates that the default SQL instance is to be used. Switch parameter so no value is expected. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE

    Specifies the name of the custom SQL instance that will be used. Example usage /EXISTING_MANAGEMENT_DB_ CUSTOM_SQLINSTANCE=”AppVManagement”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    /EXISTING_MANAGEMENT_DB_NAME

    Specifies the name of the existing management database that should be used. Example usage: /EXISITING_MANAGEMENT_DB_NAME=”AppVMgmtDB”. If /DB_PREDEPLOY_MANAGEMENT is specified, this will be ignored.

    -

    -

    Got a suggestion for App-V? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). Got an App-V issue? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
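Review bot: The re-added `+` lines of this hunk carry over several defects in the parameter text that this whitespace cleanup was the chance to fix, most visibly the misspelled switch `/EXITING_REPORTING_DB_NAME=”AppVReporting”` in the three reporting-server examples (the parameter table names it `/EXISTING_REPORTING_DB_NAME`, and the table's own example `/EXISITING_REPORTING_DB_NAME="AppVReporting"` misspells it a third way). The same lines keep stray spaces inside switch names (`/REPORTING _SERVER`, `/EXISTING_REPORTING _DB_NAME`, `/MANAGEMENT_DB_ CUSTOM_SQLINSTANCE`), which a command line would split into two arguments; `MANAGEMENT_WEBSITE_PORT` without its leading slash; curly quotes `”…”` around values in every example, which cmd.exe does not treat as quoting; a `/REPORTING_DB_SQLINSTANCE_USE_DEFAULT` row whose description and example (`/REPORTING_DB_ CUSTOM_SQLINSTANCE="MYSQLSERVER"`) belong to the custom-instance parameter, so the default-instance switch is left undocumented and the custom-instance row is missing; a `/REPORTING_DB_NAME` example that uses the management database name `AppVMgmtDB`; and a description under `/MANAGEMENT_ADMINACCOUNT` that repeats its first sentence. Suggest correcting these in the `+` lines while the file is being touched, since an administrator copying a silent-install command from this page would otherwise pass a switch name that differs from the one the installer documents.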

    -   ## Related topics [Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-51-server.md b/mdop/appv-v5/how-to-deploy-the-app-v-51-server.md index 2c6c002009..97b1877022 100644 --- a/mdop/appv-v5/how-to-deploy-the-app-v-51-server.md +++ b/mdop/appv-v5/how-to-deploy-the-app-v-51-server.md @@ -33,126 +33,126 @@ Use the following procedure to install the Microsoft Application Virtualization **To install the App-V 5.1 server** -1. Copy the App-V 5.1 server installation files to the computer on which you want to install it. +1. Copy the App-V 5.1 server installation files to the computer on which you want to install it. -2. Start the App-V 5.1 server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**. +2. Start the App-V 5.1 server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**. -3. Review and accept the license terms, and choose whether to enable Microsoft updates. +3. Review and accept the license terms, and choose whether to enable Microsoft updates. -4. On the **Feature Selection** page, select all of the following components. +4. On the **Feature Selection** page, select all of the following components. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ComponentDescription

    Management server

    Provides overall management functionality for the App-V infrastructure.

    Management database

    Facilitates database predeployments for App-V management.

    Publishing server

    Provides hosting and streaming functionality for virtual applications.

    Reporting server

    Provides App-V 5.1 reporting services.

    Reporting database

    Facilitates database predeployments for App-V reporting.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ComponentDescription

    Management server

    Provides overall management functionality for the App-V infrastructure.

    Management database

    Facilitates database predeployments for App-V management.

    Publishing server

    Provides hosting and streaming functionality for virtual applications.

    Reporting server

    Provides App-V 5.1 reporting services.

    Reporting database

    Facilitates database predeployments for App-V reporting.

    -   + -5. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line. +5. On the **Installation Location** page, accept the default location where the selected components will be installed, or change the location by typing a new path on the **Installation Location** line. -6. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below. +6. On the initial **Create New Management Database** page, configure the **Microsoft SQL Server instance** and **Management Server database** by selecting the appropriate option below. - - - - - - - - - - - - - - - - - - - - - -
    MethodWhat you need to do

    You are using a custom Microsoft SQL Server instance.

    Select Use the custom instance, and type the name of the instance.

    -

    Use the format INSTANCENAME. The assumed installation location is the local computer.

    -

    Not supported: A server name using the format ServerName\INSTANCE.

    You are using a custom database name.

    Select Custom configuration and type the database name.

    -

    The database name must be unique, or the installation will fail.

    + + + + + + + + + + + + + + + + + + + + + +
    MethodWhat you need to do

    You are using a custom Microsoft SQL Server instance.

    Select Use the custom instance, and type the name of the instance.

    +

    Use the format INSTANCENAME. The assumed installation location is the local computer.

    +

    Not supported: A server name using the format ServerName<strong>INSTANCE.

    You are using a custom database name.

    Select Custom configuration and type the database name.

    +

    The database name must be unique, or the installation will fail.

    -   + -7. On the **Configure** page, accept the default value **Use this local computer**. +7. On the **Configure** page, accept the default value **Use this local computer**. - **Note**   - If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. + **Note** + If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. -   + -8. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below. +8. On the initial **Create New Reporting Database** page, configure the **Microsoft SQL Server instance** and **Reporting Server database** by selecting the appropriate option below. - - - - - - - - - - - - - - - - - - - - - -
    MethodWhat you need to do

    You are using a custom Microsoft SQL Server instance.

    Select Use the custom instance, and type the name of the instance.

    -

    Use the format INSTANCENAME. The assumed installation location is the local computer.

    -

    Not supported: A server name using the format ServerName\INSTANCE.

    You are using a custom database name.

    Select Custom configuration and type the database name.

    -

    The database name must be unique, or the installation will fail.

    + + + + + + + + + + + + + + + + + + + + + +
    MethodWhat you need to do

    You are using a custom Microsoft SQL Server instance.

    Select Use the custom instance, and type the name of the instance.

    +

    Use the format INSTANCENAME. The assumed installation location is the local computer.

    +

    Not supported: A server name using the format ServerName<strong>INSTANCE.

    You are using a custom database name.

    Select Custom configuration and type the database name.

    +

    The database name must be unique, or the installation will fail.

    -   + -9. On the **Configure** page, accept the default value: **Use this local computer**. +9. On the **Configure** page, accept the default value: **Use this local computer**. - **Note**   - If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. + **Note** + If you are installing the Management server and Management database side by side, some options on this page are not available. In this case, the appropriate options are selected by default and cannot be changed. -   + 10. On the **Configure** (Management Server Configuration) page, specify the following: @@ -185,7 +185,7 @@ Use the following procedure to install the Microsoft Application Virtualization -   + 11. On the **Configure** **Publishing Server Configuration** page, specify the following: @@ -203,7 +203,7 @@ Use the following procedure to install the Microsoft Application Virtualization

    Specify the URL for the management service.

    -

    Example: http://localhost:12345

    +

    Example: http://localhost:12345

    Website name: Specify the custom name that will be used to run the publishing service.

    @@ -217,7 +217,7 @@ Use the following procedure to install the Microsoft Application Virtualization -   + 12. On the **Reporting Server** page, specify the following: @@ -245,7 +245,7 @@ Use the following procedure to install the Microsoft Application Virtualization -   + 13. To start the installation, click **Install** on the **Ready** page, and then click **Close** on the **Finished** page. @@ -268,9 +268,9 @@ Use the following procedure to install the Microsoft Application Virtualization [How to Deploy the App-V 5.1 Server Using a Script](how-to-deploy-the-app-v-51-server-using-a-script.md) -  + -  + diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md b/mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md index 7c88dabe76..f89ee280f9 100644 --- a/mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md +++ b/mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md @@ -21,36 +21,36 @@ Use the following procedure to install the Microsoft Application Virtualization **What to do before you start** -1. Review and install the software prerequisites: +1. Review and install the software prerequisites: - Install the prerequisite software that corresponds to the version of App-V that you are installing: + Install the prerequisite software that corresponds to the version of App-V that you are installing: - - [About App-V 5.1](about-app-v-51.md) + - [About App-V 5.1](about-app-v-51.md) - - [App-V 5.1 Prerequisites](app-v-51-prerequisites.md) + - [App-V 5.1 Prerequisites](app-v-51-prerequisites.md) -2. Review the client coexistence and unsupported scenarios, as applicable to your installation: +2. Review the client coexistence and unsupported scenarios, as applicable to your installation: - - - - - - - - - - - - - - - -

    Deploying coexisting App-V clients

    [Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md)

    Unsupported or limited installation scenarios

    See the client section in [App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md)

    + + + + + + + + + + + + + + + +

    Deploying coexisting App-V clients

    Planning for the App-V 5.1 Sequencer and Client Deployment

    Unsupported or limited installation scenarios

    See the client section in App-V 5.1 Supported Configurations

    -   -3. Review the locations for client registry, log, and troubleshooting information: + +3. Review the locations for client registry, log, and troubleshooting information: @@ -76,9 +76,9 @@ Use the following procedure to install the Microsoft Application Virtualization

    Event logs / Applications and Services Logs / Microsoft / AppV

  • In App-V 5.0 SP3, some logs were consolidated and moved to the following location:

    Event logs/Applications and Services Logs/Microsoft/AppV/ServiceLog

    -

    For a list of the moved logs, see [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-event-logs-moved).

  • +

    For a list of the moved logs, see About App-V 5.0 SP3.

  • Packages that are currently stored on computers that run the App-V 5.1 Client are saved to the following location:

    -

    C:\ProgramData\App-V\<package id>\<version id>

  • +

    C:\ProgramData\App-V&lt;package id>&lt;version id>

    @@ -88,7 +88,7 @@ Use the following procedure to install the Microsoft Application Virtualization
    -  + **To install the App-V 5.1 Client** @@ -117,7 +117,7 @@ Use the following procedure to install the Microsoft Application Virtualization -   + 2. Double-click the installation file, and click **Install**. Before the installation begins, the installer checks the computer for any missing [App-V 5.1 Prerequisites](app-v-51-prerequisites.md). @@ -133,151 +133,151 @@ Use the following procedure to install the Microsoft Application Virtualization - **language pack** - **Note**   + **Note** After the installation, only the .exe file can be uninstalled. -   + **To install the App-V 5.1 client using a script** -1. Install all of the required prerequisite software on the target computers. See [What to do before you start](#bkmk-clt-install-prereqs). If you install the client by using an .msi file, the installation will fail if any prerequisites are missing. +1. Install all of the required prerequisite software on the target computers. See [What to do before you start](#bkmk-clt-install-prereqs). If you install the client by using an .msi file, the installation will fail if any prerequisites are missing. -2. To use a script to install the App-V 5.1 client, use the following parameters with **appv\_client\_setup.exe**. +2. To use a script to install the App-V 5.1 client, use the following parameters with **appv\_client\_setup.exe**. - **Note**   - The client Windows Installer (.msi) supports the same set of switches, except for the **/LOG** parameter. + **Note** + The client Windows Installer (.msi) supports the same set of switches, except for the **/LOG** parameter. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    /INSTALLDIR

    Specifies the installation directory. Example usage: /INSTALLDIR=C:\Program Files\AppV Client

    /CEIPOPTIN

    Enables participation in the Customer Experience Improvement Program. Example usage: /CEIPOPTIN=[0|1]

    /MUOPTIN

    Enables Microsoft Update. Example usage: /MUOPTIN=[0|1]

    /PACKAGEINSTALLATIONROOT

    Specifies the directory in which to install all new applications and updates. Example usage: /PACKAGEINSTALLATIONROOT='C:\App-V Packages'

    /PACKAGESOURCEROOT

    Overrides the source location for downloading package content. Example usage: /PACKAGESOURCEROOT='http://packageStore'

    /AUTOLOAD

    Specifies how new packages will be loaded by App-V 5.1 on a specific computer. The following options are enabled: [1]; automatically load all packages [2]; or automatically load no packages [0].Example usage: /AUTOLOAD=[0|1|2]

    /SHAREDCONTENTSTOREMODE

    Specifies that streamed package contents will be not be saved to the local hard disk. Example usage: /SHAREDCONTENTSTOREMODE=[0|1]

    /MIGRATIONMODE

    Allows the App-V 5.1 client to modify the shortcuts and FTAs that are associated with the packages that are created with a previous version. Example usage: /MIGRATIONMODE=[0|1]

    /ENABLEPACKAGESCRIPTS

    Enables the scripts that are defined in the package manifest file or configuration files that should run. Example usage: /ENABLEPACKAGESCRIPTS=[0|1]

    /ROAMINGREGISTRYEXCLUSIONS

    Specifies the registry paths that will not roam with a user profile. Example usage: /ROAMINGREGISTRYEXCLUSIONS=software\classes;software\clients

    /ROAMINGFILEEXCLUSIONS

    Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /ROAMINGFILEEXCLUSIONS 'desktop;my pictures'

    /S[1-5]PUBLISHINGSERVERNAME

    Displays the name of the publishing server. Example usage: /S2PUBLISHINGSERVERNAME=MyPublishingServer

    /S[1-5]PUBLISHINGSERVERURL

    Displays the URL of the publishing server. Example usage: /S2PUBLISHINGSERVERURL=\pubserver

    /S[1-5]GLOBALREFRESHENABLED -

    Enables a global publishing refresh. Example usage: /S2GLOBALREFRESHENABLED=[0|1]

    /S[1-5]GLOBALREFRESHONLOGON

    Initiates a global publishing refresh when a user logs on. Example usage: /S2LOGONREFRESH=[0|1]

    /S[1-5]GLOBALREFRESHINTERVAL -

    Specifies the publishing refresh interval, where 0 indicates do not periodically refresh. Example usage: /S2PERIODICREFRESHINTERVAL=[0-744]

    /S[1-5]GLOBALREFRESHINTERVALUNIT

    Specifies the interval unit (Hours[0], Days[1]). Example usage: /S2GLOBALREFRESHINTERVALUNIT=[0|1]

    /S[1-5]USERREFRESHENABLED

    Enables user publishing refresh. Example usage: /S2USERREFRESHENABLED=[0|1]

    /S[1-5]USERREFRESHONLOGON

    Initiates a user publishing refresh when a user logs on. Example usage: /S2LOGONREFRESH=[0|1]

    /S[1-5]USERREFRESHINTERVAL -

    Specifies the publishing refresh interval, where 0 indicates do not periodically refresh. Example usage: /S2PERIODICREFRESHINTERVAL=[0-744]

    /S[1-5]USERREFRESHINTERVALUNIT

    Specifies the interval unit (Hours[0], Days[1]). Example usage: /S2USERREFRESHINTERVALUNIT=[0|1]

    /Log

    Specifies a location where the log information is saved. The default location is %Temp%. Example usage: /log C:\logs\log.log

    /q

    Specifies an unattended installation.

    /REPAIR

    Repairs a previous client installation.

    /NORESTART

    Prevents the computer from rebooting after the client installation.

    +

    The parameter prevents the end-user computer from rebooting after each update is installed and lets you schedule the reboot at your convenience. For example, you can install App-V 5.1 and then install Hotfix Package Y without rebooting after the Service Pack installation. After the installation, you must reboot before you start using App-V.

    /UNINSTALL

    Uninstalls the client.

    /ACCEPTEULA

    Accepts the license agreement. This is required for an unattended installation. Example usage: /ACCEPTEULA or /ACCEPTEULA=1.

    /LAYOUT

    Specifies the associated layout action. It also extracts the Windows Installer (.msi) and script files to a folder without installing App-V 5.1. No value is expected.

    /LAYOUTDIR

    Specifies the layout directory. Requires a string value. Example usage: /LAYOUTDIR=”C:\Application Virtualization Client”.

    /?, /h, /help

    Requests help about the previous installation parameters.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    /INSTALLDIR

    Specifies the installation directory. Example usage: /INSTALLDIR=C:\Program Files\AppV Client

    /CEIPOPTIN

    Enables participation in the Customer Experience Improvement Program. Example usage: /CEIPOPTIN=[0|1]

    /MUOPTIN

    Enables Microsoft Update. Example usage: /MUOPTIN=[0|1]

    /PACKAGEINSTALLATIONROOT

    Specifies the directory in which to install all new applications and updates. Example usage: /PACKAGEINSTALLATIONROOT='C:\App-V Packages'

    /PACKAGESOURCEROOT

    Overrides the source location for downloading package content. Example usage: /PACKAGESOURCEROOT='http://packageStore'

    /AUTOLOAD

    Specifies how new packages will be loaded by App-V 5.1 on a specific computer. The following options are enabled: [1]; automatically load all packages [2]; or automatically load no packages [0].Example usage: /AUTOLOAD=[0|1|2]

    /SHAREDCONTENTSTOREMODE

    Specifies that streamed package contents will be not be saved to the local hard disk. Example usage: /SHAREDCONTENTSTOREMODE=[0|1]

    /MIGRATIONMODE

    Allows the App-V 5.1 client to modify the shortcuts and FTAs that are associated with the packages that are created with a previous version. Example usage: /MIGRATIONMODE=[0|1]

    /ENABLEPACKAGESCRIPTS

    Enables the scripts that are defined in the package manifest file or configuration files that should run. Example usage: /ENABLEPACKAGESCRIPTS=[0|1]

    /ROAMINGREGISTRYEXCLUSIONS

    Specifies the registry paths that will not roam with a user profile. Example usage: /ROAMINGREGISTRYEXCLUSIONS=software\classes;software\clients

    /ROAMINGFILEEXCLUSIONS

    Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /ROAMINGFILEEXCLUSIONS 'desktop;my pictures'

    /S[1-5]PUBLISHINGSERVERNAME

    Displays the name of the publishing server. Example usage: /S2PUBLISHINGSERVERNAME=MyPublishingServer

    /S[1-5]PUBLISHINGSERVERURL

    Displays the URL of the publishing server. Example usage: /S2PUBLISHINGSERVERURL=\\pubserver

    /S[1-5]GLOBALREFRESHENABLED -

    Enables a global publishing refresh. Example usage: /S2GLOBALREFRESHENABLED=[0|1]

    /S[1-5]GLOBALREFRESHONLOGON

    Initiates a global publishing refresh when a user logs on. Example usage: /S2LOGONREFRESH=[0|1]

    /S[1-5]GLOBALREFRESHINTERVAL -

    Specifies the publishing refresh interval, where 0 indicates do not periodically refresh. Example usage: /S2PERIODICREFRESHINTERVAL=[0-744]

    /S[1-5]GLOBALREFRESHINTERVALUNIT

    Specifies the interval unit (Hours[0], Days[1]). Example usage: /S2GLOBALREFRESHINTERVALUNIT=[0|1]

    /S[1-5]USERREFRESHENABLED

    Enables user publishing refresh. Example usage: /S2USERREFRESHENABLED=[0|1]

    /S[1-5]USERREFRESHONLOGON

    Initiates a user publishing refresh when a user logs on. Example usage: /S2LOGONREFRESH=[0|1]

    /S[1-5]USERREFRESHINTERVAL -

    Specifies the publishing refresh interval, where 0 indicates do not periodically refresh. Example usage: /S2PERIODICREFRESHINTERVAL=[0-744]

    /S[1-5]USERREFRESHINTERVALUNIT

    Specifies the interval unit (Hours[0], Days[1]). Example usage: /S2USERREFRESHINTERVALUNIT=[0|1]

    /Log

    Specifies a location where the log information is saved. The default location is %Temp%. Example usage: /log C:\logs\log.log

    /q

    Specifies an unattended installation.

    /REPAIR

    Repairs a previous client installation.

    /NORESTART

    Prevents the computer from rebooting after the client installation.

    -

    The parameter prevents the end-user computer from rebooting after each update is installed and lets you schedule the reboot at your convenience. For example, you can install App-V 5.1 and then install Hotfix Package Y without rebooting after the Service Pack installation. After the installation, you must reboot before you start using App-V.

    /UNINSTALL

    Uninstalls the client.

    /ACCEPTEULA

    Accepts the license agreement. This is required for an unattended installation. Example usage: /ACCEPTEULA or /ACCEPTEULA=1.

    /LAYOUT

    Specifies the associated layout action. It also extracts the Windows Installer (.msi) and script files to a folder without installing App-V 5.1. No value is expected.

    /LAYOUTDIR

    Specifies the layout directory. Requires a string value. Example usage: /LAYOUTDIR=”C:\Application Virtualization Client”.

    /?, /h, /help

    Requests help about the previous installation parameters.

    -   **To install the App-V 5.1 client by using the Windows Installer (.msi) file** @@ -314,7 +314,7 @@ Use the following procedure to install the Microsoft Application Virtualization -   + 4. Using the information in the following table, select the appropriate language pack **.msi** to install, based on the desired language for the target computer. The **xxxx** in the table refers to the target locale of the language pack. @@ -349,9 +349,11 @@ Use the following procedure to install the Microsoft Application Virtualization -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics @@ -362,9 +364,9 @@ Use the following procedure to install the Microsoft Application Virtualization [How to Uninstall the App-V 5.1 Client](how-to-uninstall-the-app-v-51-client.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md b/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md index 9db502712f..930cf3c6f7 100644 --- a/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md +++ b/mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md 
@@ -33,30 +33,36 @@ Use the following procedure to install the Microsoft Application Virtualization 2. Review the client coexistence and unsupported scenarios, as applicable to your installation: - | | | - |---|---| - |Deploying coexisting App-V clients |[Planning for the App-V 5.0 Sequencer and Client Deployment](planning-for-the-app-v-50-sequencer-and-client-deployment.md) | - |Unsupported or limited installation scenarios |[App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md) | + + | | | + |-----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------| + | Deploying coexisting App-V clients | [Planning for the App-V 5.0 Sequencer and Client Deployment](planning-for-the-app-v-50-sequencer-and-client-deployment.md) | + | Unsupported or limited installation scenarios | [App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md) | + --- -   + 3. Review the locations for client registry, log, and troubleshooting information: - | | | - |---|---| - |Client registry information |
    • By default, after you install the App-V 5.0 client, the client information is stored in the registry in the following registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\APPV\CLIENT

    • When you deploy a virtualized package to a computer that is running the App-V client, the associated package data is stored in the following location:

      C:\ProgramData\App-V

      However, you can reconfigure this location with the following registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SOFTWARE\MICROSOFT\APPV\CLIENT\STREAMING\PACKAGEINSTALLATIONROOT

    | - |Client log files |
    • For log file information that is associated with the App-V 5.0 Client, search in the following log:

      Event logs/Applications and Services Logs/Microsoft/AppV

    • In App-V 5.0 SP3, some logs have been consolidated and moved to the following location:

      Event logs/Applications and Services Logs/Microsoft/AppV/ServiceLog

      For a list of the moved logs, see [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-event-logs-moved).

    • Packages that are currently stored on computers that run the App-V 5.0 Client are saved to the following location:

      C:\ProgramData\App-V\<_package id_>\<_version id_>

    | - |Client installation troubleshooting information |See the error log in the **%temp%** folder. To review the log files, click **Start**, type **%temp%**, and then look for the **appv_ log**. | + + | | | + |-------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | Client registry information |
    • By default, after you install the App-V 5.0 client, the client information is stored in the registry in the following registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\APPV\CLIENT

    • When you deploy a virtualized package to a computer that is running the App-V client, the associated package data is stored in the following location:

      C:\ProgramData\App-V

      However, you can reconfigure this location with the following registry key:

      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SOFTWARE\MICROSOFT\APPV\CLIENT\STREAMING\PACKAGEINSTALLATIONROOT

    | + | Client log files |
    • For log file information that is associated with the App-V 5.0 Client, search in the following log:

      Event logs/Applications and Services Logs/Microsoft/AppV

    • In App-V 5.0 SP3, some logs have been consolidated and moved to the following location:

      Event logs/Applications and Services Logs/Microsoft/AppV/ServiceLog

      For a list of the moved logs, see [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-event-logs-moved).

    • Packages that are currently stored on computers that run the App-V 5.0 Client are saved to the following location:

      C:\ProgramData\App-V\<package id>\<version id>

    | + | Client installation troubleshooting information | See the error log in the **%temp%** folder. To review the log files, click **Start**, type **%temp%**, and then look for the **appv_ log**. | + --- - + **To install the App-V 5.0 Client** 1. Copy the App-V 5.0 client installation file to the computer on which it will be installed.

    Choose from the following client types: - |Client type |File to use | - |---|---| - |Standard version of the client |**appv_client_setup.exe** | - |Remote Desktop Services version of the client |**appv_client_setup_rds.exe** | + + | Client type | File to use | + |-----------------------------------------------|-------------------------------| + | Standard version of the client | **appv_client_setup.exe** | + | Remote Desktop Services version of the client | **appv_client_setup_rds.exe** | + --- 2. Double-click the installation file, and click **Install**. Before the installation begins, the installer checks the computer for any missing [App-V 5.0 Prerequisites](app-v-50-prerequisites.md). @@ -72,7 +78,7 @@ Use the following procedure to install the Microsoft Application Virtualization - **.msi** - **language pack** - + >[!NOTE] >After the installation, only the .exe file can be uninstalled. @@ -86,38 +92,39 @@ Use the following procedure to install the Microsoft Application Virtualization >[!NOTE] >The client Windows Installer (.msi) supports the same set of switches, except for the **/LOG** parameter. - | | | - |---|---| - |/INSTALLDIR |Specifies the installation directory. Example usage:
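Review bot: the rewritten SQL Server instance tables in the App-V 5.1 server topic (the file that precedes `mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md` in this diff, the tables just before steps 7 and 9) turn the "Not supported" value `ServerName\INSTANCE` into `ServerName<strong>INSTANCE`: the backslash is being eaten as a markdown escape and a literal `<strong>` tag leaks into the page. Escape it (`ServerName\\INSTANCE`) or put the value in inline code so it renders as the removed rows did.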
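Review bot: in `mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md`, hunk `@@ -21,36 +21,36 @@`, the new coexistence table drops both links. "Planning for the App-V 5.1 Sequencer and Client Deployment" and "App-V 5.1 Supported Configurations" are now plain text, whereas the removed rows pointed at `planning-for-the-app-v-51-sequencer-and-client-deployment.md` and `app-v-51-supported-configurations.md`. Restore the links in the new rows.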
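Review bot: in `mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md`, hunk `@@ -76,9 +76,9 @@`, two pieces of content are lost in the rewritten log-files cell. "For a list of the moved logs, see About App-V 5.0 SP3." no longer links to `about-app-v-50-sp3.md#bkmk-event-logs-moved`, and the package path is now `C:\ProgramData\App-V&lt;package id>&lt;version id>`, which has lost both directory separators (the `\<` sequences were converted to `&lt;`). Restore the link and write the path so the backslashes survive, for example in inline code or as `C:\ProgramData\App-V\&lt;package id&gt;\&lt;version id&gt;`.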
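Review bot: in `mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md`, hunk `@@ -133,151 +133,151 @@`, the new parameter table changes the `/S[1-5]PUBLISHINGSERVERURL` example from `\\pubserver` to `\pubserver`, so the UNC path loses one of its two leading backslashes. Escape both backslashes or put the example in inline code, as the removed row's value is the intended one. While this table is being rewritten, note that in both versions the `/S[1-5]GLOBALREFRESHONLOGON` and `/S[1-5]USERREFRESHONLOGON` rows give `/S2LOGONREFRESH=[0|1]` as the example and the two `*REFRESHINTERVAL` rows give `/S2PERIODICREFRESHINTERVAL=[0-744]`, which do not match the parameter names in the left column; worth verifying against the installer's actual switches.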
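Review bot: in `mdop/appv-v5/how-to-deploy-the-app-v-client-51gb18030.md`, hunk `@@ -349,9 +349,11 @@`, wrapping the "Got a suggestion for App-V" paragraph in `~~~` fences turns it into a code block, so the two markdown links (the UserVoice page and the App-V TechNet Forum) will render as literal bracket text instead of links. Drop the fences and keep it as a plain paragraph (or a `>` note block if the intent was to set it apart).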
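Review bot: in `mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md`, hunk `@@ -33,30 +33,36 @@`, the rewritten registry cell still reads `HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SOFTWARE\MICROSOFT\APPV\CLIENT\STREAMING\PACKAGEINSTALLATIONROOT`, with `SOFTWARE\MICROSOFT` repeated; the removed row has the same duplication, so this is pre-existing, but since the row is being rewritten anyway it is the moment to check the key path and drop the repeated segment.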
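Review bot: in `mdop/appv-v5/how-to-deploy-the-app-v-client-gb18030.md`, hunk `@@ -86,38 +86,39 @@`, the `/PACKAGESOURCEROOT` example has become `**/PACKAGESOURCEROOT=''**`; the removed row had `**/PACKAGESOURCEROOT='http://packageStore'**`, so the sample value was dropped during the table reflow. Restore `'http://packageStore'` in the new row.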

    **/INSTALLDIR=C:\Program Files\AppV Client** | - |/CEIPOPTIN |Enables participation in the Customer Experience Improvement Program. Example usage:

    **/CEIPOPTIN=[0\|1\]** | - |/MUOPTIN |Enables Microsoft Update. Example usage:

    **/MUOPTIN=[0\|1\]** | - |/PACKAGEINSTALLATIONROOT |Specifies the directory in which to install all new applications and updates. Example usage:

    **/PACKAGEINSTALLATIONROOT='C:\App-V Packages'** | - |/PACKAGESOURCEROOT |Overrides the source location for downloading package content. Example usage:

    **/PACKAGESOURCEROOT='http://packageStore'** | - |/AUTOLOAD |Specifies how new packages will be loaded by App-V 5.0 on a specific computer. The following options are enabled: [1]; automatically load all packages [2]; or automatically load no packages [0]. Example usage:

    **/AUTOLOAD=[0\|1\|2\]** | - |/SHAREDCONTENTSTOREMODE |Specifies that streamed package contents will be not be saved to the local hard disk. Example usage:

    **/SHAREDCONTENTSTOREMODE=[0\|1\]** | - |/MIGRATIONMODE |Allows the App-V 5.0 client to modify the shortcuts and FTAs that are associated with the packages that are created with a previous version. Example usage:

    **/MIGRATIONMODE=[0\|1\]** | - |/ENABLEPACKAGESCRIPTS |Enables the scripts that are defined in the package manifest file or configuration files that should run. Example usage:

    **/ENABLEPACKAGESCRIPTS=[0\|1\]** | - |/ROAMINGREGISTRYEXCLUSIONS |Specifies the registry paths that will not roam with a user profile. Example usage:

    **/ROAMINGREGISTRYEXCLUSIONS=software\classes;software\clients** | - |/ROAMINGFILEEXCLUSIONS |Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage:

    **/ROAMINGFILEEXCLUSIONS 'desktop;my pictures'** | - |/S[1-5]PUBLISHINGSERVERNAME |Displays the name of the publishing server. Example usage:

    **/S2PUBLISHINGSERVERNAME=MyPublishingServer** | - |/S[1-5]PUBLISHINGSERVERURL |Displays the URL of the publishing server. Example usage:

    **/S2PUBLISHINGSERVERURL=\\pubserver** | - |/S[1-5]GLOBALREFRESHENABLED|Enables a global publishing refresh. Example usage:

    **/S2GLOBALREFRESHENABLED=[0\|1\]** | - |/S[1-5]GLOBALREFRESHONLOGON |Initiates a global publishing refresh when a user logs on. Example usage:

    **/S2LOGONREFRESH=[0\|1\]** | - |/S[1-5]GLOBALREFRESHINTERVAL |Specifies the publishing refresh interval, where **0** indicates do not periodically refresh. Example usage: **/S2PERIODICREFRESHINTERVAL=[0-744]** | - |/S[1-5]GLOBALREFRESHINTERVALUNIT |Specifies the interval unit (Hours[0], Days[1]). Example usage:

    **/S2GLOBALREFRESHINTERVALUNIT=[0\|1\]** | - |/S[1-5]USERREFRESHENABLED |Enables user publishing refresh. Example usage: **/S2USERREFRESHENABLED=[0\|1\]** | - |/S[1-5]USERREFRESHONLOGON |Initiates a user publishing refresh when a user logs on. Example usage:

    **/S2LOGONREFRESH=[0\|1\]** | - |/S[1-5]USERREFRESHINTERVAL |Specifies the publishing refresh interval, where **0** indicates do not periodically refresh. Example usage: **/S2PERIODICREFRESHINTERVAL=[0-744]** | - |/S[1-5]USERREFRESHINTERVALUNIT |Specifies the interval unit (Hours[0], Days[1]). Example usage:

    **/S2USERREFRESHINTERVALUNIT=[0\|1\]** | - |/Log |Specifies a location where the log information is saved. The default location is %Temp%. Example usage:

    **/log C:\logs\log.log** | - |/q |Specifies an unattended installation. | - |/REPAIR |Repairs a previous client installation. | - |/NORESTART |Prevents the computer from rebooting after the client installation.

    The parameter prevents the end-user computer from rebooting after each update is installed and lets you schedule the reboot at your convenience. For example, you can install App-V 5.0 SPX and then install Hotfix Package Y without rebooting after the Service Pack installation. After the installation, you must reboot before you start using App-V. | - |/UNINSTALL |Uninstalls the client. | - |/ACCEPTEULA |Accepts the license agreement. This is required for an unattended installation. Example usage:

    **/ACCEPTEULA** or **/ACCEPTEULA=1** | - |/LAYOUT |Specifies the associated layout action. It also extracts the Windows Installer (.msi) and script files to a folder without installing App-V 5.0. No value is expected. | - |/LAYOUTDIR |Specifies the layout directory. Requires a string value. Example usage:

    **/LAYOUTDIR=”C:\Application Virtualization Client”** | - |/?, /h, /help |Requests help about the previous installation parameters. | + | | | + |----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | /INSTALLDIR | Specifies the installation directory. Example usage:

    **/INSTALLDIR=C:\Program Files\AppV Client** | + | /CEIPOPTIN | Enables participation in the Customer Experience Improvement Program. Example usage:

    **/CEIPOPTIN=[0\|1\]** | + | /MUOPTIN | Enables Microsoft Update. Example usage:

    **/MUOPTIN=[0\|1\]** | + | /PACKAGEINSTALLATIONROOT | Specifies the directory in which to install all new applications and updates. Example usage:

    **/PACKAGEINSTALLATIONROOT='C:\App-V Packages'** | + | /PACKAGESOURCEROOT | Overrides the source location for downloading package content. Example usage:

    **/PACKAGESOURCEROOT=''** | + | /AUTOLOAD | Specifies how new packages will be loaded by App-V 5.0 on a specific computer. The following options are enabled: [1]; automatically load all packages [2]; or automatically load no packages [0]. Example usage:

    **/AUTOLOAD=[0\|1\|2\]** | + | /SHAREDCONTENTSTOREMODE | Specifies that streamed package contents will be not be saved to the local hard disk. Example usage:

    **/SHAREDCONTENTSTOREMODE=[0\|1\]** | + | /MIGRATIONMODE | Allows the App-V 5.0 client to modify the shortcuts and FTAs that are associated with the packages that are created with a previous version. Example usage:

    **/MIGRATIONMODE=[0\|1\]** | + | /ENABLEPACKAGESCRIPTS | Enables the scripts that are defined in the package manifest file or configuration files that should run. Example usage:

    **/ENABLEPACKAGESCRIPTS=[0\|1\]** | + | /ROAMINGREGISTRYEXCLUSIONS | Specifies the registry paths that will not roam with a user profile. Example usage:

    **/ROAMINGREGISTRYEXCLUSIONS=software\classes;software\clients** | + | /ROAMINGFILEEXCLUSIONS | Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage:

    **/ROAMINGFILEEXCLUSIONS 'desktop;my pictures'** | + | /S[1-5]PUBLISHINGSERVERNAME | Displays the name of the publishing server. Example usage:

    **/S2PUBLISHINGSERVERNAME=MyPublishingServer** | + | /S[1-5]PUBLISHINGSERVERURL | Displays the URL of the publishing server. Example usage:

    **/S2PUBLISHINGSERVERURL=\\pubserver** | + | /S[1-5]GLOBALREFRESHENABLED | Enables a global publishing refresh. Example usage:

    **/S2GLOBALREFRESHENABLED=[0\|1\]** | + | /S[1-5]GLOBALREFRESHONLOGON | Initiates a global publishing refresh when a user logs on. Example usage:

    **/S2LOGONREFRESH=[0\|1\]** | + | /S[1-5]GLOBALREFRESHINTERVAL | Specifies the publishing refresh interval, where **0** indicates do not periodically refresh. Example usage: **/S2PERIODICREFRESHINTERVAL=[0-744]** | + | /S[1-5]GLOBALREFRESHINTERVALUNIT | Specifies the interval unit (Hours[0], Days[1]). Example usage:

    **/S2GLOBALREFRESHINTERVALUNIT=[0\|1\]** | + | /S[1-5]USERREFRESHENABLED | Enables user publishing refresh. Example usage: **/S2USERREFRESHENABLED=[0\|1\]** | + | /S[1-5]USERREFRESHONLOGON | Initiates a user publishing refresh when a user logs on. Example usage:

    **/S2LOGONREFRESH=[0\|1\]** | + | /S[1-5]USERREFRESHINTERVAL | Specifies the publishing refresh interval, where **0** indicates do not periodically refresh. Example usage: **/S2PERIODICREFRESHINTERVAL=[0-744]** | + | /S[1-5]USERREFRESHINTERVALUNIT | Specifies the interval unit (Hours[0], Days[1]). Example usage:

    **/S2USERREFRESHINTERVALUNIT=[0\|1\]** | + | /Log | Specifies a location where the log information is saved. The default location is %Temp%. Example usage:

    **/log C:\logs\log.log** | + | /q | Specifies an unattended installation. | + | /REPAIR | Repairs a previous client installation. | + | /NORESTART | Prevents the computer from rebooting after the client installation.

    The parameter prevents the end-user computer from rebooting after each update is installed and lets you schedule the reboot at your convenience. For example, you can install App-V 5.0 SPX and then install Hotfix Package Y without rebooting after the Service Pack installation. After the installation, you must reboot before you start using App-V. | + | /UNINSTALL | Uninstalls the client. | + | /ACCEPTEULA | Accepts the license agreement. This is required for an unattended installation. Example usage:

    **/ACCEPTEULA** or **/ACCEPTEULA=1** | + | /LAYOUT | Specifies the associated layout action. It also extracts the Windows Installer (.msi) and script files to a folder without installing App-V 5.0. No value is expected. | + | /LAYOUTDIR | Specifies the layout directory. Requires a string value. Example usage:

    **/LAYOUTDIR=”C:\Application Virtualization Client”** | + | /?, /h, /help | Requests help about the previous installation parameters. | + --- **To install the App-V 5.0 client by using the Windows Installer (.msi) file** @@ -128,13 +135,15 @@ Use the following procedure to install the Microsoft Application Virtualization 3. Deploy one of the following Windows Installer files to the target computer. The file that you specify must match the configuration of the target computer. - |Type of deployment |Deploy this file | - |---|---| - |Computer is running a 32-bit Microsoft Windows operating system |appv_client_MSI_x86.msi | - |Computer is running a 64-bit Microsoft Windows operating system |appv_client_MSI_x64.msi | - |You are deploying the App-V 5.0 Remote Desktop Services client |appv_client_rds_MSI_x64.msi | + + | Type of deployment | Deploy this file | + |-----------------------------------------------------------------|-----------------------------| + | Computer is running a 32-bit Microsoft Windows operating system | appv_client_MSI_x86.msi | + | Computer is running a 64-bit Microsoft Windows operating system | appv_client_MSI_x64.msi | + | You are deploying the App-V 5.0 Remote Desktop Services client | appv_client_rds_MSI_x64.msi | + --- -  + 4. Using the information in the following table, select the appropriate language pack **.msi** to install, based on the desired language for the target computer. The **xxxx** in the table refers to the target locale of the language pack. **What to know before you start:** 
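Review bot: several rows of the rebuilt client-parameter table carry examples that do not match the parameter they document, and since every row is now a `+` line this is the moment to fix them: `/S[1-5]GLOBALREFRESHONLOGON` and `/S[1-5]USERREFRESHONLOGON` both show `/S2LOGONREFRESH=[0|1]`, and `/S[1-5]GLOBALREFRESHINTERVAL` and `/S[1-5]USERREFRESHINTERVAL` both show `/S2PERIODICREFRESHINTERVAL=[0-744]`; the examples should use the name in the first column (for instance `/S2GLOBALREFRESHONLOGON=[0|1]` and `/S2USERREFRESHINTERVAL=[0-744]`). In the same table, `/ROAMINGFILEEXCLUSIONS 'desktop;my pictures'` and `/log C:\logs\log.log` omit the `=` every other example uses, the `/SHAREDCONTENTSTOREMODE` description reads "will be not be saved", the `/S[1-5]PUBLISHINGSERVERNAME` and `/S[1-5]PUBLISHINGSERVERURL` rows say "Displays" where the switch sets the value, and `/S2PUBLISHINGSERVERURL=\\pubserver` is a UNC path rather than a URL, so please confirm which form the client accepts. Lastly, `/ENABLEPACKAGESCRIPTS` switches on execution of scripts shipped inside packages; the row should state its default and make clear that this is a trust decision about package content, because administrators copying this table into an unattended install will otherwise set it without knowing what it permits.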
@@ -145,12 +154,13 @@ Use the following procedure to install the Microsoft Application Virtualization - To deploy additional language packs on a target computer, use the procedure **To install the App-V 5.0 client by using Windows Installer (.msi) file**. - |Type of deployment |Deploy this file | - |---|---| - |Computer is running a 32-bit Microsoft Windows operating system |appv_client_LP_xxxx_ x86.msi | - |Computer is running a 64-bit Microsoft Windows operating system |appv_client_LP_xxxx_ x64.msi | + | Type of deployment | Deploy this file | + |-----------------------------------------------------------------|------------------------------| + | Computer is running a 32-bit Microsoft Windows operating system | appv_client_LP_xxxx_ x86.msi | + | Computer is running a 64-bit Microsoft Windows operating system | appv_client_LP_xxxx_ x64.msi | + --- - + **Got a suggestion for App-V**? Add or vote on [suggestions](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).

    **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts.md b/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts.md index cfcbfcabbc..d203c1c67e 100644 --- a/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts.md +++ b/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts.md 
@@ -25,49 +25,50 @@ Use the following instructions to use SQL scripts, rather than the Windows Insta **How to install the App-V databases by using SQL scripts** -1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software. +1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software. -2. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location. +2. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location. -3. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts. +3. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts. - Example: appv\_server\_setup.exe /layout c:\\<temporary location path> + Example: appv\_server\_setup.exe /layout c:\\<temporary location path> -4. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate Readme.txt file for instructions: +4. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate Readme.txt file for instructions: - - - - - - - - - - - - - - - - - - - - - -
    DatabaseLocation of Readme.txt file to use

    Management database

    ManagementDatabase subfolder

    -
    - Important   -

    If you are upgrading to or installing the App-V 5.0 SP3 Management database, see [SQL scripts to install or upgrade the App-V 5.0 SP3 Management Server database fail](https://support.microsoft.com/kb/3031340).

    -
    -
    -   -

    Reporting database

    ReportingDatabase subfolder

    + + + + + + + + + + + + + + + + + + + + + +
    DatabaseLocation of Readme.txt file to use

    Management database

    ManagementDatabase subfolder

    +
    + Important

    If you are upgrading to or installing the App-V 5.0 SP3 Management database, see SQL scripts to install or upgrade the App-V 5.0 SP3 Management Server database fail.

    +
    +
    -   +

    Reporting database

    ReportingDatabase subfolder

    - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics @@ -76,9 +77,9 @@ Use the following instructions to use SQL scripts, rather than the Windows Insta [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md b/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md index 4052c43fe4..c8faae6bae 100644 --- a/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md +++ b/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md @@ -23,10 +23,10 @@ Use the following instructions to use SQL scripts, rather than the Windows Insta - Upgrade the App-V databases to a later version -**Note**   +**Note** If you have already deployed the App-V 5.0 SP3 database, the SQL scripts are not required to upgrade to App-V 5.1. -  + **How to install the App-V databases by using SQL scripts** 
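Review bot: in how-to-deploy-the-app-v-databases-by-using-sql-scripts.md the "Got a suggestion for App-V" paragraph is now wrapped in a `~~~` fence, which renders a prose line with two Markdown links as a literal code block; drop the fence and keep it as a plain paragraph like the unchanged `**Note**` paragraph kept in the 51 file's `@@ -23` hunk. Also in the ManagementDatabase row of the HTML table, the `+` version of the Important text ("see SQL scripts to install or upgrade the App-V 5.0 SP3 Management Server database fail.") no longer shows the `https://support.microsoft.com/kb/3031340` target that the `-` version linked; since the KB is the only pointer to the fix for a failing database script, confirm the link survives in the rendered table (an HTML anchor is needed inside an HTML table, as Markdown link syntax will not render there).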
@@ -63,19 +63,21 @@ If you have already deployed the App-V 5.0 SP3 database, the SQL scripts are not -   - **Caution**   - The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders. -   +~~~ +**Caution** +The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders. - **Important**   - The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3. - The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). **Step 1** is not required for versions of App-V later than App-V 5.0 SP3. -   +**Important** +The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3. + +The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). **Step 1** is not required for versions of App-V later than App-V 5.0 SP3. +~~~ + + **Updated management database README file content** @@ -209,7 +211,7 @@ Steps to install "AppVReporting" schema in SQL SERVER. 2. Run the following scripts against the "AppVReporting" database using the same account as above in order. - + CreateTables.sql CreateReportingStoredProcs.sql CreateStoredProcs.sql @@ -229,9 +231,9 @@ Steps to install "AppVReporting" schema in SQL SERVER. [How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md) -  - -  + + + 
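Review bot: the `@@ -63,19 +63,21 @@` hunk wraps the **Caution** and **Important** notes in a `~~~` fence, so the bold markers and the `[KB article 3031340](https://support.microsoft.com/kb/3031340)` link will render as literal text inside a code block instead of as a note and a clickable link. These are operator guidance (the readme in `ManagementDatabase` is out of date, `InsertVersionInfo.sql` is not required after 5.0 SP3, and `Permissions.sql` must be adjusted per Step 2 of the KB), so they should stay as ordinary paragraphs, matching the `**Note**` paragraph that the `@@ -23,10 +23,10 @@` hunk in the same file leaves as plain Markdown.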
diff --git a/mdop/appv-v5/how-to-enable-reporting-on-the-app-v-50-client-by-using-powershell.md b/mdop/appv-v5/how-to-enable-reporting-on-the-app-v-50-client-by-using-powershell.md index a7d1c1b3f9..34ed292cca 100644 --- a/mdop/appv-v5/how-to-enable-reporting-on-the-app-v-50-client-by-using-powershell.md +++ b/mdop/appv-v5/how-to-enable-reporting-on-the-app-v-50-client-by-using-powershell.md @@ -21,76 +21,75 @@ Use the following procedure to configure the App-V 5.0 for reporting. **To configure the computer running the App-V 5.0 client for reporting** -1. Install the App-V 5.0 client. For more information about installing the client see [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-gb18030.md). +1. Install the App-V 5.0 client. For more information about installing the client see [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-gb18030.md). -2. After you have installed the App-V 5.0 client, use the **Set-AppvClientConfiguration** PowerShell to configure appropriate Reporting Configuration settings: +2. After you have installed the App-V 5.0 client, use the **Set-AppvClientConfiguration** PowerShell to configure appropriate Reporting Configuration settings: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    SettingDescription

    ReportingEnabled

    Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.

    ReportingServerURL

    Specifies the location on the reporting server where client information is saved. For example, http://<reportingservername>:<reportingportnumber>.

    -
    - Note   -

    This is the port number that was assigned during the Reporting Server setup

    -
    -
    -   -

    Reporting Start Time

    This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.

    ReportingRandomDelay

    Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.

    ReportingInterval

    Specifies the retry interval that the client will use to resend data to the reporting server.

    ReportingDataCacheLimit

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    ReportingDataBlockSize

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    SettingDescription

    ReportingEnabled

    Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.

    ReportingServerURL

    Specifies the location on the reporting server where client information is saved. For example, http://<reportingservername>:<reportingportnumber>.

    +
    + Note

    This is the port number that was assigned during the Reporting Server setup

    +
    +
    -   +

    Reporting Start Time

    This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.

    ReportingRandomDelay

    Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.

    ReportingInterval

    Specifies the retry interval that the client will use to resend data to the reporting server.

    ReportingDataCacheLimit

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    ReportingDataBlockSize

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    -3. After the appropriate settings have been configured, the computer running the App-V 5.0 client will automatically collect data and will send the data back to the reporting server. - Additionally, administrators can manually send the data back in an on-demand manner using the **Send-AppvClientReport** PowerShell cmdlet. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +3. After the appropriate settings have been configured, the computer running the App-V 5.0 client will automatically collect data and will send the data back to the reporting server. + + Additionally, administrators can manually send the data back in an on-demand manner using the **Send-AppvClientReport** PowerShell cmdlet. + + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics [Administering App-V by Using PowerShell](administering-app-v-by-using-powershell.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md b/mdop/appv-v5/how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md index 9782009db7..0bbe4ac487 100644 --- a/mdop/appv-v5/how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md +++ b/mdop/appv-v5/how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md 
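Review bot: the reporting-settings table in how-to-enable-reporting-on-the-app-v-50-client-by-using-powershell.md is rewritten line for line but keeps two defects worth fixing while it is being touched: the `ReportingDataBlockSize` description is a verbatim copy of the `ReportingDataCacheLimit` description ("maximum size in megabytes (MB) of the XML cache ... the log file will roll over"), so the reader cannot tell what the block size controls, and the `Reporting Start Time` row is spelled with spaces while every other row names the `Set-AppvClientConfiguration` parameter verbatim (`ReportingEnabled`, `ReportingServerURL`, ...), so it should read `ReportingStartTime`. The `ReportingServerURL` example shows `http://<reportingservername>:<reportingportnumber>`; if the reporting server can be fronted with TLS, showing `https://` there would be preferable, as this endpoint receives client inventory data. Separately, the unchanged footer line still has the bold misplaced in `**Got an App-V issu**e?`.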
@@ -21,76 +21,75 @@ Use the following procedure to configure the App-V 5.1 for reporting. **To configure the computer running the App-V 5.1 client for reporting** -1. Install the App-V 5.1 client. For more information about installing the client see [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-51gb18030.md). +1. Install the App-V 5.1 client. For more information about installing the client see [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-51gb18030.md). -2. After you have installed the App-V 5.1 client, use the **Set-AppvClientConfiguration** PowerShell to configure appropriate Reporting Configuration settings: +2. After you have installed the App-V 5.1 client, use the **Set-AppvClientConfiguration** PowerShell to configure appropriate Reporting Configuration settings: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    SettingDescription

    ReportingEnabled

    Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.

    ReportingServerURL

    Specifies the location on the reporting server where client information is saved. For example, http://<reportingservername>:<reportingportnumber>.

    -
    - Note   -

    This is the port number that was assigned during the Reporting Server setup

    -
    -
    -   -

    Reporting Start Time

    This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.

    ReportingRandomDelay

    Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.

    ReportingInterval

    Specifies the retry interval that the client will use to resend data to the reporting server.

    ReportingDataCacheLimit

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    ReportingDataBlockSize

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    SettingDescription

    ReportingEnabled

    Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.

    ReportingServerURL

    Specifies the location on the reporting server where client information is saved. For example, http://<reportingservername>:<reportingportnumber>.

    +
    + Note

    This is the port number that was assigned during the Reporting Server setup

    +
    +
    -   +

    Reporting Start Time

    This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.

    ReportingRandomDelay

    Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.

    ReportingInterval

    Specifies the retry interval that the client will use to resend data to the reporting server.

    ReportingDataCacheLimit

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    ReportingDataBlockSize

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    -3. After the appropriate settings have been configured, the computer running the App-V 5.1 client will automatically collect data and will send the data back to the reporting server. - Additionally, administrators can manually send the data back in an on-demand manner using the **Send-AppvClientReport** PowerShell cmdlet. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +3. After the appropriate settings have been configured, the computer running the App-V 5.1 client will automatically collect data and will send the data back to the reporting server. + + Additionally, administrators can manually send the data back in an on-demand manner using the **Send-AppvClientReport** PowerShell cmdlet. + + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics [Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-install-the-app-v-50-client-for-shared-content-store-mode.md b/mdop/appv-v5/how-to-install-the-app-v-50-client-for-shared-content-store-mode.md index 1851109ac9..f4f3e227c2 100644 --- a/mdop/appv-v5/how-to-install-the-app-v-50-client-for-shared-content-store-mode.md +++ b/mdop/appv-v5/how-to-install-the-app-v-50-client-for-shared-content-store-mode.md 
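Review bot: in the App-V 5.1 reporting table (`@@ -21,76 +21,75 @@`), the `ReportingDataBlockSize` description is identical to the `ReportingDataCacheLimit` description, so the row documents nothing about block size, and `Reporting Start Time` is written with spaces while the rest of the column uses the literal `Set-AppvClientConfiguration` parameter names; since every row is emitted as a `+` line here, change it to `ReportingStartTime` and give `ReportingDataBlockSize` its own description. Consider also showing `https://` in the `ReportingServerURL` example where the reporting server supports it, since the URL is the destination for client usage data.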
@@ -22,7 +22,7 @@ Use the following procedure to install the Microsoft Application Virtualization **Note**   Before performing this procedure if necessary uninstall any existing version of the App-V 5.0 client. -  + For more information about SCS mode, see [Shared Content Store in Microsoft App-V 5.0 – Behind the Scenes](https://go.microsoft.com/fwlink/?LinkId=316879) (https://go.microsoft.com/fwlink/?LinkId=316879). @@ -37,7 +37,7 @@ For more information about SCS mode, see [Shared Content Store in Microsoft App- **Important**   You must perform a silent installation or the installation will fail. -   + 2. After you have completed the installation you can deploy packages to the computer running the client and all package contents will be streamed across the network. @@ -48,9 +48,9 @@ For more information about SCS mode, see [Shared Content Store in Microsoft App- [Deploying the App-V 5.0 Sequencer and Client](deploying-the-app-v-50-sequencer-and-client.md) -  + -  + diff --git a/mdop/appv-v5/how-to-install-the-app-v-51-client-for-shared-content-store-mode.md b/mdop/appv-v5/how-to-install-the-app-v-51-client-for-shared-content-store-mode.md index 94f6a92aa3..25741ffb48 100644 --- a/mdop/appv-v5/how-to-install-the-app-v-51-client-for-shared-content-store-mode.md +++ b/mdop/appv-v5/how-to-install-the-app-v-51-client-for-shared-content-store-mode.md @@ -22,7 +22,7 @@ Use the following procedure to install the Microsoft Application Virtualization **Note**   Before performing this procedure if necessary uninstall any existing version of the App-V 5.1 client. -  + For more information about SCS mode, see [Shared Content Store in Microsoft App-V 5.0 – Behind the Scenes](https://go.microsoft.com/fwlink/?LinkId=316879) (https://go.microsoft.com/fwlink/?LinkId=316879). 
@@ -37,7 +37,7 @@ For more information about SCS mode, see [Shared Content Store in Microsoft App- **Important**   You must perform a silent installation or the installation will fail. -   + 2. After you have completed the installation you can deploy packages to the computer running the client and all package contents will be streamed across the network. @@ -48,9 +48,9 @@ For more information about SCS mode, see [Shared Content Store in Microsoft App- [Deploying the App-V 5.1 Sequencer and Client](deploying-the-app-v-51-sequencer-and-client.md) -  + -  + diff --git a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell.md b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell.md index 5f45f87b8f..e0ab454188 100644 --- a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell.md +++ b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell.md 
@@ -37,357 +37,357 @@ Before attempting this procedure, you should read and understand the information **To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)** -1. Copy the following script into a text editor and save it as a PowerShell script file, for example **ConvertToSIDs.ps1**. +1. Copy the following script into a text editor and save it as a PowerShell script file, for example **ConvertToSIDs.ps1**. -2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. +2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. - ``` syntax - <# - ``` + ``` syntax + <# + ``` - ``` syntax - .SYNOPSIS - ``` + ``` syntax + .SYNOPSIS + ``` - ``` syntax - This PowerShell script will take an array of account names and try to convert each of them to the corresponding SID in standard and hexadecimal formats. - ``` + ``` syntax + This PowerShell script will take an array of account names and try to convert each of them to the corresponding SID in standard and hexadecimal formats. + ``` - ``` syntax - .DESCRIPTION - ``` + ``` syntax + .DESCRIPTION + ``` - ``` syntax - This is a PowerShell script that converts any number of Active Directory (AD) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by SQL server when running SQL scripts. - ``` + ``` syntax + This is a PowerShell script that converts any number of Active Directory (AD) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by SQL server when running SQL scripts. + ``` - ``` syntax - .INPUTS - ``` + ``` syntax + .INPUTS + ``` - ``` syntax - The account(s) to convert to SID format. 
This can be a single account name or an array of account names. Please see examples below. - ``` + ``` syntax + The account(s) to convert to SID format. This can be a single account name or an array of account names. Please see examples below. + ``` - ``` syntax - .OUTPUTS - ``` + ``` syntax + .OUTPUTS + ``` - ``` syntax - A list of account names with the corresponding SID in standard and hexadecimal formats - ``` + ``` syntax + A list of account names with the corresponding SID in standard and hexadecimal formats + ``` - ``` syntax - .EXAMPLE - ``` + ``` syntax + .EXAMPLE + ``` - ``` syntax - .\ConvertToSID.ps1 DOMAIN\user_account1 DOMAIN\machine_account1$ DOMAIN\user_account2 | Format-List - ``` + ``` syntax + .\ConvertToSID.ps1 DOMAIN\user_account1 DOMAIN\machine_account1$ DOMAIN\user_account2 | Format-List + ``` - ``` syntax - .EXAMPLE - ``` + ``` syntax + .EXAMPLE + ``` - ``` syntax - $accountsArray = @("DOMAIN\user_account1", "DOMAIN\machine_account1$", "DOMAIN_user_account2") - ``` + ``` syntax + $accountsArray = @("DOMAIN\user_account1", "DOMAIN\machine_account1$", "DOMAIN_user_account2") + ``` - ``` syntax - .\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\SIDs.txt -Width 200 - ``` + ``` syntax + .\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\SIDs.txt -Width 200 + ``` - ``` syntax -#> - ``` + ``` syntax + #> + ``` - ``` syntax - ``` + ``` syntax + ``` - []() + []() - []() + []() - ``` syntax - function ConvertSIDToHexFormat - ``` + ``` syntax + function ConvertSIDToHexFormat + ``` - { + { -    param(\[System.Security.Principal.SecurityIdentifier\]$sidToConvert) + param(\[System.Security.Principal.SecurityIdentifier\]$sidToConvert) - ``` syntax - ``` + ``` syntax + ``` - ``` syntax -    $sb = New-Object System.Text.StringBuilder - ``` + ``` syntax + $sb = New-Object System.Text.StringBuilder + ``` - ``` syntax -     [int] $binLength = $sidToConvert.BinaryLength - ``` + ``` syntax + [int] $binLength = $sidToConvert.BinaryLength + 
``` - ``` syntax -     [Byte[]] $byteArray = New-Object Byte[] $binLength - ``` + ``` syntax + [Byte[]] $byteArray = New-Object Byte[] $binLength + ``` - ``` syntax -    $sidToConvert.GetBinaryForm($byteArray, 0) - ``` + ``` syntax + $sidToConvert.GetBinaryForm($byteArray, 0) + ``` - ``` syntax -    foreach($byte in $byteArray) - ``` + ``` syntax + foreach($byte in $byteArray) + ``` - ``` syntax -    { - ``` + ``` syntax + { + ``` - ``` syntax -    $sb.Append($byte.ToString("X2")) |Out-Null - ``` + ``` syntax + $sb.Append($byte.ToString("X2")) |Out-Null + ``` - ``` syntax -    } - ``` + ``` syntax + } + ``` - ``` syntax -    return $sb.ToString() - ``` + ``` syntax + return $sb.ToString() + ``` - ``` syntax - } - ``` + ``` syntax + } + ``` - ``` syntax - [string[]]$myArgs = $args - ``` + ``` syntax + [string[]]$myArgs = $args + ``` - ``` syntax - if(($myArgs.Length -lt 1) -or ($myArgs[0].CompareTo("/?") -eq 0)) - ``` + ``` syntax + if(($myArgs.Length -lt 1) -or ($myArgs[0].CompareTo("/?") -eq 0)) + ``` - { + { - ``` syntax - [string]::Format("{0}====== Description ======{0}{0}" + - ``` + ``` syntax + [string]::Format("{0}====== Description ======{0}{0}" + + ``` - ``` syntax - "  Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" + - ``` + ``` syntax + " Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" + + ``` - ``` syntax -                "  Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" + - ``` + ``` syntax + " Pass the account(s) as space separated command line parameters. 
(For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" + + ``` - ``` syntax -                "  The output is written to the console in the format 'Account name    SID as string   SID as hexadecimal'{0}" + - ``` + ``` syntax + " The output is written to the console in the format 'Account name SID as string SID as hexadecimal'{0}" + + ``` - ``` syntax -                "  And can be written out to a file using standard PowerShell redirection{0}" + - ``` + ``` syntax + " And can be written out to a file using standard PowerShell redirection{0}" + + ``` - ``` syntax -                "  Please specify user accounts in the format 'DOMAIN\username'{0}" + - ``` + ``` syntax + " Please specify user accounts in the format 'DOMAIN\username'{0}" + + ``` - ``` syntax -                "  Please specify machine accounts in the format 'DOMAIN\machinename$'{0}" + - ``` + ``` syntax + " Please specify machine accounts in the format 'DOMAIN\machinename$'{0}" + + ``` - ``` syntax -                "  For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" + - ``` + ``` syntax + " For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" + + ``` - ``` syntax -                "{0}====== Arguments ======{0}" + - ``` + ``` syntax + "{0}====== Arguments ======{0}" + + ``` - ``` syntax -                "{0}  /?    Show this help message", [Environment]::NewLine) - ``` + ``` syntax + "{0} /? 
Show this help message", [Environment]::NewLine) + ``` - ``` syntax - { - ``` + ``` syntax + { + ``` - ``` syntax - else - ``` + ``` syntax + else + ``` - ``` syntax - {  -     #If an array was passed in, try to split it - ``` + ``` syntax + { + #If an array was passed in, try to split it + ``` - ``` syntax -     if($myArgs.Length -eq 1) - ``` + ``` syntax + if($myArgs.Length -eq 1) + ``` - ``` syntax -     { - ``` + ``` syntax + { + ``` - ``` syntax -         $myArgs = $myArgs.Split(' ') - ``` + ``` syntax + $myArgs = $myArgs.Split(' ') + ``` - ``` syntax -     } - ``` + ``` syntax + } + ``` - ``` syntax + ``` syntax -     #Parse the arguments for account names - ``` + #Parse the arguments for account names + ``` - ``` syntax -     foreach($accountName in $myArgs) - ``` + ``` syntax + foreach($accountName in $myArgs) + ``` - ``` syntax -     {    - ``` + ``` syntax + { + ``` - ``` syntax -         [string[]] $splitString = $accountName.Split('\')  # We're looking for the format "DOMAIN\Account" so anything that does not match, we reject - ``` + ``` syntax + [string[]] $splitString = $accountName.Split('\') # We're looking for the format "DOMAIN\Account" so anything that does not match, we reject + ``` - ``` syntax -         if($splitString.Length -ne 2) - ``` + ``` syntax + if($splitString.Length -ne 2) + ``` - ``` syntax -         { - ``` + ``` syntax + { + ``` - ``` syntax -             $message = [string]::Format("{0} is not a valid account name. Expected format 'Domain\username' for user accounts or 'DOMAIN\machinename$' for machine accounts.", $accountName) - ``` + ``` syntax + $message = [string]::Format("{0} is not a valid account name. 
Expected format 'Domain\username' for user accounts or 'DOMAIN\machinename$' for machine accounts.", $accountName) + ``` - ``` syntax -             Write-Error -Message $message - ``` + ``` syntax + Write-Error -Message $message + ``` - ``` syntax -             continue - ``` + ``` syntax + continue + ``` - ``` syntax -         } - ``` + ``` syntax + } + ``` - ``` syntax -         - ``` + ``` syntax + + ``` - ``` syntax -         #Convert any account names to SIDs - ``` + ``` syntax + #Convert any account names to SIDs + ``` - ``` syntax -         try - ``` + ``` syntax + try + ``` - ``` syntax -         { - ``` + ``` syntax + { + ``` - ``` syntax -             [System.Security.Principal.NTAccount] $account = New-Object System.Security.Principal.NTAccount($splitString[0], $splitString[1]) - ``` + ``` syntax + [System.Security.Principal.NTAccount] $account = New-Object System.Security.Principal.NTAccount($splitString[0], $splitString[1]) + ``` - ``` syntax -             [System.Security.Principal.SecurityIdentifier] $SID = [System.Security.Principal.SecurityIdentifier]($account.Translate([System.Security.Principal.SecurityIdentifier])) - ``` + ``` syntax + [System.Security.Principal.SecurityIdentifier] $SID = [System.Security.Principal.SecurityIdentifier]($account.Translate([System.Security.Principal.SecurityIdentifier])) + ``` - ``` syntax -         } - ``` + ``` syntax + } + ``` - ``` syntax -         catch [System.Security.Principal.IdentityNotMappedException] - ``` + ``` syntax + catch [System.Security.Principal.IdentityNotMappedException] + ``` - ``` syntax -         { - ``` + ``` syntax + { + ``` - ``` syntax -             $message = [string]::Format("Failed to translate account object '{0}' to a SID. Please verify that this is a valid user or machine account.", $account.ToString()) - ``` + ``` syntax + $message = [string]::Format("Failed to translate account object '{0}' to a SID. 
Please verify that this is a valid user or machine account.", $account.ToString()) + ``` - ``` syntax -             Write-Error -Message $message - ``` + ``` syntax + Write-Error -Message $message + ``` - ``` syntax -             continue - ``` + ``` syntax + continue + ``` - ``` syntax -         } - ``` + ``` syntax + } + ``` - ``` syntax + ``` syntax -         #Convert regular SID to binary format used by SQL - ``` + #Convert regular SID to binary format used by SQL + ``` - ``` syntax -         $hexSIDString = ConvertSIDToHexFormat $SID - ``` + ``` syntax + $hexSIDString = ConvertSIDToHexFormat $SID + ``` - ``` syntax -         -         $SIDs = New-Object PSObject - ``` + ``` syntax + + $SIDs = New-Object PSObject + ``` - ``` syntax -         $SIDs | Add-Member NoteProperty Account $accountName - ``` + ``` syntax + $SIDs | Add-Member NoteProperty Account $accountName + ``` - ``` syntax -         $SIDs | Add-Member NoteProperty SID $SID.ToString() - ``` + ``` syntax + $SIDs | Add-Member NoteProperty SID $SID.ToString() + ``` - ``` syntax -         $SIDs | Add-Member NoteProperty Hexadecimal $hexSIDString - ``` + ``` syntax + $SIDs | Add-Member NoteProperty Hexadecimal $hexSIDString + ``` - ``` syntax + ``` syntax -         Write-Output $SIDs - ``` + Write-Output $SIDs + ``` - ``` syntax -     } - ``` + ``` syntax + } + ``` - ``` syntax - } - ``` + ``` syntax + } + ``` -3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments. +3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments. 
- For example, + For example, - **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List” or “$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")** + **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List” or “$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")** - **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200”** + **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200”** - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics [Administering App-V by Using PowerShell](administering-app-v-by-using-powershell.md) -  + -  + diff --git a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md index 5377e6c956..d40e38cbd7 100644 --- a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md +++ b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md 
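Review bot: the brace bug in the help branch survives the re-indent: the `if(($myArgs.Length -lt 1) -or ($myArgs[0].CompareTo("/?") -eq 0))` block opens with `{`, and after the `[string]::Format(..., [Environment]::NewLine)` call the next fenced line is `+ {` followed by `+ else`, so that `{` must be `}` or the script will not parse at all. The whitespace cleanup also changed string literal contents, not just layout: `"  Converts any number of user or machine account names..."` lost one of its two leading spaces, and `'Account name    SID as string   SID as hexadecimal'` and `"{0}  /?    Show this help message"` were collapsed to single spaces, which alters the help output; keep the original spacing inside the quotes and only touch the indentation outside them. In the step 3 example, `Write-Output -FilePath .\\SIDs.txt -Width 200` uses parameters Write-Output does not have (those belong to Out-File), and the bold text mixes a straight opening quote with curly closing ones (`| Format-List” or “$accountsArray`), so please fix the cmdlet and the quoting while this line is being edited. Since each script line sits in its own fenced block tagged syntax, consider one powershell-tagged block for the whole script so readers can copy it as a unit.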
@@ -37,357 +37,357 @@ Before attempting this procedure, you should read and understand the information **To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)** -1. Copy the following script into a text editor and save it as a PowerShell script file, for example **ConvertToSIDs.ps1**. +1. Copy the following script into a text editor and save it as a PowerShell script file, for example **ConvertToSIDs.ps1**. -2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. +2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. - ``` syntax - <# - ``` + ``` syntax + <# + ``` - ``` syntax - .SYNOPSIS - ``` + ``` syntax + .SYNOPSIS + ``` - ``` syntax - This PowerShell script will take an array of account names and try to convert each of them to the corresponding SID in standard and hexadecimal formats. - ``` + ``` syntax + This PowerShell script will take an array of account names and try to convert each of them to the corresponding SID in standard and hexadecimal formats. + ``` - ``` syntax - .DESCRIPTION - ``` + ``` syntax + .DESCRIPTION + ``` - ``` syntax - This is a PowerShell script that converts any number of Active Directory (AD) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by SQL server when running SQL scripts. - ``` + ``` syntax + This is a PowerShell script that converts any number of Active Directory (AD) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by SQL server when running SQL scripts. + ``` - ``` syntax - .INPUTS - ``` + ``` syntax + .INPUTS + ``` - ``` syntax - The account(s) to convert to SID format. 
This can be a single account name or an array of account names. Please see examples below. - ``` + ``` syntax + The account(s) to convert to SID format. This can be a single account name or an array of account names. Please see examples below. + ``` - ``` syntax - .OUTPUTS - ``` + ``` syntax + .OUTPUTS + ``` - ``` syntax - A list of account names with the corresponding SID in standard and hexadecimal formats - ``` + ``` syntax + A list of account names with the corresponding SID in standard and hexadecimal formats + ``` - ``` syntax - .EXAMPLE - ``` + ``` syntax + .EXAMPLE + ``` - ``` syntax - .\ConvertToSID.ps1 DOMAIN\user_account1 DOMAIN\machine_account1$ DOMAIN\user_account2 | Format-List - ``` + ``` syntax + .\ConvertToSID.ps1 DOMAIN\user_account1 DOMAIN\machine_account1$ DOMAIN\user_account2 | Format-List + ``` - ``` syntax - .EXAMPLE - ``` + ``` syntax + .EXAMPLE + ``` - ``` syntax - $accountsArray = @("DOMAIN\user_account1", "DOMAIN\machine_account1$", "DOMAIN_user_account2") - ``` + ``` syntax + $accountsArray = @("DOMAIN\user_account1", "DOMAIN\machine_account1$", "DOMAIN_user_account2") + ``` - ``` syntax - .\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\SIDs.txt -Width 200 - ``` + ``` syntax + .\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\SIDs.txt -Width 200 + ``` - ``` syntax -#> - ``` + ``` syntax + #> + ``` - ``` syntax - ``` + ``` syntax + ``` - []() + []() - []() + []() - ``` syntax - function ConvertSIDToHexFormat - ``` + ``` syntax + function ConvertSIDToHexFormat + ``` - { + { -    param(\[System.Security.Principal.SecurityIdentifier\]$sidToConvert) + param(\[System.Security.Principal.SecurityIdentifier\]$sidToConvert) - ``` syntax - ``` + ``` syntax + ``` - ``` syntax -    $sb = New-Object System.Text.StringBuilder - ``` + ``` syntax + $sb = New-Object System.Text.StringBuilder + ``` - ``` syntax -     [int] $binLength = $sidToConvert.BinaryLength - ``` + ``` syntax + [int] $binLength = $sidToConvert.BinaryLength + 
``` - ``` syntax -     [Byte[]] $byteArray = New-Object Byte[] $binLength - ``` + ``` syntax + [Byte[]] $byteArray = New-Object Byte[] $binLength + ``` - ``` syntax -    $sidToConvert.GetBinaryForm($byteArray, 0) - ``` + ``` syntax + $sidToConvert.GetBinaryForm($byteArray, 0) + ``` - ``` syntax -    foreach($byte in $byteArray) - ``` + ``` syntax + foreach($byte in $byteArray) + ``` - ``` syntax -    { - ``` + ``` syntax + { + ``` - ``` syntax -    $sb.Append($byte.ToString("X2")) |Out-Null - ``` + ``` syntax + $sb.Append($byte.ToString("X2")) |Out-Null + ``` - ``` syntax -    } - ``` + ``` syntax + } + ``` - ``` syntax -    return $sb.ToString() - ``` + ``` syntax + return $sb.ToString() + ``` - ``` syntax - } - ``` + ``` syntax + } + ``` - ``` syntax - [string[]]$myArgs = $args - ``` + ``` syntax + [string[]]$myArgs = $args + ``` - ``` syntax - if(($myArgs.Length -lt 1) -or ($myArgs[0].CompareTo("/?") -eq 0)) - ``` + ``` syntax + if(($myArgs.Length -lt 1) -or ($myArgs[0].CompareTo("/?") -eq 0)) + ``` - { + { - ``` syntax - [string]::Format("{0}====== Description ======{0}{0}" + - ``` + ``` syntax + [string]::Format("{0}====== Description ======{0}{0}" + + ``` - ``` syntax - "  Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" + - ``` + ``` syntax + " Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" + + ``` - ``` syntax -                "  Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" + - ``` + ``` syntax + " Pass the account(s) as space separated command line parameters. 
(For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" + + ``` - ``` syntax -                "  The output is written to the console in the format 'Account name    SID as string   SID as hexadecimal'{0}" + - ``` + ``` syntax + " The output is written to the console in the format 'Account name SID as string SID as hexadecimal'{0}" + + ``` - ``` syntax -                "  And can be written out to a file using standard PowerShell redirection{0}" + - ``` + ``` syntax + " And can be written out to a file using standard PowerShell redirection{0}" + + ``` - ``` syntax -                "  Please specify user accounts in the format 'DOMAIN\username'{0}" + - ``` + ``` syntax + " Please specify user accounts in the format 'DOMAIN\username'{0}" + + ``` - ``` syntax -                "  Please specify machine accounts in the format 'DOMAIN\machinename$'{0}" + - ``` + ``` syntax + " Please specify machine accounts in the format 'DOMAIN\machinename$'{0}" + + ``` - ``` syntax -                "  For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" + - ``` + ``` syntax + " For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" + + ``` - ``` syntax -                "{0}====== Arguments ======{0}" + - ``` + ``` syntax + "{0}====== Arguments ======{0}" + + ``` - ``` syntax -                "{0}  /?    Show this help message", [Environment]::NewLine) - ``` + ``` syntax + "{0} /? 
Show this help message", [Environment]::NewLine) + ``` - ``` syntax - { - ``` + ``` syntax + { + ``` - ``` syntax - else - ``` + ``` syntax + else + ``` - ``` syntax - {  -     #If an array was passed in, try to split it - ``` + ``` syntax + { + #If an array was passed in, try to split it + ``` - ``` syntax -     if($myArgs.Length -eq 1) - ``` + ``` syntax + if($myArgs.Length -eq 1) + ``` - ``` syntax -     { - ``` + ``` syntax + { + ``` - ``` syntax -         $myArgs = $myArgs.Split(' ') - ``` + ``` syntax + $myArgs = $myArgs.Split(' ') + ``` - ``` syntax -     } - ``` + ``` syntax + } + ``` - ``` syntax + ``` syntax -     #Parse the arguments for account names - ``` + #Parse the arguments for account names + ``` - ``` syntax -     foreach($accountName in $myArgs) - ``` + ``` syntax + foreach($accountName in $myArgs) + ``` - ``` syntax -     {    - ``` + ``` syntax + { + ``` - ``` syntax -         [string[]] $splitString = $accountName.Split('\')  # We're looking for the format "DOMAIN\Account" so anything that does not match, we reject - ``` + ``` syntax + [string[]] $splitString = $accountName.Split('\') # We're looking for the format "DOMAIN\Account" so anything that does not match, we reject + ``` - ``` syntax -         if($splitString.Length -ne 2) - ``` + ``` syntax + if($splitString.Length -ne 2) + ``` - ``` syntax -         { - ``` + ``` syntax + { + ``` - ``` syntax -             $message = [string]::Format("{0} is not a valid account name. Expected format 'Domain\username' for user accounts or 'DOMAIN\machinename$' for machine accounts.", $accountName) - ``` + ``` syntax + $message = [string]::Format("{0} is not a valid account name. 
Expected format 'Domain\username' for user accounts or 'DOMAIN\machinename$' for machine accounts.", $accountName) + ``` - ``` syntax -             Write-Error -Message $message - ``` + ``` syntax + Write-Error -Message $message + ``` - ``` syntax -             continue - ``` + ``` syntax + continue + ``` - ``` syntax -         } - ``` + ``` syntax + } + ``` - ``` syntax -         - ``` + ``` syntax + + ``` - ``` syntax -         #Convert any account names to SIDs - ``` + ``` syntax + #Convert any account names to SIDs + ``` - ``` syntax -         try - ``` + ``` syntax + try + ``` - ``` syntax -         { - ``` + ``` syntax + { + ``` - ``` syntax -             [System.Security.Principal.NTAccount] $account = New-Object System.Security.Principal.NTAccount($splitString[0], $splitString[1]) - ``` + ``` syntax + [System.Security.Principal.NTAccount] $account = New-Object System.Security.Principal.NTAccount($splitString[0], $splitString[1]) + ``` - ``` syntax -             [System.Security.Principal.SecurityIdentifier] $SID = [System.Security.Principal.SecurityIdentifier]($account.Translate([System.Security.Principal.SecurityIdentifier])) - ``` + ``` syntax + [System.Security.Principal.SecurityIdentifier] $SID = [System.Security.Principal.SecurityIdentifier]($account.Translate([System.Security.Principal.SecurityIdentifier])) + ``` - ``` syntax -         } - ``` + ``` syntax + } + ``` - ``` syntax -         catch [System.Security.Principal.IdentityNotMappedException] - ``` + ``` syntax + catch [System.Security.Principal.IdentityNotMappedException] + ``` - ``` syntax -         { - ``` + ``` syntax + { + ``` - ``` syntax -             $message = [string]::Format("Failed to translate account object '{0}' to a SID. Please verify that this is a valid user or machine account.", $account.ToString()) - ``` + ``` syntax + $message = [string]::Format("Failed to translate account object '{0}' to a SID. 
Please verify that this is a valid user or machine account.", $account.ToString()) + ``` - ``` syntax -             Write-Error -Message $message - ``` + ``` syntax + Write-Error -Message $message + ``` - ``` syntax -             continue - ``` + ``` syntax + continue + ``` - ``` syntax -         } - ``` + ``` syntax + } + ``` - ``` syntax + ``` syntax -         #Convert regular SID to binary format used by SQL - ``` + #Convert regular SID to binary format used by SQL + ``` - ``` syntax -         $hexSIDString = ConvertSIDToHexFormat $SID - ``` + ``` syntax + $hexSIDString = ConvertSIDToHexFormat $SID + ``` - ``` syntax -         -         $SIDs = New-Object PSObject - ``` + ``` syntax + + $SIDs = New-Object PSObject + ``` - ``` syntax -         $SIDs | Add-Member NoteProperty Account $accountName - ``` + ``` syntax + $SIDs | Add-Member NoteProperty Account $accountName + ``` - ``` syntax -         $SIDs | Add-Member NoteProperty SID $SID.ToString() - ``` + ``` syntax + $SIDs | Add-Member NoteProperty SID $SID.ToString() + ``` - ``` syntax -         $SIDs | Add-Member NoteProperty Hexadecimal $hexSIDString - ``` + ``` syntax + $SIDs | Add-Member NoteProperty Hexadecimal $hexSIDString + ``` - ``` syntax + ``` syntax -         Write-Output $SIDs - ``` + Write-Output $SIDs + ``` - ``` syntax -     } - ``` + ``` syntax + } + ``` - ``` syntax - } - ``` + ``` syntax + } + ``` -3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments. +3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments. 
- For example, + For example, - **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List” or “$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")** + **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List” or “$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")** - **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200”** + **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200”** - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics [Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md) -  + -  + diff --git a/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services.md b/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services.md index 49ee4acb8b..dd19ea6161 100644 --- a/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services.md +++ b/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services.md 
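Review bot: the same unparseable script is carried over here: the help branch opens with `{` after the `if(...)` line and then closes with another `+ {` just before `+ else`, so that line should be `}`. Three things in the comment-based help are also wrong and should be fixed in the same pass: the second `.EXAMPLE` array uses `"DOMAIN_user_account2"` with an underscore, which the script's `$accountName.Split('\')` check would reject as invalid; both examples pipe to `Write-Output -FilePath .\SIDs.txt -Width 200`, but Write-Output has no such parameters (Out-File does); and step 1 tells the reader to save the file as `ConvertToSIDs.ps1` while every example and the `/?` text call `ConvertToSID.ps1` (and even `ConvertToSID.exe`), so one name should be used throughout. The two `+ []()` lines between the help block and `function ConvertSIDToHexFormat` are empty links left over from conversion and can be dropped, and the re-indent collapsed the multi-space columns inside string literals such as `'Account name    SID as string   SID as hexadecimal'`, which changes the output the help text describes.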
@@ -19,10 +19,10 @@ ms.date: 06/16/2016 Use the following procedure to install the database server and management server on different computers. The computer you plan to install the database server on must be running a supported version of Microsoft SQL or the installation will fail. -**Note**   +**Note** After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases. -  + **To install the management database and the management server on separate computers** @@ -44,14 +44,16 @@ After you complete the deployment, the **Microsoft SQL Server name**, **instance 7. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**. - **Note**   + **Note** If you plan to deploy the management server on the same computer you must select **Use this local computer**. -   - Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**. -8. To start the installation, click **Install**. +~~~ +Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**. +~~~ + +8. To start the installation, click **Install**. **To install the reporting database and the reporting server on separate computers** 
@@ -73,14 +75,16 @@ After you complete the deployment, the **Microsoft SQL Server name**, **instance 7. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**. - **Note**   + **Note** If you plan to deploy the reporting server on the same computer you must select **Use this local computer**. -   - Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**. -8. To start the installation, click **Install**. +~~~ +Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**. +~~~ + +8. To start the installation, click **Install**. **To install the management and reporting databases using App-V 5.0 database scripts** @@ -98,10 +102,10 @@ After you complete the deployment, the **Microsoft SQL Server name**, **instance 4. For each database, copy the scripts to a share and modify them following the instructions in the readme file. - **Note**   + **Note** For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell.md). -   + 5. Run the scripts on the computer running Microsoft SQL Server. @@ -112,9 +116,9 @@ After you complete the deployment, the **Microsoft SQL Server name**, **instance [Deploying App-V 5.0](deploying-app-v-50.md) -  - -  + + + 
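Review bot: wrapping the continuation sentence of step 7 in a tilde fence is the wrong fix in both the management (`@@ -44,14 +46,16`) and reporting (`@@ -73,14 +75,16`) hunks: `+~~~` / `+Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.` / `+~~~` renders that instruction as a code block, shows the `**` markers literally, and breaks the ordered list so `8. To start the installation, click **Install**.` restarts numbering. Keep the sentence as an indented paragraph under item 7 (four leading spaces, no fence), the same way the **Note** paragraph above it is indented. The trailing-whitespace and non-breaking-space removals in the other hunks look fine.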
diff --git a/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md b/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md index e888c02cc4..77c7a3fd6a 100644 --- a/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md +++ b/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 Use the following procedure to install the database server and management server on different computers. The computer you plan to install the database server on must be running a supported version of Microsoft SQL or the installation will fail. -**Note**   +**Note** After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases. -  + **To install the management database and the management server on separate computers** 
@@ -44,14 +44,16 @@ After you complete the deployment, the **Microsoft SQL Server name**, **instance 7. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**. - **Note**   + **Note** If you plan to deploy the management server on the same computer you must select **Use this local computer**. -   - Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**. -8. To start the installation, click **Install**. +~~~ +Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**. +~~~ + +8. To start the installation, click **Install**. **To install the reporting database and the reporting server on separate computers** @@ -73,14 +75,16 @@ After you complete the deployment, the **Microsoft SQL Server name**, **instance 7. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**. - **Note**   + **Note** If you plan to deploy the reporting server on the same computer you must select **Use this local computer**. -   - Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**. -8. To start the installation, click **Install**. +~~~ +Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**. +~~~ + +8. To start the installation, click **Install**. **To install the management and reporting databases using App-V 5.1 database scripts** 
@@ -98,10 +102,10 @@ After you complete the deployment, the **Microsoft SQL Server name**, **instance 4. For each database, copy the scripts to a share and modify them following the instructions in the readme file. - **Note**   + **Note** For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md). -   + 5. Run the scripts on the computer running Microsoft SQL Server. @@ -112,9 +116,9 @@ After you complete the deployment, the **Microsoft SQL Server name**, **instance [Deploying App-V 5.1](deploying-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-install-the-management-server-on-a-standalone-computer-and-connect-it-to-the-database.md b/mdop/appv-v5/how-to-install-the-management-server-on-a-standalone-computer-and-connect-it-to-the-database.md index b0f617583f..05a849b30c 100644 --- a/mdop/appv-v5/how-to-install-the-management-server-on-a-standalone-computer-and-connect-it-to-the-database.md +++ b/mdop/appv-v5/how-to-install-the-management-server-on-a-standalone-computer-and-connect-it-to-the-database.md 
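Review bot: the 5.1 copy of this topic repeats the tilde-fence problem in both the management and reporting hunks: `+~~~` / `+Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.` / `+~~~` turns a step 7 instruction into a literal code block and detaches the following `8. To start the installation, click **Install**.` from the list. Replace the fence with an indented continuation paragraph under item 7, matching how the **Note** paragraph is indented.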
@@ -33,33 +33,35 @@ Use the following procedure to install the management server on a standalone com 6. On the **Configure Existing Management Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL SQL, for example **SqlServerMachine**. - **Note**   + **Note** If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. -   - For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. - Specify the **SQL Server Database name** that this management server will use, for example **AppvManagement**. +~~~ +For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. -7. On the **Configure Management Server Configuration** page, specify the AD group or account that will connect to the management console for administrative purposes for example **MyDomain\\MyUser** or **MyDomain\\AdminGroup**. The account or AD group you specify will be enabled to manage the server through the management console. You can add additional users or groups using the management console after installation +Specify the **SQL Server Database name** that this management server will use, for example **AppvManagement**. +~~~ - Specify the **Website Name** that you want to use for the management service. Accept the default if you do not have a custom name. For the **Port Binding**, specify a unique port number to be used, for example **12345**. +7. On the **Configure Management Server Configuration** page, specify the AD group or account that will connect to the management console for administrative purposes for example **MyDomain\\MyUser** or **MyDomain\\AdminGroup**. 
The account or AD group you specify will be enabled to manage the server through the management console. You can add additional users or groups using the management console after installation -8. Click **Install**. + Specify the **Website Name** that you want to use for the management service. Accept the default if you do not have a custom name. For the **Port Binding**, specify a unique port number to be used, for example **12345**. -9. To confirm that the setup has completed successfully, open a web browser, and type the following URL: http://managementserver:portnumber/Console.html if the installation was successful you should see the **Silverlight Management Console** appear without any error messages or warnings being displayed. +8. Click **Install**. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +9. To confirm that the setup has completed successfully, open a web browser, and type the following URL: http://managementserver:portnumber/Console.html if the installation was successful you should see the **Silverlight Management Console** appear without any error messages or warnings being displayed. + + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics [Deploying App-V 5.0](deploying-app-v-50.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-install-the-management-server-on-a-standalone-computer-and-connect-it-to-the-database51.md b/mdop/appv-v5/how-to-install-the-management-server-on-a-standalone-computer-and-connect-it-to-the-database51.md index 076de936c5..988a91b3ff 100644 
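Review bot: the two step 6 continuation paragraphs should not be fenced: `+~~~` / `+For the SQL Server Instance, select **Use the default instance**. ...` / `+Specify the **SQL Server Database name** that this management server will use, for example **AppvManagement**.` / `+~~~` renders both sentences as a code block with literal `**`, and because the fence is at column 0 it also ends the numbered list, so steps 7 to 9 no longer continue from step 6. Indent them as plain paragraphs under item 6 instead. While this hunk is open, the unchanged context line for step 6 reads "the computer running Microsoft SQL SQL", which should be "Microsoft SQL Server", and the step 7 sentence "You can add additional users or groups using the management console after installation" is missing its full stop.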
--- a/mdop/appv-v5/how-to-install-the-management-server-on-a-standalone-computer-and-connect-it-to-the-database51.md +++ b/mdop/appv-v5/how-to-install-the-management-server-on-a-standalone-computer-and-connect-it-to-the-database51.md 
@@ -33,33 +33,35 @@ Use the following procedure to install the management server on a standalone com 6. On the **Configure Existing Management Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL SQL, for example **SqlServerMachine**. - **Note**   + **Note** If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. -   - For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. - Specify the **SQL Server Database name** that this management server will use, for example **AppvManagement**. +~~~ +For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. -7. On the **Configure Management Server Configuration** page, specify the AD group or account that will connect to the management console for administrative purposes for example **MyDomain\\MyUser** or **MyDomain\\AdminGroup**. The account or AD group you specify will be enabled to manage the server through the management console. You can add additional users or groups using the management console after installation +Specify the **SQL Server Database name** that this management server will use, for example **AppvManagement**. +~~~ - Specify the **Website Name** that you want to use for the management service. Accept the default if you do not have a custom name. For the **Port Binding**, specify a unique port number to be used, for example **12345**. +7. On the **Configure Management Server Configuration** page, specify the AD group or account that will connect to the management console for administrative purposes for example **MyDomain\\MyUser** or **MyDomain\\AdminGroup**. 
The account or AD group you specify will be enabled to manage the server through the management console. You can add additional users or groups using the management console after installation -8. Click **Install**. + Specify the **Website Name** that you want to use for the management service. Accept the default if you do not have a custom name. For the **Port Binding**, specify a unique port number to be used, for example **12345**. -9. To confirm that the setup has completed successfully, open a web browser, and type the following URL: http://managementserver:portnumber/Console. If the installation was successful, you should see the **Management Console** appear without any error messages or warnings being displayed. +8. Click **Install**. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +9. To confirm that the setup has completed successfully, open a web browser, and type the following URL: http://managementserver:portnumber/Console. If the installation was successful, you should see the **Management Console** appear without any error messages or warnings being displayed. + + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics [Deploying App-V 5.1](deploying-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer.md b/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer.md index 8946b62adc..22a42e002d 100644 --- a/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer.md 
+++ b/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer.md 
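Review bot: In both management-server hunks above (the 5.0 file and the `...database51.md` file), the `+~~~` pair wraps the two prose sentences that follow the Note ("For the SQL Server Instance, select **Use the default instance**..." and "Specify the **SQL Server Database name**...") in a fenced code block, so they will render as verbatim code instead of as the continuation of step 6, and their indentation under the list item is lost. Drop the `~~~` fences and keep the sentences indented to the list item. While these lines are being rewritten, two small fixes are worth folding in: the context line in step 6 reads "running Microsoft SQL SQL" where the reporting-server files say "Microsoft SQL Server", and in the 5.0 file the bold wrapping in `**Got an App-V issu**e?` splits the word, whereas the 5.1 file has `**Got an App-V issue?**`.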
@@ -21,62 +21,62 @@ Use the following procedure to install the publishing server on a separate compu **To install the publishing server on a separate computer** -1. Copy the App-V 5.0 server installation files to the computer on which you want to install it on. To start the App-V 5.0 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. +1. Copy the App-V 5.0 server installation files to the computer on which you want to install it on. To start the App-V 5.0 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. -2. On the **Getting Started** page, review and accept the license terms, and click **Next**. +2. On the **Getting Started** page, review and accept the license terms, and click **Next**. -3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**. +3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**. -4. On the **Feature Selection** page, select the **Publishing Server** checkbox and click **Next**. +4. On the **Feature Selection** page, select the **Publishing Server** checkbox and click **Next**. -5. On the **Installation Location** page, accept the default location and click **Next**. +5. On the **Installation Location** page, accept the default location and click **Next**. -6. On the **Configure Publishing Server Configuration** page, specify the following items: +6. 
On the **Configure Publishing Server Configuration** page, specify the following items: - - The URL for the management service that the publishing server will connect to. For example, **http://ManagementServerName:12345**. + - The URL for the management service that the publishing server will connect to. For example, **http://ManagementServerName:12345**. - - Specify the website name that you want to use for the publishing service. Accept the default if you do not have a custom name. + - Specify the website name that you want to use for the publishing service. Accept the default if you do not have a custom name. - - For the **Port Binding**, specify a unique port number that will be used by App-V 5.0, for example **54321**. + - For the **Port Binding**, specify a unique port number that will be used by App-V 5.0, for example **54321**. -7. On the **Ready to Install** page, click **Install**. +7. On the **Ready to Install** page, click **Install**. -8. After the installation is complete, the publishing server must be registered with the management server. In the App-V 5.0 management console, use the following steps to register the server: +8. After the installation is complete, the publishing server must be registered with the management server. In the App-V 5.0 management console, use the following steps to register the server: - 1. Open the App-V 5.0 management server console. + 1. Open the App-V 5.0 management server console. - 2. In the left pane, select **Servers**, and then select **Register New Server**. + 2. In the left pane, select **Servers**, and then select **Register New Server**. - 3. Type the name of this server and a description (if required) and click **Add**. + 3. Type the name of this server and a description (if required) and click **Add**. -9. To verify if the publishing server is running correctly, you should import a package to the management server, entitle the package to an AD group, and publish the package. 
Using an internet browser, open the following URL: **http://publishingserver:pubport**. If the server is running correctly information similar to the following will be displayed: +9. To verify if the publishing server is running correctly, you should import a package to the management server, entitle the package to an AD group, and publish the package. Using an internet browser, open the following URL: http://publishingserver:pubport. If the server is running correctly information similar to the following will be displayed: - `` + `` - ` ` + ` ` - ` ` + ` ` - ` ` + ` ` - ` ` + ` ` - ` ` + ` ` - ` ` + ` ` - `` + `` - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics [Deploying App-V 5.0](deploying-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer51.md b/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer51.md index c5da2723e4..b304366dd1 100644 --- a/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer51.md +++ b/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer51.md 
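Review bot: The suggestion line rewritten at the end of step 9 keeps the misplaced bold marker in `**Got an App-V issu**e?`; since the line is already touched, move the closing `**` after the question mark to match the 5.1 counterpart, `**Got an App-V issue?**`. Step 9 also drops the bold from `http://publishingserver:pubport` and leaves the placeholder URL unmarked; putting it in backticks keeps the placeholder host and port from rendering as a live link.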
@@ -21,62 +21,62 @@ Use the following procedure to install the publishing server on a separate compu **To install the publishing server on a separate computer** -1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. +1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. -2. On the **Getting Started** page, review and accept the license terms, and click **Next**. +2. On the **Getting Started** page, review and accept the license terms, and click **Next**. -3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**. +3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**. -4. On the **Feature Selection** page, select the **Publishing Server** checkbox and click **Next**. +4. On the **Feature Selection** page, select the **Publishing Server** checkbox and click **Next**. -5. On the **Installation Location** page, accept the default location and click **Next**. +5. On the **Installation Location** page, accept the default location and click **Next**. -6. On the **Configure Publishing Server Configuration** page, specify the following items: +6. 
On the **Configure Publishing Server Configuration** page, specify the following items: - - The URL for the management service that the publishing server will connect to. For example, **http://ManagementServerName:12345**. + - The URL for the management service that the publishing server will connect to. For example, **http://ManagementServerName:12345**. - - Specify the website name that you want to use for the publishing service. Accept the default if you do not have a custom name. + - Specify the website name that you want to use for the publishing service. Accept the default if you do not have a custom name. - - For the **Port Binding**, specify a unique port number that will be used by App-V 5.1, for example **54321**. + - For the **Port Binding**, specify a unique port number that will be used by App-V 5.1, for example **54321**. -7. On the **Ready to Install** page, click **Install**. +7. On the **Ready to Install** page, click **Install**. -8. After the installation is complete, the publishing server must be registered with the management server. In the App-V 5.1 management console, use the following steps to register the server: +8. After the installation is complete, the publishing server must be registered with the management server. In the App-V 5.1 management console, use the following steps to register the server: - 1. Open the App-V 5.1 management server console. + 1. Open the App-V 5.1 management server console. - 2. In the left pane, select **Servers**, and then select **Register New Server**. + 2. In the left pane, select **Servers**, and then select **Register New Server**. - 3. Type the name of this server and a description (if required) and click **Add**. + 3. Type the name of this server and a description (if required) and click **Add**. -9. To verify if the publishing server is running correctly, you should import a package to the management server, entitle the package to an AD group, and publish the package. 
Using an internet browser, open the following URL: **http://publishingserver:pubport**. If the server is running correctly information similar to the following will be displayed: +9. To verify if the publishing server is running correctly, you should import a package to the management server, entitle the package to an AD group, and publish the package. Using an internet browser, open the following URL: http://publishingserver:pubport. If the server is running correctly information similar to the following will be displayed: - `` + `` - ` ` + ` ` - ` ` + ` ` - ` ` + ` ` - ` ` + ` ` - ` ` + ` ` - ` ` + ` ` - `` + `` - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics [Deploying App-V 5.1](deploying-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database.md b/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database.md index a52e6812c2..6cd9f15218 100644 --- a/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database.md +++ b/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database.md 
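Review bot: Step 1 in this hunk is rewritten but keeps the doubled preposition in "the computer on which you want to install it on"; drop the trailing "on". The same wording appears in the 5.0 publishing-server hunk above. Step 9 would also read better with a comma after "If the server is running correctly".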
@@ -19,10 +19,10 @@ ms.date: 06/16/2016 Use the following procedure to install the reporting server on a standalone computer and connect it to the database. -**Important**   +**Important** Before performing the following procedure you should read and understand [About App-V 5.0 Reporting](about-app-v-50-reporting.md). -  + **To install the reporting server on a standalone computer and connect it to the database** 
@@ -38,24 +38,26 @@ Before performing the following procedure you should read and understand [About 6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**. - **Note**   + **Note** If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. -   - For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. - Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**. +~~~ +For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. -7. On the **Configure Reporting Server Configuration** page. +Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**. +~~~ - - Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name. +7. On the **Configure Reporting Server Configuration** page. - - For the **Port binding**, specify a unique port number that will be used by App-V 5.0, for example **55555**. You should also ensure that the port specified is not being used by another website. + - Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name. -8. Click **Install**. + - For the **Port binding**, specify a unique port number that will be used by App-V 5.0, for example **55555**. You should also ensure that the port specified is not being used by another website. - **Got a suggestion for App-V**? 
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +8. Click **Install**. + + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics @@ -66,9 +68,9 @@ Before performing the following procedure you should read and understand [About [How to Enable Reporting on the App-V 5.0 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-50-client-by-using-powershell.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md b/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md index b7ec2918c2..4d6223aabf 100644 --- a/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md +++ b/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 Use the following procedure to install the reporting server on a standalone computer and connect it to the database. -**Important**   +**Important** Before performing the following procedure you should read and understand [About App-V 5.1 Reporting](about-app-v-51-reporting.md). -  + **To install the reporting server on a standalone computer and connect it to the database** 
@@ -38,24 +38,26 @@ Before performing the following procedure you should read and understand [About 6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**. - **Note**   + **Note** If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. -   - For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. - Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**. +~~~ +For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. -7. On the **Configure Reporting Server Configuration** page. +Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**. +~~~ - - Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name. +7. On the **Configure Reporting Server Configuration** page. - - For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website. + - Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name. -8. Click **Install**. + - For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website. - **Got a suggestion for App-V**? 
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +8. Click **Install**. + + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics @@ -66,9 +68,9 @@ Before performing the following procedure you should read and understand [About [How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-install-the-sequencer-51beta-gb18030.md b/mdop/appv-v5/how-to-install-the-sequencer-51beta-gb18030.md index ab643ae423..dac6a4e3dc 100644 --- a/mdop/appv-v5/how-to-install-the-sequencer-51beta-gb18030.md +++ b/mdop/appv-v5/how-to-install-the-sequencer-51beta-gb18030.md @@ -24,7 +24,7 @@ Upgrading a previous installation of the App-V sequencer is not supported. **Important**   For a full list of the sequencer requirements see sequencer sections of [App-V 5.1 Prerequisites](app-v-51-prerequisites.md) and [App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md). -  + You can also use the command line to install the App-V 5.1 sequencer. The following list displays information about options for installing the sequencer using the command line and **appv\_sequencer\_setup.exe**: @@ -79,7 +79,7 @@ You can also use the command line to install the App-V 5.1 sequencer. The follow -  + **To install the App-V 5.1 sequencer** @@ -104,9 +104,9 @@ You can also use the command line to install the App-V 5.1 sequencer. The follow [Planning to Deploy App-V](planning-to-deploy-app-v51.md) -  + -  + 
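Review bot: The `~~~` fences in the `@@ -38,24` hunks of both reporting-server files have the same effect as in the management-server files: the sentences "For the SQL Server Instance..." and "Specify the **SQL Server Database name**..." become a verbatim code block detached from step 6. Indent them under the list item instead of fencing them. The unchanged context line "7. On the **Configure Reporting Server Configuration** page." is a sentence fragment; since the bullets that follow are the items to fill in, ending it with "specify the following items:" as the publishing-server files do would complete it.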
diff --git a/mdop/appv-v5/how-to-install-the-sequencer-beta-gb18030.md b/mdop/appv-v5/how-to-install-the-sequencer-beta-gb18030.md index c83463f6ff..3f7e638081 100644 --- a/mdop/appv-v5/how-to-install-the-sequencer-beta-gb18030.md +++ b/mdop/appv-v5/how-to-install-the-sequencer-beta-gb18030.md @@ -24,7 +24,7 @@ Upgrading a previous installation of the App-V sequencer is not supported. **Important**   For a full list of the sequencer requirements see sequencer sections of [App-V 5.0 Prerequisites](app-v-50-prerequisites.md) and [App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md). -  + You can also use the command line to install the App-V 5.0 sequencer. The following list displays information about options for installing the sequencer using the command line and **appv\_sequencer\_setup.exe**: @@ -79,7 +79,7 @@ You can also use the command line to install the App-V 5.0 sequencer. The follow -  + **To install the App-V 5.0 sequencer** @@ -104,9 +104,9 @@ You can also use the command line to install the App-V 5.0 sequencer. The follow [Planning to Deploy App-V](planning-to-deploy-app-v.md) -  + -  + diff --git a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md index 64a255bda2..e24a590f0a 100644 --- a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md +++ b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md @@ -48,9 +48,9 @@ Review the following requirements for using the App-V PowerShell cmdlets:

    Users can run App-V Server cmdlets only if you grant them access by using one of the following methods:

    • When you are deploying and configuring the App-V Server:

      -

      Specify an Active Directory group or individual user that has permissions to manage the App-V environment. See [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md).

    • +

      Specify an Active Directory group or individual user that has permissions to manage the App-V environment. See How to Deploy the App-V 5.0 Server.

    • After you’ve deployed the App-V Server:

      -

      Use the App-V Management console to add an additional Active Directory group or user. See [How to Add or Remove an Administrator by Using the Management Console](how-to-add-or-remove-an-administrator-by-using-the-management-console.md).

    • +

      Use the App-V Management console to add an additional Active Directory group or user. See How to Add or Remove an Administrator by Using the Management Console.

    @@ -91,13 +91,13 @@ Review the following requirements for using the App-V PowerShell cmdlets:

    Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.

    Enable the “Require publish as administrator” Group Policy setting for App-V Clients.

    -

    [How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md)

    +

    How to Publish a Package by Using the Management Console

    @@ -106,7 +106,7 @@ Review the following requirements for using the App-V PowerShell cmdlets: -  + ## Loading the PowerShell cmdlets To load the PowerShell cmdlet modules: @@ -142,7 +142,7 @@ To load the PowerShell cmdlet modules: -  + ## Getting help for the PowerShell cmdlets Starting in App-V 5.0 SP3, cmdlet help is available in two formats: @@ -196,12 +196,12 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats:

    On TechNet as web pages

    -

    See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://technet.microsoft.com/library/dn520245.aspx).

    +

    See the App-V node under Microsoft Desktop Optimization Pack Automation with Windows PowerShell.

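Review bot: In the `@@ -48,9`, `@@ -91,13` and `@@ -196,12` hunks of how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-50-sp3.md, each `+` line drops a markdown link and keeps only its text: `[How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md)`, `[How to Add or Remove an Administrator by Using the Management Console](how-to-add-or-remove-an-administrator-by-using-the-management-console.md)` and `[How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md)` all lose their targets, as does the TechNet link to dn520245. If the intent is to replace markdown links inside these table cells with another link form, the targets need to be carried over; as the hunks read, the cross-references are gone.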
    -  + ## Displaying the help for a PowerShell cmdlet To display help for a specific PowerShell cmdlet: @@ -212,9 +212,9 @@ To display help for a specific PowerShell cmdlet: **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue**? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). -  + -  + diff --git a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md index 0251d9bd78..c8f34160ab 100644 --- a/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md +++ b/mdop/appv-v5/how-to-load-the-powershell-cmdlets-and-get-cmdlet-help-51.md @@ -48,9 +48,9 @@ Review the following requirements for using the App-V PowerShell cmdlets:

    Users can run App-V Server cmdlets only if you grant them access by using one of the following methods:

    • When you are deploying and configuring the App-V Server:

      -

      Specify an Active Directory group or individual user that has permissions to manage the App-V environment. See [How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md).

    • +

      Specify an Active Directory group or individual user that has permissions to manage the App-V environment. See How to Deploy the App-V 5.1 Server.

    • After you’ve deployed the App-V Server:

      -

      Use the App-V Management console to add an additional Active Directory group or user. See [How to Add or Remove an Administrator by Using the Management Console](how-to-add-or-remove-an-administrator-by-using-the-management-console51.md).

    • +

      Use the App-V Management console to add an additional Active Directory group or user. See How to Add or Remove an Administrator by Using the Management Console.

    @@ -91,13 +91,13 @@ Review the following requirements for using the App-V PowerShell cmdlets:

    Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.

    Enable the “Require publish as administrator” Group Policy setting for App-V Clients.

    -

    [How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-51.md)

    +

    How to Publish a Package by Using the Management Console

    @@ -106,7 +106,7 @@ Review the following requirements for using the App-V PowerShell cmdlets: -  + ## Loading the PowerShell cmdlets @@ -195,7 +195,7 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats:

    On TechNet as web pages

    -

    See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://technet.microsoft.com/library/dn520245.aspx).

    +

    See the App-V node under Microsoft Desktop Optimization Pack Automation with Windows PowerShell.

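Review bot: The same link loss appears in the `...-51.md` hunks above: the `+` lines remove the targets `how-to-deploy-the-app-v-51-server.md`, `how-to-add-or-remove-an-administrator-by-using-the-management-console51.md` and `how-to-publish-a-package-by-using-the-management-console-51.md`, plus the dn520245 TechNet URL, leaving only the link text. Confirm the anchors survive in whatever form the table cells end up using before this is merged.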
    @@ -209,9 +209,9 @@ To display help for a specific PowerShell cmdlet: **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). -  + -  + diff --git a/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version.md b/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version.md index a759434486..5cfa258188 100644 --- a/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version.md +++ b/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version.md @@ -61,7 +61,7 @@ To upgrade a package in earlier versions of App-V, you had to perform several st
  • Click EDIT in the CONNECTED PACKAGES pane.

  • Select Use Any Version check box next to the package name, and click Apply.

  • -

    For more about adding or upgrading packages, see [How to Add or Upgrade Packages by Using the Management Console](how-to-add-or-upgrade-packages-by-using-the-management-console-beta-gb18030.md).

    +

    For more about adding or upgrading packages, see How to Add or Upgrade Packages by Using the Management Console.

    App-V Client on a Stand-alone computer

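Review bot: The `+` line in this hunk replaces `[How to Add or Upgrade Packages by Using the Management Console](how-to-add-or-upgrade-packages-by-using-the-management-console-beta-gb18030.md)` with plain text, so the cross-reference target is lost; keep the link, or carry its target into whatever form the list item is converted to.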
    @@ -79,8 +79,8 @@ To upgrade a package in earlier versions of App-V, you had to perform several st

    For more information, see:

    @@ -90,7 +90,7 @@ To upgrade a package in earlier versions of App-V, you had to perform several st -  + @@ -102,9 +102,9 @@ To upgrade a package in earlier versions of App-V, you had to perform several st [Managing Connection Groups](managing-connection-groups.md) -  + -  + diff --git a/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version51.md b/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version51.md index 7f167a4ac0..dd0494ceee 100644 --- a/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version51.md +++ b/mdop/appv-v5/how-to-make-a-connection-group-ignore-the-package-version51.md @@ -61,7 +61,7 @@ To upgrade a package in some earlier versions of App-V, you had to perform sever
  • Click EDIT in the CONNECTED PACKAGES pane.

  • Select Use Any Version check box next to the package name, and click Apply.

  • -

    For more about adding or upgrading packages, see [How to Add or Upgrade Packages by Using the Management Console](how-to-add-or-upgrade-packages-by-using-the-management-console-51-gb18030.md).

    +

    For more about adding or upgrading packages, see How to Add or Upgrade Packages by Using the Management Console.

    App-V Client on a Stand-alone computer
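Review bot: the same regression appears in hunk @@ -61,7 of how-to-make-a-connection-group-ignore-the-package-version51.md: the `+` line turns `[How to Add or Upgrade Packages by Using the Management Console](how-to-add-or-upgrade-packages-by-using-the-management-console-51-gb18030.md)` into unlinked text. Restore the link (with an updated path if the target moved) so the 5.1 topic still points readers to the add/upgrade procedure.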

    @@ -79,8 +79,8 @@ To upgrade a package in some earlier versions of App-V, you had to perform sever

    For more information, see:

    @@ -90,7 +90,7 @@ To upgrade a package in some earlier versions of App-V, you had to perform sever -  + @@ -102,9 +102,9 @@ To upgrade a package in some earlier versions of App-V, you had to perform sever [Managing Connection Groups](managing-connection-groups51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md b/mdop/appv-v5/how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md index 4c2c9aed8f..08c7e04567 100644 --- a/mdop/appv-v5/how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md +++ b/mdop/appv-v5/how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md @@ -58,7 +58,7 @@ Use the following information to add a package to a computer. **Important**   This example only adds a package. It does not publish the package to the user or the computer. -  + **Cmdlet**: Add-AppvClientPackage @@ -94,7 +94,7 @@ Use the following information to publish a package that has been added to a spec -  + ## To publish a package to a specific user @@ -102,7 +102,7 @@ Use the following information to publish a package that has been added to a spec **Note**   You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. -  + An administrator can publish a package to a specific user by specifying the optional **–UserSID** parameter with the **Publish-AppvClientPackage** cmdlet, where **-UserSID** represents the end user’s security identifier (SID). @@ -144,7 +144,7 @@ Use the following information to unpublish a package which has been entitled to **Note**   You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. -  + An administrator can unpublish a package for a specific user by using the optional **–UserSID** parameter with the **Unpublish-AppvClientPackage** cmdlet, where **-UserSID** represents the end user’s security identifier (SID). 
@@ -174,7 +174,7 @@ Use the following information to remove a package from the computer. **Note**   App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [To add and publish a package](#bkmk-add-pub-pkg-standalone-posh). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](https://go.microsoft.com/fwlink/?LinkId=324466). -  + ## To enable only administrators to publish or unpublish packages @@ -182,7 +182,7 @@ App-V cmdlets have been assigned to variables for the previous examples for clar **Note**   **This feature is supported starting in App-V 5.0 SP3.** -  + Use the following cmdlet and parameter to enable only administrators (not end users) to publish or unpublish packages: @@ -209,7 +209,7 @@ Use the following cmdlet and parameter to enable only administrators (not end us -  + To use the App-V Management console to set this configuration, see [How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-50.md). @@ -249,7 +249,7 @@ To use the App-V Management console to set this configuration, see [How to Publi -  + The pending task will run later, according to the following rules: @@ -276,7 +276,7 @@ The pending task will run later, according to the following rules: -  + For more information about pending tasks, see [About App-V 5.0 SP2](about-app-v-50-sp2.md#bkmk-pkg-upgr-pendg-tasks). @@ -289,9 +289,9 @@ For more information about pending tasks, see [About App-V 5.0 SP2](about-app-v- [Administering App-V by Using PowerShell](administering-app-v-by-using-powershell.md) -  + -  + diff --git a/mdop/appv-v5/how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md b/mdop/appv-v5/how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md index 1991de0612..fe66e53ac9 100644 
--- a/mdop/appv-v5/how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md +++ b/mdop/appv-v5/how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md @@ -58,7 +58,7 @@ Use the following information to add a package to a computer. **Important**   This example only adds a package. It does not publish the package to the user or the computer. -  + **Cmdlet**: Add-AppvClientPackage @@ -94,7 +94,7 @@ Use the following information to publish a package that has been added to a spec -  + ## To publish a package to a specific user @@ -102,7 +102,7 @@ Use the following information to publish a package that has been added to a spec **Note**   You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. -  + An administrator can publish a package to a specific user by specifying the optional **–UserSID** parameter with the **Publish-AppvClientPackage** cmdlet, where **-UserSID** represents the end user’s security identifier (SID). @@ -144,7 +144,7 @@ Use the following information to unpublish a package which has been entitled to **Note**   You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. -  + An administrator can unpublish a package for a specific user by using the optional **–UserSID** parameter with the **Unpublish-AppvClientPackage** cmdlet, where **-UserSID** represents the end user’s security identifier (SID). @@ -174,7 +174,7 @@ Use the following information to remove a package from the computer. **Note**   App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [To add and publish a package](#bkmk-add-pub-pkg-standalone-posh). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](https://go.microsoft.com/fwlink/?LinkId=324466). -  + ## To enable only administrators to publish or unpublish packages 
@@ -182,7 +182,7 @@ App-V cmdlets have been assigned to variables for the previous examples for clar **Note**   **This feature is supported starting in App-V 5.0 SP3.** -  + Use the following cmdlet and parameter to enable only administrators (not end users) to publish or unpublish packages: @@ -209,7 +209,7 @@ Use the following cmdlet and parameter to enable only administrators (not end us -  + To use the App-V Management console to set this configuration, see [How to Publish a Package by Using the Management Console](how-to-publish-a-package-by-using-the-management-console-51.md). @@ -249,7 +249,7 @@ To use the App-V Management console to set this configuration, see [How to Publi -  + The pending task will run later, according to the following rules: @@ -276,7 +276,7 @@ The pending task will run later, according to the following rules: -  + For more information about pending tasks, see [About App-V 5.0 SP2](about-app-v-50-sp2.md#bkmk-pkg-upgr-pendg-tasks). @@ -289,9 +289,9 @@ For more information about pending tasks, see [About App-V 5.0 SP2](about-app-v- [Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md) -  + -  + diff --git a/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md b/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md index a8f338283e..fb63bd845f 100644 --- a/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md +++ b/mdop/appv-v5/how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md 
@@ -128,9 +128,11 @@ This topic explains the following procedures: -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics @@ -139,9 +141,9 @@ This topic explains the following procedures: [Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md index 68f99e01c1..75bb7066c4 100644 --- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md +++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md 
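Review bot: in hunk @@ -128,9 of how-to-manage-connection-groups-on-a-stand-alone-computer-by-using-powershell51.md the `+` lines wrap the "Got a suggestion for App-V" paragraph in `~~~` fences, which turns it into a literal code block: the two links will render as raw `[text](url)` markup and the bold will be lost. Replace the three fenced lines with the paragraph as ordinary markdown (the original `-` line minus its trailing non-breaking space).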
@@ -22,43 +22,43 @@ Use the following procedure to migrate extension points from an App-V 4.6 pack **Note**   The following procedure does not require an App-V 5.0 management server. -  + **To migrate extension points from a package from an App-V 4.6 package to a converted App-V 5.0 package using the deployment configuration file** -1. Locate the directory that contains the deployment configuration file for the package you want to migrate. To set the policy, make the following update to the **userConfiguration** section: +1. Locate the directory that contains the deployment configuration file for the package you want to migrate. To set the policy, make the following update to the **userConfiguration** section: - **ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName=<Package ID>** + **ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName=<Package ID>** - The following is an example of content from a deployment configuration file: + The following is an example of content from a deployment configuration file: - <?xml version="1.0" ?> + <?xml version="1.0" ?> - <DeploymentConfiguration + <DeploymentConfiguration - xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration" PackageId=<Package ID> DisplayName=<Display Name> + xmlns="" PackageId=<Package ID> DisplayName=<Display Name> - <MachineConfiguration/> + <MachineConfiguration/> - <UserConfiguration> + <UserConfiguration> - <ManagingAuthority TakeoverExtensionPointsFrom46="true" + <ManagingAuthority TakeoverExtensionPointsFrom46="true" - PackageName=<Package ID> + PackageName=<Package ID> - </UserConfiguration> + </UserConfiguration> - </DeploymentConfiguration> + </DeploymentConfiguration> -2. To add the App-V 5.0 package, in an elevated PowerShell command prompt type: +2. 
To add the App-V 5.0 package, in an elevated PowerShell command prompt type: - PS>**$pkg= Add-AppvClientPackage** **–Path** <Path to package location> -**DynamicDeploymentConfiguration** <Path to the deployment configuration file> + PS>**$pkg= Add-AppvClientPackage** **–Path** <Path to package location> -**DynamicDeploymentConfiguration** <Path to the deployment configuration file> - PS>**Publish-AppVClientPackage $pkg** + PS>**Publish-AppVClientPackage $pkg** -3. To test the migration, open the virtual application using asscoaited FTAs or shortcuts. The application opens with App-V 5.0. Both, the App-V 4.6 package and the converted App-V 5.0 package are published to the user, but the FTAs and shortcuts for the applications have been assumed by the App-V 5.0 package. +3. To test the migration, open the virtual application using asscoaited FTAs or shortcuts. The application opens with App-V 5.0. Both, the App-V 4.6 package and the converted App-V 5.0 package are published to the user, but the FTAs and shortcuts for the applications have been assumed by the App-V 5.0 package. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics @@ -67,9 +67,9 @@ The following procedure does not require an App-V 5.0 management server. [Operations for App-V 5.0](operations-for-app-v-50.md) -  + -  + 
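Review bot: hunk @@ -22,43 of how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md replaces `xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration"` with `xmlns=""` in the sample deployment configuration file. The `-` line is the only place the topic shows which schema namespace the file must declare; an empty `xmlns` is not equivalent, and a reader who copies the sample gets a file with no namespace. If a link-rewriting tool produced this by wrapping the URI in angle brackets (which then renders as nothing), exempt XML attribute values from it and keep the literal URI. Since the hunk already touches step 3, also fix `asscoaited` (associated) and the misplaced bold in `**Got an App-V issu**e?` (should be `**Got an App-V issue?**`) on those `+` lines.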
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md index cd86daeff6..19ee17d2ed 100644 --- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md +++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md 
@@ -23,43 +23,43 @@ Use the following procedure to migrate extension points from an App-V 4.6 packa This procedure assumes that you are running the latest version of App-V 4.6. The following procedure does not require an App-V 5.1 management server. -  + **To migrate extension points from a package from an App-V 4.6 package to a converted App-V 5.1 package using the deployment configuration file** -1. Locate the directory that contains the deployment configuration file for the package you want to migrate. To set the policy, make the following update to the **userConfiguration** section: +1. Locate the directory that contains the deployment configuration file for the package you want to migrate. To set the policy, make the following update to the **userConfiguration** section: - **ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName=<Package ID>** + **ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName=<Package ID>** - The following is an example of content from a deployment configuration file: + The following is an example of content from a deployment configuration file: - <?xml version="1.0" ?> + <?xml version="1.0" ?> - <DeploymentConfiguration + <DeploymentConfiguration - xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration" PackageId=<Package ID> DisplayName=<Display Name> + xmlns="" PackageId=<Package ID> DisplayName=<Display Name> - <MachineConfiguration/> + <MachineConfiguration/> - <UserConfiguration> + <UserConfiguration> - <ManagingAuthority TakeoverExtensionPointsFrom46="true" + <ManagingAuthority TakeoverExtensionPointsFrom46="true" - PackageName=<Package ID> + PackageName=<Package ID> - </UserConfiguration> + </UserConfiguration> - </DeploymentConfiguration> + </DeploymentConfiguration> -2. To add the App-V 5.1 package, in an elevated PowerShell command prompt type: +2. 
To add the App-V 5.1 package, in an elevated PowerShell command prompt type: - PS>**$pkg= Add-AppvClientPackage** **–Path** <Path to package location> -**DynamicDeploymentConfiguration** <Path to the deployment configuration file> + PS>**$pkg= Add-AppvClientPackage** **–Path** <Path to package location> -**DynamicDeploymentConfiguration** <Path to the deployment configuration file> - PS>**Publish-AppVClientPackage $pkg** + PS>**Publish-AppVClientPackage $pkg** -3. To test the migration, open the virtual application using associated FTAs or shortcuts. The application opens with App-V 5.1. Both, the App-V 4.6 package and the converted App-V 5.1 package are published to the user, but the FTAs and shortcuts for the applications have been assumed by the App-V 5.1 package. +3. To test the migration, open the virtual application using associated FTAs or shortcuts. The application opens with App-V 5.1. Both, the App-V 4.6 package and the converted App-V 5.1 package are published to the user, but the FTAs and shortcuts for the applications have been assumed by the App-V 5.1 package. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics @@ -68,9 +68,9 @@ The following procedure does not require an App-V 5.1 management server. [Operations for App-V 5.1](operations-for-app-v-51.md) -  + -  + 
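Review bot: hunk @@ -23,43 of how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md has the same defect as its 5.0 twin: the `+` line changes `xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration"` to `xmlns=""`, deleting the namespace from the sample deployment configuration. Keep the URI exactly as on the `-` line; only the trailing whitespace should change in this commit.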
diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md index 86e330149b..d93b082e4b 100644 --- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md +++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md 
@@ -21,40 +21,40 @@ Use the following procedure to migrate packages created with App-V using the use **To convert a package** -1. Locate the user configuration file for the package you want to convert. To set the policy, perform the following updates in the **userConfiguration** section: **ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName=<Package ID>**. +1. Locate the user configuration file for the package you want to convert. To set the policy, perform the following updates in the **userConfiguration** section: **ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName=<Package ID>**. - The following is an example of a user configuration file: + The following is an example of a user configuration file: - <?xml version="1.0" ?> + <?xml version="1.0" ?> - <UserConfiguration PackageId=<Package ID> DisplayName=<Name of the Package> + <UserConfiguration PackageId=<Package ID> DisplayName=<Name of the Package> - xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> <ManagingAuthority TakeoverExtensionPointsFrom46="true" + xmlns="; <ManagingAuthority TakeoverExtensionPointsFrom46="true" - PackageName=<Package ID> + PackageName=<Package ID> - </UserConfiguration> + </UserConfiguration> -2. To add the App-V 5.0 package type the following in an elavted PowerShell command prompt: +2. To add the App-V 5.0 package type the following in an elavted PowerShell command prompt: - PS>**$pkg= Add-AppvClientPackage –Path** <Path to package location> + PS>**$pkg= Add-AppvClientPackage –Path** <Path to package location> - PS>**Publish-AppVClientPackage $pkg -DynamicUserConfiguration** <Path to the user configuration file> + PS>**Publish-AppVClientPackage $pkg -DynamicUserConfiguration** <Path to the user configuration file> -3. Open the application using FTAs or shortcuts now. The application should open using App-V 5.0. +3. Open the application using FTAs or shortcuts now. The application should open using App-V 5.0. 
- The App-V SP2 package and the converted App-V 5.0 package are published to the user, but the FTAs and shortcuts for the applications have been assumed by the App-V 5.0 package. + The App-V SP2 package and the converted App-V 5.0 package are published to the user, but the FTAs and shortcuts for the applications have been assumed by the App-V 5.0 package. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics [Operations for App-V 5.0](operations-for-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md index 985c56d9da..ddcc67a299 100644 --- a/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md +++ b/mdop/appv-v5/how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md 
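Review bot: in hunk @@ -21,40 of how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md the `+` line turns `xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> <ManagingAuthority` into `xmlns="; <ManagingAuthority`. That loses the namespace URI, the closing quote, and the `>` that ends the `<UserConfiguration ...>` start tag, so the sample user configuration file is no longer well-formed XML. Revert that line to the `-` version (minus trailing whitespace). The hunk also touches step 2, so fix `elavted` (elevated) there, and fix `**Got an App-V issu**e?` to `**Got an App-V issue?**` on the touched suggestion line.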
@@ -24,31 +24,31 @@ This procedure assumes that you are running the latest version of App-V 4.6. **To convert a package** -1. Locate the user configuration file for the package you want to convert. To set the policy, perform the following updates in the **userConfiguration** section: **ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName=<Package ID>**. +1. Locate the user configuration file for the package you want to convert. To set the policy, perform the following updates in the **userConfiguration** section: **ManagingAuthority TakeoverExtensionPointsFrom46="true" PackageName=<Package ID>**. - The following is an example of a user configuration file: + The following is an example of a user configuration file: - <?xml version="1.0" ?> + <?xml version="1.0" ?> - <UserConfiguration PackageId=<Package ID> DisplayName=<Name of the Package> + <UserConfiguration PackageId=<Package ID> DisplayName=<Name of the Package> - xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> <ManagingAuthority TakeoverExtensionPointsFrom46="true" + xmlns="; <ManagingAuthority TakeoverExtensionPointsFrom46="true" - PackageName=<Package ID> + PackageName=<Package ID> - </UserConfiguration> + </UserConfiguration> -2. To add the App-V 5.1 package, type the following in an elevated PowerShell command prompt window: +2. To add the App-V 5.1 package, type the following in an elevated PowerShell command prompt window: - PS>**$pkg= Add-AppvClientPackage –Path** <Path to package location> + PS>**$pkg= Add-AppvClientPackage –Path** <Path to package location> - PS>**Publish-AppVClientPackage $pkg -DynamicUserConfiguration** <Path to the user configuration file> + PS>**Publish-AppVClientPackage $pkg -DynamicUserConfiguration** <Path to the user configuration file> -3. Open the application using FTAs or shortcuts now. The application should open using App-V 5.1. +3. Open the application using FTAs or shortcuts now. The application should open using App-V 5.1. 
- The App-V 4.6 package and the converted App-V 5.1 package are published to the user, but the FTAs and shortcuts for the applications have been assumed by the App-V 5.1 package. + The App-V 4.6 package and the converted App-V 5.1 package are published to the user, but the FTAs and shortcuts for the applications have been assumed by the App-V 5.1 package. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics @@ -57,9 +57,9 @@ This procedure assumes that you are running the latest version of App-V 4.6. [How to Revert Extension Points From an App-V 5.1 Package to an App-V 4.6 Package for a Specific User](how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-package-for-a-specific-user.md) -  + -  + diff --git a/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-51.md b/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-51.md index cde442951e..8a537ea939 100644 --- a/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-51.md +++ b/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-51.md @@ -158,9 +158,9 @@ This topic explains how to: [Operations for App-V 5.1](operations-for-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-beta.md b/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-beta.md index bb3e5bb221..db77297d82 100644 --- a/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-beta.md 
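Review bot: hunk @@ -24,31 of how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md repeats the broken attribute: `xmlns="http://schemas.microsoft.com/appv/2010/userconfiguration"> <ManagingAuthority` becomes `xmlns="; <ManagingAuthority`, dropping the URI, the closing quote and the `>` of the `<UserConfiguration ...>` start tag. Restore the `-` line's content so the sample stays valid XML; this is a whitespace-only change elsewhere and should be here too.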
+++ b/mdop/appv-v5/how-to-modify-an-existing-virtual-application-package-beta.md @@ -148,9 +148,9 @@ This topic explains how to: [Operations for App-V 5.0](operations-for-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/how-to-modify-app-v-50-client-configuration-using-the-admx-template-and-group-policy.md b/mdop/appv-v5/how-to-modify-app-v-50-client-configuration-using-the-admx-template-and-group-policy.md index b7e1e1b231..a70a6e6083 100644 --- a/mdop/appv-v5/how-to-modify-app-v-50-client-configuration-using-the-admx-template-and-group-policy.md +++ b/mdop/appv-v5/how-to-modify-app-v-50-client-configuration-using-the-admx-template-and-group-policy.md @@ -26,7 +26,7 @@ Use the App-V 5.0 ADMX template to configure App-V 5.0 client settings using the **Note**   Use the following link to download the App-V 5.0 **ADMX Templates**: . -   + 2. On the computer where you manage group Policy, typically the domain controller, copy the template **.admx** file to the following directory: **<Installation Drive> \\ Windows \\ PolicyDefinitions**. @@ -43,9 +43,9 @@ Use the App-V 5.0 ADMX template to configure App-V 5.0 client settings using the [About Client Configuration Settings](about-client-configuration-settings.md) -  + -  + diff --git a/mdop/appv-v5/how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md b/mdop/appv-v5/how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md index b28bc6c584..b316fe6660 100644 --- a/mdop/appv-v5/how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md +++ b/mdop/appv-v5/how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md 
@@ -26,7 +26,7 @@ Use the Microsoft Application Virtualization (App-V) 5.1 ADMX template to config **Note**   Use the following link to download the App-V 5.1 **ADMX Templates**: . -   + 2. On the computer where you manage group Policy, typically the domain controller, copy the template **.admx** file to the following directory: **<Installation Drive> \\ Windows \\ PolicyDefinitions**. @@ -43,9 +43,9 @@ Use the Microsoft Application Virtualization (App-V) 5.1 ADMX template to config [About Client Configuration Settings](about-client-configuration-settings51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-publish-a-package-by-using-the-management-console-50.md b/mdop/appv-v5/how-to-publish-a-package-by-using-the-management-console-50.md index 2072f02ad1..fb93be080c 100644 --- a/mdop/appv-v5/how-to-publish-a-package-by-using-the-management-console-50.md +++ b/mdop/appv-v5/how-to-publish-a-package-by-using-the-management-console-50.md @@ -22,7 +22,7 @@ Use the following procedure to publish an App-V 5.0 package. Once you publish a **Note**   The ability to enable only administrators to publish or unpublish packages (described below) is supported starting in App-V 5.0 SP3. -  + **To publish an App-V 5.0 package** @@ -51,9 +51,9 @@ The ability to enable only administrators to publish or unpublish packages (desc [How to Configure Access to Packages by Using the Management Console](how-to-configure-access-to-packages-by-using-the-management-console-50.md) -  + -  + diff --git a/mdop/appv-v5/how-to-publish-a-package-by-using-the-management-console-51.md b/mdop/appv-v5/how-to-publish-a-package-by-using-the-management-console-51.md index a5daad6419..9a64b6ff65 100644 --- a/mdop/appv-v5/how-to-publish-a-package-by-using-the-management-console-51.md +++ b/mdop/appv-v5/how-to-publish-a-package-by-using-the-management-console-51.md 
@@ -22,7 +22,7 @@ Use the following procedure to publish an App-V 5.1 package. Once you publish a **Note**   The ability to enable only administrators to publish or unpublish packages (described below) is supported starting in App-V 5.0 SP3. -  + **To publish an App-V 5.1 package** @@ -51,9 +51,9 @@ The ability to enable only administrators to publish or unpublish packages (desc [How to Configure Access to Packages by Using the Management Console](how-to-configure-access-to-packages-by-using-the-management-console-51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md index 6e4773ca5f..7c0d2eb7d4 100644 --- a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md +++ b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md 
@@ -19,7 +19,7 @@ Use the following procedure to revert an App-V 5.0 package to the App-V file for **To revert a package** -1. Ensure that App-V 4.6 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.0 package using the following migration method, [How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.0 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md). +1. Ensure that App-V 4.6 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.0 package using the following migration method, [How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.0 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-50-for-a-specific-user.md). In the **userConfiguration** section of the deployment configuration file for the converted package, to set the policy, make the following update to the **userConfiguration** section: **ManagingAuthority TakeoverExtensionPointsFrom46="false" PackageName=<Package ID>** 
@@ -27,23 +27,25 @@ Use the following procedure to revert an App-V 5.0 package to the App-V file for PS>**Publish-AppVClientPackage $pkg –DynamicUserConfigurationPath** <path to user configuration file> -3. Perform a publishing refresh, or wait for the next scheduled publishing refresh for the App-V 4.6. Open the application using FTAs or shortcuts. The Application should now open using App-V 4.6 SP2. +3. Perform a publishing refresh, or wait for the next scheduled publishing refresh for the App-V 4.6. Open the application using FTAs or shortcuts. The Application should now open using App-V 4.6 SP2. - **Note**   + **Note** If you do not need the App-V 5.0 package anymore, you can unpublish the App-V 5.0 package and the extension points will automatically revert to App-V 4.6. -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Operations for App-V 5.0](operations-for-app-v-50.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-all-users-on-a-specific-computer.md b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-all-users-on-a-specific-computer.md index 430fcc0f18..eb3e8e7dfb 100644 --- a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-all-users-on-a-specific-computer.md 
+++ b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-all-users-on-a-specific-computer.md @@ -17,11 +17,11 @@ ms.date: 06/21/2016 *Note:** App-V 4.6 has exited Mainstream support. The following assumes that the App-V 4.6 SP3 client is already installed. -Use the following procedure to revert extension points from an App-V 5.0 package to the App-V 4.6 file format using the deployment configuration file. +Use the following procedure to revert extension points from an App-V 5.0 package to the App-V 4.6 file format using the deployment configuration file. **To revert a package** -1. Ensure that App-V 4.6 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.0 package using the following migration method, [How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.0 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md). +1. Ensure that App-V 4.6 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.0 package using the following migration method, [How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.0 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-50-package-for-all-users-on-a-specific-computer.md). In the **userConfiguration** section of the deployment configuration file for the converted package, to set the policy, make the following update to the **userConfiguration** section: **ManagingAuthority TakeoverExtensionPointsFrom46="false" PackageName=<Package ID>** 
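Review bot: both changed lines in this @@ -17,11 hunk are whitespace-only, yet the context line directly above them, `*Note:** App-V 4.6 has exited Mainstream support.`, has unbalanced asterisks and renders as a stray `*Note:` followed by italic text rather than a bold note; since this page is being reformatted anyway, correct it to `**Note:** App-V 4.6 has exited Mainstream support.` so the support-status warning is actually visible to readers.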
@@ -31,25 +31,27 @@ Use the following procedure to revert extension points from an App-V 5.0 package PS>**Publish-AppVClientPackage $pkg –DynamicUserConfigurationType useDeploymentConfiguration** -3. Perform a publishing refresh, or wait for the next scheduled publishing refresh for the App-V 4.6 SP2 package. +3. Perform a publishing refresh, or wait for the next scheduled publishing refresh for the App-V 4.6 SP2 package. Open the application using FTAs or shortcuts. The Application should now open using App-V 4.6. - **Note**   - If you do not need the App-V 5.0 package anymore, you can unpublish the App-V 5.0 package and the extension points will automatically revert to App-V 4.6. + **Note** + If you do not need the App-V 5.0 package anymore, you can unpublish the App-V 5.0 package and the extension points will automatically revert to App-V 4.6. -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Operations for App-V 5.0](operations-for-app-v-50.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-package-for-a-specific-user.md b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-package-for-a-specific-user.md index 57a1c9adf1..b62aea5290 100644 --- a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-package-for-a-specific-user.md 
+++ b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-package-for-a-specific-user.md @@ -21,7 +21,7 @@ Use the following procedure to revert an App-V 5.1 package to the App-V file for **To revert a package** -1. Ensure that App-V 4.6 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.1 package using the following migration method, [How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md). +1. Ensure that App-V 4.6 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.1 package using the following migration method, [How to Migrate Extension Points From an App-V 4.6 Package to App-V 5.1 for a Specific User](how-to-migrate-extension-points-from-an-app-v-46-package-to-app-v-51-for-a-specific-user.md). In the **userConfiguration** section of the deployment configuration file for the converted package, to set the policy, make the following update to the **userConfiguration** section: **ManagingAuthority TakeoverExtensionPointsFrom46="false" PackageName=<Package ID>** 
@@ -29,23 +29,25 @@ Use the following procedure to revert an App-V 5.1 package to the App-V file for PS>**Publish-AppVClientPackage $pkg –DynamicUserConfigurationPath** <path to user configuration file> -3. Perform a publishing refresh, or wait for the next scheduled publishing refresh for the App-V 4.6. Open the application using FTAs or shortcuts. The Application should now open using App-V 4.6. +3. Perform a publishing refresh, or wait for the next scheduled publishing refresh for the App-V 4.6. Open the application using FTAs or shortcuts. The Application should now open using App-V 4.6. - **Note**   + **Note** If you do not need the App-V 5.1 package anymore, you can unpublish the App-V 5.1 package and the extension points will automatically revert to App-V 4.6. -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Operations for App-V 5.1](operations-for-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-package-for-all-users-on-a-specific-computer.md b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-package-for-all-users-on-a-specific-computer.md index fab74f6202..7c6b1455cf 100644 --- a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-package-for-all-users-on-a-specific-computer.md 
+++ b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-51-package-to-an-app-v-46-package-for-all-users-on-a-specific-computer.md @@ -17,11 +17,11 @@ ms.date: 06/21/2016 # How to Revert Extension Points from an App-V 5.1 Package to an App-V 4.6 Package For All Users on a Specific Computer -Use the following procedure to revert extension points from an App-V 5.1 package to the App-V 4.6 file format using the deployment configuration file. +Use the following procedure to revert extension points from an App-V 5.1 package to the App-V 4.6 file format using the deployment configuration file. **To revert a package** -1. Ensure that App-V 4.6 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.1 package using the following migration method, [How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md). +1. Ensure that App-V 4.6 package is published to the users but the FTAs and shortcuts have been assumed by App-V 5.1 package using the following migration method, [How to Migrate Extension Points From an App-V 4.6 Package to a Converted App-V 5.1 Package for All Users on a Specific Computer](how-to-migrate-extension-points-from-an-app-v-46-package-to-a-converted-app-v-51-package-for-all-users-on-a-specific-computer.md). In the **userConfiguration** section of the deployment configuration file for the converted package, to set the policy, make the following update to the **userConfiguration** section: **ManagingAuthority TakeoverExtensionPointsFrom46="false" PackageName=<Package ID>** 
@@ -31,25 +31,27 @@ Use the following procedure to revert extension points from an App-V 5.1 package PS>**Publish-AppVClientPackage $pkg –DynamicUserConfigurationType useDeploymentConfiguration** -3. Perform a publishing refresh, or wait for the next scheduled publishing refresh for the App-V 4.6 package. +3. Perform a publishing refresh, or wait for the next scheduled publishing refresh for the App-V 4.6 package. Open the application using FTAs or shortcuts. The Application should now open using App-V 4.6. - **Note**   - If you do not need the App-V 5.1 package anymore, you can unpublish the App-V 5.1 package and the extension points will automatically revert to App-V 4.6. + **Note** + If you do not need the App-V 5.1 package anymore, you can unpublish the App-V 5.1 package and the extension points will automatically revert to App-V 4.6. -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Operations for App-V 5.1](operations-for-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md index 9170bd64d9..5765532b2a 100644 --- a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md +++ b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md @@ -48,7 +48,7 @@ ms.date: 06/16/2016 -   + 2. Copy all required installation files to the computer that is running the sequencer. 
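Review bot: wrapping the `**Got a suggestion for App-V**? ... **Got an App-V issue?** ...` paragraph in `~~~` fences in this @@ -31,25 hunk turns a Markdown paragraph into a literal code block, so both links and the bold text will render as raw `[text](url)` and `**...**` source; the paragraph was an indented continuation of the note before, and the fix is to keep it as plain prose (indented under the list or at top level) with no fence at all. The same fenced-prose change is applied to the matching feedback paragraph in the @@ -27,23 hunk of the 5.0 per-user page, the @@ -31,25 hunk of the 5.0 all-users page and the @@ -29,23 hunk of the 5.1 per-user page, and the two 5.0 hunks additionally carry over the mis-split `**Got an App-V issu**e?`, which should be `**Got an App-V issue?**` as the 5.1 pages already have it.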
@@ -70,208 +70,224 @@ ms.date: 06/16/2016 3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. - **Important**   + **Important** If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. -   + 4. On the **Type of Application** page, click the **Standard Application (default)** check box, and then click **Next**. 5. On the **Select Installer** page, click **Browse** and specify the installation file for the application. - **Note**   + **Note** If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. -   - If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then Click **Next**. -6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V 5.0 Management Console. +~~~ +If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then Click **Next**. +~~~ - The **Primary Virtual Application Directory** displays the path where the application will be installed on target computers. To specify this location, select **Browse**. +6. 
On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V 5.0 Management Console. - **Note**   - Starting in App-V 5.0 SP3, the primary virtual application directory (PVAD) is hidden, but you can turn it back on. See [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-pvad-hidden). + The **Primary Virtual Application Directory** displays the path where the application will be installed on target computers. To specify this location, select **Browse**. -   + **Note** + Starting in App-V 5.0 SP3, the primary virtual application directory (PVAD) is hidden, but you can turn it back on. See [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-pvad-hidden). - **Important**   - The primary application virtual directory should match the installation location for the application that is being sequenced. For example, if you install Notepad to **C:\\Program Files\\Notepad**; you should configure **C:\\Program Files\\Notepad** as your primary virtual directory. Alternatively, you can choose to set **C:\\Notepad** as the primary virtual application directory, as long as during installation time, you configure the installer to install to **C:\\Notepad**. Editing the Application Virtualization path is an advanced configuration task. For most applications, the default path is recommended for the following reasons: - - Application Compatibility. Some virtualized applications will not function correctly, or will fail to open if the directories are not configured with identical virtual directory paths. - - Performance. Since no file system redirection is required, the runtime performance can improve. +~~~ +**Important** +The primary application virtual directory should match the installation location for the application that is being sequenced. 
For example, if you install Notepad to **C:\\Program Files\\Notepad**; you should configure **C:\\Program Files\\Notepad** as your primary virtual directory. Alternatively, you can choose to set **C:\\Notepad** as the primary virtual application directory, as long as during installation time, you configure the installer to install to **C:\\Notepad**. Editing the Application Virtualization path is an advanced configuration task. For most applications, the default path is recommended for the following reasons: -   +- Application Compatibility. Some virtualized applications will not function correctly, or will fail to open if the directories are not configured with identical virtual directory paths. - **Tip**   - It is recommended that prior to Sequencing an application, you open the associated installer to determine the default installation directory, and then configure that location as the **Primary Virtual Application Directory**. +- Performance. Since no file system redirection is required, the runtime performance can improve. -   - Click **Next**. -7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. +**Tip** +It is recommended that prior to Sequencing an application, you open the associated installer to determine the default installation directory, and then configure that location as the **Primary Virtual Application Directory**. - **Important**   - You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring. -   - Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** to locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. 
+Click **Next**. +~~~ -8. On the **Installation** page, wait while the sequencer configures the virtualized application package. +7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. -9. On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run. + **Important** + You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring. - **Note**   - To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step. -   - Click **Next**. +~~~ +Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** to locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. +~~~ + +8. On the **Installation** page, wait while the sequencer configures the virtualized application package. + +9. On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. 
To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run. + + **Note** + To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step. + + + +~~~ +Click **Next**. +~~~ 10. On the **Installation Report** page, you can review information about the virtualized application package you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. 11. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. To perform either of the following customizations, select **Customize**. - - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. - **Note**   - If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. 
This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application. + **Note** + If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application. + -   13. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and select the operating systems that can run this package. Click **Next**. - **Important**   - Make sure that the operating systems you specify here are supported by the application you are sequencing. + **Important** + Make sure that the operating systems you specify here are supported by the application you are sequencing. + -   14. The **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. - To save the package immediately, select **Save the package now** (default). Add optional **Comments** to be associated with the package. Comments are useful for identifying the program version and other information about the package. + To save the package immediately, select **Save the package now** (default). Add optional **Comments** to be associated with the package. Comments are useful for identifying the program version and other information about the package. 
- **Important**   - The system does not support non-printable characters in **Comments** and **Descriptions**. + **Important** + The system does not support non-printable characters in **Comments** and **Descriptions**. -   - The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. + +~~~ +The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. +~~~ 15. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then click **Close**. This information is also available in the **Report.xml** file that is located in the directory where the package was created. - The package is now available in the sequencer. + The package is now available in the sequencer. + + **Important** + After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. - **Important**   - After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. -   **To sequence an add-on or plug-in application** 1. - **Note**   + **Note** Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer. For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that is running the sequencer. Also install the parent application in the same directory where the application is installed on target computers. 
If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package. -   - On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. -2. ****In the sequencer, click **Create a New Virtual Application Package**. Select **Create Package (default)**, and then click **Next**. +~~~ +On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. +~~~ -3. On the **Prepare Computer** page, review the issues that might cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. +2. *In the sequencer, click *Create a New Virtual Application Package. Select **Create Package (default)**, and then click **Next**. - **Important**   - If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. +3. On the **Prepare Computer** page, review the issues that might cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. 
-   + **Important** + If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. -4. On the **Type of Application** page, select **Add-on or Plug-in**, and then click **Next**. -5. On the **Select Installer** page, click **Browse** and specify the installation file for the add-on or plug-in. If the add-on or plug-in does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. -6. On the **Install Primary** page, ensure that the primary application is installed on the computer that runs the sequencer. Alternatively, you can expand an existing package that has been saved locally on the computer that runs the sequencer. To do this, click **Expand Package**, and then select the package. After you have expanded or installed the parent program, select **I have installed the primary parent program**. +4. On the **Type of Application** page, select **Add-on or Plug-in**, and then click **Next**. - Click **Next**. +5. On the **Select Installer** page, click **Browse** and specify the installation file for the add-on or plug-in. If the add-on or plug-in does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. -7. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will be displayed in the App-V 5.0 Management Console. The **Primary Virtual Application Directory** displays the path where the application will be installed. To specify this location, type the path, or click **Browse**. +6. 
On the **Install Primary** page, ensure that the primary application is installed on the computer that runs the sequencer. Alternatively, you can expand an existing package that has been saved locally on the computer that runs the sequencer. To do this, click **Expand Package**, and then select the package. After you have expanded or installed the parent program, select **I have installed the primary parent program**. - **Note**   - Starting in App-V 5.0 SP3, the primary virtual application directory (PVAD) is hidden, but you can turn it back on. See [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-pvad-hidden). + Click **Next**. -   +7. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will be displayed in the App-V 5.0 Management Console. The **Primary Virtual Application Directory** displays the path where the application will be installed. To specify this location, type the path, or click **Browse**. - Click **Next**. + **Note** + Starting in App-V 5.0 SP3, the primary virtual application directory (PVAD) is hidden, but you can turn it back on. See [About App-V 5.0 SP3](about-app-v-50-sp3.md#bkmk-pvad-hidden). -8. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the plug-in or add-in application so the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. -9. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. 
For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. + +~~~ +Click **Next**. +~~~ + +8. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the plug-in or add-in application so the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. + +9. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. 10. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. - - Optimize how the package will run across a slow or unreliable network. + - Optimize how the package will run across a slow or unreliable network. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. 
You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. - **Note**   - If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. + **Note** + If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. + -   12. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box, and then select the operating systems that can run this package. Click **Next**. 13. The **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor** check box. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. - To save the package immediately, select **Save the package now**. Optionally, add a **Description** that will be associated with the package. Descriptions are useful for identifying the version and other information about the package. + To save the package immediately, select **Save the package now**. Optionally, add a **Description** that will be associated with the package. Descriptions are useful for identifying the version and other information about the package. 
- **Important**   - The system does not support non-printable characters in Comments and Descriptions. + **Important** + The system does not support non-printable characters in Comments and Descriptions. -   - The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. + +~~~ +The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. +~~~ **To sequence a middleware application** -1. On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. +1. On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. -2. ****In the sequencer, click **Create a New Virtual Application Package**. Select **Create Package (default)**, and then click **Next**. +2. *In the sequencer, click *Create a New Virtual Application Package. Select **Create Package (default)**, and then click **Next**. -3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. +3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. 
- **Important**   - If you are required to disable virus scanning software, you should first scan the computer that runs the App-V 5.0 Sequencer in order to ensure that no unwanted or malicious files can be added to the package. + **Important** + If you are required to disable virus scanning software, you should first scan the computer that runs the App-V 5.0 Sequencer in order to ensure that no unwanted or malicious files can be added to the package. -   -4. On the **Type of Application** page, select **Middleware**, and then click **Next**. -5. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. +4. On the **Type of Application** page, select **Middleware**, and then click **Next**. -6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V 5.0 Management Console. The **Primary Virtual Application Directory** displays the path where the application will be installed. To specify this location, type the path or click **Browse**. +5. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. - Click **Next**. +6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. 
The package name is displayed in the App-V 5.0 Management Console. The **Primary Virtual Application Directory** displays the path where the application will be installed. To specify this location, type the path or click **Browse**. -7. On the **Installation** page, when the sequencer and middleware application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. + Click **Next**. -8. On the **Installation** page, wait while the sequencer configures the virtual application package. +7. On the **Installation** page, when the sequencer and middleware application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. -9. On the **Installation Report** page, you can review information about the virtual application package that you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. +8. On the **Installation** page, wait while the sequencer configures the virtual application package. + +9. On the **Installation Report** page, you can review information about the virtual application package that you have just sequenced. 
In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. 10. On the **Target OS** page, specify the operating systems that can run this package. To enable all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box and select the operating systems that can run this package. Click **Next**. 
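Review bot: the `~~~` fences introduced around list-continuation paragraphs in this hunk (`+~~~`, `+Click **Next**.`, `+~~~` after step 7, and the same wrapper around `The default **Save Location** is also displayed on this page...` in step 13) turn plain prose into literal code blocks: the `**...**` markup is shown verbatim, the paragraph is no longer part of the numbered step, and the list numbering restarts after the fence. Keep these as 4-space-indented paragraphs under their list item instead of fencing them. The rewrite of step 2 from `****In the sequencer, click **Create a New Virtual Application Package**.` to `*In the sequencer, click *Create a New Virtual Application Package.` also regresses: the stray empty bold was harmless, but the new unbalanced single asterisks italicize "In the sequencer, click " and drop the bold from the menu item name. Use `2. In the sequencer, click **Create a New Virtual Application Package**.`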
@@ -279,32 +295,36 @@ ms.date: 06/16/2016 To save the package immediately, select **Save the package now**. Optionally, add a **Description** to be associated with the package. Descriptions are useful for identifying the program version and other information about the package. - **Important**   + **Important** The system does not support non-printable characters in Comments and Descriptions. -   - The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. + +~~~ +The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. +~~~ 12. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then click **Close**. This information is also available in the **Report.xml** file that is located in the directory specified in step 11 of this procedure. - The package is now available in the sequencer. To edit the package properties, click **Edit \[Package Name\]**. + The package is now available in the sequencer. To edit the package properties, click **Edit \[Package Name\]**. - **Important**   - After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. + **Important** + After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? 
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Operations for App-V 5.0](operations-for-app-v-50.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md index fabc1035f8..d836a5126f 100644 --- a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md +++ b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md @@ -48,7 +48,7 @@ ms.date: 06/16/2016 -   + 2. Copy all required installation files to the computer that is running the sequencer. 
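Review bot: in the `@@ -279,32 +295,36 @@` hunk the same fencing problem hits the page footer: `+~~~`, `+**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/...)`, `+~~~` renders the bold and the two links as literal text, so the UserVoice and TechNet forum links stop being clickable; the `The default **Save Location**...` paragraph under step 11 is fenced the same way. Leave the footer as an ordinary paragraph and keep the Save Location paragraph indented under step 11. While this line is being touched, the bold boundary in `**Got an App-V issu**e?` should be corrected to `**Got an App-V issue?**`.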
@@ -74,142 +74,154 @@ ms.date: 06/16/2016 > [!IMPORTANT] > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. -   - > [!NOTE] - > There is currently no way to disable Windows Defender in Windows 10. If you receive a warning, you can safely ignore it. It is unlikely that Windows Defender will affect sequencing at all. -   +~~~ +> [!NOTE] +> There is currently no way to disable Windows Defender in Windows 10. If you receive a warning, you can safely ignore it. It is unlikely that Windows Defender will affect sequencing at all. +~~~ -4. On the **Type of Application** page, click the **Standard Application (default)** check box, and then click **Next**. -5. On the **Select Installer** page, click **Browse** and specify the installation file for the application. - > [!NOTE] - > If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. +4. On the **Type of Application** page, click the **Standard Application (default)** check box, and then click **Next**. -   +5. On the **Select Installer** page, click **Browse** and specify the installation file for the application. - If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then Click **Next**. + > [!NOTE] + > If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. -6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V 5.0 Management Console. - Click **Next**. 
-7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. +~~~ +If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then Click **Next**. +~~~ - > [!IMPORTANT] - > You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring. +6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V 5.0 Management Console. -   + Click **Next**. - Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** to locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. +7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. -8. On the **Installation** page, wait while the sequencer configures the virtualized application package. + > [!IMPORTANT] + > You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring. -9. On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. 
To run specific programs, select the program or programs, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run. - > [!NOTE] - > To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step. -   +~~~ +Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** to locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. +~~~ - Click **Next**. +8. On the **Installation** page, wait while the sequencer configures the virtualized application package. + +9. On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run. + + > [!NOTE] + > To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step. + + + +~~~ +Click **Next**. +~~~ 10. On the **Installation Report** page, you can review information about the virtualized application package you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. 11. The **Customize** page is displayed. 
If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. To perform either of the following customizations, select **Customize**. - - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. - > [!NOTE] - > If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application. + > [!NOTE] + > If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application. + -   13. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and select the operating systems that can run this package. 
Click **Next**. - > [!IMPORTANT] - > Make sure that the operating systems you specify here are supported by the application you are sequencing. + > [!IMPORTANT] + > Make sure that the operating systems you specify here are supported by the application you are sequencing. + -   14. The **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. - To save the package immediately, select **Save the package now** (default). Add optional **Comments** to be associated with the package. Comments are useful for identifying the program version and other information about the package. + To save the package immediately, select **Save the package now** (default). Add optional **Comments** to be associated with the package. Comments are useful for identifying the program version and other information about the package. - > [!IMPORTANT] - > The system does not support non-printable characters in **Comments** and **Descriptions**. + > [!IMPORTANT] + > The system does not support non-printable characters in **Comments** and **Descriptions**. -   - The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. + +~~~ +The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. +~~~ 15. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then click **Close**. This information is also available in the **Report.xml** file that is located in the directory where the package was created. - The package is now available in the sequencer. + The package is now available in the sequencer. 
+ + > [!IMPORTANT] + > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. - > [!IMPORTANT] - > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. -   **To sequence an add-on or plug-in application** -1. > [!NOTE] - > Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer. - > - > For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that is running the sequencer. Also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package. +1. > [!NOTE] + > Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer. + > + > For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that is running the sequencer. Also install the parent application in the same directory where the application is installed on target computers. 
If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package. -   - On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. -2. ****In the sequencer, click **Create a New Virtual Application Package**. Select **Create Package (default)**, and then click **Next**. +~~~ +On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. +~~~ -3. On the **Prepare Computer** page, review the issues that might cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. +2. *In the sequencer, click *Create a New Virtual Application Package. Select **Create Package (default)**, and then click **Next**. - > [!IMPORTANT] - > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. +3. On the **Prepare Computer** page, review the issues that might cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. 
-   + > [!IMPORTANT] + > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. -4. On the **Type of Application** page, select **Add-on or Plug-in**, and then click **Next**. -5. On the **Select Installer** page, click **Browse** and specify the installation file for the add-on or plug-in. If the add-on or plug-in does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. -6. On the **Install Primary** page, ensure that the primary application is installed on the computer that runs the sequencer. Alternatively, you can expand an existing package that has been saved locally on the computer that runs the sequencer. To do this, click **Expand Package**, and then select the package. After you have expanded or installed the parent program, select **I have installed the primary parent program**. +4. On the **Type of Application** page, select **Add-on or Plug-in**, and then click **Next**. - Click **Next**. +5. On the **Select Installer** page, click **Browse** and specify the installation file for the add-on or plug-in. If the add-on or plug-in does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. -7. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will be displayed in the App-V 5.0 Management Console. +6. On the **Install Primary** page, ensure that the primary application is installed on the computer that runs the sequencer. 
Alternatively, you can expand an existing package that has been saved locally on the computer that runs the sequencer. To do this, click **Expand Package**, and then select the package. After you have expanded or installed the parent program, select **I have installed the primary parent program**. - Click **Next**. + Click **Next**. -8. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the plug-in or add-in application so the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. +7. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will be displayed in the App-V 5.0 Management Console. -9. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. + Click **Next**. + +8. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the plug-in or add-in application so the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. + +9. 
On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. 10. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. - - Optimize how the package will run across a slow or unreliable network. + - Optimize how the package will run across a slow or unreliable network. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. > [!NOTE] > If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. -   + 12. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. 
To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box, and then select the operating systems that can run this package. Click **Next**. 
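Review bot: this hunk fences six separate continuation paragraphs (`> [!NOTE] > There is currently no way to disable Windows Defender in Windows 10...`, `If the application does not have an associated installer file...`, `Use the application's installation process to perform the installation...`, `Click **Next**.`, `The default **Save Location** is also displayed...`, and `On the computer that runs the sequencer, click **All Programs**...`) in `~~~` instead of indenting them under their list items. For the Windows Defender note this is more than cosmetic: a `> [!NOTE]` callout inside a code fence renders as the literal text `> [!NOTE]`, so the guidance that the Defender warning can be ignored, which sits directly under the Important about scanning the sequencer before disabling virus scanning, loses its callout rendering; the same applies to the `> [!NOTE]` about ACL changes not being captured, whose following paragraph is now split off into a fence. In the add-on procedure, step 1 (`1. > [!NOTE]`) now has its actual instruction, the "On the computer that runs the sequencer..." sentence, inside a fence after the note, so step 1 reads as a note with no action. Step 2 repeats the `*In the sequencer, click *Create a New Virtual Application Package.` unbalanced-asterisk regression. Revert all of these to 4-space indentation under the owning step and write step 2 as `2. In the sequencer, click **Create a New Virtual Application Package**.`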
@@ -220,36 +232,38 @@ ms.date: 06/16/2016 > [!IMPORTANT] > The system does not support non-printable characters in Comments and Descriptions. -   - The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. + +~~~ +The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. +~~~ **To sequence a middleware application** -1. On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. +1. On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. -2. ****In the sequencer, click **Create a New Virtual Application Package**. Select **Create Package (default)**, and then click **Next**. +2. *In the sequencer, click *Create a New Virtual Application Package. Select **Create Package (default)**, and then click **Next**. -3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. +3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. 
- > [!IMPORTANT] - > If you are required to disable virus scanning software, you should first scan the computer that runs the App-V 5.0 Sequencer in order to ensure that no unwanted or malicious files can be added to the package. + > [!IMPORTANT] + > If you are required to disable virus scanning software, you should first scan the computer that runs the App-V 5.0 Sequencer in order to ensure that no unwanted or malicious files can be added to the package. -   -4. On the **Type of Application** page, select **Middleware**, and then click **Next**. -5. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. +4. On the **Type of Application** page, select **Middleware**, and then click **Next**. -6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V 5.0 Management Console. +5. On the **Select Installer** page, click **Browse** and specify the installation file for the application. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Select this option to perform a custom installation** check box, and then click **Next**. - Click **Next**. +6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V 5.0 Management Console. -7. 
On the **Installation** page, when the sequencer and middleware application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. + Click **Next**. -8. On the **Installation** page, wait while the sequencer configures the virtual application package. +7. On the **Installation** page, when the sequencer and middleware application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. -9. On the **Installation Report** page, you can review information about the virtual application package that you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. +8. On the **Installation** page, wait while the sequencer configures the virtual application package. + +9. On the **Installation Report** page, you can review information about the virtual application package that you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. 10. On the **Target OS** page, specify the operating systems that can run this package. 
To enable all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box and select the operating systems that can run this package. Click **Next**. 
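Review bot: in the how-to-sequence-a-new-application-with-app-v-51.md hunk at @@ -220, the rewritten step 2 breaks the emphasis markup: `+2. *In the sequencer, click *Create a New Virtual Application Package. Select **Create Package (default)**, ...` italicises the lead-in text and leaves the menu item unformatted. The intent was only to drop the stray leading `****`, so the line should read `2. In the sequencer, click **Create a New Virtual Application Package**. Select **Create Package (default)**, and then click **Next**.` Separately, wrapping the Save Location paragraph in `~~~` fences turns prose into a literal code block (the `**Save Location**` and `**Browse**` markers will render verbatim), and because the fence sits at column 0 it terminates the numbered list it belongs to; keep that paragraph as an indented continuation of the preceding step and only strip the trailing non-breaking spaces.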
@@ -257,32 +271,36 @@ ms.date: 06/16/2016 To save the package immediately, select **Save the package now**. Optionally, add a **Description** to be associated with the package. Descriptions are useful for identifying the program version and other information about the package. - > [!IMPORTANT]   + > [!IMPORTANT] > The system does not support non-printable characters in Comments and Descriptions. -   - The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. + +~~~ +The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. +~~~ 12. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then click **Close**. This information is also available in the **Report.xml** file that is located in the directory specified in step 11 of this procedure. - The package is now available in the sequencer. To edit the package properties, click **Edit \[Package Name\]**. + The package is now available in the sequencer. To edit the package properties, click **Edit \[Package Name\]**. - > [!IMPORTANT]   - > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. + > [!IMPORTANT] + > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? 
Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Operations for App-V 5.1](operations-for-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-sequence-a-package--by-using-powershell-50.md b/mdop/appv-v5/how-to-sequence-a-package--by-using-powershell-50.md index 166479c9c7..17f4bffcb4 100644 --- a/mdop/appv-v5/how-to-sequence-a-package--by-using-powershell-50.md +++ b/mdop/appv-v5/how-to-sequence-a-package--by-using-powershell-50.md @@ -22,7 +22,7 @@ Use the following procedure to create a new App-V 5.0 package using PowerShell. **Note**   Before you use this procedure you must copy the associated installer files to the computer running the sequencer and you have read and understand the sequencer section of [Planning for the App-V 5.0 Sequencer and Client Deployment](planning-for-the-app-v-50-sequencer-and-client-deployment.md). -  + **To create a new virtual application using PowerShell** @@ -67,9 +67,9 @@ Before you use this procedure you must copy the associated installer files to th [Administering App-V by Using PowerShell](administering-app-v-by-using-powershell.md) -  + -  + diff --git a/mdop/appv-v5/how-to-sequence-a-package--by-using-powershell-51.md b/mdop/appv-v5/how-to-sequence-a-package--by-using-powershell-51.md index 59e1460132..a4804fc73e 100644 --- a/mdop/appv-v5/how-to-sequence-a-package--by-using-powershell-51.md +++ b/mdop/appv-v5/how-to-sequence-a-package--by-using-powershell-51.md 
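Review bot: in the @@ -257 hunk of how-to-sequence-a-new-application-with-app-v-51.md, the `~~~` fences added around the Save Location paragraph and around the `**Got a suggestion for App-V**?` paragraph convert prose into literal code blocks: the bold markers and the two markdown links (the UserVoice forum and the App-V TechNet Forum) will render as raw text rather than as links, and the unindented fence placed before step 12 ends the numbered list, so step 12 will no longer render as an item of the procedure. Reverting to the indented prose paragraphs and dropping only the trailing non-breaking spaces keeps the rendering intact.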
@@ -22,7 +22,7 @@ Use the following procedure to create a new App-V 5.1 package using PowerShell. **Note**   Before you use this procedure you must copy the associated installer files to the computer running the sequencer and you have read and understand the sequencer section of [Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md). -  + **To create a new virtual application using PowerShell** @@ -67,9 +67,9 @@ Before you use this procedure you must copy the associated installer files to th [Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md) -  + -  + diff --git a/mdop/appv-v5/how-to-uninstall-the-app-v-50-client.md b/mdop/appv-v5/how-to-uninstall-the-app-v-50-client.md index 24fc308041..3923ff9ea3 100644 --- a/mdop/appv-v5/how-to-uninstall-the-app-v-50-client.md +++ b/mdop/appv-v5/how-to-uninstall-the-app-v-50-client.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 Use the following procedure to uninstall the App-V 5.0 client from a computer. When you uninstall the App-V 5.0 client all packages published to the computer running the client are also removed. If the uninstall operation does not complete the packages will need to be re-published to the computer running the App-V 5.0 client. -**Important**   +**Important** You should ensure that the App-V 5.0 client service is running prior to performing the uninstall procedure. -  + **To uninstall the App-V 5.0 Client** 
@@ -30,28 +30,30 @@ You should ensure that the App-V 5.0 client service is running prior to performi 2. In the dialog box that appears, click **Yes** to continue with the uninstall process. - **Important**   + **Important** The uninstall process cannot be canceled or interrupted. -   + 3. A progress bar shows the time remaining. When this step finishes, you must restart the computer so that all associated drivers can be stopped to complete the uninstall process. - **Note**   + **Note** You can also use the command line to uninstall the App-V 5.0 client with the following switch: **/UNINSTALL**. -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issu**e? Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Deploying App-V 5.0](deploying-app-v-50.md) -  - -  + + + diff --git a/mdop/appv-v5/how-to-uninstall-the-app-v-51-client.md b/mdop/appv-v5/how-to-uninstall-the-app-v-51-client.md index d5e1a81c49..119e3fda37 100644 --- a/mdop/appv-v5/how-to-uninstall-the-app-v-51-client.md +++ b/mdop/appv-v5/how-to-uninstall-the-app-v-51-client.md 
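Review bot: in the how-to-uninstall-the-app-v-50-client.md hunk at @@ -30, the suggestion/forum paragraph is wrapped in `~~~` fences, which renders its two markdown links and bold markers literally; it should stay as indented prose under step 3. Since the line is being rewritten anyway, the misplaced bold in `**Got an App-V issu**e?` should be corrected to `**Got an App-V issue?**`, which is the form already used in the 5.1 sibling topic in this same patch.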
@@ -19,10 +19,10 @@ ms.date: 06/16/2016 Use the following procedure to uninstall the Microsoft Application Virtualization (App-V) 5.1 client from a computer. When you uninstall the App-V 5.1 client all packages published to the computer running the client are also removed. If the uninstall operation does not complete the packages will need to be re-published to the computer running the App-V 5.1 client. -**Important**   +**Important** You should ensure that the App-V 5.1 client service is running prior to performing the uninstall procedure. -  + **To uninstall the App-V 5.1 Client** @@ -30,28 +30,30 @@ You should ensure that the App-V 5.1 client service is running prior to performi 2. In the dialog box that appears, click **Yes** to continue with the uninstall process. - **Important**   + **Important** The uninstall process cannot be canceled or interrupted. -   + 3. A progress bar shows the time remaining. When this step finishes, you must restart the computer so that all associated drivers can be stopped to complete the uninstall process. - **Note**   + **Note** You can also use the command line to uninstall the App-V 5.1 client with the following switch: **/UNINSTALL**. -   - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). + +~~~ +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +~~~ ## Related topics [Deploying App-V 5.1](deploying-app-v-51.md) -  - -  + + + 
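Review bot: in the how-to-uninstall-the-app-v-51-client.md hunk at @@ -30, the `~~~` fence added around the `**Got a suggestion for App-V**?` paragraph turns the forum links and bold text into a literal code block and also pulls the paragraph out of the numbered list it was indented under. Keep the paragraph as indented prose and only strip the trailing non-breaking spaces on that line.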
diff --git a/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-51-application.md b/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-51-application.md index 41e26ad7ba..06eb564ecc 100644 --- a/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-51-application.md +++ b/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-51-application.md @@ -40,9 +40,9 @@ This procedure assumes that you are running the latest version of App-V 4.6. [Operations for App-V 5.1](operations-for-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md index 7b22ca4a8e..3f0e318e6e 100644 --- a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md +++ b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups.md @@ -22,7 +22,7 @@ Starting in Microsoft Application Virtualization (App-V) 5.0 SP3, you can add op **Note**   **Optional packages are supported only in App-V 5.0 SP3.** -  + Before using optional packages, see [Requirements for using optional packages in connection groups](#bkmk-reqs-using-cg). @@ -39,19 +39,19 @@ Before using optional packages, see [Requirements for using optional packages in -

    [Use one connection group, with optional packages, for multiple users who have different packages entitled to them](#bkmk-apps-plugs-optional)

    +

    Use one connection group, with optional packages, for multiple users who have different packages entitled to them

    Use a single connection group to make different groups of applications and plug-ins available to different end users.

    For example, you want to distribute Microsoft Office to all end users, but distribute different plug-ins to different subsets of users.

    -

    [Unpublish or delete an optional package, or unpublish an optional package and republish it later, without changing the connection group](#bkmk-unpub-del-optl-pkg)

    +

    Unpublish or delete an optional package, or unpublish an optional package and republish it later, without changing the connection group

    Unpublish, delete, or republish an optional package without having to disable, remove, edit, add, and re-enable the connection group on the App-V Client.

    You can also unpublish the optional package and republish it later without having to disable or republish the connection group.

    -  + ## Use one connection group, with optional packages, for multiple users with different packages entitled to them @@ -119,7 +119,7 @@ Before using optional packages, see [Requirements for using optional packages in

    Example connection group XML document with optional packages:

    <?xml version="1.0" ?>
     <AppConnectionGroup
    -   xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
    +   xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
        AppConnectionGroupId="8105CCD5-244B-4BA1-8888-E321E688D2CB"
        VersionId="84CE3797-F1CB-4475-A223-757918929EB4"
        DisplayName="Contoso Software Connection Group" >
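Review bot: in the how-to-use-optional-packages-in-connection-groups.md hunk at @@ -119, the changed line `xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";` introduces a stray semicolon after the attribute value, which makes the sample connection group XML not well-formed (an attribute value must be followed by whitespace or the tag close, not `;`); anyone who copies the example into a connection group file will get a parse error on load. Revert to the original line without the `;`.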
    @@ -165,7 +165,7 @@ Before using optional packages, see [Requirements for using optional packages in
     
     
     
    - 
    + 
     
     ## Unpublish or delete an optional package, or unpublish an optional package and republish it later, without changing the connection group
     
    @@ -213,7 +213,7 @@ Before using optional packages, see [Requirements for using optional packages in
     
  • Unpublish-AppvClientPackage

  • Remove-AppvClientPackage

  • -

    For more information, see [How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md).

    +

    For more information, see How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell.

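Review bot: in the @@ -213 hunk of how-to-use-optional-packages-in-connection-groups.md, the replacement drops the cross-reference: `For more information, see [How to Manage App-V 5.0 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-50-packages-running-on-a-stand-alone-computer-by-using-powershell.md).` becomes plain text with no link target. Unless the link is carried elsewhere in that cell, the hyperlink should be kept while the surrounding whitespace is cleaned up.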
    @@ -232,7 +232,7 @@ Before using optional packages, see [Requirements for using optional packages in -  + ## Requirements for using optional packages in connection groups @@ -279,7 +279,7 @@ Review the following requirements before using optional packages in connection g -  + @@ -291,9 +291,9 @@ Review the following requirements before using optional packages in connection g [Managing Connection Groups](managing-connection-groups.md) -  + -  + diff --git a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md index ccbdd3a25b..d507575d2e 100644 --- a/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md +++ b/mdop/appv-v5/how-to-use-optional-packages-in-connection-groups51.md @@ -22,7 +22,7 @@ Starting in Microsoft Application Virtualization (App-V) 5.0 SP3, you can add op **Note**   **Optional packages are not supported in releases prior to App-V 5.0 SP3.** -  + Before using optional packages, see [Requirements for using optional packages in connection groups](#bkmk-reqs-using-cg). @@ -39,19 +39,19 @@ Before using optional packages, see [Requirements for using optional packages in -

    [Use one connection group, with optional packages, for multiple users who have different packages entitled to them](#bkmk-apps-plugs-optional)

    +

    Use one connection group, with optional packages, for multiple users who have different packages entitled to them

    Use a single connection group to make different groups of applications and plug-ins available to different end users.

    For example, you want to distribute Microsoft Office to all end users, but distribute different plug-ins to different subsets of users.

    -

    [Unpublish or delete an optional package, or unpublish an optional package and republish it later, without changing the connection group](#bkmk-unpub-del-optl-pkg)

    +

    Unpublish or delete an optional package, or unpublish an optional package and republish it later, without changing the connection group

    Unpublish, delete, or republish an optional package without having to disable, remove, edit, add, and re-enable the connection group on the App-V Client.

    You can also unpublish the optional package and republish it later without having to disable or republish the connection group.

    -  + ## Use one connection group, with optional packages, for multiple users with different packages entitled to them @@ -118,7 +118,7 @@ Before using optional packages, see [Requirements for using optional packages in

    Example connection group XML document with optional packages:

    <?xml version="1.0" ?>
     <AppConnectionGroup
    -   xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"
    +   xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup";
        AppConnectionGroupId="8105CCD5-244B-4BA1-8888-E321E688D2CB"
        VersionId="84CE3797-F1CB-4475-A223-757918929EB4"
        DisplayName="Contoso Software Connection Group" >
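Review bot: in the how-to-use-optional-packages-in-connection-groups51.md hunk at @@ -118, the same stray `;` is appended after the `xmlns="http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup"` attribute, leaving the sample XML malformed; the `+` line should match the original `-` line exactly.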
    @@ -164,7 +164,7 @@ Before using optional packages, see [Requirements for using optional packages in
     
     
     
    - 
    + 
     
     ## Unpublish or delete an optional package, or unpublish an optional package and republish it later, without changing the connection group
     
    @@ -212,7 +212,7 @@ Before using optional packages, see [Requirements for using optional packages in
     
  • Unpublish-AppvClientPackage

  • Remove-AppvClientPackage

  • -

    For more information, see [How to Manage App-V 5.1 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md).

    +

    For more information, see How to Manage App-V 5.1 Packages Running on a Stand-Alone Computer by Using PowerShell.

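Review bot: in the @@ -212 hunk of how-to-use-optional-packages-in-connection-groups51.md, the link in `For more information, see [How to Manage App-V 5.1 Packages Running on a Stand-Alone Computer by Using PowerShell](how-to-manage-app-v-51-packages-running-on-a-stand-alone-computer-by-using-powershell.md).` is replaced by bare text; the reference to the PowerShell cmdlet topic should remain a hyperlink.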
    @@ -231,7 +231,7 @@ Before using optional packages, see [Requirements for using optional packages in -  + ## Requirements for using optional packages in connection groups @@ -278,7 +278,7 @@ Review the following requirements before using optional packages in connection g -  + @@ -290,9 +290,9 @@ Review the following requirements before using optional packages in connection g [Managing Connection Groups](managing-connection-groups51.md) -  + -  + diff --git a/mdop/appv-v5/managing-connection-groups.md b/mdop/appv-v5/managing-connection-groups.md index 9592d9da68..baca427994 100644 --- a/mdop/appv-v5/managing-connection-groups.md +++ b/mdop/appv-v5/managing-connection-groups.md @@ -22,7 +22,7 @@ Connection groups enable the applications within a package to interact with each **Note**   In previous versions of App-V 5.0, connection groups were referred to as Dynamic Suite Composition. -  + **In this topic:** @@ -33,33 +33,33 @@ In previous versions of App-V 5.0, connection groups were referred to as Dynamic -

    [About the Connection Group Virtual Environment](about-the-connection-group-virtual-environment.md)

    +

    About the Connection Group Virtual Environment

    Describes the connection group virtual environment.

    -

    [About the Connection Group File](about-the-connection-group-file.md)

    +

    About the Connection Group File

    Describes the connection group file.

    -

    [How to Create a Connection Group](how-to-create-a-connection-group.md)

    +

    How to Create a Connection Group

    Explains how to create a new connection group.

    -

    [How to Create a Connection Group with User-Published and Globally Published Packages](how-to-create-a-connection-group-with-user-published-and-globally-published-packages.md)

    +

    How to Create a Connection Group with User-Published and Globally Published Packages

    Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.

    -

    [How to Delete a Connection Group](how-to-delete-a-connection-group.md)

    +

    How to Delete a Connection Group

    Explains how to delete a connection group.

    -

    [How to Publish a Connection Group](how-to-publish-a-connection-group.md)

    +

    How to Publish a Connection Group

    Explains how to publish a connection group.

    -  + @@ -71,9 +71,9 @@ In previous versions of App-V 5.0, connection groups were referred to as Dynamic - [Operations for App-V 5.0](operations-for-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/managing-connection-groups51.md b/mdop/appv-v5/managing-connection-groups51.md index 4de9c37aee..06ecc8b46b 100644 --- a/mdop/appv-v5/managing-connection-groups51.md +++ b/mdop/appv-v5/managing-connection-groups51.md @@ -22,7 +22,7 @@ Connection groups enable the applications within a package to interact with each **Note**   In some previous versions of App-V, connection groups were referred to as Dynamic Suite Composition. -  + **In this topic:** @@ -33,33 +33,33 @@ In some previous versions of App-V, connection groups were referred to as Dynami -

    [About the Connection Group Virtual Environment](about-the-connection-group-virtual-environment51.md)

    +

    About the Connection Group Virtual Environment

    Describes the connection group virtual environment.

    -

    [About the Connection Group File](about-the-connection-group-file51.md)

    +

    About the Connection Group File

    Describes the connection group file.

    -

    [How to Create a Connection Group](how-to-create-a-connection-group51.md)

    +

    How to Create a Connection Group

    Explains how to create a new connection group.

    -

    [How to Create a Connection Group with User-Published and Globally Published Packages](how-to-create-a-connection-group-with-user-published-and-globally-published-packages51.md)

    +

    How to Create a Connection Group with User-Published and Globally Published Packages

    Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.

    -

    [How to Delete a Connection Group](how-to-delete-a-connection-group51.md)

    +

    How to Delete a Connection Group

    Explains how to delete a connection group.

    -

    [How to Publish a Connection Group](how-to-publish-a-connection-group51.md)

    +

    How to Publish a Connection Group

    Explains how to publish a connection group.

    -  + @@ -71,9 +71,9 @@ In some previous versions of App-V, connection groups were referred to as Dynami - [Operations for App-V 5.1](operations-for-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/migrating-from-a-previous-version-app-v-50.md b/mdop/appv-v5/migrating-from-a-previous-version-app-v-50.md index 925c56feaf..b990ad8485 100644 --- a/mdop/appv-v5/migrating-from-a-previous-version-app-v-50.md +++ b/mdop/appv-v5/migrating-from-a-previous-version-app-v-50.md @@ -24,7 +24,7 @@ Consider the following sections when you plan your migration strategy: **Note**   For more information about the differences between App-V 4.6 and App-V 5.0, see the **Differences between App-V 4.6 and App-V 5.0 section** of [About App-V 5.0](about-app-v-50.md). -  + ## Converting packages created using a prior version of App-V @@ -34,7 +34,7 @@ Use the package converter utility to upgrade virtual application packages create **Important**   After you convert an existing package you should test the package prior to deploying the package to ensure the conversion process was successful. -  + **What to know before you convert existing packages** @@ -60,7 +60,7 @@ After you convert an existing package you should test the package prior to deplo

    Virtual packages using DSC are not linked after conversion.

    -

    Link the packages using connection groups. See [Managing Connection Groups](managing-connection-groups.md).

    +

    Link the packages using connection groups. See Managing Connection Groups.

    Environment variable conflicts are detected during conversion.

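Review bot: in the migrating-from-a-previous-version-app-v-50.md hunk at @@ -60, the table row `Link the packages using connection groups. See [Managing Connection Groups](managing-connection-groups.md).` loses its link and becomes `See Managing Connection Groups.`; since the row exists to point readers at that topic, the link should be preserved.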
    @@ -73,7 +73,7 @@ After you convert an existing package you should test the package prior to deplo -  + When converting a package check for failing files or shortcuts. Locate the item in App-V 4.6 package. It could possibly be hard-coded path. Convert the path. @@ -82,7 +82,7 @@ It is recommended that you use the App-V 5.0 sequencer for converting critical a If a converted package does not open after you convert it, it is also recommended that you re-sequence the application using the App-V 5.0 sequencer. -  + [How to Convert a Package Created in a Previous Version of App-V](how-to-convert-a-package-created-in-a-previous-version-of-app-v.md) @@ -105,25 +105,25 @@ The following table displays the recommended method for upgrading clients.

    Upgrade your environment to App-V 4.6 SP2

    -

    [Application Virtualization Deployment and Upgrade Considerations](../appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md).

    +

    Application Virtualization Deployment and Upgrade Considerations.

    Install the App-V 5.0 client with co-existence enabled.

    -

    [How to Deploy the App-V 4.6 and the App-V 5.0 Client on the Same Computer](how-to-deploy-the-app-v-46-and-the-app-v--50-client-on-the-same-computer.md).

    +

    How to Deploy the App-V 4.6 and the App-V 5.0 Client on the Same Computer.

    Sequence and roll out App-V 5.0 packages. As needed, unpublish App-V 4.6 packages.

    -

    [How to Sequence a New Application with App-V 5.0](how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md).

    +

    How to Sequence a New Application with App-V 5.0.

    -  + **Important**   You must be running App-V 4.6 SP3 to use coexistence mode. Additionally, when you sequence a package, you must configure the Managing Authority setting, which is in the **User Configuration** is located in the **User Configuration** section. -  + ## Migrating the App-V 5.0 Server Full Infrastructure @@ -144,15 +144,15 @@ There is no direct method to upgrade to a full App-V 5.0 infrastructure. Use the

    Upgrade your environment to App-V 4.6 SP3.

    -

    [Application Virtualization Deployment and Upgrade Considerations](../appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md).

    +

    Application Virtualization Deployment and Upgrade Considerations.

    Deploy App-V 5.0 version of the client.

    -

    [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-gb18030.md).

    +

    How to Deploy the App-V Client.

    Install App-V 5.0 server.

    -

    [How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md).

    +

    How to Deploy the App-V 5.0 Server.

    Migrate existing packages.

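Review bot: in the @@ -144 hunk of migrating-from-a-previous-version-app-v-50.md, all three reference cells of the server-migration table lose their links: `[Application Virtualization Deployment and Upgrade Considerations](../appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md).`, `[How to Deploy the App-V Client](how-to-deploy-the-app-v-client-gb18030.md).` and `[How to Deploy the App-V 5.0 Server](how-to-deploy-the-app-v-50-server-50sp3.md).` become plain titles followed by a period. The table is a step-by-step migration path, so each step should keep its link to the procedure.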
    @@ -161,7 +161,7 @@ There is no direct method to upgrade to a full App-V 5.0 infrastructure. Use the -  + ## Additional Migration tasks @@ -189,9 +189,9 @@ You can also perform additional migration tasks such as reconfiguring end points [A simplified Microsoft App-V 5.1 Management Server upgrade procedure](https://go.microsoft.com/fwlink/p/?LinkId=786330) -  + -  + diff --git a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md index a392a1f2ff..33eb8f92b7 100644 --- a/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md +++ b/mdop/appv-v5/migrating-to-app-v-51-from-a-previous-version.md @@ -25,7 +25,7 @@ App-V 5.1 packages are exactly the same as App-V 5.0 packages. There has been no For more information about the differences between App-V 4.6 and App-V 5.1, see the **Differences between App-V 4.6 and App-V 5.0 section** of [About App-V 5.0](about-app-v-50.md). -  + ## Improvements to the App-V 5.1 Package Converter @@ -62,7 +62,7 @@ You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom -  + ### Example conversion statement @@ -168,7 +168,7 @@ ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\ -  + ## Converting packages created using a prior version of App-V @@ -178,7 +178,7 @@ Use the package converter utility to upgrade virtual application packages create **Important**   After you convert an existing package you should test the package prior to deploying the package to ensure the conversion process was successful. -  + **What to know before you convert existing packages** @@ -196,7 +196,7 @@ After you convert an existing package you should test the package prior to deplo

    Virtual packages using DSC are not linked after conversion.

    -

    Link the packages using connection groups. See [Managing Connection Groups](managing-connection-groups51.md).

    +

    Link the packages using connection groups. See Managing Connection Groups.

    Environment variable conflicts are detected during conversion.

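Review bot: in the migrating-to-app-v-51-from-a-previous-version.md hunk at @@ -196, the row `Link the packages using connection groups. See [Managing Connection Groups](managing-connection-groups51.md).` is rewritten without the link; keep the hyperlink to managing-connection-groups51.md.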
    @@ -209,7 +209,7 @@ After you convert an existing package you should test the package prior to deplo -  + When converting a package check for failing files or shortcuts. Locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path. @@ -218,7 +218,7 @@ It is recommended that you use the App-V 5.1 sequencer for converting critical a If a converted package does not open after you convert it, it is also recommended that you re-sequence the application using the App-V 5.1 sequencer. -  + [How to Convert a Package Created in a Previous Version of App-V](how-to-convert-a-package-created-in-a-previous-version-of-app-v51.md) @@ -241,25 +241,25 @@ The following table displays the recommended method for upgrading clients.

    Upgrade your environment to the latest version of App-V 4.6

    -

    [Application Virtualization Deployment and Upgrade Considerations](../appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md).

    +

    Application Virtualization Deployment and Upgrade Considerations.

    Install the App-V 5.1 client with co-existence enabled.

    -

    [How to Deploy the App-V 4.6 and the App-V 5.1 Client on the Same Computer](how-to-deploy-the-app-v-46-and-the-app-v--51-client-on-the-same-computer.md).

    +

    How to Deploy the App-V 4.6 and the App-V 5.1 Client on the Same Computer.

    Sequence and roll out App-V 5.1 packages. As needed, unpublish App-V 4.6 packages.

    -

    [How to Sequence a New Application with App-V 5.1](how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md).

    +

    How to Sequence a New Application with App-V 5.1.

    -  + **Important**   You must be running the latest version of App-V 4.6 to use coexistence mode. Additionally, when you sequence a package, you must configure the Managing Authority setting, which is in the **User Configuration** is located in the **User Configuration** section. -  + ## Migrating the App-V 5.1 Server Full Infrastructure @@ -280,15 +280,15 @@ There is no direct method to upgrade to a full App-V 5.1 infrastructure. Use the

    Upgrade your environment to the latest version of App-V 4.6.

    -

    [Application Virtualization Deployment and Upgrade Considerations](../appv-v4/application-virtualization-deployment-and-upgrade-considerations-copy.md).

    +

    Application Virtualization Deployment and Upgrade Considerations.

    Deploy App-V 5.1 version of the client.

    -

    [How to Deploy the App-V Client](how-to-deploy-the-app-v-client-51gb18030.md).

    +

    How to Deploy the App-V Client.

    Install App-V 5.1 server.

    -

    [How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md).

    +

    How to Deploy the App-V 5.1 Server.

    Migrate existing packages.

    @@ -297,7 +297,7 @@ There is no direct method to upgrade to a full App-V 5.1 infrastructure. Use the -  + ## Additional Migration tasks @@ -325,9 +325,9 @@ You can also perform additional migration tasks such as reconfiguring end points [A simplified Microsoft App-V 5.1 Management Server upgrade procedure](https://go.microsoft.com/fwlink/p/?LinkId=786330) -  + -  + diff --git a/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md b/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md index 25a6a2a7fc..1850499cde 100644 --- a/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md +++ b/mdop/appv-v5/performance-guidance-for-application-virtualization-50.md 
@@ -29,10 +29,10 @@ You should read and understand the following information before reading this doc - [Microsoft Application Virtualization 5.0 Sequencing Guide](https://go.microsoft.com/fwlink/?LinkId=269953) -**Note**   -Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk **\*** review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document. +**Note** +Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk **\\*** review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document. + -  Finally, this document will provide you with the information to configure the computer running App-V 5.0 client and the environment for optimal performance. Optimize your virtual application packages for performance using the sequencer, and to understand how to use User Experience Virtualization (UE-V) or other user environment management technologies to provide the optimal user experience with App-V 5.0 in both Remote Desktop Services (RDS) and non-persistent virtual desktop infrastructure (VDI). 
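Review bot: the `+**Note**` line drops the trailing spaces that markdown treats as a hard line break, so the bold `Note` and the sentence that follows it will now render as a single run-on paragraph; keep two trailing spaces or insert a blank line after `**Note**`, here and in the other `**Note**` / `**Important**` hunks in this change (including the identical hunk in `performance-guidance-for-application-virtualization-51.md`). The `**\*` to `**\\*` edit also changes what readers see: `\*` renders a literal asterisk, while `\\*` renders a literal backslash followed by a bare `*`, which can open emphasis instead of printing the asterisk the sentence describes, so the original `\*` appears to be the correct form.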
@@ -55,7 +55,7 @@ Use the information in the following section for more information: - Steps to Prepare the Base Image – Whether in a non-persistent VDI or RDSH environment, only a few steps must be completed in the base image to enable this approach. -- Use UE-V 2.0 as the User Profile Management (UPM) solution for the App-V approach – the cornerstone of this approach is the ability of a UEM solution to persist the contents of just a few registry and file locations. These locations constitute the user integrations\*. Be sure to review the specific requirements for the UPM solution. +- Use UE-V 2.0 as the User Profile Management (UPM) solution for the App-V approach – the cornerstone of this approach is the ability of a UEM solution to persist the contents of just a few registry and file locations. These locations constitute the user integrations\*. Be sure to review the specific requirements for the UPM solution. [User Experience Walk-through](#bkmk-uewt) @@ -88,7 +88,7 @@ Deployment Environment -  + Expected Configuration @@ -109,7 +109,7 @@ Expected Configuration -  + IT Administration @@ -126,7 +126,7 @@ IT Administration -  + ### Usage Scenario @@ -153,7 +153,7 @@ As you review the two scenarios, keep in mind that these approach the extremes. -  + ### Preparing your Environment @@ -178,7 +178,7 @@ The following table displays the required steps to prepare the base image and th
    • Install the Hotfix Package 4 for Application Virtualization 5.0 SP2 client version of the client.

    • Install UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.

    • -
    • Configure for Shared Content Store (SCS) mode. For more information see [How to Install the App-V 5.0 Client for Shared Content Store Mode](how-to-install-the-app-v-50-client-for-shared-content-store-mode.md).

    • +
    • Configure for Shared Content Store (SCS) mode. For more information see How to Install the App-V 5.0 Client for Shared Content Store Mode.

    • Configure Preserve User Integrations on Login Registry DWORD.

    • Pre-configure all user- and global-targeted packages for example, Add-AppvClientPackage.

    • Pre-configure all user- and global-targeted connection groups for example, Add-AppvClientConnectionGroup.

    • @@ -198,7 +198,7 @@ The following table displays the required steps to prepare the base image and th
      • Install the Hotfix Package 4 for Application Virtualization 5.0 SP2 client version of the client.

      • Install UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.

      • -
      • Configure for Shared Content Store (SCS) mode. For more information see [How to Install the App-V 5.0 Client for Shared Content Store Mode](how-to-install-the-app-v-50-client-for-shared-content-store-mode.md).

      • +
      • Configure for Shared Content Store (SCS) mode. For more information see How to Install the App-V 5.0 Client for Shared Content Store Mode.

      • Configure Preserve User Integrations on Login Registry DWORD.

      • Pre-configure all global-targeted packages for example, Add-AppvClientPackage.

      • Pre-configure all global-targeted connection groups for example, Add-AppvClientConnectionGroup.

      • @@ -209,7 +209,7 @@ The following table displays the required steps to prepare the base image and th -  + **Configurations** - For critical App-V Client configurations and for a little more context and how-to, review the following information: @@ -251,7 +251,7 @@ The following table displays the required steps to prepare the base image and th

        MaxConcurrentPublishingRefresh

          -
        • Configure in the Registry under HKEY_LOCAL_MACHINE \Software \ Microsoft \ AppV \Client \ Publishing.

        • +
        • Configure in the Registry under HKEY_LOCAL_MACHINE <strong>Software \ Microsoft \ AppV <strong>Client \ Publishing.
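Review bot: the `+` line `Configure in the Registry under HKEY_LOCAL_MACHINE <strong>Software \ Microsoft \ AppV <strong>Client \ Publishing.` is a regression: both `<strong>` tags are unclosed and they replace the `\Software` and `\Client` path separators, so the registry path no longer reads as one key. Keep the path intact as `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing` (escaping the backslashes if the table cell is rendered as markdown). While in this row, note that the value name is written `MaxConcurrentPublishingRefresh` in the row header but `MaxConcurrentPublishingrefresh` in the `Create the DWORD value` line; pick one casing.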

        • Create the DWORD value MaxConcurrentPublishingrefresh with the desired maximum number of concurrent publishing refreshes.

        • The App-V client service and computer do not need to be restarted.

        @@ -262,7 +262,7 @@ The following table displays the required steps to prepare the base image and th -  + ### Configure UE-V solution for App-V Approach @@ -272,7 +272,7 @@ For more information see [Getting Started With User Experience Virtualization 2. In essence all that is required is to install the UE-V client and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information around UE-V templates see [The UE-V specific resource for acquiring and registering the template](https://technet.microsoft.com/library/dn458936.aspx). -**Note**   +**Note** Without performing an additional configuration step, the Microsoft User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user’s device will have the same set of applications installed to the same location and every .lnk file is valid for all the users’ devices. For example, UE-V would not currently support the following 2 scenarios, because the net result will be that the shortcut will be valid on one but not all devices. 
@@ -281,12 +281,12 @@ UE-V will only support removing the .lnk file type from the exclusion list in th - If a user has an application installed on one device but not another with .lnk files enabled. -  -**Important**   + +**Important** This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. -  + Using the Microsoft Registry Editor (regedit.exe), navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **UEV** \\ **Agent** \\ **Configuration** \\ **ExcludedFileTypes** and remove **.lnk** from the excluded file types. @@ -401,7 +401,7 @@ This following is a step-by-step walk-through of the App-V and UPM operations an -  + @@ -426,13 +426,13 @@ This following is a step-by-step walk-through of the App-V and UPM operations an
        -  + ### Impact to Package Life Cycle Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (un-published) virtual application packages, it is recommended you update the base image to reflect these changes. To understand why review the following section: -App-V 5.0 SP2 introduced the concept of pending states. In the past, +App-V 5.0 SP2 introduced the concept of pending states. In the past, - If an administrator changed entitlements or created a new version of a package (upgraded) and during a publishing/refresh that package was in-use, the un-publish or publish operation, respectively, would fail. @@ -456,11 +456,11 @@ About NGEN technology Server Performance Tuning Guidelines for -- [Microsoft Windows Server 2012 R2](https://msdn.microsoft.com/library/windows/hardware/dn529133.aspx) +- [Microsoft Windows Server 2012 R2](https://msdn.microsoft.com/library/windows/hardware/dn529133.aspx) -- [Microsoft Windows Server 2012](https://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx) +- [Microsoft Windows Server 2012](https://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx) -- [Microsoft Windows Server 2008 R2](https://download.microsoft.com/download/6/B/2/6B2EBD3A-302E-4553-AC00-9885BBF31E21/Perf-tun-srv-R2.docx) +- [Microsoft Windows Server 2008 R2](https://download.microsoft.com/download/6/B/2/6B2EBD3A-302E-4553-AC00-9885BBF31E21/Perf-tun-srv-R2.docx) **Server Roles** 
@@ -474,18 +474,18 @@ Server Performance Tuning Guidelines for **Windows Client (Guest OS) Performance Tuning Guidance** -- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx) +- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx) - [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx) -- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf) +- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf) - [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx) ## Sequencing Steps to Optimize Packages for Publishing Performance -App-V 5.0 and App-V 5.0 SP2 provide significant value in their respective releases. Several features facilitate new scenarios or enabled new customer deployment scenarios. These following features can impact the performance of the publishing and launch operations. +App-V 5.0 and App-V 5.0 SP2 provide significant value in their respective releases. Several features facilitate new scenarios or enabled new customer deployment scenarios. These following features can impact the performance of the publishing and launch operations. @@ -516,7 +516,7 @@ App-V 5.0 and App-V 5.0 SP2 provide significant value in their respective relea
        -  + ### Removing FB1 @@ -552,10 +552,10 @@ Removing FB1 does not require the original application installer. After completi "C:\\UpgradedPackages" - **Note**   + **Note** This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file. -   + @@ -582,7 +582,7 @@ Removing FB1 does not require the original application installer. After completi
        -  + ### Creating a new virtual application package on the sequencer @@ -590,7 +590,7 @@ If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is ins **Client Side**: -When publishing a virtual application package, the App-V 5.0 SP2 Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it is included in the package, a traditional Windows Insataller (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation will not occur. +When publishing a virtual application package, the App-V 5.0 SP2 Client will detect if a required SxS dependency is already installed. If the dependency is unavailable on the computer and it is included in the package, a traditional Windows Insataller (.**msi**) installation of the SxS assembly will be initiated. As previously documented, simply install the dependency on the computer running the client to ensure that the Windows Installer (.msi) installation will not occur. @@ -619,7 +619,7 @@ When publishing a virtual application package, the App-V 5.0 SP2 Client will de
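Review bot: the `+` line in the `@@ -590` hunk re-emits the misspelling `Windows Insataller (.**msi**)`; since that line is being rewritten anyway, correct it to `Windows Installer (.**msi**)` so it matches the `Windows Installer (.msi)` wording at the end of the same sentence.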
        -  + ### Disabling a Dynamic Configuration using Powershell @@ -669,7 +669,7 @@ For documentation on How to Apply a Dynamic Configuration, see: -  + ### Determining what virtual fonts exist in the package @@ -685,12 +685,14 @@ For documentation on How to Apply a Dynamic Configuration, see: <appv:Font Path="\[{Fonts}\]\\private\\CalibriL.ttf" DelayLoad="true"></appv:Font> - **Note**   + **Note** If there are fonts marked as **DelayLoad**, those will not impact first launch. -   - </appv:Fonts> + +~~~ +</appv:Fonts> +~~~ ### Excluding virtual fonts from the package @@ -749,9 +751,9 @@ The following terms are used when describing concepts and actions related to App [Microsoft Application Virtualization 5.0 Administrator's Guide](microsoft-application-virtualization-50-administrators-guide.md) -  - -  + + + diff --git a/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md b/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md index 8d7cad0c33..2833f23817 100644 --- a/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md +++ b/mdop/appv-v5/performance-guidance-for-application-virtualization-51.md 
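Review bot: in the `@@ -685` hunk the new `~~~` fence encloses only the closing `</appv:Fonts>` tag while the `<appv:Font Path="\[{Fonts}\]\\private\\CalibriL.ttf" DelayLoad="true"></appv:Font>` elements above it stay outside the fence, so the page will render the element list as prose followed by a one-line code block containing a dangling close tag. Either fence the whole `<appv:Fonts>` ... `</appv:Fonts>` fragment as one block (with the **Note** about `DelayLoad` moved after it) or leave the close tag unfenced alongside the rest of the fragment.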
@@ -29,10 +29,10 @@ You should read and understand the following information before reading this doc - [Microsoft Application Virtualization Sequencing Guide](https://go.microsoft.com/fwlink/?LinkId=269953) -**Note**   -Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk **\*** review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document. +**Note** +Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk **\\*** review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document. + -  Finally, this document will provide you with the information to configure the computer running App-V 5.1 client and the environment for optimal performance. Optimize your virtual application packages for performance using the sequencer, and to understand how to use User Experience Virtualization (UE-V) or other user environment management technologies to provide the optimal user experience with App-V 5.1 in both Remote Desktop Services (RDS) and non-persistent virtual desktop infrastructure (VDI). 
@@ -55,7 +55,7 @@ Use the information in the following section for more information: - Steps to Prepare the Base Image – Whether in a non-persistent VDI or RDSH environment, only a few steps must be completed in the base image to enable this approach. -- Use UE-V 2.1 as the User Profile Management (UPM) solution for the App-V approach – the cornerstone of this approach is the ability of a UEM solution to persist the contents of just a few registry and file locations. These locations constitute the user integrations\*. Be sure to review the specific requirements for the UPM solution. +- Use UE-V 2.1 as the User Profile Management (UPM) solution for the App-V approach – the cornerstone of this approach is the ability of a UEM solution to persist the contents of just a few registry and file locations. These locations constitute the user integrations\*. Be sure to review the specific requirements for the UPM solution. [User Experience Walk-through](#bkmk-uewt) @@ -88,7 +88,7 @@ Deployment Environment -  + Expected Configuration @@ -109,7 +109,7 @@ Expected Configuration -  + IT Administration @@ -126,7 +126,7 @@ IT Administration -  + ### Usage Scenario @@ -153,7 +153,7 @@ As you review the two scenarios, keep in mind that these approach the extremes. -  + ### Preparing your Environment @@ -178,7 +178,7 @@ The following table displays the required steps to prepare the base image and th
        • Install the App-V 5.1 client version of the client.

        • Install UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.

        • -
        • Configure for Shared Content Store (SCS) mode. For more information see [How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md).

        • +
        • Configure for Shared Content Store (SCS) mode. For more information see How to Install the App-V 5.1 Client for Shared Content Store Mode.

        • Configure Preserve User Integrations on Login Registry DWORD.

        • Pre-configure all user- and global-targeted packages for example, Add-AppvClientPackage.

        • Pre-configure all user- and global-targeted connection groups for example, Add-AppvClientConnectionGroup.

        • @@ -198,7 +198,7 @@ The following table displays the required steps to prepare the base image and th
          • Install the App-V 5.1 client version of the client.

          • Install UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.

          • -
          • Configure for Shared Content Store (SCS) mode. For more information see [How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md).

          • +
          • Configure for Shared Content Store (SCS) mode. For more information see How to Install the App-V 5.1 Client for Shared Content Store Mode.

          • Configure Preserve User Integrations on Login Registry DWORD.

          • Pre-configure all global-targeted packages for example, Add-AppvClientPackage.

          • Pre-configure all global-targeted connection groups for example, Add-AppvClientConnectionGroup.

          • @@ -209,7 +209,7 @@ The following table displays the required steps to prepare the base image and th -  + **Configurations** - For critical App-V Client configurations and for a little more context and how-to, review the following information: @@ -251,7 +251,7 @@ The following table displays the required steps to prepare the base image and th

            MaxConcurrentPublishingRefresh

              -
            • Configure in the Registry under HKEY_LOCAL_MACHINE \Software \ Microsoft \ AppV \Client \ Publishing.

            • +
            • Configure in the Registry under HKEY_LOCAL_MACHINE <strong>Software \ Microsoft \ AppV <strong>Client \ Publishing.
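Review bot: same regression as in the 5.0 guidance topic: the `+` line `Configure in the Registry under HKEY_LOCAL_MACHINE <strong>Software \ Microsoft \ AppV <strong>Client \ Publishing.` introduces two unclosed `<strong>` tags in place of the `\Software` and `\Client` separators, so the registry path is no longer readable as a key. Keep it as `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Publishing` (backslashes escaped if the cell is markdown), and align the casing of `MaxConcurrentPublishingrefresh` in the `Create the DWORD value` line with the `MaxConcurrentPublishingRefresh` row header.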

            • Create the DWORD value MaxConcurrentPublishingrefresh with the desired maximum number of concurrent publishing refreshes.

            • The App-V client service and computer do not need to be restarted.

            @@ -262,7 +262,7 @@ The following table displays the required steps to prepare the base image and th -  + ### Configure UE-V solution for App-V Approach @@ -272,7 +272,7 @@ For more information see [Getting Started With User Experience Virtualization 2. In essence all that is required is to install the UE-V client and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information around UE-V templates see [The UE-V specific resource for acquiring and registering the template](https://technet.microsoft.com/library/dn458926.aspx). -**Note**   +**Note** Without performing an additional configuration step, the Microsoft User Environment Virtualization (UE-V) will not be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default. UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user’s device will have the same set of applications installed to the same location and every .lnk file is valid for all the users’ devices. For example, UE-V would not currently support the following 2 scenarios, because the net result will be that the shortcut will be valid on one but not all devices. 
@@ -281,12 +281,12 @@ UE-V will only support removing the .lnk file type from the exclusion list in th - If a user has an application installed on one device but not another with .lnk files enabled. -  -**Important**   + +**Important** This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. -  + Using the Microsoft Registry Editor (regedit.exe), navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **UEV** \\ **Agent** \\ **Configuration** \\ **ExcludedFileTypes** and remove **.lnk** from the excluded file types. @@ -304,12 +304,12 @@ To enable an optimized login experience, for example the App-V 5.1 approach for - Attaching and detaching a user profile disk (UPD) or similar technology that contains the user integrations. - **Note**   + **Note** App-V is supported when using UPD only when the entire profile is stored on the user profile disk. App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver does not handle UPD selected folders. -   + - Capturing changes to the locations, which constitute the user integrations, prior to session logoff. @@ -408,7 +408,7 @@ This following is a step-by-step walk-through of the App-V and UPM operations an -  + @@ -433,13 +433,13 @@ This following is a step-by-step walk-through of the App-V and UPM operations an
            -  + ### Impact to Package Life Cycle Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (un-published) virtual application packages, it is recommended you update the base image to reflect these changes. To understand why review the following section: -App-V 5.0 SP2 introduced the concept of pending states. In the past, +App-V 5.0 SP2 introduced the concept of pending states. In the past, - If an administrator changed entitlements or created a new version of a package (upgraded) and during a publishing/refresh that package was in-use, the un-publish or publish operation, respectively, would fail. @@ -463,11 +463,11 @@ About NGEN technology Server Performance Tuning Guidelines for -- [Microsoft Windows Server 2012 R2](https://msdn.microsoft.com/library/windows/hardware/dn529133.aspx) +- [Microsoft Windows Server 2012 R2](https://msdn.microsoft.com/library/windows/hardware/dn529133.aspx) -- [Microsoft Windows Server 2012](https://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx) +- [Microsoft Windows Server 2012](https://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx) -- [Microsoft Windows Server 2008 R2](https://download.microsoft.com/download/6/B/2/6B2EBD3A-302E-4553-AC00-9885BBF31E21/Perf-tun-srv-R2.docx) +- [Microsoft Windows Server 2008 R2](https://download.microsoft.com/download/6/B/2/6B2EBD3A-302E-4553-AC00-9885BBF31E21/Perf-tun-srv-R2.docx) **Server Roles** 
@@ -481,11 +481,11 @@ Server Performance Tuning Guidelines for **Windows Client (Guest OS) Performance Tuning Guidance** -- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx) +- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx) - [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx) -- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf) +- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf) - [Optimization Script: (Provided by Microsoft Support)](http://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx) @@ -523,7 +523,7 @@ Several App-V features facilitate new scenarios or enable new customer deploymen -  + ### Removing FB1 @@ -559,10 +559,10 @@ Removing FB1 does not require the original application installer. After completi "C:\\UpgradedPackages" - **Note**   + **Note** This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file. -   + @@ -589,7 +589,7 @@ Removing FB1 does not require the original application installer. After completi
            -  + ### Creating a new virtual application package on the sequencer @@ -626,7 +626,7 @@ When publishing a virtual application package, the App-V Client will detect if a -  + ### Disabling a Dynamic Configuration using Powershell @@ -676,7 +676,7 @@ For documentation on How to Apply a Dynamic Configuration, see: -  + ### Determining what virtual fonts exist in the package @@ -692,12 +692,14 @@ For documentation on How to Apply a Dynamic Configuration, see: <appv:Font Path="\[{Fonts}\]\\private\\CalibriL.ttf" DelayLoad="true"></appv:Font> - **Note**   + **Note** If there are fonts marked as **DelayLoad**, those will not impact first launch. -   - </appv:Fonts> + +~~~ +</appv:Fonts> +~~~ ### Excluding virtual fonts from the package @@ -756,9 +758,9 @@ The following terms are used when describing concepts and actions related to App [Microsoft Application Virtualization 5.1 Administrator's Guide](microsoft-application-virtualization-51-administrators-guide.md) -  - -  + + + diff --git a/mdop/appv-v5/planning-for-high-availability-with-app-v-50.md b/mdop/appv-v5/planning-for-high-availability-with-app-v-50.md index 1f974dd93f..b861440d22 100644 --- a/mdop/appv-v5/planning-for-high-availability-with-app-v-50.md +++ b/mdop/appv-v5/planning-for-high-availability-with-app-v-50.md @@ -58,7 +58,7 @@ Review the following for more information about configuring IIS and Network Load **Note**   The IIS Network Load Balancing functionality in Windows Server 2012 is generally the same as in Windows Server 2008 R2. However, some task details are changed in Windows Server 2012. For information on new ways to do tasks, see [Common Management Tasks and Navigation in Windows Server 2012 R2 Preview and Windows Server 2012](https://go.microsoft.com/fwlink/?LinkId=316371) (https://go.microsoft.com/fwlink/?LinkId=316371). -   + ## Support for clustered file servers when running (SCS) mode 
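Review bot: the `@@ -692` hunk in `performance-guidance-for-application-virtualization-51.md` has the same fencing problem as the 5.0 topic: `~~~` is placed around the lone `</appv:Fonts>` close tag while the `<appv:Font ... DelayLoad="true"></appv:Font>` lines above it remain unfenced, leaving a one-line code block with a dangling close tag. Fence the complete `<appv:Fonts>` ... `</appv:Fonts>` fragment together (moving the **Note** about `DelayLoad` out of the block) or leave the close tag unfenced with the rest.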
@@ -111,7 +111,7 @@ Use the following steps to modify the connection string to include **failover pa **Important**   This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. -  + 1. Login to the management server and open **regedit**. @@ -124,7 +124,7 @@ This topic describes how to change the Windows registry by using Registry Editor **Note**   Database Mirroring is on the list of Deprecated Database Engine Features for Microsoft SQL Server 2012 due to the **AlwaysOn** feature available with Microsoft SQL Server 2012. -   + Click any of the following links for more information: @@ -146,9 +146,9 @@ The App-V 5.0 management server database supports deployments to computers runni [Planning to Deploy App-V](planning-to-deploy-app-v.md) -  + -  + diff --git a/mdop/appv-v5/planning-for-high-availability-with-app-v-51.md b/mdop/appv-v5/planning-for-high-availability-with-app-v-51.md index 9849aeac9f..c3e0e18888 100644 --- a/mdop/appv-v5/planning-for-high-availability-with-app-v-51.md +++ b/mdop/appv-v5/planning-for-high-availability-with-app-v-51.md 
@@ -58,7 +58,7 @@ Review the following for more information about configuring IIS and Network Load **Note**   The IIS Network Load Balancing functionality in Windows Server 2012 is generally the same as in Windows Server 2008 R2. However, some task details are changed in Windows Server 2012. For information on new ways to do tasks, see [Common Management Tasks and Navigation in Windows Server 2012 R2 Preview and Windows Server 2012](https://go.microsoft.com/fwlink/?LinkId=316371) (https://go.microsoft.com/fwlink/?LinkId=316371). -   + ## Support for clustered file servers when running (SCS) mode @@ -111,7 +111,7 @@ Use the following steps to modify the connection string to include **failover pa **Important**   This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. -  + 1. Login to the management server and open **regedit**. @@ -124,7 +124,7 @@ This topic describes how to change the Windows registry by using Registry Editor **Note**   Database Mirroring is on the list of Deprecated Database Engine Features for Microsoft SQL Server 2012 due to the **AlwaysOn** feature available with Microsoft SQL Server 2012. -   + Click any of the following links for more information: @@ -151,9 +151,9 @@ The App-V 5.1 management server database supports deployments to computers runni [Planning to Deploy App-V](planning-to-deploy-app-v51.md) -  + -  + diff --git a/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v.md b/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v.md index 8dc2bc2d73..0413cff809 100644 
--- a/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v.md +++ b/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v.md @@ -69,7 +69,7 @@ The following table shows the supported App-V coexistence scenarios. We recommen -  + ### Requirements for running coexisting clients @@ -97,16 +97,16 @@ The following table provides link to the TechNet documentation about the release

            App-V 4.6 SP3

            -

            [About Microsoft Application Virtualization 4.6 SP3](https://technet.microsoft.com/library/dn511019.aspx)

            +

            About Microsoft Application Virtualization 4.6 SP3

            App-V 5.0 SP3

            -

            [About Microsoft Application Virtualization 5.0 SP3](about-app-v-50-sp3.md)

            +

            About Microsoft Application Virtualization 5.0 SP3

            -  + For more information about how to configure App-V 5.0 client coexistence, see: @@ -135,9 +135,9 @@ For more information about using the package converter to convert a package, see [Planning to Deploy App-V](planning-to-deploy-app-v.md) -  + -  + diff --git a/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v51.md b/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v51.md index 79caeaacb9..a895f50b35 100644 --- a/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v51.md +++ b/mdop/appv-v5/planning-for-migrating-from-a-previous-version-of-app-v51.md @@ -69,7 +69,7 @@ The following table shows the supported App-V coexistence scenarios. We recommen -  + ### Requirements for running coexisting clients @@ -82,7 +82,7 @@ To run coexisting clients, you must: **Note**   App-V 5.1 packages can run side by side with App-V 4.6 packages if you have coexisting installations of App-V 5.1 and 4.6. However, App-V 5.1 packages cannot interact with App-V 4.6 packages in the same virtual environment. -  + ### Client downloads and documentation @@ -102,16 +102,16 @@ The following table provides links to the App-V 4.6 client downloads and to the
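Review bot: the `+` cells in the @@ -97,16 hunk of planning-for-migrating-from-a-previous-version-of-app-v.md drop both link targets (https://technet.microsoft.com/library/dn511019.aspx and about-app-v-50-sp3.md) and keep only the titles, while the hunk header still introduces the table as one that "provides link to the TechNet documentation"; after this change the table points nowhere. If the Markdown link syntax is being removed because it does not render inside these HTML table cells, convert each reference to an HTML anchor, e.g. `<a href="about-app-v-50-sp3.md">About Microsoft Application Virtualization 5.0 SP3</a>`, instead of deleting the target.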

            App-V 4.6 SP3

            -

            [About Microsoft Application Virtualization 4.6 SP3](https://technet.microsoft.com/library/dn511019.aspx)

            +

            About Microsoft Application Virtualization 4.6 SP3

            App-V 4.6 SP3

            -

            [About Microsoft Application Virtualization 5.1](about-app-v-51.md)

            +

            About Microsoft Application Virtualization 5.1

            -  + For more information about how to configure App-V 5.1 client coexistence, see: @@ -140,9 +140,9 @@ For more information about using the package converter to convert a package, see [Planning to Deploy App-V](planning-to-deploy-app-v51.md) -  + -  + diff --git a/mdop/appv-v5/planning-for-the-app-v-50-sequencer-and-client-deployment.md b/mdop/appv-v5/planning-for-the-app-v-50-sequencer-and-client-deployment.md index 25a538f860..d27170ec67 100644 --- a/mdop/appv-v5/planning-for-the-app-v-50-sequencer-and-client-deployment.md +++ b/mdop/appv-v5/planning-for-the-app-v-50-sequencer-and-client-deployment.md @@ -27,7 +27,7 @@ App-V 5.0 uses a process called sequencing to create virtualized applications an **Note**   For information about the new functionality of App-V 5.0 sequencer, see the **Changes to the sequencer** section of [What's New in App-V 5.0](whats-new-in-app-v-50.md). -  + The computer that runs the App-V 5.0 sequencer must meet the minimum system requirements. For a list of these requirements, see [App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md). 
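Review bot: the @@ -102,16 hunk of planning-for-migrating-from-a-previous-version-of-app-v51.md removes the targets https://technet.microsoft.com/library/dn511019.aspx and about-app-v-51.md from the download/documentation table and leaves bare titles, so the table described in the hunk header as providing "links to the App-V 4.6 client downloads" no longer links to anything; keep the targets as HTML anchors (`<a href="about-app-v-51.md">About Microsoft Application Virtualization 5.1</a>`) if Markdown links cannot be used in these cells. While this table is being edited, the unchanged row label above the About Microsoft Application Virtualization 5.1 cell reads "App-V 4.6 SP3"; the equivalent row in the 5.0 version of this table is labelled "App-V 5.0 SP3", so this label looks like a copy error and should read "App-V 5.1".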
@@ -42,7 +42,7 @@ Ideally, you should install the sequencer on a computer running as a virtual mac **Important**   You should have your corporate security team review and approve the sequencing process plan. For security reasons, you should keep the sequencer operations in a lab that is separate from the production environment. The separation arrangement can be as simple or as comprehensive as necessary, based on your business requirements. The sequencing computers must be able to connect to the corporate network to copy finished packages to the production servers. However, because the sequencing computers are typically operated without antivirus protection, they must not be on the corporate network unprotected. For example, you might be able to operate behind a firewall or on an isolated network segment. You might also be able to use virtual machines that are configured to share an isolated virtual network. Follow your corporate security policies to safely address these concerns. -  + [How to Install the Sequencer](how-to-install-the-sequencer-beta-gb18030.md) @@ -97,9 +97,9 @@ The following list displays some of the benefits of using the App-V 5.0 shared c [Planning to Deploy App-V](planning-to-deploy-app-v.md) -  + -  + diff --git a/mdop/appv-v5/planning-for-the-app-v-50-server-deployment.md b/mdop/appv-v5/planning-for-the-app-v-50-server-deployment.md index e1c6a12f3c..a86ccf90cc 100644 --- a/mdop/appv-v5/planning-for-the-app-v-50-server-deployment.md +++ b/mdop/appv-v5/planning-for-the-app-v-50-server-deployment.md @@ -54,7 +54,7 @@ The App-V 5.0 Management Server contains the repository of packages and their as **Note**   The Management Server does not perform any load balancing. The associated metadata is simply passed to the publishing server for use when processing client requests. -  + ## Server-Related Protocols and External Features @@ -97,7 +97,7 @@ The following displays information about server-related protocols used by the Ap -  + 
@@ -111,9 +111,9 @@ The following displays information about server-related protocols used by the Ap [Deploying the App-V 5.0 Server](deploying-the-app-v-50-server.md) -  + -  + diff --git a/mdop/appv-v5/planning-for-the-app-v-51-sequencer-and-client-deployment.md b/mdop/appv-v5/planning-for-the-app-v-51-sequencer-and-client-deployment.md index 1ce8a1bc54..03e04d5ec3 100644 --- a/mdop/appv-v5/planning-for-the-app-v-51-sequencer-and-client-deployment.md +++ b/mdop/appv-v5/planning-for-the-app-v-51-sequencer-and-client-deployment.md @@ -27,7 +27,7 @@ App-V 5.1 uses a process called sequencing to create virtualized applications an **Note**   For information about the new functionality of App-V 5.1 sequencer, see the **Sequencer Improvements** section of [About App-V 5.1](about-app-v-51.md). -  + The computer that runs the App-V 5.1 sequencer must meet the minimum system requirements. For a list of these requirements, see [App-V 5.1 Supported Configurations](app-v-51-supported-configurations.md). 
@@ -42,7 +42,7 @@ Ideally, you should install the sequencer on a computer running as a virtual mac **Important**   You should have your corporate security team review and approve the sequencing process plan. For security reasons, you should keep the sequencer operations in a lab that is separate from the production environment. The separation arrangement can be as simple or as comprehensive as necessary, based on your business requirements. The sequencing computers must be able to connect to the corporate network to copy finished packages to the production servers. However, because the sequencing computers are typically operated without antivirus protection, they must not be on the corporate network unprotected. For example, you might be able to operate behind a firewall or on an isolated network segment. You might also be able to use virtual machines that are configured to share an isolated virtual network. Follow your corporate security policies to safely address these concerns. -  + ## Planning for App-V 5.1 client deployment @@ -100,9 +100,9 @@ The following list displays some of the benefits of using the App-V 5.1 shared c [How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md) -  + -  + diff --git a/mdop/appv-v5/planning-for-the-app-v-51-server-deployment.md b/mdop/appv-v5/planning-for-the-app-v-51-server-deployment.md index c699fc9186..7d2ec754d2 100644 --- a/mdop/appv-v5/planning-for-the-app-v-51-server-deployment.md +++ b/mdop/appv-v5/planning-for-the-app-v-51-server-deployment.md @@ -54,7 +54,7 @@ The App-V 5.1 Management Server contains the repository of packages and their as **Note**   The Management Server does not perform any load balancing. The associated metadata is simply passed to the publishing server for use when processing client requests. -  + ## Server-Related Protocols and External Features 
@@ -97,7 +97,7 @@ The following displays information about server-related protocols used by the Ap -  + @@ -111,9 +111,9 @@ The following displays information about server-related protocols used by the Ap [Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md) -  + -  + diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office.md b/mdop/appv-v5/planning-for-using-app-v-with-office.md index 87c81d9939..76440328d4 100644 --- a/mdop/appv-v5/planning-for-using-app-v-with-office.md +++ b/mdop/appv-v5/planning-for-using-app-v-with-office.md @@ -35,7 +35,7 @@ You can use the App-V 5.0 Sequencer to create plug-in packages for Language Pack **Note**   Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack. -  + ## Supported versions of Microsoft Office @@ -105,7 +105,7 @@ The following table lists the versions of Microsoft Office that App-V supports, -  + ## Planning for using App-V with coexisting versions of Office @@ -132,16 +132,16 @@ Before implementing Office coexistence, review the following Office documentatio

            Office 2013

            -

            [Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office](https://support.microsoft.com/kb/2784668)

            +

            Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office

            Office 2010

            -

            [Information about how to use Office 2010 suites and programs on a computer that is running another version of Office](https://support.microsoft.com/kb/2121447)

            +

            Information about how to use Office 2010 suites and programs on a computer that is running another version of Office

            -  + The Office documentation provides extensive guidance on coexistence for Windows Installer-based (MSi) and Click-to-Run installations of Office. This App-V topic on coexistence supplements the Office guidance with information that is more specific to App-V deployments. @@ -152,7 +152,7 @@ The following tables summarize the supported coexistence scenarios. They are org **Note**   Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service. -  + ### Windows integrations & Office coexistence @@ -185,7 +185,7 @@ The Windows Installer-based and Click-to-Run Office installation methods integra -  + Microsoft recommends that you deploy Office coexistence with only one integrated Office instance. For example, if you’re using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069). @@ -296,7 +296,7 @@ The Office 2013 App-V package supports the following integration points with the
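Review bot: the @@ -132,16 hunk of planning-for-using-app-v-with-office.md strips the hrefs https://support.microsoft.com/kb/2784668 and https://support.microsoft.com/kb/2121447 from the Office 2013 and Office 2010 cells, leaving only article titles. The surrounding text tells the reader to "review the following Office documentation" and that "The Office documentation provides extensive guidance on coexistence", so the KB links are the substance of this table; keep them as HTML anchors, e.g. `<a href="https://support.microsoft.com/kb/2784668">Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office</a>`, rather than removing them.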

            Active X Controls:

            -

            For more information on ActiveX controls, refer to [ActiveX Control API Reference](https://go.microsoft.com/fwlink/p/?LinkId=331361).

            +

            For more information on ActiveX controls, refer to ActiveX Control API Reference.

               Groove.SiteClient

            @@ -381,16 +381,16 @@ The Office 2013 App-V package supports the following integration points with the -  + -  + -  + diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office51.md b/mdop/appv-v5/planning-for-using-app-v-with-office51.md index dd4361df78..cb8f378a54 100644 --- a/mdop/appv-v5/planning-for-using-app-v-with-office51.md +++ b/mdop/appv-v5/planning-for-using-app-v-with-office51.md @@ -35,14 +35,14 @@ You can use the App-V 5.1 Sequencer to create plug-in packages for Language Pack >**Note**   Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack. -  + ## Supported versions of Microsoft Office See [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click) for a list of supported Office products. >**Note**  You must use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. You cannot use the App-V Sequencer. -  + ## Planning for using App-V with coexisting versions of Office @@ -69,16 +69,16 @@ Before implementing Office coexistence, review the following Office documentatio
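Review bot: in the @@ -296,7 hunk of planning-for-using-app-v-with-office.md the Active X Controls cell now says "refer to ActiveX Control API Reference" with the https://go.microsoft.com/fwlink/p/?LinkId=331361 target removed, so the sentence instructs the reader to consult a document it no longer identifies. Use an HTML anchor in the cell (`<a href="https://go.microsoft.com/fwlink/p/?LinkId=331361">ActiveX Control API Reference</a>`) instead of dropping the link.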

            Office 2013

            -

            [Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office](https://support.microsoft.com/kb/2784668)

            +

            Information about how to use Office 2013 suites and programs (MSI deployment) on a computer that is running another version of Office

            Office 2010

            -

            [Information about how to use Office 2010 suites and programs on a computer that is running another version of Office](https://support.microsoft.com/kb/2121447)

            +

            Information about how to use Office 2010 suites and programs on a computer that is running another version of Office

            -  + The Office documentation provides extensive guidance on coexistence for Windows Installer-based (MSi) and Click-to-Run installations of Office. This App-V topic on coexistence supplements the Office guidance with information that is more specific to App-V deployments. @@ -89,7 +89,7 @@ The following tables summarize the supported coexistence scenarios. They are org >**Note**   Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service. -  + ### Windows integrations & Office coexistence @@ -122,7 +122,7 @@ The Windows Installer-based and Click-to-Run Office installation methods integra -  + Microsoft recommends that you deploy Office coexistence with only one integrated Office instance. For example, if you’re using App-V to deploy Office 2010 and Office 2013, you should sequence Office 2010 in non-integrated mode. For more information about sequencing Office in non-integration (isolated) mode, see [How to sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069). @@ -233,7 +233,7 @@ The Office 2013 App-V package supports the following integration points with the
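Review bot: the @@ -69,16 hunk of planning-for-using-app-v-with-office51.md removes the hrefs https://support.microsoft.com/kb/2784668 and https://support.microsoft.com/kb/2121447 from the Office coexistence table, leaving plain titles that the reader cannot follow even though the context line asks them to "review the following Office documentation". Replace the Markdown links with HTML anchors (`<a href="https://support.microsoft.com/kb/2121447">Information about how to use Office 2010 suites and programs on a computer that is running another version of Office</a>`) rather than deleting the targets.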

            Active X Controls:

            -

            For more information on ActiveX controls, refer to [ActiveX Control API Reference](https://go.microsoft.com/fwlink/p/?LinkId=331361).

            +

            For more information on ActiveX controls, refer to ActiveX Control API Reference.

               Groove.SiteClient

            @@ -318,16 +318,16 @@ The Office 2013 App-V package supports the following integration points with the -  + -  + -  + diff --git a/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v.md b/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v.md index e6b9ed32ea..e5be2f3b21 100644 --- a/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v.md +++ b/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v.md @@ -48,11 +48,11 @@ This topic contains the following sections:
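Review bot: the @@ -233,7 hunk of planning-for-using-app-v-with-office51.md changes the Active X Controls cell to "refer to ActiveX Control API Reference" and drops the https://go.microsoft.com/fwlink/p/?LinkId=331361 target, so the "refer to" instruction has nothing to point at; keep the reference as an HTML anchor inside the cell instead of removing it.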
            • Files under %appdata%\Microsoft\AppV\Client\Catalog

            • Registry settings under HKEY_CURRENT_USER\Software\Microsoft\AppV\Client\Packages

              -

              For more detail, see [Application Publishing and Client Interaction](application-publishing-and-client-interaction.md#bkmk-clt-inter-roam-reqs).

            • +

              For more detail, see Application Publishing and Client Interaction.

          • Ensure that the following folders are available to each user who logs into the computer that is running the App-V 5.0 SP2 or later client:

              -
            • %AppData% is configured to the desired network location (with or without [Offline Files](https://technet.microsoft.com/library/cc780552.aspx) support).

            • +
            • %AppData% is configured to the desired network location (with or without Offline Files support).

            • %LocalAppData% is configured to the desired local folder.

          @@ -85,13 +85,13 @@ This topic contains the following sections: -
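Review bot: the @@ -48,11 hunk of planning-to-use-folder-redirection-with-app-v.md removes two targets that carry information the bare text cannot: application-publishing-and-client-interaction.md#bkmk-clt-inter-roam-reqs pointed at the specific roaming-requirements section of that topic, and https://technet.microsoft.com/library/cc780552.aspx identified the Offline Files documentation. "For more detail, see Application Publishing and Client Interaction." and "with or without Offline Files support" now give the reader no way to reach either. If Markdown links are unusable in these list cells, keep them as HTML anchors, e.g. `<a href="application-publishing-and-client-interaction.md#bkmk-clt-inter-roam-reqs">Application Publishing and Client Interaction</a>`.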

           

          +

        -  + ## How to configure folder redirection for use with App-V @@ -126,23 +126,22 @@ The following table describes how folder redirection works when %AppData% is red
      • Entries to the AppData folder are made using the user context, not the system context.

      -Note   -

      The App-V client folder redirection sometimes fails to move files from %AppData% to %LocalAppData%. See [Release Notes for App-V 5.0 SP2](release-notes-for-app-v-50-sp2.md#bkmk-folderredirection).

      +Note

      The App-V client folder redirection sometimes fails to move files from %AppData% to %LocalAppData%. See Release Notes for App-V 5.0 SP2.

      -  +

      When the virtual environment shuts down

      The local cached data in AppData (roaming) is zipped up and copied to the “real” roaming AppData folder in %AppData%. A time stamp, which indicates the last known upload, is simultaneously saved as a registry key under:

      -

      HKCU\Software\Microsoft\AppV\Client\Packages\<PACKAGE_GUID>\AppDataTime

      +

      HKCU\Software\Microsoft\AppV\Client\Packages&lt;PACKAGE_GUID>\AppDataTime

      To provide redundancy, App-V 5.0 keeps the three most recent copies of the compressed data under %AppData%.

      -  + ## Overview of folder redirection @@ -168,25 +167,25 @@ The following table describes how folder redirection works when %AppData% is red
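Review bot: in the @@ -126,23 hunk of planning-to-use-folder-redirection-with-app-v.md the replacement registry path `HKCU\Software\Microsoft\AppV\Client\Packages&lt;PACKAGE_GUID>\AppDataTime` has lost the backslash between `Packages` and `<PACKAGE_GUID>`; the removed line had `Packages\<PACKAGE_GUID>\AppDataTime`, so the documented location of the AppDataTime time stamp is now wrong. If the `\<` sequence was rewritten because it was being read as a Markdown escape, the fix must still preserve the separator so the rendered text reads `Packages\<PACKAGE_GUID>\AppDataTime`; putting the whole path in a `<code>` element or code span avoids the escaping question. The same hunk also reduces "See [Release Notes for App-V 5.0 SP2](release-notes-for-app-v-50-sp2.md#bkmk-folderredirection)" to plain text, discarding the anchor to the specific known-issue entry about folder redirection failing to move files; keep that as an HTML anchor.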

      Usage example

      -

      You can redirect the Documents folder, which is usually stored on the computer's local hard disk, to a network location. The user can access the documents in the folder from any computer on the network.

      +

      You can redirect the Documents folder, which is usually stored on the computer's local hard disk, to a network location. The user can access the documents in the folder from any computer on the network.

      More resources

      -

      [Folder redirection overview](https://technet.microsoft.com/library/cc778976.aspx)

      +

      Folder redirection overview

      -  -  - -  + + + + diff --git a/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v51.md b/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v51.md index 5b13c714d6..b64d421000 100644 --- a/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v51.md +++ b/mdop/appv-v5/planning-to-use-folder-redirection-with-app-v51.md @@ -48,11 +48,11 @@ This topic contains the following sections:
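Review bot: in the @@ -168,25 hunk of planning-to-use-folder-redirection-with-app-v.md the "More resources" cell now contains only the text "Folder redirection overview", with the https://technet.microsoft.com/library/cc778976.aspx target removed; that row exists solely to point at the resource, so the link should be kept, as `<a href="https://technet.microsoft.com/library/cc778976.aspx">Folder redirection overview</a>` if Markdown links do not render in the cell. The other `-`/`+` pair in this hunk (the "You can redirect the Documents folder" cell) shows no visible text change, so it appears to be whitespace or non-breaking-space cleanup only.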
      • Files under %appdata%\Microsoft\AppV\Client\Catalog

      • Registry settings under HKEY_CURRENT_USER\Software\Microsoft\AppV\Client\Packages

        -

        For more detail, see [Application Publishing and Client Interaction](application-publishing-and-client-interaction.md#bkmk-clt-inter-roam-reqs).

      • +

        For more detail, see Application Publishing and Client Interaction.

    • Ensure that the following folders are available to each user who logs into the computer that is running the App-V 5.0 SP2 or later client:

        -
      • %AppData% is configured to the desired network location (with or without [Offline Files](https://technet.microsoft.com/library/cc780552.aspx) support).

      • +
      • %AppData% is configured to the desired network location (with or without Offline Files support).

      • %LocalAppData% is configured to the desired local folder.

    @@ -85,13 +85,13 @@ This topic contains the following sections: -
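Review bot: the @@ -48,11 hunk of planning-to-use-folder-redirection-with-app-v51.md drops the application-publishing-and-client-interaction.md#bkmk-clt-inter-roam-reqs anchor behind "For more detail, see Application Publishing and Client Interaction." and the https://technet.microsoft.com/library/cc780552.aspx target behind "Offline Files"; the section-level anchor in particular cannot be recovered from the bare title. Keep both as HTML anchors rather than removing them.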

     

    +

    -  + ## How to configure folder redirection for use with App-V @@ -126,23 +126,22 @@ The following table describes how folder redirection works when %AppData% is red
  • Entries to the AppData folder are made using the user context, not the system context.

  • -Note   -

    The App-V client folder redirection sometimes fails to move files from %AppData% to %LocalAppData%. See [Release Notes for App-V 5.0 SP2](release-notes-for-app-v-50-sp2.md#bkmk-folderredirection).

    +Note

    The App-V client folder redirection sometimes fails to move files from %AppData% to %LocalAppData%. See Release Notes for App-V 5.0 SP2.

    -  +

    When the virtual environment shuts down

    The local cached data in AppData (roaming) is zipped up and copied to the “real” roaming AppData folder in %AppData%. A time stamp, which indicates the last known upload, is simultaneously saved as a registry key under:

    -

    HKCU\Software\Microsoft\AppV\Client\Packages\<PACKAGE_GUID>\AppDataTime

    +

    HKCU\Software\Microsoft\AppV\Client\Packages&lt;PACKAGE_GUID>\AppDataTime

    To provide redundancy, App-V keeps the three most recent copies of the compressed data under %AppData%.

    -  + ## Overview of folder redirection @@ -168,25 +167,25 @@ The following table describes how folder redirection works when %AppData% is red
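Review bot: in the @@ -126,23 hunk of planning-to-use-folder-redirection-with-app-v51.md the new line `HKCU\Software\Microsoft\AppV\Client\Packages&lt;PACKAGE_GUID>\AppDataTime` omits the backslash that the removed line had between `Packages` and `<PACKAGE_GUID>`, so the registry path under which the AppDataTime value is documented is no longer correct. Whatever escaping is chosen for the angle brackets, the rendered path must read `Packages\<PACKAGE_GUID>\AppDataTime`; a `<code>` element or code span around the whole path needs no escaping at all. The same hunk also turns the link to release-notes-for-app-v-50-sp2.md#bkmk-folderredirection into plain text, losing the anchor to the specific folder-redirection known issue; keep it as an HTML anchor.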

    Usage example

    -

    You can redirect the Documents folder, which is usually stored on the computer's local hard disk, to a network location. The user can access the documents in the folder from any computer on the network.

    +

    You can redirect the Documents folder, which is usually stored on the computer's local hard disk, to a network location. The user can access the documents in the folder from any computer on the network.

    More resources

    -

    [Folder redirection overview](https://technet.microsoft.com/library/cc778976.aspx)

    +

    Folder redirection overview

    -  -  - -  + + + + diff --git a/mdop/appv-v5/release-notes-for-app-v-50-sp1.md b/mdop/appv-v5/release-notes-for-app-v-50-sp1.md index c19447b6b2..2437a3abaa 100644 --- a/mdop/appv-v5/release-notes-for-app-v-50-sp1.md +++ b/mdop/appv-v5/release-notes-for-app-v-50-sp1.md @@ -36,7 +36,7 @@ We are interested in your feedback on App-V 5.0. You can send your feedback to < **Note**   This email address is not a support channel, but your feedback will help us to plan for future changes in our documentation and product releases. -  + For the latest information about MDOP and additional learning resources, see the [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) page. @@ -64,9 +64,9 @@ Microsoft, Active Directory, ActiveX, Bing, Excel, Silverlight, SQL Server, Win [About App-V 5.0](about-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/release-notes-for-app-v-50-sp2.md b/mdop/appv-v5/release-notes-for-app-v-50-sp2.md index 147b264d62..5f24db040f 100644 --- a/mdop/appv-v5/release-notes-for-app-v-50-sp2.md +++ b/mdop/appv-v5/release-notes-for-app-v-50-sp2.md @@ -36,7 +36,7 @@ We are interested in your feedback on App-V 5.0. You can send your feedback to < **Note**   This email address is not a support channel, but your feedback will help us to plan for future changes in our documentation and product releases. -  + For the latest information about MDOP and additional learning resources, see the [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) page. @@ -58,7 +58,7 @@ If the following folder exists, then you must delete it: **Note**   You must have elevated privileges to delete this folder. -  + To use a script, for each user account on the computer and for each package id that was published after installing Hotfix Package 4 for Application Virtualization 5.0 SP2: 
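Review bot: the @@ -168,25 hunk of planning-to-use-folder-redirection-with-app-v51.md leaves the "More resources" cell as the bare text "Folder redirection overview" after removing its https://technet.microsoft.com/library/cc778976.aspx target; since the row's only purpose is that reference, keep it as an HTML anchor instead of deleting the link.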
@@ -160,9 +160,9 @@ Microsoft, Active Directory, ActiveX, Bing, Excel, Silverlight, SQL Server, Win [About App-V 5.0 SP2](about-app-v-50-sp2.md) -  + -  + diff --git a/mdop/appv-v5/release-notes-for-app-v-50.md b/mdop/appv-v5/release-notes-for-app-v-50.md index 8d2f1559c6..4e86811e9d 100644 --- a/mdop/appv-v5/release-notes-for-app-v-50.md +++ b/mdop/appv-v5/release-notes-for-app-v-50.md @@ -36,7 +36,7 @@ We are interested in your feedback on App-V 5.0. You can send your feedback to < **Note**   This email address is not a support channel, but your feedback will help us to plan for future changes in our documentation and product releases. -  + For the latest information about MDOP and additional learning resources, see the [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) page. @@ -76,9 +76,9 @@ Microsoft, Active Directory, ActiveX, Bing, Excel, Silverlight, SQL Server, Win [About App-V 5.0](about-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/release-notes-for-app-v-51.md b/mdop/appv-v5/release-notes-for-app-v-51.md index d0a0cddc95..f6c42f34ad 100644 --- a/mdop/appv-v5/release-notes-for-app-v-51.md +++ b/mdop/appv-v5/release-notes-for-app-v-51.md @@ -131,7 +131,7 @@ The Permissions.sql script should be updated according to **Step 2** in [KB arti **Important**   **Step 1** is not required for versions of App-V later than App-V 5.0 SP3. -  + ## Microsoft Visual Studio 2012 not supported @@ -179,7 +179,7 @@ Occassionally when mounting a package, a "File Not Found" (0x80070002) error is Default 5
    -**Note**: this value is the default if the registry key is not defined or a value <=5 is specified. +Note: this value is the default if the registry key is not defined or a value <=5 is specified. @@ -195,9 +195,9 @@ Occassionally when mounting a package, a "File Not Found" (0x80070002) error is [About App-V 5.1](about-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md b/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md index ec086782d8..8fb9c2b17a 100644 --- a/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md +++ b/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md @@ -67,7 +67,7 @@ There is no Group Policy setting available to manage this registry key, so you h -  + ### Steps to create the subkey @@ -112,7 +112,7 @@ There is no Group Policy setting available to manage this registry key, so you h -   + 2. Set the new registry subkey’s value to the PackageId and VersionId of the package, separating the values with an underscore. @@ -141,7 +141,7 @@ Use the following example syntax, and substitute the name of your package for ** `Start-AppvVirtualProcess -AppvClientObject $AppVName cmd.exe` -If you don’t know the exact name of your package, you can use the command line **Get-AppvClientPackage \*executable\***, where **executable** is the name of the application, for example: Get-AppvClientPackage \*Word\*. +If you don’t know the exact name of your package, you can use the command line **Get-AppvClientPackage \*executable\\**, where **executable* is the name of the application, for example: Get-AppvClientPackage \*Word\*. ## Command line switch /appvpid:<PID> 
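Review bot: the `+` line in the @@ -141,7 hunk of running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md breaks the Markdown emphasis. The removed line, `**Get-AppvClientPackage \*executable\***, where **executable** is`, was well formed: `\*` escapes each literal asterisk of the wildcard and the final `**` closes the bold run. The replacement `**Get-AppvClientPackage \*executable\\**` escapes the backslash instead, so the rendered command gains a stray backslash and loses the closing `*` of `*executable*`, and `**executable*` opens with two asterisks but closes with one, which will render as literal asterisks. Revert this line, or move the command into a code span (`` `Get-AppvClientPackage *executable*` ``) so that no escaping is needed, and give the trailing example `Get-AppvClientPackage \*Word\*` the same treatment.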
@@ -171,7 +171,7 @@ To get the package GUID and version GUID of your application, run the **Get-Appv - Version ID of the desired package -If you don’t know the exact name of your package, use the command line **Get-AppvClientPackage \*executable\***, where **executable** is the name of the application, for example: Get-AppvClientPackage \*Word\*. +If you don’t know the exact name of your package, use the command line **Get-AppvClientPackage \*executable\\**, where **executable* is the name of the application, for example: Get-AppvClientPackage \*Word\*. This method lets you launch any command within the context of an App-V package, regardless of whether the package is currently running. @@ -185,9 +185,9 @@ This method lets you launch any command within the context of an App-V package, [Technical Reference for App-V 5.0](technical-reference-for-app-v-50.md) -  + -  + diff --git a/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md b/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md index c875250171..147684b66e 100644 --- a/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md +++ b/mdop/appv-v5/running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md @@ -67,7 +67,7 @@ There is no Group Policy setting available to manage this registry key, so you h -  + ### Steps to create the subkey @@ -112,7 +112,7 @@ There is no Group Policy setting available to manage this registry key, so you h -   + 2. Set the new registry subkey’s value to the PackageId and VersionId of the package, separating the values with an underscore. 
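Review bot: the @@ -171,7 hunk of running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications.md makes the same change as the earlier hunk in this file and has the same defect: `**Get-AppvClientPackage \*executable\\**` turns a correctly escaped `\*executable\***` into an escaped backslash followed by the bold closer, dropping the second wildcard asterisk and adding a stray backslash, and `**executable*` is unbalanced. The removed line was correct; revert it or use a code span for the command.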
@@ -141,7 +141,7 @@ Use the following example syntax, and substitute the name of your package for ** `Start-AppvVirtualProcess -AppvClientObject $AppVName cmd.exe` -If you don’t know the exact name of your package, you can use the command line **Get-AppvClientPackage \*executable\***, where **executable** is the name of the application, for example: Get-AppvClientPackage \*Word\*. +If you don’t know the exact name of your package, you can use the command line **Get-AppvClientPackage \*executable\\**, where **executable* is the name of the application, for example: Get-AppvClientPackage \*Word\*. ## Command line switch /appvpid:<PID> @@ -171,7 +171,7 @@ To get the package GUID and version GUID of your application, run the **Get-Appv - Version ID of the desired package -If you don’t know the exact name of your package, use the command line **Get-AppvClientPackage \*executable\***, where **executable** is the name of the application, for example: Get-AppvClientPackage \*Word\*. +If you don’t know the exact name of your package, use the command line **Get-AppvClientPackage \*executable\\**, where **executable* is the name of the application, for example: Get-AppvClientPackage \*Word\*. This method lets you launch any command within the context of an App-V package, regardless of whether the package is currently running. @@ -185,9 +185,9 @@ This method lets you launch any command within the context of an App-V package, [Technical Reference for App-V 5.1](technical-reference-for-app-v-51.md) -  + -  + diff --git a/mdop/appv-v5/viewing-app-v-server-publishing-metadata.md b/mdop/appv-v5/viewing-app-v-server-publishing-metadata.md index 7797a01f6d..ab6061698c 100644 --- a/mdop/appv-v5/viewing-app-v-server-publishing-metadata.md +++ b/mdop/appv-v5/viewing-app-v-server-publishing-metadata.md @@ -58,7 +58,7 @@ In App-V 5.0 SP3, you must provide the following values in the address when you -  + ## Query syntax for viewing publishing metadata 
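Review bot: both the @@ -141,7 and @@ -171,7 hunks of running-a-locally-installed-application-inside-a-virtual-environment-with-virtualized-applications51.md replace the well-formed `**Get-AppvClientPackage \*executable\***, where **executable** is` with `**Get-AppvClientPackage \*executable\\**, where **executable* is`. In the new text `\\` is an escaped backslash, so the wildcard loses its closing asterisk and gains a literal backslash, and `**executable*` opens strong emphasis without closing it. Revert both lines or put the command in a code span (`` `Get-AppvClientPackage *executable*` ``), which also removes the need for the `\*Word\*` escapes in the example that follows.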
@@ -114,9 +114,9 @@ The following table provides the syntax and query examples. -

     

    +

    To get the name of the Publishing server and the port number (http://<PubServer>:<Publishing Port#>) from the App-V Client, look at the URL configuration of the Get-AppvPublishingServer PowerShell cmdlet.

    -

    http://pubsvr01:2718/?clientversion=5.0.10066.0&clientos=WindowsClient_6.2_x64

    +

    http://pubsvr01:2718/?clientversion=5.0.10066.0&clientos=WindowsClient_6.2_x64

    In the example:

    • A Windows Server 2012 R2 named “pubsvr01” hosts the Publishing service.

    • @@ -127,20 +127,19 @@ The following table provides the syntax and query examples.

      App-V 5.0 through App-V 5.0 SP2

      http://<PubServer>:<Publishing Port#>/

      -Note   -

      ClientVersion and ClientOS are supported only in App-V 5.0 SP3.

      +Note

      ClientVersion and ClientOS are supported only in App-V 5.0 SP3.

      -  +

      See the information for App-V 5.0 SP3.

      -

      http://pubsvr01:2718

      +

      http://pubsvr01:2718

      In the example, A Windows Server 2012 R2 named “pubsvr01” hosts the Management and Publishing services.

      -  + ## Query values for client operating system and version @@ -224,7 +223,7 @@ In your publishing metadata query, enter the string values that correspond to th -  + ## Definition of publishing metadata @@ -249,9 +248,9 @@ You can view the metadata for each request in an Internet browser by using a que [Technical Reference for App-V 5.0](technical-reference-for-app-v-50.md) -  - -  + + + diff --git a/mdop/appv-v5/viewing-app-v-server-publishing-metadata51.md b/mdop/appv-v5/viewing-app-v-server-publishing-metadata51.md index 84cb9bd16e..9d1b578f94 100644 --- a/mdop/appv-v5/viewing-app-v-server-publishing-metadata51.md +++ b/mdop/appv-v5/viewing-app-v-server-publishing-metadata51.md @@ -58,7 +58,7 @@ In App-V 5.1, you must provide the following values in the address when you quer -  + ## Query syntax for viewing publishing metadata @@ -114,9 +114,9 @@ The following table provides the syntax and query examples. -

       

      +

      To get the name of the Publishing server and the port number (http://<PubServer>:<Publishing Port#>) from the App-V Client, look at the URL configuration of the Get-AppvPublishingServer PowerShell cmdlet.

      -

      http://pubsvr01:2718/?clientversion=5.0.10066.0&clientos=WindowsClient_6.2_x64

      +

      http://pubsvr01:2718/?clientversion=5.0.10066.0&clientos=WindowsClient_6.2_x64

      In the example:

      • A Windows Server 2012 R2 named “pubsvr01” hosts the Publishing service.

      • @@ -127,20 +127,19 @@ The following table provides the syntax and query examples.

        App-V 5.0 through App-V 5.0 SP2

        http://<PubServer>:<Publishing Port#>/

        -Note   -

        ClientVersion and ClientOS are supported only in App-V 5.0 SP3 and App-V 5.1.

        +Note

        ClientVersion and ClientOS are supported only in App-V 5.0 SP3 and App-V 5.1.

        -  +

        See the information for App-V 5.0 SP3 and App-V 5.1.

        -

        http://pubsvr01:2718

        +

        http://pubsvr01:2718

        In the example, A Windows Server 2012 R2 named “pubsvr01” hosts the Management and Publishing services.

        -  + ## Query values for client operating system and version @@ -234,7 +233,7 @@ In your publishing metadata query, enter the string values that correspond to th -  + ## Definition of publishing metadata @@ -259,9 +258,9 @@ You can view the metadata for each request in an Internet browser by using a que [Technical Reference for App-V 5.1](technical-reference-for-app-v-51.md) -  - -  + + + diff --git a/mdop/appv-v5/whats-new-in-app-v-50.md b/mdop/appv-v5/whats-new-in-app-v-50.md index af2d250201..6f816996a0 100644 --- a/mdop/appv-v5/whats-new-in-app-v-50.md +++ b/mdop/appv-v5/whats-new-in-app-v-50.md @@ -110,13 +110,13 @@ The following table displays information about what has changed with the App-V 5

        If no stream optimization is performed, packages are stream faulted when they are requested by computers running the App-V 5.0 client until they can launch.

        -

        Q:\

        -

        App-V 5.0 uses the native file system and no longer requires a Q:\.

        +

        Q:</p> +

        App-V 5.0 uses the native file system and no longer requires a Q:.

        -  + ## Sequencing error detection @@ -164,9 +164,9 @@ There is no file or application cache available with App-V 5.0. [About App-V 5.0](about-app-v-50.md) -  + -  + diff --git a/mdop/dart-v10/about-dart-10.md b/mdop/dart-v10/about-dart-10.md index 9a3cc07ba4..ad6c4560a0 100644 --- a/mdop/dart-v10/about-dart-10.md +++ b/mdop/dart-v10/about-dart-10.md @@ -29,7 +29,7 @@ DaRT 10 includes the following enhancements and changes as described in this top **Note**   For earlier versions of the Windows operating systems, continue to use the earlier versions of DaRT. -   + - **Windows Defender** @@ -45,7 +45,7 @@ DaRT 10 includes the following enhancements and changes as described in this top **Note**   Windows ADK 10.0 is not required if you are installing only Remote Connection Viewer or Crash Analyzer. -   + - **Windows 10 Debugging Tools** @@ -88,9 +88,9 @@ DaRT 10 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is par [Release Notes for DaRT 10](release-notes-for-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/accessibility-for-dart-10.md b/mdop/dart-v10/accessibility-for-dart-10.md index 48f6a42b66..7414466c4f 100644 --- a/mdop/dart-v10/accessibility-for-dart-10.md +++ b/mdop/dart-v10/accessibility-for-dart-10.md @@ -33,7 +33,7 @@ Access keys let you quickly use a command by pressing a few keys. You can get to **Note**   To cancel the action that you are taking and hide the keyboard shortcuts, press ALT. -  + ## Documentation in alternative formats @@ -67,13 +67,13 @@ For information about the availability of Microsoft product documentation and bo
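Review bot: in the whats-new-in-app-v-50.md hunk at @@ -110,13 the drive-letter path loses its backslash: `Q:\` becomes `Q:</p>` and `no longer requires a Q:\.` becomes `no longer requires a Q:.`. The backslash is the drive root the table is describing (the old App-V virtual `Q:\` drive), so it should be kept, escaped as `Q:\\` if the renderer swallows a lone backslash. The stray `</p>` that replaces the backslash in the first cell looks like a mangled search-and-replace rather than intended markup and should be removed.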

        (609) 987-8116

        -

        [http://www.learningally.org/](https://go.microsoft.com/fwlink/?linkid=239)

        +

        http://www.learningally.org/

        Web addresses can change, so you might be unable to connect to the website or sites mentioned here.

        -  + ## Customer service for people with hearing impairments @@ -96,9 +96,9 @@ For more information about how accessible technology for computers helps to impr [Getting Started with DaRT 10](getting-started-with-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/creating-the-dart-10-recovery-image.md b/mdop/dart-v10/creating-the-dart-10-recovery-image.md index cb6c574a75..3f47366774 100644 --- a/mdop/dart-v10/creating-the-dart-10-recovery-image.md +++ b/mdop/dart-v10/creating-the-dart-10-recovery-image.md @@ -92,7 +92,7 @@ On the Drivers tab of the Advanced Options page, you can add additional device d **Important**   When you select drivers to include, be aware that wireless connectivity (such as Bluetooth or 802.11a/b/g/n) is not supported in DaRT. -  + **To add drivers to the recovery image** @@ -105,7 +105,7 @@ When you select drivers to include, be aware that wireless connectivity (such as **Note**   The driver file is provided by the manufacturer of the storage or network controller. -   + 4. Repeat Steps 2 and 3 for every driver that you want to include. @@ -144,7 +144,7 @@ The DaRT wizard checks for the tools in the `HKLM\Software\Microsoft\Windows Kit `%ProgramFilesX86%\Windows Kits\10.0\Debuggers\x86` -  + **To add the debugging tools for Crash Analyzer** @@ -182,7 +182,7 @@ If you select the Edit Image check box on this page, you can customize the recov **Note**   The size of the image will vary, depending on the tools that you select and the files that you add in the wizard. -   + 2. In the **Image name** box, enter a name for the DaRT recovery image, or accept the default name, which is DaRT10. 
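Review bot: in the accessibility-for-dart-10.md hunk at @@ -67,13 the link `[http://www.learningally.org/](https://go.microsoft.com/fwlink/?linkid=239)` is replaced by the bare text `http://www.learningally.org/`, which drops the hyperlink rather than fixing it. If the intent is to stop routing through the fwlink redirector, keep a link whose target is the displayed URL, for example `[http://www.learningally.org/](http://www.learningally.org/)`; if the fwlink is still wanted, leave the line unchanged.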
@@ -232,7 +232,7 @@ On the Create Bootable Media page, you can optionally copy the image file to a C **Note**   The Preboot execution environment (PXE) and local image deployment are not supported natively by this tool since they require additional enterprise tools, such as System Center Configuration Manager server and Microsoft Development Toolkit. -  + **To copy the recovery image to a CD, DVD, or USB** @@ -243,7 +243,7 @@ The Preboot execution environment (PXE) and local image deployment are not suppo **Note**   If a drive is not recognized and you install a new drive, you can click **Refresh** to force the wizard to update the list of available drives. -   + 3. Click the **Create Bootable Media** button. @@ -256,9 +256,9 @@ The Preboot execution environment (PXE) and local image deployment are not suppo [Deploying DaRT 10](deploying-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/dart-10-deployment-checklist.md b/mdop/dart-v10/dart-10-deployment-checklist.md index f912cdc8a7..3dfa45cfc5 100644 --- a/mdop/dart-v10/dart-10-deployment-checklist.md +++ b/mdop/dart-v10/dart-10-deployment-checklist.md @@ -22,7 +22,7 @@ This checklist can be used to help you during Microsoft Diagnostics and Recovery **Note**   This checklist outlines the recommended steps and a high-level list of items to consider when planning for product deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -41,31 +41,31 @@ This checklist outlines the recommended steps and a high-level list of items to - + - + - +
        Checklist box

        Decide on the best DaRT 10 deployment option for your requirements and deploy it.

        [Deploying DaRT 10 to Administrator Computers](deploying-dart-10-to-administrator-computers.md)

        Deploying DaRT 10 to Administrator Computers

        Checklist box

        Use the DaRT Recovery Image wizard to create the DaRT recovery image ISO.

        [Creating the DaRT 10 Recovery Image](creating-the-dart-10-recovery-image.md)

        Creating the DaRT 10 Recovery Image

        Checklist box

        Decide on the best DaRT 10 recovery image deployment option for your requirements and deploy it.

        [Deploying the DaRT Recovery Image](deploying-the-dart-recovery-image-dart-10.md)

        Deploying the DaRT Recovery Image

        -  + ## Related topics [Deploying DaRT 10](deploying-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/dart-10-planning-checklist.md b/mdop/dart-v10/dart-10-planning-checklist.md index d369e0236a..f7fc8ef40c 100644 --- a/mdop/dart-v10/dart-10-planning-checklist.md +++ b/mdop/dart-v10/dart-10-planning-checklist.md @@ -22,7 +22,7 @@ This checklist can be used to help you plan for preparing your computing environ **Note**   This checklist outlines the recommended steps and a high-level list of items to consider when planning for product deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -41,31 +41,31 @@ This checklist outlines the recommended steps and a high-level list of items to - + - + - +
        Checklist box

        Review the DaRT 10 Supported Configurations information to confirm that the computers you have selected for client or feature installation meet the minimum hardware and operating system requirements.

        [DaRT 10 Supported Configurations](dart-10-supported-configurations.md)

        DaRT 10 Supported Configurations

        Checklist box

        Understand the deployment prerequisites and decide which tools to include on the DaRT recovery image.

        [Planning to Create the DaRT 10 Recovery Image](planning-to-create-the-dart-10-recovery-image.md)

        Planning to Create the DaRT 10 Recovery Image

        Checklist box

        Determine which method, or methods, you will use to deploy the DaRT recovery image.

        [Planning How to Save and Deploy the DaRT 10 Recovery Image](planning-how-to-save-and-deploy-the-dart-10-recovery-image.md)

        Planning How to Save and Deploy the DaRT 10 Recovery Image

        -  + ## Related topics [Planning for DaRT 10](planning-for-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/dart-10-supported-configurations.md b/mdop/dart-v10/dart-10-supported-configurations.md index 10008cd844..e700bfa7fa 100644 --- a/mdop/dart-v10/dart-10-supported-configurations.md +++ b/mdop/dart-v10/dart-10-supported-configurations.md @@ -59,7 +59,7 @@ The following table lists the installation prerequisites for the administrator c -  + ### Help desk computer prerequisites @@ -88,7 +88,7 @@ The following table lists the installation prerequisites for the help desk compu -  + ### End-user computer prerequisites @@ -104,12 +104,12 @@ The following table lists the operating systems that are supported for the DaRT **Note**   Make sure that you allocate enough space for any additional tools that you want to install on the administrator computer. -  + **Note**   Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + @@ -150,7 +150,7 @@ Microsoft provides support for the current service pack and, in some cases, the
        -  + ### DaRT help desk computer system requirements @@ -239,7 +239,7 @@ The following table lists the operating systems that are supported for the DaRT -  + DaRT also has the following minimum hardware requirements for the end-user computer: @@ -290,16 +290,16 @@ The Diagnostics and Recovery Toolset window in DaRT 10 requires that the end-use -  + ## Related topics [Planning to Deploy DaRT 10](planning-to-deploy-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/deploying-the-dart-recovery-image-dart-10.md b/mdop/dart-v10/deploying-the-dart-recovery-image-dart-10.md index 3029ebafc0..6367ad326e 100644 --- a/mdop/dart-v10/deploying-the-dart-recovery-image-dart-10.md +++ b/mdop/dart-v10/deploying-the-dart-recovery-image-dart-10.md @@ -30,7 +30,7 @@ Extract the boot.wim file from the ISO image and deploy in the recovery partitio **Important**   The **DaRT Recovery Image Wizard** provides the option to burn the image to a CD, DVD or UFD, but the other methods of saving and deploying the recovery image require additional steps that involve tools that are not included in DaRT. Some guidance and links for these other methods are provided in this section. -  + ## Deploy the DaRT recovery image as part of a recovery partition @@ -51,9 +51,9 @@ You can host the recovery image on a central network boot server, such as Window [Deploying DaRT 10](deploying-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/getting-started-with-dart-10.md b/mdop/dart-v10/getting-started-with-dart-10.md index b92651f3b5..0fc0d27b12 100644 --- a/mdop/dart-v10/getting-started-with-dart-10.md +++ b/mdop/dart-v10/getting-started-with-dart-10.md 
@@ -23,7 +23,7 @@ Microsoft Diagnostics and Recovery Toolset (DaRT) 10 requires thorough planning >A downloadable version of this administrator’s guide is not available. However, you can click **Download PDF** at the bottom of the Table of Contents pane to get a PDF version of this guide. > >Additional information about this product can also be found on the [Diagnostics and Recovery Toolset documentation download page.](https://www.microsoft.com/download/details.aspx?id=27754) -  + ## Getting started with DaRT 10 @@ -58,9 +58,9 @@ DaRT 10 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is par [Troubleshooting DaRT 10](troubleshooting-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/how-to-deploy-dart-10.md b/mdop/dart-v10/how-to-deploy-dart-10.md index 9446ca8dc0..805de4c46d 100644 --- a/mdop/dart-v10/how-to-deploy-dart-10.md +++ b/mdop/dart-v10/how-to-deploy-dart-10.md @@ -22,7 +22,7 @@ The following instructions explain how to deploy Microsoft Diagnostics and Recov **Important**   Before you install DaRT, see [DaRT 10 Supported Configurations](dart-10-supported-configurations.md) to ensure that you have installed all of the prerequisite software and that the computer meets the minimum system requirements. The computer onto which you install DaRT must be running Windows 10. -  + You can install DaRT using one of two different configurations: @@ -86,7 +86,7 @@ msiexec.exe /i MSDaRT.msi /l*v log.txt **Note**   You can add /qn or /qb to perform a silent installation. -  + **To validate the DaRT installation** @@ -101,9 +101,9 @@ You can add /qn or /qb to perform a silent installation. [Deploying DaRT 10 to Administrator Computers](deploying-dart-10-to-administrator-computers.md) -  + -  + diff --git a/mdop/dart-v10/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-10.md b/mdop/dart-v10/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-10.md index bb7e4a368d..16d8853966 100644 
--- a/mdop/dart-v10/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-10.md +++ b/mdop/dart-v10/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-10.md @@ -30,7 +30,7 @@ After you have finished running the Microsoft Diagnostics and Recovery Toolset ( **Note**   If you burned a CD or DVD of the recovery image, you can open the files on the CD or DVD and copy the boot.wim file from the \\sources folder. This lets you skip the need to mount the image. -   + 2. Deploy the boot.wim file to a WDS server that can be accessed from end-user computers in your enterprise. @@ -47,9 +47,9 @@ For more information about how to deploy DaRT as a remote partition, see [Walkth [Planning for DaRT 10](planning-for-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-10.md b/mdop/dart-v10/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-10.md index 4acad5c3eb..4fa7467fc0 100644 --- a/mdop/dart-v10/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-10.md +++ b/mdop/dart-v10/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-10.md @@ -34,7 +34,7 @@ After you have finished running the Microsoft Diagnostics and Recovery Toolset ( **Note**   If you burned a CD, DVD, or USB of the recovery image, you can open the files on the removable media and copy the boot.wim file from the \\sources folder. If you copy boot.wim file, you don’t need to mount the image. -   + 3. Use the boot.wim file to create a bootable recovery partition by using your company’s standard method for creating a custom Windows RE image. @@ -53,9 +53,9 @@ After you have finished running the Microsoft Diagnostics and Recovery Toolset ( [Planning for DaRT 10](planning-for-dart-10.md) -  + -  + 
diff --git a/mdop/dart-v10/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-10.md b/mdop/dart-v10/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-10.md index f3371f7130..688b37b172 100644 --- a/mdop/dart-v10/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-10.md +++ b/mdop/dart-v10/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-10.md 
@@ -39,18 +39,20 @@ Use these instructions to recover a computer when you are physically present at 6. Select the installation that you want to repair or diagnose, and then click **Next**. - **Note**   + **Note** If the Windows Recovery Environment (WinRE) detects or suspects that Windows 10 did not start correctly the last time that it was tried, **Startup Repair** might start to run automatically. -   - If any of the registry hives are corrupted or missing, Registry Editor and several other DaRT utilities will have limited functionality. If no operating system is selected, some tools will not be available. - The **System Recovery Options** window appears and lists various recovery tools. +~~~ +If any of the registry hives are corrupted or missing, Registry Editor and several other DaRT utilities will have limited functionality. If no operating system is selected, some tools will not be available. -7. On the **System Recovery Options** window, click **Microsoft Diagnostics and Recovery Toolset**. +The **System Recovery Options** window appears and lists various recovery tools. +~~~ - The **Diagnostics and Recovery Toolset** window opens. You can now run any of the individual tools or wizards that were included when the DaRT recovery image was created. +7. On the **System Recovery Options** window, click **Microsoft Diagnostics and Recovery Toolset**. + + The **Diagnostics and Recovery Toolset** window opens. You can now run any of the individual tools or wizards that were included when the DaRT recovery image was created. You can click **Help** on the **Diagnostics and Recovery Toolset** window to open the client Help file that provides detailed instruction and information needed to run the individual DaRT tools. You can also click the **Solution Wizard** on the **Diagnostics and Recovery Toolset** window to choose the best tool for the situation, based on a brief interview that the wizard provides. 
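Review bot: in the how-to-recover-local-computers hunk at @@ -39,18 the two paragraphs after the step 6 Note (`If any of the registry hives are corrupted or missing...` and `The **System Recovery Options** window appears...`) are wrapped in `~~~`, which opens a fenced code block in Markdown. They will render as literal monospace text, the `**...**` bold will show as asterisks, and because the lines are dedented to column 0 they also fall out of the numbered list, so step 7 restarts numbering. Keep them as indented paragraphs under step 6, with the same three-space indent the Note line uses, and drop the `~~~` fences.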
@@ -58,41 +60,40 @@ For general information about any of the DaRT tools, see [Overview of the Tools **How to run DaRT at the command prompt** -- To run DaRT at the command prompt, specify the **netstart.exe** command then use any of the following parameters: +- To run DaRT at the command prompt, specify the **netstart.exe** command then use any of the following parameters: + + + + + + + + + + + + + + + + + + + + + + + + +

        Parameter

        Description

        -network

        Initializes the network services.

        -remount

        Remaps the drive letters.

        -prompt

        Displays messages that ask the end user to specify whether to initialize the network and remap the drives.

        +
        + Warning

        The end user’s response to the prompt overrides the –network and –remount switches.

        +
        +
        + +
        - - - - - - - - - - - - - - - - - - - - - - - -

        Parameter

        Description

        -network

        Initializes the network services.

        -remount

        Remaps the drive letters.

        -prompt

        Displays messages that ask the end user to specify whether to initialize the network and remap the drives.

        -
        - Warning   -

        The end user’s response to the prompt overrides the –network and –remount switches.

        -
        -
        -   -
        -   ## Related topics @@ -101,9 +102,9 @@ For general information about any of the DaRT tools, see [Overview of the Tools [Recovering Computers Using DaRT 10](recovering-computers-using-dart-10.md) -  - -  + + + diff --git a/mdop/dart-v10/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-10.md b/mdop/dart-v10/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-10.md index 189504fa13..1b7f39a897 100644 --- a/mdop/dart-v10/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-10.md +++ b/mdop/dart-v10/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-10.md 
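Review bot: in the how-to-recover-local-computers hunk at @@ -58,41 the re-added Warning cell reads `overrides the –network and –remount switches` with en dashes, while the Parameter column of the same table lists the switches as `-network` and `-remount`; since readers copy these switches to a command line, change the dashes to plain hyphens while this line is being touched. The rest of the hunk only rebuilds the table rows and the Warning admonition without changing their content, so nothing else needs to change there.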
@@ -35,113 +35,116 @@ If you disabled the DaRT tools when you created the recovery image, you still ha Whichever method that you use to boot into DaRT, you must enable the boot device in the BIOS for the boot option or options that you want to make available to the end user. - **Note**   + **Note** Configuring the BIOS is unique, depending on the kind of hard disk drive, network adapters, and other hardware that is used in your organization. -   - As the computer is booting into the DaRT recovery image, the **NetStart** dialog box appears. -2. When you are asked whether you want to initialize network services, select one of the following: +~~~ +As the computer is booting into the DaRT recovery image, the **NetStart** dialog box appears. +~~~ - **Yes** - it is assumed that a DHCP server is present on the network, and an attempt is made to obtain an IP address from the server. If the network uses static IP addresses instead of DHCP, you can later use the **TCP/IP Configuration** tool in DaRT to specify a static IP address. +2. When you are asked whether you want to initialize network services, select one of the following: - **No** - skip the network initialization process. + **Yes** - it is assumed that a DHCP server is present on the network, and an attempt is made to obtain an IP address from the server. If the network uses static IP addresses instead of DHCP, you can later use the **TCP/IP Configuration** tool in DaRT to specify a static IP address. -3. Indicate whether you want to remap the drive letters. When you run Windows online, the system volume is typically mapped to drive C. However, when you run Windows offline under WinRE, the original system volume might be mapped to another drive, and this can cause confusion. If you decide to remap, DaRT tries to map the offline drive letters to match the online drive letters. Remapping is performed only if an offline operating system is selected later in the startup process. 
+ **No** - skip the network initialization process. -4. On the **System Recovery Options** dialog box, select a keyboard layout. +3. Indicate whether you want to remap the drive letters. When you run Windows online, the system volume is typically mapped to drive C. However, when you run Windows offline under WinRE, the original system volume might be mapped to another drive, and this can cause confusion. If you decide to remap, DaRT tries to map the offline drive letters to match the online drive letters. Remapping is performed only if an offline operating system is selected later in the startup process. -5. Check the displayed system root directory, the kind of operating system installed, and the partition size. If you do not see your operating system listed, and suspect that the lack of drivers is a possible cause of the failure, click **Load Drivers** to load the suspect drivers, and then insert the installation media for the device and select the driver. +4. On the **System Recovery Options** dialog box, select a keyboard layout. -6. Select the installation that you want to repair or diagnose, and then click **Next**. +5. Check the displayed system root directory, the kind of operating system installed, and the partition size. If you do not see your operating system listed, and suspect that the lack of drivers is a possible cause of the failure, click **Load Drivers** to load the suspect drivers, and then insert the installation media for the device and select the driver. - **Note**   - If the Windows Recovery Environment (WinRE) detects or suspects that Windows 10 did not start correctly the last time that it was tried, **Startup Repair** might start to run automatically. For information about how to resolve this issue, see [Troubleshooting DaRT 10](troubleshooting-dart-10.md). +6. Select the installation that you want to repair or diagnose, and then click **Next**. 
-   + **Note** + If the Windows Recovery Environment (WinRE) detects or suspects that Windows 10 did not start correctly the last time that it was tried, **Startup Repair** might start to run automatically. For information about how to resolve this issue, see [Troubleshooting DaRT 10](troubleshooting-dart-10.md). - If any of the registry hives are corrupted or missing, Registry Editor and several other DaRT utilities will have limited functionality. If no operating system is selected, some tools will not be available. - The **System Recovery Options** window appears and lists various recovery tools. -7. On the **System Recovery Options** window, click **Microsoft Diagnostics and Recovery Toolset** to open the **Diagnostics and Recovery Toolset**. +~~~ +If any of the registry hives are corrupted or missing, Registry Editor and several other DaRT utilities will have limited functionality. If no operating system is selected, some tools will not be available. -8. On the **Diagnostics and Recovery Toolset** window, click **Remote Connection** to open the **DaRT Remote Connection** window. If you are prompted to give the help desk remote access, click **OK**. +The **System Recovery Options** window appears and lists various recovery tools. +~~~ - The DaRT Remote Connection window opens and displays a ticket number, IP address, and port information. +7. On the **System Recovery Options** window, click **Microsoft Diagnostics and Recovery Toolset** to open the **Diagnostics and Recovery Toolset**. -9. On the help desk computer, open the **DaRT Remote Connection Viewer**. +8. On the **Diagnostics and Recovery Toolset** window, click **Remote Connection** to open the **DaRT Remote Connection** window. If you are prompted to give the help desk remote access, click **OK**. + + The DaRT Remote Connection window opens and displays a ticket number, IP address, and port information. + +9. On the help desk computer, open the **DaRT Remote Connection Viewer**. 10. 
Click **Start**, click **All Programs**, click **Microsoft DaRT 10**, and then click **DaRT Remote Connection Viewer**. 11. In the **DaRT Remote Connection** window, enter the required ticket, IP address, and port information. - **Note**   - This information is created on the end-user computer and must be provided by the end user. There might be multiple IP addresses to choose from, depending on how many are available on the end-user computer. + **Note** + This information is created on the end-user computer and must be provided by the end user. There might be multiple IP addresses to choose from, depending on how many are available on the end-user computer. + -   12. Click **Connect**. The IT administrator now assumes control of the end-user computer and can run the DaRT tools remotely. -**Note**   +**Note** A file is provided that is named inv32.xml and contains remote connection information, such as the port number and IP address. By default, the file is typically located at %windir%\\system32. -  + **To customize the Remote Connection process** -1. You can customize the Remote Connection process by editing the winpeshl.ini file. For more information about how to edit the winpeshl.ini file, see [Winpeshl.ini Files](https://go.microsoft.com/fwlink/?LinkId=219413). +1. You can customize the Remote Connection process by editing the winpeshl.ini file. For more information about how to edit the winpeshl.ini file, see [Winpeshl.ini Files](https://go.microsoft.com/fwlink/?LinkId=219413). - Specify the following commands and parameters to customize how a remote connection is established with an end-user computer: + Specify the following commands and parameters to customize how a remote connection is established with an end-user computer: - - - - - - - - - - - - - - - - - - - - - - - - - -
        CommandParameterDescription

        RemoteRecovery.exe

        -nomessage

        Specifies that the confirmation prompt is not displayed. Remote Connection continues just as if the end user had responded "Yes" to the confirmation prompt.

        WaitForConnection.exe

        none

        Prevents a custom script from continuing until either Remote Connection is not running or a valid connection is established with the end-user computer.

        -
        - Important   -

        This command serves no function if it is specified independently. It must be specified in a script to function correctly.

        -
        -
        -   -
        + + + + + + + + + + + + + + + + + + + + + + + + + +
        CommandParameterDescription

        RemoteRecovery.exe

        -nomessage

        Specifies that the confirmation prompt is not displayed. Remote Connection continues just as if the end user had responded "Yes" to the confirmation prompt.

        WaitForConnection.exe

        none

        Prevents a custom script from continuing until either Remote Connection is not running or a valid connection is established with the end-user computer.

        +
        + Important

        This command serves no function if it is specified independently. It must be specified in a script to function correctly.

        +
        +
        -   +
        -2. The following is an example of a winpeshl.ini file that is customized to open the **Remote Connection** tool as soon as an attempt is made to boot into DaRT: - ``` syntax - [LaunchApps] - "%windir%\system32\netstart.exe -network -remount" - "cmd /C start %windir%\system32\RemoteRecovery.exe -nomessage" - "%windir%\system32\WaitForConnection.exe" - "%SYSTEMDRIVE%\sources\recovery\recenv.exe" - ``` + +2. The following is an example of a winpeshl.ini file that is customized to open the **Remote Connection** tool as soon as an attempt is made to boot into DaRT: + + ``` syntax + [LaunchApps] + "%windir%\system32\netstart.exe -network -remount" + "cmd /C start %windir%\system32\RemoteRecovery.exe -nomessage" + "%windir%\system32\WaitForConnection.exe" + "%SYSTEMDRIVE%\sources\recovery\recenv.exe" + ``` When DaRT starts, it creates the file inv32.xml in \\Windows\\System32\\ on the RAM disk. This file contains connection information: IP address, port, and ticket number. You can copy this file to a network share to trigger a Help desk workflow. For example, a custom program can check the network share for connection files, and then create a support ticket or send email notifications. 
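Review bot: in the how-to-recover-remote-computers hunk at @@ -35,113 the same `~~~` fencing problem appears twice: `As the computer is booting into the DaRT recovery image, the **NetStart** dialog box appears.` after the BIOS Note in step 1, and the two paragraphs after the step 6 Note, are turned into fenced code blocks, so they render as monospace with literal asterisks and the surrounding numbered list is split. Keep them as indented paragraphs under their steps and remove the fences. Two smaller points on the winpeshl.ini part of the hunk: the code fence is tagged ` ``` syntax `, which is not a language name any highlighter recognises; `ini` fits the file. And since the `-nomessage` row is being rewritten, it is worth adding one sentence saying that this switch suppresses the prompt in which the end user grants the help desk remote access (step 8), and that the inv32.xml file the trailing text describes, containing the IP address, port and ticket number, should be copied only to a share restricted to help-desk staff when it is used to trigger a workflow.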
@@ -176,14 +179,16 @@ When DaRT starts, it creates the file inv32.xml in \\Windows\\System32\\ on the -   - **Note**   - The variables for these parameters are created on the end-user computer and must be provided by the end user. -   +~~~ +**Note** +The variables for these parameters are created on the end-user computer and must be provided by the end user. +~~~ -2. If all three parameters are specified and the data is valid, a connection is immediately tried when the program starts. If any parameter is not valid, the program starts as if there were no parameters specified. + + +2. If all three parameters are specified and the data is valid, a connection is immediately tried when the program starts. If any parameter is not valid, the program starts as if there were no parameters specified. ## Related topics @@ -192,9 +197,9 @@ When DaRT starts, it creates the file inv32.xml in \\Windows\\System32\\ on the [Recovering Computers Using DaRT 10](recovering-computers-using-dart-10.md) -  - -  + + + diff --git a/mdop/dart-v10/overview-of-the-tools-in-dart-10.md b/mdop/dart-v10/overview-of-the-tools-in-dart-10.md index c18b6cc820..61ca954cfa 100644 --- a/mdop/dart-v10/overview-of-the-tools-in-dart-10.md +++ b/mdop/dart-v10/overview-of-the-tools-in-dart-10.md @@ -33,7 +33,7 @@ A description of the DaRT 10 tools follows. **Note**   The recovery of dynamic disks with DaRT is not supported. -  + ### Crash Analyzer @@ -60,12 +60,12 @@ For more information about **Crash Analyzer**, see [Diagnosing System Failures w **Warning**   We recommend that you back up a disk before you use **Disk Commander** to repair it. By using **Disk Commander**, you can potentially damage volumes and make them inaccessible. Additionally, changes to one volume can affect other volumes because volumes on a disk share a partition table. -  + **Note**   The recovery of dynamic disks with DaRT is not supported. -  + ### Disk Wipe 
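Review bot: wrapping the note in `~~~` fences (the `+~~~`, `+**Note**`, `+The variables for these parameters ...`, `+~~~` lines in the `@@ -176,14 +179,16 @@` hunk of how-to-recover-remote-computers-using-the-dart-recovery-image-dart-10.md) turns it into a fenced code block, so `**Note**` renders as literal asterisks and the text is pulled out of list item 1 to column 0, which can make the following `2. If all three parameters ...` render as a fresh list starting at 1. Suggest keeping the note as indented prose under the list item, the way this same patch handles other notes with `+ **Note**` followed by the indented sentence, and dropping the two `~~~` lines.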
@@ -74,7 +74,7 @@ You can use **Disk Wipe** to delete all data from a disk or volume, even the dat **Warning**   After wiping a disk or volume, you cannot recover the data. Verify the size and label of a volume before erasing it. -  + ### Explorer @@ -87,7 +87,7 @@ The **Explorer** tool lets you browse the computer’s file system and network s **Note**   The recovery of dynamic disks with DaRT is not supported. -  + ### File Search @@ -104,7 +104,7 @@ We recommend that you uninstall only one hotfix at a time, even though the tool **Important**   Programs that were installed or updated after a hotfix was installed might not work correctly after you uninstall a hotfix. -  + ### Locksmith @@ -119,7 +119,7 @@ You can use **Registry Editor** to access and change the registry of the Windows **Warning**   Serious problems can occur if you change the registry incorrectly by using **Registry Editor**. These problems might require you to reinstall the operating system. Before you make changes to the registry, you should back up any valued data on the computer. Change the registry at your own risk. -  + ### SFC Scan @@ -138,9 +138,9 @@ When you boot a problem computer into DaRT, it is set to automatically obtain it [Getting Started with DaRT 10](getting-started-with-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/planning-how-to-save-and-deploy-the-dart-10-recovery-image.md b/mdop/dart-v10/planning-how-to-save-and-deploy-the-dart-10-recovery-image.md index b098731bec..0b4856b406 100644 --- a/mdop/dart-v10/planning-how-to-save-and-deploy-the-dart-10-recovery-image.md +++ b/mdop/dart-v10/planning-how-to-save-and-deploy-the-dart-10-recovery-image.md 
@@ -24,7 +24,7 @@ If your organization uses Active Directory Domain Services (AD DS), you may want **Note**   You may want to use more than one method in your organization. For example, you can boot into DaRT from a remote partition for most situations and have a USB flash drive available in case the end-user computer cannot connect to the network. -  + The following table shows some advantages and disadvantages of each method of using DaRT in your organization. @@ -80,16 +80,16 @@ The following table shows some advantages and disadvantages of each method of us -  + ## Related topics [Planning to Deploy DaRT 10](planning-to-deploy-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/planning-to-create-the-dart-10-recovery-image.md b/mdop/dart-v10/planning-to-create-the-dart-10-recovery-image.md index f265d99f72..25cd1696fb 100644 --- a/mdop/dart-v10/planning-to-create-the-dart-10-recovery-image.md +++ b/mdop/dart-v10/planning-to-create-the-dart-10-recovery-image.md @@ -49,25 +49,25 @@ The following items are required or recommended for creating the DaRT recovery i

        Windows Debugging Tools for your platform

        -

        Required when you run the Crash Analyzer to determine the cause of a computer failure. We recommend that you specify the path of the Windows Debugging Tools at the time that you create the DaRT recovery image. You can download the Windows Debugging Tools here: [Download and Install Debugging Tools for Windows](https://go.microsoft.com/fwlink/?LinkId=99934).

        +

        Required when you run the Crash Analyzer to determine the cause of a computer failure. We recommend that you specify the path of the Windows Debugging Tools at the time that you create the DaRT recovery image. You can download the Windows Debugging Tools here: Download and Install Debugging Tools for Windows.

        Optional: Windows symbols files for use with Crash Analyzer

        -

        Typically, debugging information is stored in a symbol file that is separate from the program. You must have access to the symbol information when you debug an application that has stopped responding, for example, if it stopped working. For more information, see [Diagnosing System Failures with Crash Analyzer](diagnosing-system-failures-with-crash-analyzer-dart-10.md).

        +

        Typically, debugging information is stored in a symbol file that is separate from the program. You must have access to the symbol information when you debug an application that has stopped responding, for example, if it stopped working. For more information, see Diagnosing System Failures with Crash Analyzer.

        -  + ## Related topics [Planning to Deploy DaRT 10](planning-to-deploy-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/recovering-computers-using-dart-10.md b/mdop/dart-v10/recovering-computers-using-dart-10.md index 7b5575997d..1d901afe01 100644 --- a/mdop/dart-v10/recovering-computers-using-dart-10.md +++ b/mdop/dart-v10/recovering-computers-using-dart-10.md @@ -34,7 +34,7 @@ Whichever method that you use to boot into DaRT, you must enable the boot device **Note**   Configuring the BIOS is unique, depending on the kind of hard disk drive, network adapters, and other hardware that is used in your organization. -  + ## Recover a local computer by using the DaRT recovery image @@ -51,7 +51,7 @@ The Remote Connection feature in DaRT lets an IT administrator run the DaRT tool **Important**   The two computers establishing a remote connection must be part of the same network. -  + The **Diagnostics and Recovery Toolset** window includes the option to run DaRT on an end-user computer remotely from an administrator computer. The end user opens the DaRT tools on the problem computer and starts the remote session by clicking **Remote Connection**. @@ -66,9 +66,9 @@ The IT administrator or help desk worker enters this information into the **DaRT [Operations for DaRT 10](operations-for-dart-10.md) -  + -  + diff --git a/mdop/dart-v10/security-considerations-for-dart-10.md b/mdop/dart-v10/security-considerations-for-dart-10.md index 2ec7d8182c..fc0621ba83 100644 --- a/mdop/dart-v10/security-considerations-for-dart-10.md +++ b/mdop/dart-v10/security-considerations-for-dart-10.md 
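Review bot: the table cells in the `@@ -49,25 +49,25 @@` hunk of planning-to-create-the-dart-10-recovery-image.md lose their link targets: `[Download and Install Debugging Tools for Windows](https://go.microsoft.com/fwlink/?LinkId=99934)` becomes plain `Download and Install Debugging Tools for Windows.` and `[Diagnosing System Failures with Crash Analyzer](diagnosing-system-failures-with-crash-analyzer-dart-10.md)` becomes plain text as well. If the intent is to replace the markdown link with an HTML anchor inside the table cell, the target should be visible on the `+` line; as shown, only the link text survives, so the reader can no longer reach the debugger download or the Crash Analyzer topic from this table.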
@@ -38,7 +38,7 @@ You can even configure the DaRT image so that the option to start a remote conne **Important**   After the remote connection is established, all the tools that you included in the recovery image, including those unavailable to the end user, will become available to any help desk worker who is working on the end–user computer. -  + For more information about including tools in the DaRT recovery image, see [Overview of the Tools in DaRT 10](overview-of-the-tools-in-dart-10.md). @@ -50,7 +50,7 @@ If you deploy the DaRT recovery image by saving it to a USB flash drive or by cr **Note**   DaRT 10 supports BitLocker natively. -  + To include drive encryption, add the encryption solution files when you create the recovery image. Your encryption solution must be able to run on WinPE. End users who boot from the ISO are then able to access that encryption solution and unblock the drive. @@ -64,9 +64,9 @@ By default, the communication between two computers that have established a **Re [Security and Privacy for DaRT 10](security-and-privacy-for-dart-10.md) -  + -  + diff --git a/mdop/dart-v7/accessibility-for-dart-70.md b/mdop/dart-v7/accessibility-for-dart-70.md index 6f6fcecb10..5335e76631 100644 --- a/mdop/dart-v7/accessibility-for-dart-70.md +++ b/mdop/dart-v7/accessibility-for-dart-70.md @@ -33,7 +33,7 @@ Access keys let you quickly use a command by pressing a few keys. You can get to **Note**   To cancel the action that you are taking and hide the keyboard shortcuts, press ALT. -  + ## Documentation in Alternative Formats @@ -67,13 +67,13 @@ For information about the availability of Microsoft product documentation and bo

        (609) 987-8116

        -

        [http://www.learningally.org/](https://go.microsoft.com/fwlink/?linkid=239)

        +

        http://www.learningally.org/

        Web addresses can change, so you might be unable to connect to the website or sites mentioned here.

        -  + ## Customer Service for People with Hearing Impairments @@ -96,9 +96,9 @@ For more information about how accessible technology for computers helps to impr [Getting Started with DaRT 7.0](getting-started-with-dart-70-new-ia.md) -  + -  + diff --git a/mdop/dart-v7/creating-the-dart-70-recovery-image-dart-7.md b/mdop/dart-v7/creating-the-dart-70-recovery-image-dart-7.md index 2c10bd289c..0bb0012fb5 100644 --- a/mdop/dart-v7/creating-the-dart-70-recovery-image-dart-7.md +++ b/mdop/dart-v7/creating-the-dart-70-recovery-image-dart-7.md @@ -29,7 +29,7 @@ You can write the ISO to a recordable CD or DVD, save it to a USB flash drive, o **Note**   If your computer includes a CD-RW drive, the wizard offers to burn the ISO image to a blank CD or DVD. If your computer does not include a drive that is supported by the wizard, you can burn the ISO image onto a CD or DVD by using most programs that can burn a CD or DVD. -  + To create a bootable CD or DVD from the ISO image, you must have: @@ -42,7 +42,7 @@ To create a bootable CD or DVD from the ISO image, you must have: **Important**   Test the CD or DVD that you create on all the different kinds of computers that you intend to support because some computers cannot start from all kinds of recordable media. -   + To save the ISO image to a USB flash drive (UFD), you must have: @@ -64,9 +64,9 @@ You can create a DaRT recovery image that can only be used for a certain number - [Deploying DaRT 7.0](deploying-dart-70-new-ia.md) -  + -  + diff --git a/mdop/dart-v7/dart-70-deployment-checklist-dart-7.md b/mdop/dart-v7/dart-70-deployment-checklist-dart-7.md index 47cc4769b7..2a1c1e2596 100644 --- a/mdop/dart-v7/dart-70-deployment-checklist-dart-7.md +++ b/mdop/dart-v7/dart-70-deployment-checklist-dart-7.md 
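Review bot: the same loss of a link target appears in the accessibility-for-dart-70.md hunk at `@@ -67,13 +67,13 @@`: `[http://www.learningally.org/](https://go.microsoft.com/fwlink/?linkid=239)` becomes the bare text `http://www.learningally.org/`, so the fwlink redirect (`linkid=239`) is dropped and the cell is no longer clickable unless an anchor carries it. Keep the target on the `+` line.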
@@ -22,7 +22,7 @@ This checklist can be used to help you during Microsoft Diagnostics and Recovery **Note**   This checklist outlines the recommended steps and a high-level list of items to consider when planning for product deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -41,31 +41,31 @@ This checklist outlines the recommended steps and a high-level list of items to - + - + - +
        Checklist box

        Decide on the best DaRT 7 deployment option for your requirements and deploy it.

        [Deploying DaRT 7.0 to Administrator Computers](deploying-dart-70-to-administrator-computers-dart-7.md)

        Deploying DaRT 7.0 to Administrator Computers

        Checklist box

        Use the DaRT Recovery Image Wizard to create the DaRT recovery image ISO.

        [Creating the DaRT 7.0 Recovery Image](creating-the-dart-70-recovery-image-dart-7.md)

        Creating the DaRT 7.0 Recovery Image

        Checklist box

        Decide on the best DaRT 7 recovery image deployment option for your requirements and deploy it.

        [Deploying the DaRT 7.0 Recovery Image](deploying-the-dart-70-recovery-image-dart-7.md)

        Deploying the DaRT 7.0 Recovery Image

        -  + ## Related topics [Deploying DaRT 7.0](deploying-dart-70-new-ia.md) -  + -  + diff --git a/mdop/dart-v7/dart-70-planning-checklist-dart-7.md b/mdop/dart-v7/dart-70-planning-checklist-dart-7.md index 099a1f0336..7612462738 100644 --- a/mdop/dart-v7/dart-70-planning-checklist-dart-7.md +++ b/mdop/dart-v7/dart-70-planning-checklist-dart-7.md @@ -22,7 +22,7 @@ This checklist can be used to help you plan for preparing your computing environ **Note**   This checklist outlines the recommended steps and a high-level list of items to consider when planning for product deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -41,31 +41,31 @@ This checklist outlines the recommended steps and a high-level list of items to - + - + - +
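Review bot: in the dart-70-deployment-checklist-dart-7.md table hunk (`@@ -41,31 +41,31 @@`) each checklist row's link, for example `[Deploying DaRT 7.0 to Administrator Computers](deploying-dart-70-to-administrator-computers-dart-7.md)`, is replaced by its bare title `Deploying DaRT 7.0 to Administrator Computers`; all three rows lose their relative targets this way. Confirm the replacement rows carry the target as an anchor, otherwise the checklist no longer navigates to its topics.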
        Checklist box

        Review the DaRT 7 Supported Configurations information to confirm that the computers you have selected for client or feature installation meet the minimum hardware and operating system requirements.

        [DaRT 7.0 Supported Configurations](dart-70-supported-configurations-dart-7.md)

        DaRT 7.0 Supported Configurations

        Checklist box

        Understand the deployment prerequisites and decide which tools to include on the DaRT recovery image.

        [Planning to Create the DaRT 7.0 Recovery Image](planning-to-create-the-dart-70-recovery-image.md)

        Planning to Create the DaRT 7.0 Recovery Image

        Checklist box

        Determine which method, or methods, you will use to deploy the DaRT recovery image.

        [Planning How to Save and Deploy the DaRT 7.0 Recovery Image](planning-how-to-save-and-deploy-the-dart-70-recovery-image.md)

        Planning How to Save and Deploy the DaRT 7.0 Recovery Image

        -  + ## Related topics [Planning for DaRT 7.0](planning-for-dart-70-new-ia.md) -  + -  + diff --git a/mdop/dart-v7/deploying-the-dart-70-recovery-image-dart-7.md b/mdop/dart-v7/deploying-the-dart-70-recovery-image-dart-7.md index f29f24ee5c..fe84a514e2 100644 --- a/mdop/dart-v7/deploying-the-dart-70-recovery-image-dart-7.md +++ b/mdop/dart-v7/deploying-the-dart-70-recovery-image-dart-7.md @@ -30,7 +30,7 @@ After you have created the International Organization for Standardization (ISO) **Important**   The **DaRT Recovery Image Wizard** only provides the option to burn a CD or DVD. All other methods of saving and deploying the recovery image require additional steps that involve tools that are not included in DaRT. Some guidance and links for these other methods are provided in this section. -  + ## Deploy the DaRT Recovery Image Using a USB Flash Drive @@ -58,9 +58,9 @@ After you have finished running the DaRT Recovery Image Wizard and created the r - [Deploying DaRT 7.0](deploying-dart-70-new-ia.md) -  + -  + diff --git a/mdop/dart-v7/getting-started-with-dart-70-new-ia.md b/mdop/dart-v7/getting-started-with-dart-70-new-ia.md index d85f7a6580..ac081ea5fb 100644 --- a/mdop/dart-v7/getting-started-with-dart-70-new-ia.md +++ b/mdop/dart-v7/getting-started-with-dart-70-new-ia.md @@ -24,7 +24,7 @@ This section provides general information for administrators who are evaluating **Note**   A downloadable version of this document and the DaRT 7 Evaluation Guide can be downloaded from . -  + ## Getting Started With DaRT 7 @@ -54,9 +54,9 @@ A downloadable version of this document and the DaRT 7 Evaluation Guide can be d - [Troubleshooting DaRT 7.0](troubleshooting-dart-70-new-ia.md) -  + -  + diff --git a/mdop/dart-v7/how-to-deploy-dart-70.md b/mdop/dart-v7/how-to-deploy-dart-70.md index f5dd006044..32254f2c60 100644 --- a/mdop/dart-v7/how-to-deploy-dart-70.md +++ b/mdop/dart-v7/how-to-deploy-dart-70.md 
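Review bot: the dart-70-planning-checklist-dart-7.md table hunk (`@@ -41,31 +41,31 @@`) has the same defect as the deployment checklist: `[DaRT 7.0 Supported Configurations](dart-70-supported-configurations-dart-7.md)`, `[Planning to Create the DaRT 7.0 Recovery Image](planning-to-create-the-dart-70-recovery-image.md)` and `[Planning How to Save and Deploy the DaRT 7.0 Recovery Image](planning-how-to-save-and-deploy-the-dart-70-recovery-image.md)` are reduced to their titles with no visible target. These three rows are the only navigation the checklist offers, so the links need to survive as anchors.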
@@ -22,7 +22,7 @@ This topic provides instructions to deploy Microsoft Diagnostics and Recovery To **Important**   Before you install DaRT, ensure that the computer meets the minimum system requirements listed in [DaRT 7.0 Supported Configurations](dart-70-supported-configurations-dart-7.md). -  + **To install DaRT on an administrator computer** @@ -77,16 +77,16 @@ Before you install DaRT, ensure that the computer meets the minimum system requi **Note**   You can add /qn or /qb to any of the DaRT installation command prompt options to perform a silent installation. -  + ## Related topics [Deploying DaRT 7.0 to Administrator Computers](deploying-dart-70-to-administrator-computers-dart-7.md) -  + -  + diff --git a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-7.md b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-7.md index 901b1c1274..ec9f029614 100644 --- a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-7.md +++ b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-7.md @@ -30,7 +30,7 @@ After you have finished running the DaRT Recovery Image Wizard and created the r **Note**   If you burned a CD or DVD of the recovery image, you can open the files on the CD or DVD and copy the boot.wim file from the \\sources folder. This lets you skip the need to mount the image. -   + 2. Deploy the boot.wim file to a WDS server that can be accessed from end-user computers in your enterprise. @@ -47,9 +47,9 @@ For more information about how to deploy DaRT as a remote partition, see the fol [Deploying the DaRT 7.0 Recovery Image](deploying-the-dart-70-recovery-image-dart-7.md) -  + -  + diff --git a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-7.md b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-7.md index d3093de574..bb9b4e45b5 100644 
--- a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-7.md +++ b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-7.md @@ -34,7 +34,7 @@ After you have finished running the DaRT Recovery Image Wizard and created the r **Note**   If you burned a CD or DVD of the recovery image, you can open the files on the CD or DVD and copy the boot.wim file from the \\sources folder. This lets you skip the need to mount the image. -   + 3. Use the boot.wim file to create a bootable recovery partition by using your company’s standard method for creating a custom Windows RE image. @@ -51,9 +51,9 @@ For more information about how to deploy a recovery solution to reinstall the fa [Deploying the DaRT 7.0 Recovery Image](deploying-the-dart-70-recovery-image-dart-7.md) -  + -  + diff --git a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-using-a-usb-flash-drive-dart-7.md b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-using-a-usb-flash-drive-dart-7.md index cb1a99962b..8c9ec4eebf 100644 --- a/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-using-a-usb-flash-drive-dart-7.md +++ b/mdop/dart-v7/how-to-deploy-the-dart-recovery-image-using-a-usb-flash-drive-dart-7.md @@ -47,7 +47,7 @@ You can also manually copy the ISO image file to a UFD by following the steps pr **Note**   The previous code example assumes Disk 1 is the UFD. If it is necessary, replace DISK 1 with your disk number. -   + 2. By using your company’s preferred method of mounting an image, mount the ISO image file that you created in the **Create Startup Image** dialog box of the **DaRT Recovery Image Wizard**. This requires that you have a method available to mount an image file. 
@@ -56,16 +56,16 @@ You can also manually copy the ISO image file to a UFD by following the steps pr **Note**   If you burned a CD or DVD of the recovery image, you can open the files on the CD or DVD and copy the contents to the UFD. This lets you skip the need to mount the image. -   + ## Related topics [Deploying the DaRT 7.0 Recovery Image](deploying-the-dart-70-recovery-image-dart-7.md) -  + -  + diff --git a/mdop/dart-v7/how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md b/mdop/dart-v7/how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md index 35965f5549..f24b5b6941 100644 --- a/mdop/dart-v7/how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md +++ b/mdop/dart-v7/how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md 
@@ -17,30 +17,32 @@ ms.date: 06/16/2016 # How to Recover Local Computers Using the DaRT Recovery Image -To recover a local computer by using Microsoft Diagnostics and Recovery Toolset (DaRT) 7, you must be physically present at the end-user computer that is experiencing problems that require DaRT. You can also run DaRT remotely by following the instructions at [How to Recover Remote Computers Using the DaRT Recovery Image](how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md). +To recover a local computer by using Microsoft Diagnostics and Recovery Toolset (DaRT) 7, you must be physically present at the end-user computer that is experiencing problems that require DaRT. You can also run DaRT remotely by following the instructions at [How to Recover Remote Computers Using the DaRT Recovery Image](how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md). **To recover a local computer by using DaRT** 1. As the computer is booting into the DaRT recovery image, the **NetStart** dialog box appears. You are asked whether you want to initialize network services. If you click **Yes**, it is assumed that a DHCP server is present on the network and an attempt is made to obtain an IP address from the server. If the network uses static IP addresses instead of DHCP, you can later use the **TCP/IP Configuration** tool in DaRT to specify a static IP address. - To skip the network initialization process, click **No**. + To skip the network initialization process, click **No**. 2. Following the network initialization dialog box, you are asked whether you want to remap the drive letters. When you run Windows online, the system volume is typically mapped to drive C. However, when you run Windows offline under WinRE, the original system volume might be mapped to another drive, and this can cause confusion. If you decide to remap, DaRT tries to map the offline drive letters to match the online drive letters. 
Remapping is performed only if an offline operating system is selected later in the startup process. 3. Following the remapping dialog box, a **System Recovery Options** dialog box appears and asks you to select a keyboard layout. Then it displays the system root directory, the kind of operating system installed, and the partition size. If you do not see your operating system listed, and suspect that the lack of drivers is a possible cause of the failure, click **Load Drivers** to load the suspect drivers. This prompts you to insert the installation media for the device and to select the driver. Select the installation that you want to repair or diagnose, and then click **Next**. - **Note**   + **Note** If the Windows Recovery Environment (WinRE) detects or suspects that Windows 7 did not start correctly the last time that it was tried, **Startup Repair** might start to run automatically. -   - If any of the registry hives are corrupted or missing, Registry Editor, and several other DaRT utilities, will have limited functionality. If no operating system is selected, some tools will not be available. - The **System Recovery Options** window appears and lists various recovery tools. +~~~ +If any of the registry hives are corrupted or missing, Registry Editor, and several other DaRT utilities, will have limited functionality. If no operating system is selected, some tools will not be available. -4. On the **System Recovery Options** window, click **Microsoft Diagnostics and Recovery Toolset**. +The **System Recovery Options** window appears and lists various recovery tools. +~~~ - The **Diagnostics and Recovery Toolset** window opens. You can now run any of the individual tools or wizards that were included when the DaRT recovery image was created. +4. On the **System Recovery Options** window, click **Microsoft Diagnostics and Recovery Toolset**. + + The **Diagnostics and Recovery Toolset** window opens. 
You can now run any of the individual tools or wizards that were included when the DaRT recovery image was created. You can click **Help** on the **Diagnostics and Recovery Toolset** window to open the client Help file that provides detailed instruction and information needed to run the individual DaRT tools. You can also click the **Solution Wizard** on the **Diagnostics and Recovery Toolset** window to choose the best tool for the situation, based on a brief interview that the wizard provides. @@ -48,54 +50,53 @@ For general information about any of the DaRT tools, see [Overview of the Tools **To run DaRT at the command prompt** -1. You can run DaRT at the command prompt by specifying the **netstart.exe** command and by using any of the following parameters: +1. You can run DaRT at the command prompt by specifying the **netstart.exe** command and by using any of the following parameters: - - - - - - - - - - - - - - - - - - - - - - - - - -
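Review bot: the `+~~~` ... `+~~~` block in the `@@ -17,30 +17,32 @@` hunk of how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md fences two ordinary paragraphs of step 3, not a note: `If any of the registry hives are corrupted or missing, ...` and `The **System Recovery Options** window appears and lists various recovery tools.` Inside a fence the bold markup shows literally, and because the `+` lines sit at column 0 rather than indented under step 3 (the removed `-` lines were indented), the later `4. On the **System Recovery Options** window ...` may restart numbering at 1. Suggest restoring both sentences as indented paragraphs under step 3 without the `~~~` lines.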
        ParameterDescription

        -network

        Initializes the network services.

        -remount

        Remaps the drive letters.

        -prompt

        Displays messages asking the end user to specify whether to initialize the network and remap the drives.

        -
        - Important   -

        The end user’s response to the prompts overrides the -network and -remount switches.

        -
        -
        -   -
        + + + + + + + + + + + + + + + + + + + + + + + + + +
        ParameterDescription

        -network

        Initializes the network services.

        -remount

        Remaps the drive letters.

        -prompt

        Displays messages asking the end user to specify whether to initialize the network and remap the drives.

        +
        + Important

        The end user’s response to the prompts overrides the -network and -remount switches.

        +
        +
        -   +
        -2. You can customize DaRT so that a computer that boots into DaRT automatically opens the **Remote Connection** tool that is used to establish a remote connection with the help desk. + + +2. You can customize DaRT so that a computer that boots into DaRT automatically opens the **Remote Connection** tool that is used to establish a remote connection with the help desk. ## Related topics [Recovering Computers Using DaRT 7.0](recovering-computers-using-dart-70-dart-7.md) -  - -  + + + diff --git a/mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md b/mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md index 635e47c68a..2fac900255 100644 --- a/mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md +++ b/mdop/dart-v7/how-to-recover-remote-computers-using-the-dart-recovery-image-dart-7.md @@ -17,12 +17,12 @@ ms.date: 08/30/2016 # How to Recover Remote Computers Using the DaRT Recovery Image -The Remote Connection feature in Microsoft Diagnostics and Recovery Toolset (DaRT) 7 lets an IT administrator run the DaRT tools remotely on an end-user computer. After certain information is provided by the end user (or by a helpdesk professional working on the end-user computer), the IT administrator or helpdesk agent can take control of the end user's computer and run the necessary DaRT tools remotely. +The Remote Connection feature in Microsoft Diagnostics and Recovery Toolset (DaRT) 7 lets an IT administrator run the DaRT tools remotely on an end-user computer. After certain information is provided by the end user (or by a helpdesk professional working on the end-user computer), the IT administrator or helpdesk agent can take control of the end user's computer and run the necessary DaRT tools remotely. -**Important**   +**Important** The two computers establishing a remote connection must be part of the same network. -  + **To recover a remote computer by using DaRT** 
@@ -38,105 +38,106 @@ The two computers establishing a remote connection must be part of the same netw Whichever method that you use to boot into DaRT, you must enable the boot device in the BIOS for the boot option or options that you want to make available to the end user. - **Note**   + **Note** Configuring the BIOS is unique, depending on the kind of hard disk drive, network adapters, and other hardware that is used in your organization. -   + 2. As the computer is booting into the DaRT recovery image, the **NetStart** dialog box appears. You are asked whether you want to initialize network services. If you click **Yes**, it is assumed that a DHCP server is present on the network and an attempt is made to obtain an IP address from the server. If the network uses static IP addresses instead of DHCP, you can later use the **TCP/IP Configuration** tool in DaRT to specify a static IP address. - To skip the network initialization process, click **No**. + To skip the network initialization process, click **No**. 3. Following the network initialization dialog box, you are asked whether you want to remap the drive letters. When you run Windows online, the system volume is typically mapped to drive C. However, when you run Windows offline under WinRE, the original system volume might be mapped to another drive, and this can cause confusion. If you decide to remap, DaRT tries to map the offline drive letters to match the online drive letters. Remapping is performed only if an offline operating system is selected later in the startup process. 4. Following the remapping dialog box, a **System Recovery Options** dialog box appears and asks you to select a keyboard layout. Then it displays the system root directory, the kind of operating system installed, and the partition size. If you do not see your operating system listed, and suspect that the lack of drivers is a possible cause of the failure, click **Load Drivers** to load the suspect drivers. 
This prompts you to insert the installation media for the device and to select the driver. Select the installation that you want to repair or diagnose, and then click **Next**. - **Note**   + **Note** If the Windows Recovery Environment (WinRE) detects or suspects that Windows 7 did not start correctly the last time that it was tried, **Startup Repair** might start to run automatically. For information about this situation including how to resolve it, see [Troubleshooting DaRT 7.0](troubleshooting-dart-70-new-ia.md). -   - If any of the registry hives are corrupted or missing, Registry Editor, and several other DaRT utilities, will have limited functionality. If no operating system is selected, some tools will not be available. - The **System Recovery Options** window appears and lists various recovery tools. +~~~ +If any of the registry hives are corrupted or missing, Registry Editor, and several other DaRT utilities, will have limited functionality. If no operating system is selected, some tools will not be available. -5. On the **System Recovery Options** window, select **Microsoft Diagnostics and Recovery Toolset** to open the **Diagnostics and Recovery Toolset** window. +The **System Recovery Options** window appears and lists various recovery tools. +~~~ -6. On the **Diagnostics and Recovery Toolset** window, click **Remote Connection** to open the **DaRT Remote Connection** window. If you are prompted to give the help desk remote access, click **OK**. +5. On the **System Recovery Options** window, select **Microsoft Diagnostics and Recovery Toolset** to open the **Diagnostics and Recovery Toolset** window. - The DaRT Remote Connection window opens and displays a ticket number, IP address, and port information. +6. On the **Diagnostics and Recovery Toolset** window, click **Remote Connection** to open the **DaRT Remote Connection** window. If you are prompted to give the help desk remote access, click **OK**. -7. 
On the helpdesk agent computer, open the **DaRT Remote Connection Viewer**. + The DaRT Remote Connection window opens and displays a ticket number, IP address, and port information. - Click **Start**, click **All Programs**, click **Microsoft DaRT 7**, and then click **DaRT Remote Connection Viewer**. +7. On the helpdesk agent computer, open the **DaRT Remote Connection Viewer**. -8. In the **DaRT Remote Connection** window, enter the required ticket, IP address, and port information. + Click **Start**, click **All Programs**, click **Microsoft DaRT 7**, and then click **DaRT Remote Connection Viewer**. - **Note**   - This information is created on the end-user computer and must be provided by the end user. There might be multiple IP addresses to choose from, depending on how many are available on the end-user computer. +8. In the **DaRT Remote Connection** window, enter the required ticket, IP address, and port information. -   + **Note** + This information is created on the end-user computer and must be provided by the end user. There might be multiple IP addresses to choose from, depending on how many are available on the end-user computer. -9. Click **Connect**. + + +9. Click **Connect**. The IT administrator now assumes control of the end-user computer and can run the DaRT tools remotely. -**Note**   +**Note** A file is provided that is named inv32.xml and contains remote connection information, such as the port number and IP address. By default, the file is typically located at %windir%\\system32. -  + **To customize the Remote Connection process** -1. You can customize the Remote Connection process by editing the winpeshl.ini file. For more information about how to edit the winpeshl.ini file, see [Winpeshl.ini Files](https://go.microsoft.com/fwlink/?LinkId=219413). +1. You can customize the Remote Connection process by editing the winpeshl.ini file. 
For more information about how to edit the winpeshl.ini file, see [Winpeshl.ini Files](https://go.microsoft.com/fwlink/?LinkId=219413). - Specify the following commands and parameters to customize how a remote connection is established with an end-user computer: + Specify the following commands and parameters to customize how a remote connection is established with an end-user computer: - - - - - - - - - - - - - - - - - - - - - - - - - -
        CommandParameterDescription

        RemoteRecovery.exe

        -nomessage

        Specifies that the confirmation prompt is not displayed. Remote Connection continues just as if the end user had responded "Yes" to the confirmation prompt.

        WaitForConnection.exe

        none

        Prevents a custom script from continuing until either Remote Connection is not running or a valid connection is established with the end-user computer.

        -
        - Important   -

        This command serves no function if it is specified independently. It must be specified in a script to function correctly.

        -
        -
        -   -
        + + + + + + + + + + + + + + + + + + + + + + + + + +
        CommandParameterDescription

        RemoteRecovery.exe

        -nomessage

        Specifies that the confirmation prompt is not displayed. Remote Connection continues just as if the end user had responded "Yes" to the confirmation prompt.

        WaitForConnection.exe

        none

        Prevents a custom script from continuing until either Remote Connection is not running or a valid connection is established with the end-user computer.

        +
        + Important

        This command serves no function if it is specified independently. It must be specified in a script to function correctly.

        +
        +
        -   +
        -2. The following is an example of a winpeshl.ini file that is customized to open the **Remote Connection** tool as soon as an attempt is made to boot into DaRT: - ``` syntax - [LaunchApps] - "%windir%\system32\netstart.exe -network -remount" - "cmd /C start %windir%\system32\RemoteRecovery.exe -nomessage" - "%windir%\system32\WaitForConnection.exe" - "%SYSTEMDRIVE%\sources\recovery\recenv.exe" - ``` + +2. The following is an example of a winpeshl.ini file that is customized to open the **Remote Connection** tool as soon as an attempt is made to boot into DaRT: + + ``` syntax + [LaunchApps] + "%windir%\system32\netstart.exe -network -remount" + "cmd /C start %windir%\system32\RemoteRecovery.exe -nomessage" + "%windir%\system32\WaitForConnection.exe" + "%SYSTEMDRIVE%\sources\recovery\recenv.exe" + ``` **To run the Remote Connection Viewer at the command prompt** @@ -169,23 +170,25 @@ A file is provided that is named inv32.xml and contains remote connection inform -   - **Note**   - The variables for these parameters are created on the end-user computer and must be provided by the end user. -   +~~~ +**Note** +The variables for these parameters are created on the end-user computer and must be provided by the end user. +~~~ -2. If all three parameters are specified and the data is valid, a connection is immediately tried when the program starts. If any parameter is not valid, the program starts as if there were no parameters specified. + + +2. If all three parameters are specified and the data is valid, a connection is immediately tried when the program starts. If any parameter is not valid, the program starts as if there were no parameters specified. ## Related topics [Recovering Computers Using DaRT 7.0](recovering-computers-using-dart-70-dart-7.md) -  - -  + + + 
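Review bot: In the `@@ -38,105 +38,106 @@` hunk, the two closing paragraphs of step 4 ("If any of the registry hives are corrupted or missing, ..." and "The **System Recovery Options** window appears and lists various recovery tools.") are now wrapped in a `~~~` fence at column 0, which turns running prose into a preformatted code block (the `**...**` bold markers will show as literal asterisks) and, because the fence is not indented, terminates the numbered list so that step 5 is likely to render as a new list starting at 1. Keep them as indented paragraphs inside the step, as the removed lines had them, and drop the fence. In the same hunk, trimming the trailing whitespace after the label (`- **Note**   ` / `+ **Note**`) also removes the two-space hard line break, so "Note" and the sentence on the next line are likely to merge into a single line; put a blank line after the label or keep the hard break.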
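Review bot: In the `@@ -169,23 +170,25 @@` hunk, the note (`**Note**` / "The variables for these parameters are created on the end-user computer and must be provided by the end user.") is wrapped in a `~~~` fence, so it will render as a code block with literal asterisks, and because the fence sits at column 0 between steps 1 and 2 it splits the numbered list, so "2. If all three parameters are specified and the data is valid, ..." is likely to render as a fresh item 1. Indent the note as a paragraph under step 1 (four spaces, as the removed lines had it) and remove the fence.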
diff --git a/mdop/dart-v7/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md b/mdop/dart-v7/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md index 069dabb05c..2000d0e0f8 100644 --- a/mdop/dart-v7/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md +++ b/mdop/dart-v7/how-to-run-the-crash-analyzer-in-stand-alone-mode-on-a-computer-other-than-an-end-user-computer-dart-7.md @@ -36,7 +36,7 @@ If you cannot access the Microsoft Debugging Tools for Windows or the symbol fil **Note**   Use the Search tool in DaRT 7 to locate the copied crash dump file. -   + 3. The **Crash Analyzer** scans the crash dump file and reports a probable cause of the crash. You can view more information about the crash, such as the specific crash message and description, the drivers loaded at the time of the crash, and the full output of the analysis. @@ -47,9 +47,9 @@ If you cannot access the Microsoft Debugging Tools for Windows or the symbol fil [Diagnosing System Failures with Crash Analyzer](diagnosing-system-failures-with-crash-analyzer--dart-7.md) -  + -  + diff --git a/mdop/dart-v7/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md b/mdop/dart-v7/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md index 18c527463b..4a03441b10 100644 --- a/mdop/dart-v7/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md +++ b/mdop/dart-v7/how-to-run-the-crash-analyzer-on-an-end-user-computer-dart-7.md 
@@ -46,7 +46,7 @@ Typically, you run Microsoft Diagnostics and Recovery Toolset (DaRT) 7 Crash An **Note**   If you do not have access to the **System Properties** window, you can search for dump files on the end-user computer by using the **Search** tool in DaRT. -   + 3. The **Crash Analyzer** scans the crash dump file and reports a probable cause of the crash. You can view more information about the crash, such as the specific crash message and description, the drivers loaded at the time of the crash, and the full output of the analysis. @@ -57,9 +57,9 @@ Typically, you run Microsoft Diagnostics and Recovery Toolset (DaRT) 7 Crash An [Diagnosing System Failures with Crash Analyzer](diagnosing-system-failures-with-crash-analyzer--dart-7.md) -  + -  + diff --git a/mdop/dart-v7/how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md b/mdop/dart-v7/how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md index b24667de14..64a13002bc 100644 --- a/mdop/dart-v7/how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md +++ b/mdop/dart-v7/how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md @@ -42,7 +42,7 @@ The **DaRT Recovery Image Wizard** requires the following information: **Note**   The ISO image size can vary, depending on the tools that were selected in the **DaRT Recovery Image Wizard**. -  + ## To create the recovery image using the DaRT Recovery Image Wizard @@ -74,7 +74,7 @@ You can either specify the location of the debugging tools on the computer where **Note**   If you include the **Crash Analyzer** in the ISO image, we recommend that you also include the Debugging Tools for Windows. -  + Follow these steps to add the Debugging Tools for Windows: @@ -101,7 +101,7 @@ If you decide not to include the latest definitions on the recovery image, or if **Important**   You cannot scan if there are no definitions. -  + After you have finished, click **Next**. 
@@ -110,14 +110,14 @@ After you have finished, click **Next**. **Caution**   By default, when you add a driver to the DaRT recovery image, all additional files and subfolders that are located in that folder are added into the recovery image. For more information, see [Troubleshooting DaRT 7.0](troubleshooting-dart-70-new-ia.md). -  + You should include additional drivers on the recovery image for DaRT 7 that you may need when repairing a computer. These may typically include storage or network controllers that are not included on the Windows DVD. **Important**   When you select drivers to include, be aware that wireless connectivity (such as Bluetooth or 802.11a/b/g/n) is not supported in DaRT. -  + **To add a storage or network controller driver to the recovery image** @@ -128,7 +128,7 @@ When you select drivers to include, be aware that wireless connectivity (such as **Note**   The **driver** file is provided by the manufacturer of the storage or network controller. -   + 3. Repeat Steps 1 and 2 for every driver that you want to include. @@ -171,7 +171,7 @@ If the **DaRT Recovery Image Wizard** detects a compatible CD-RW drive on your c **Note**   If a drive is not recognized and you install a new drive, you can click **Refresh Drive List** to force the wizard to update the list of available drives. -   + 3. Click **Next**. @@ -180,9 +180,9 @@ If the **DaRT Recovery Image Wizard** detects a compatible CD-RW drive on your c [Creating the DaRT 7.0 Recovery Image](creating-the-dart-70-recovery-image-dart-7.md) -  + -  + diff --git a/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md b/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md index c499a06afe..ccd74f662c 100644 --- a/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md +++ b/mdop/dart-v7/overview-of-the-tools-in-dart-70-new-ia.md 
@@ -33,7 +33,7 @@ You can use **Registry Editor** to access and change the registry of the Windows **Caution**   This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. -  + ### Locksmith @@ -70,7 +70,7 @@ For more information about **Crash Analyzer**, see [Diagnosing System Failures w **Warning**   We recommend that you back up a disk before you use **Disk Commander** to repair it. By using **Disk Commander**, you can potentially damage volumes and make them inaccessible. Additionally, changes to one volume can affect other volumes because volumes on a disk share a partition table. -  + ### Disk Wipe @@ -79,7 +79,7 @@ You can use **Disk Wipe** to delete all data from a disk or volume, even the dat **Warning**   After wiping a disk or volume, you cannot recover the data. Verify the size and label of a volume before erasing it. -  + ### Computer Management @@ -106,7 +106,7 @@ We recommend that you uninstall only one hotfix at a time, even though the tool **Important**   Programs that were installed or updated after a hotfix was installed might not work correctly after you uninstall a hotfix. -  + ### SFC Scan 
@@ -123,7 +123,7 @@ The **Search** tool opens a **File Search** window that you can use to find docu **Important**   Environments with the Standalone System Sweeper deployed should instead use the Windows Defender Offline (WDO) protection image for malware detection. Because of how the Standalone System Sweeper tool integrates into DaRT, all supported DaRT version deployments cannot apply these anti-malware updates to their DaRT images. -  + The **Standalone System Sweeper** can help detect malware and unwanted software and warn you of security risks. You can use this tool to scan a computer for and remove malware even when the installed Windows operating system is not running. When the **Standalone System Sweeper** detects malicious or unwanted software, it prompts you to remove, quarantine, or allow for each item. @@ -136,16 +136,16 @@ The **Remote Connection** tool in DaRT lets you remotely run the DaRT tools on a **Important**   The two computers establishing a remote connection must be part of the same network. -  + ## Related topics [Getting Started with DaRT 7.0](getting-started-with-dart-70-new-ia.md) -  + -  + diff --git a/mdop/dart-v7/planning-how-to-save-and-deploy-the-dart-70-recovery-image.md b/mdop/dart-v7/planning-how-to-save-and-deploy-the-dart-70-recovery-image.md index e8efcbcf86..f99585b92a 100644 --- a/mdop/dart-v7/planning-how-to-save-and-deploy-the-dart-70-recovery-image.md +++ b/mdop/dart-v7/planning-how-to-save-and-deploy-the-dart-70-recovery-image.md @@ -27,7 +27,7 @@ You can save and deploy the DaRT recovery image by using the following methods. **Note**   You might want to use more than one method in your organization. For example, you can boot into DaRT from a remote partition for most situations and have a USB flash drive available in case the end-user computer cannot connect to the network. -  + The following table shows some advantages and disadvantages of each method of using DaRT in your organization. 
@@ -71,16 +71,16 @@ The following table shows some advantages and disadvantages of each method of us -  + ## Related topics [Planning to Deploy DaRT 7.0](planning-to-deploy-dart-70.md) -  + -  + diff --git a/mdop/dart-v7/planning-to-deploy-dart-70.md b/mdop/dart-v7/planning-to-deploy-dart-70.md index d09259dc38..f1f21b158b 100644 --- a/mdop/dart-v7/planning-to-deploy-dart-70.md +++ b/mdop/dart-v7/planning-to-deploy-dart-70.md @@ -51,7 +51,7 @@ Several methods can be used to save and deploy the DaRT recovery image. When you **Note**   You might want to use more than one method in your organization. For example, you can boot into DaRT from a remote partition for most situations and have a USB flash drive available in case the end-user computer cannot connect to the network. -  + [Planning How to Save and Deploy the DaRT 7.0 Recovery Image](planning-how-to-save-and-deploy-the-dart-70-recovery-image.md) @@ -60,9 +60,9 @@ You might want to use more than one method in your organization. For example, yo [Planning for DaRT 7.0](planning-for-dart-70-new-ia.md) -  + -  + diff --git a/mdop/dart-v7/recovering-computers-using-dart-70-dart-7.md b/mdop/dart-v7/recovering-computers-using-dart-70-dart-7.md index 459d98884e..35e35b8a3e 100644 --- a/mdop/dart-v7/recovering-computers-using-dart-70-dart-7.md +++ b/mdop/dart-v7/recovering-computers-using-dart-70-dart-7.md @@ -39,7 +39,7 @@ Whichever method that you use to boot into DaRT, you must enable the boot device **Note**   Configuring the BIOS is unique, depending on the kind of hard disk drive, network adapters, and other hardware that is used in your organization. -  + [How to Recover Local Computers Using the DaRT Recovery Image](how-to-recover-local-computers-using-the-dart-recovery-image-dart-7.md) 
@@ -51,7 +51,7 @@ The Remote Connection feature in DaRT lets an IT administrator run the DaRT tool **Important**   The two computers establishing a remote connection must be part of the same network. -  + The **Diagnostics and Recovery Toolset** window includes the option to run DaRT on an end-user computer remotely from an administrator computer. The end user opens the DaRT tools on the problem computer and starts the remote session by clicking **Remote Connection**. @@ -66,9 +66,9 @@ The IT administrator or helpdesk agent enters this information into the **DaRT R [Operations for DaRT 7.0](operations-for-dart-70-new-ia.md) -  + -  + diff --git a/mdop/dart-v7/release-notes-for-dart-70-new-ia.md b/mdop/dart-v7/release-notes-for-dart-70-new-ia.md index 718f97ba50..87506ac590 100644 --- a/mdop/dart-v7/release-notes-for-dart-70-new-ia.md +++ b/mdop/dart-v7/release-notes-for-dart-70-new-ia.md @@ -108,9 +108,9 @@ All other trademarks are property of their respective owners. [About DaRT 7.0](about-dart-70-new-ia.md) -  + -  + diff --git a/mdop/dart-v7/security-considerations-for-dart-70-dart-7.md b/mdop/dart-v7/security-considerations-for-dart-70-dart-7.md index 1d089d9495..7d51161f65 100644 --- a/mdop/dart-v7/security-considerations-for-dart-70-dart-7.md +++ b/mdop/dart-v7/security-considerations-for-dart-70-dart-7.md @@ -35,7 +35,7 @@ You can even configure the DaRT image so that the option to start a remote conne **Important**   After the remote connection is established, all the tools that you included in the recovery image, including those unavailable to the end user, will become available to the helpdesk agent working on the end–user computer. -  + For more information about including tools in the DaRT recovery image, see [How to Use the DaRT Recovery Image Wizard to Create the Recovery Image](how-to-use-the-dart-recovery-image-wizard-to-create-the-recovery-image-dart-7.md). 
@@ -49,7 +49,7 @@ Your encryption method should be deployed and enabled in all computers. **Note**   DaRT 7 supports BitLocker natively. -  + ## To help maintain security between two computers during Remote Connection @@ -61,9 +61,9 @@ By default, the communication between two computers that have established a **Re [Operations for DaRT 7.0](operations-for-dart-70-new-ia.md) -  + -  + diff --git a/mdop/dart-v8/about-dart-80-dart-8.md b/mdop/dart-v8/about-dart-80-dart-8.md index a4ad194f81..7de3d83f67 100644 --- a/mdop/dart-v8/about-dart-80-dart-8.md +++ b/mdop/dart-v8/about-dart-80-dart-8.md @@ -22,7 +22,7 @@ Microsoft Diagnostics and Recovery Toolset (DaRT) 8.0 helps you troubleshoot and **Note**   DaRT does not support the recovery of dynamic disks. -  + DaRT also provides tools to help you fix a problem as soon as you determine the cause. For example, you can use the tools in DaRT to disable a faulty device driver, remove hotfixes, restore deleted files, and scan the computer for malware even when you cannot or should not start the installed Windows operating system. @@ -73,9 +73,9 @@ This technology is a part of the Microsoft Desktop Optimization Pack (MDOP). MDO [Release Notes for DaRT 8.0](release-notes-for-dart-80--dart-8.md) -  + -  + diff --git a/mdop/dart-v8/about-dart-81.md b/mdop/dart-v8/about-dart-81.md index f173ef7d0d..a2d81ba1e5 100644 --- a/mdop/dart-v8/about-dart-81.md +++ b/mdop/dart-v8/about-dart-81.md @@ -36,10 +36,10 @@ Microsoft Diagnostics and Recovery Toolset (DaRT) 8.1 provides the following enh You can create DaRT images by using Windows Server 2012 R2 or Windows 8.1. - **Note**   + **Note** For earlier versions of the Windows Server and Windows operating systems, continue to use the earlier versions of DaRT. -   + - **Customer feedback** 
@@ -52,16 +52,18 @@ Microsoft Diagnostics and Recovery Toolset (DaRT) 8.1 provides the following enh ## Requirements -- **Windows Assessment and Development Kit 8.1** +- **Windows Assessment and Development Kit 8.1** - Windows Assessment and Development Kit (ADK) 8.1 is a required prerequisite for the DaRT Recovery Image Wizard. Windows ADK 8.1 contains deployment tools that are used to customize, deploy, and service Windows images. It also contains the Windows Preinstallation Environment (Windows PE). + Windows Assessment and Development Kit (ADK) 8.1 is a required prerequisite for the DaRT Recovery Image Wizard. Windows ADK 8.1 contains deployment tools that are used to customize, deploy, and service Windows images. It also contains the Windows Preinstallation Environment (Windows PE). - **Note**   - Windows ADK 8.1 is not required if you are installing only Remote Connection Viewer or Crash Analyzer. + **Note** + Windows ADK 8.1 is not required if you are installing only Remote Connection Viewer or Crash Analyzer. -   - To download Windows ADK 8.1, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1](https://www.microsoft.com/download/details.aspx?id=39982) in the Microsoft Download Center. + +~~~ +To download Windows ADK 8.1, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1](https://www.microsoft.com/download/details.aspx?id=39982) in the Microsoft Download Center. +~~~ - **Microsoft .NET Framework 4.5.1** @@ -110,9 +112,9 @@ DaRT 8.1 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is pa [Release Notes for DaRT 8.1](release-notes-for-dart-81.md) -  - -  + + + diff --git a/mdop/dart-v8/accessibility-for-dart-80-dart-8.md b/mdop/dart-v8/accessibility-for-dart-80-dart-8.md index 57d6d22878..936d93ea7d 100644 --- a/mdop/dart-v8/accessibility-for-dart-80-dart-8.md +++ b/mdop/dart-v8/accessibility-for-dart-80-dart-8.md 
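Review bot: In the `@@ -52,16 +52,18 @@` hunk, the sentence "To download Windows ADK 8.1, see [Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1](https://www.microsoft.com/download/details.aspx?id=39982) in the Microsoft Download Center." is moved out of the bullet item and wrapped in a `~~~` fence, so the Markdown link will no longer render as a hyperlink (readers will see the raw `[text](url)` source) and the sentence falls outside the "**Windows Assessment and Development Kit 8.1**" bullet it belongs to, directly before "- **Microsoft .NET Framework 4.5.1**". Keep it as an indented paragraph within that bullet, as the removed line had it, without the fence.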
@@ -33,7 +33,7 @@ Access keys let you quickly use a command by pressing a few keys. You can get to **Note**   To cancel the action that you are taking and hide the keyboard shortcuts, press ALT. -  + ## Documentation in alternative formats @@ -67,13 +67,13 @@ For information about the availability of Microsoft product documentation and bo

        (609) 987-8116

        -

        [http://www.learningally.org/](https://go.microsoft.com/fwlink/?linkid=239)

        +

        http://www.learningally.org/

        Web addresses can change, so you might be unable to connect to the website or sites mentioned here.

        -  + ## Customer service for people with hearing impairments @@ -96,9 +96,9 @@ For more information about how accessible technology for computers helps to impr [Getting Started with DaRT 8.0](getting-started-with-dart-80-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md b/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md index 808bdd1d96..0dfd0b39f2 100644 --- a/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md +++ b/mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md @@ -92,7 +92,7 @@ On the Drivers tab of the Advanced Options page, you can add additional device d **Important**   When you select drivers to include, be aware that wireless connectivity (such as Bluetooth or 802.11a/b/g/n) is not supported in DaRT. -  + **To add drivers to the recovery image** @@ -105,7 +105,7 @@ When you select drivers to include, be aware that wireless connectivity (such as **Note**   The driver file is provided by the manufacturer of the storage or network controller. -   + 4. Repeat Steps 2 and 3 for every driver that you want to include. @@ -144,7 +144,7 @@ The DaRT wizard checks for the tools in the `HKLM\Software\Microsoft\Windows Kit `%ProgramFilesX86%\Windows Kits\8.0\Debuggers\x86` -  + **To add the debugging tools for Crash Analyzer** @@ -180,7 +180,7 @@ On the Defender tab of the Advanced Options page, you add definitions, which are **Important**   You cannot scan if there are no definitions. -   + 3. Click **Next**. @@ -206,7 +206,7 @@ If you select the Edit Image check box on this page, you can customize the recov **Note**   The size of the image will vary, depending on the tools that you select and the files that you add in the wizard. -   + 2. In the **Image name** box, enter a name for the DaRT recovery image, or accept the default name, which is DaRT8. 
@@ -256,7 +256,7 @@ On the Create Bootable Media page, you can optionally copy the image file to a C **Note**   The Preboot execution environment (PXE) and local image deployment are not supported natively by this tool since they require additional enterprise tools, such as System Center Configuration Manager server and Microsoft Development Toolkit. -  + **To copy the recovery image to a CD, DVD, or USB** @@ -267,7 +267,7 @@ The Preboot execution environment (PXE) and local image deployment are not suppo **Note**   If a drive is not recognized and you install a new drive, you can click **Refresh** to force the wizard to update the list of available drives. -   + 3. Click the **Create Bootable Media** button. @@ -280,9 +280,9 @@ The Preboot execution environment (PXE) and local image deployment are not suppo [Deploying DaRT 8.0](deploying-dart-80-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/dart-80-deployment-checklist-dart-8.md b/mdop/dart-v8/dart-80-deployment-checklist-dart-8.md index 4473090f37..eca291304a 100644 --- a/mdop/dart-v8/dart-80-deployment-checklist-dart-8.md +++ b/mdop/dart-v8/dart-80-deployment-checklist-dart-8.md @@ -22,7 +22,7 @@ This checklist can be used to help you during Microsoft Diagnostics and Recovery **Note**   This checklist outlines the recommended steps and a high-level list of items to consider when planning for product deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -41,31 +41,31 @@ This checklist outlines the recommended steps and a high-level list of items to - + - + - +
        Checklist box

        Decide on the best DaRT 8.0 deployment option for your requirements and deploy it.

        [Deploying DaRT 8.0 to Administrator Computers](deploying-dart-80-to-administrator-computers-dart-8.md)

        Deploying DaRT 8.0 to Administrator Computers

        Checklist box

        Use the DaRT Recovery Image wizard to create the DaRT recovery image ISO.

        [Creating the DaRT 8.0 Recovery Image](creating-the-dart-80-recovery-image-dart-8.md)

        Creating the DaRT 8.0 Recovery Image

        Checklist box

        Decide on the best DaRT 8.0 recovery image deployment option for your requirements and deploy it.

        [Deploying the DaRT Recovery Image](deploying-the-dart-recovery-image-dart-8.md)

        Deploying the DaRT Recovery Image

        -  + ## Related topics [Deploying DaRT 8.0](deploying-dart-80-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/dart-80-planning-checklist-dart-8.md b/mdop/dart-v8/dart-80-planning-checklist-dart-8.md index e7ce89a340..7e29d01395 100644 --- a/mdop/dart-v8/dart-80-planning-checklist-dart-8.md +++ b/mdop/dart-v8/dart-80-planning-checklist-dart-8.md @@ -22,7 +22,7 @@ This checklist can be used to help you plan for preparing your computing environ **Note**   This checklist outlines the recommended steps and a high-level list of items to consider when planning for product deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -41,31 +41,31 @@ This checklist outlines the recommended steps and a high-level list of items to - + - + - +
        Checklist box

        Review the DaRT 8.0 Supported Configurations information to confirm that the computers you have selected for client or feature installation meet the minimum hardware and operating system requirements.

        [DaRT 8.0 Supported Configurations](dart-80-supported-configurations-dart-8.md)

        DaRT 8.0 Supported Configurations

        Checklist box

        Understand the deployment prerequisites and decide which tools to include on the DaRT recovery image.

        [Planning to Create the DaRT 8.0 Recovery Image](planning-to-create-the-dart-80-recovery-image-dart-8.md)

        Planning to Create the DaRT 8.0 Recovery Image

        Checklist box

        Determine which method, or methods, you will use to deploy the DaRT recovery image.

        [Planning How to Save and Deploy the DaRT 8.0 Recovery Image](planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md)

        Planning How to Save and Deploy the DaRT 8.0 Recovery Image

        -  + ## Related topics [Planning for DaRT 8.0](planning-for-dart-80-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/dart-80-supported-configurations-dart-8.md b/mdop/dart-v8/dart-80-supported-configurations-dart-8.md index f4406de71d..1498448738 100644 --- a/mdop/dart-v8/dart-80-supported-configurations-dart-8.md +++ b/mdop/dart-v8/dart-80-supported-configurations-dart-8.md @@ -63,7 +63,7 @@ The following table lists the installation prerequisites for the administrator c -  + ### Help desk computer prerequisites @@ -96,7 +96,7 @@ The following table lists the installation prerequisites for the help desk compu -  + ### End-user computer prerequisites @@ -112,12 +112,12 @@ The following table lists the operating systems that are supported for the DaRT **Note**   Make sure that you allocate enough space for any additional tools that you want to install on the administrator computer. -  + **Note**   Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + @@ -166,7 +166,7 @@ Microsoft provides support for the current service pack and, in some cases, the
        -  + ### DaRT help desk computer system requirements @@ -231,7 +231,7 @@ The following table lists the operating systems that are supported for the DaRT -  + DaRT also has the following minimum hardware requirements for the end-user computer: @@ -290,16 +290,16 @@ The Diagnostics and Recovery Toolset window in DaRT requires that the end-user c -  + ## Related topics [Planning to Deploy DaRT 8.0](planning-to-deploy-dart-80-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/deploying-the-dart-recovery-image-dart-8.md b/mdop/dart-v8/deploying-the-dart-recovery-image-dart-8.md index d2f744b909..99ebca995c 100644 --- a/mdop/dart-v8/deploying-the-dart-recovery-image-dart-8.md +++ b/mdop/dart-v8/deploying-the-dart-recovery-image-dart-8.md @@ -30,7 +30,7 @@ Extract the boot.wim file from the ISO image and deploy in the recovery partitio **Important**   The **DaRT Recovery Image Wizard** provides the option to burn the image to a CD, DVD or UFD, but the other methods of saving and deploying the recovery image require additional steps that involve tools that are not included in DaRT. Some guidance and links for these other methods are provided in this section. -  + ## Deploy the DaRT recovery image as part of a recovery partition @@ -51,9 +51,9 @@ You can host the recovery image on a central network boot server, such as Window [Deploying DaRT 8.0](deploying-dart-80-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/getting-started-with-dart-80-dart-8.md b/mdop/dart-v8/getting-started-with-dart-80-dart-8.md index 4ce003894a..faa25ee39e 100644 --- a/mdop/dart-v8/getting-started-with-dart-80-dart-8.md +++ b/mdop/dart-v8/getting-started-with-dart-80-dart-8.md @@ -24,7 +24,7 @@ A downloadable version of this administrator’s guide is not available. However Additional downloadable information about this product can also be found at . -  + ## Getting started with DaRT 8.0 
@@ -59,9 +59,9 @@ DaRT 8.0 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is pa [Troubleshooting DaRT 8.0](troubleshooting-dart-80-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/how-to-deploy-dart-80-dart-8.md b/mdop/dart-v8/how-to-deploy-dart-80-dart-8.md index f26137b348..e31d87e179 100644 --- a/mdop/dart-v8/how-to-deploy-dart-80-dart-8.md +++ b/mdop/dart-v8/how-to-deploy-dart-80-dart-8.md @@ -22,7 +22,7 @@ The following instructions explain how to deploy Microsoft Diagnostics and Recov **Important**   Before you install DaRT, see [DaRT 8.0 Supported Configurations](dart-80-supported-configurations-dart-8.md) to ensure that you have installed all of the prerequisite software and that the computer meets the minimum system requirements. The computer onto which you install DaRT must be running Windows 8 or Windows Server 2012. -  + You can install DaRT using one of two different configurations: @@ -86,7 +86,7 @@ msiexec.exe /i MSDaRT80.msi /l*v log.txt **Note**   You can add /qn or /qb to perform a silent installation. -  + **To validate the DaRT installation** @@ -101,9 +101,9 @@ You can add /qn or /qb to perform a silent installation. [Deploying DaRT 8.0 to Administrator Computers](deploying-dart-80-to-administrator-computers-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-8.md b/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-8.md index c01d043f5c..a717b3888e 100644 --- a/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-8.md +++ b/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-a-remote-partition-dart-8.md 
@@ -30,7 +30,7 @@ After you have finished running the Microsoft Diagnostics and Recovery Toolset ( **Note**   If you burned a CD or DVD of the recovery image, you can open the files on the CD or DVD and copy the boot.wim file from the \\sources folder. This lets you skip the need to mount the image. -   + 2. Deploy the boot.wim file to a WDS server that can be accessed from end-user computers in your enterprise. @@ -47,9 +47,9 @@ For more information about how to deploy DaRT as a remote partition, see [Walkth [Planning for DaRT 8.0](planning-for-dart-80-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-8.md b/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-8.md index 5cf5f6749e..c5d594b59c 100644 --- a/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-8.md +++ b/mdop/dart-v8/how-to-deploy-the-dart-recovery-image-as-part-of-a-recovery-partition-dart-8.md @@ -34,7 +34,7 @@ After you have finished running the Microsoft Diagnostics and Recovery Toolset ( **Note**   If you burned a CD, DVD, or USB of the recovery image, you can open the files on the removable media and copy the boot.wim file from the \\sources folder. If you copy boot.wim file, you don’t need to mount the image. -   + 3. Use the boot.wim file to create a bootable recovery partition by using your company’s standard method for creating a custom Windows RE image. @@ -53,9 +53,9 @@ After you have finished running the Microsoft Diagnostics and Recovery Toolset ( [Planning for DaRT 8.0](planning-for-dart-80-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md b/mdop/dart-v8/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md index 348178406b..dca11766bc 100644 --- a/mdop/dart-v8/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md 
+++ b/mdop/dart-v8/how-to-recover-local-computers-by-using-the-dart-recovery-image-dart-8.md 
@@ -39,18 +39,20 @@ Use these instructions to recover a computer when you are physically present at 6. Select the installation that you want to repair or diagnose, and then click **Next**. - **Note**   + **Note** If the Windows Recovery Environment (WinRE) detects or suspects that Windows 8 did not start correctly the last time that it was tried, **Startup Repair** might start to run automatically. -   - If any of the registry hives are corrupted or missing, Registry Editor and several other DaRT utilities will have limited functionality. If no operating system is selected, some tools will not be available. - The **System Recovery Options** window appears and lists various recovery tools. +~~~ +If any of the registry hives are corrupted or missing, Registry Editor and several other DaRT utilities will have limited functionality. If no operating system is selected, some tools will not be available. -7. On the **System Recovery Options** window, click **Microsoft Diagnostics and Recovery Toolset**. +The **System Recovery Options** window appears and lists various recovery tools. +~~~ - The **Diagnostics and Recovery Toolset** window opens. You can now run any of the individual tools or wizards that were included when the DaRT recovery image was created. +7. On the **System Recovery Options** window, click **Microsoft Diagnostics and Recovery Toolset**. + + The **Diagnostics and Recovery Toolset** window opens. You can now run any of the individual tools or wizards that were included when the DaRT recovery image was created. You can click **Help** on the **Diagnostics and Recovery Toolset** window to open the client Help file that provides detailed instruction and information needed to run the individual DaRT tools. You can also click the **Solution Wizard** on the **Diagnostics and Recovery Toolset** window to choose the best tool for the situation, based on a brief interview that the wizard provides. 
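Review bot: The two `~~~` fences added after the step 6 Note turn ordinary prose ("If any of the registry hives are corrupted or missing..." and "The **System Recovery Options** window appears and lists various recovery tools.") into preformatted code blocks, and because they sit at column 0 they also end the numbered list, so step 7 is likely to render as a new list starting at 1 and the `**...**` markers inside the fence will show as literal asterisks. Keep both sentences as indented continuation paragraphs under step 6 (for example `   If any of the registry hives are corrupted or missing, ...`) rather than fencing them; the only change this hunk needs is dropping the trailing non-breaking spaces after `**Note**`.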
@@ -58,41 +60,40 @@ For general information about any of the DaRT tools, see [Overview of the Tools **How to run DaRT at the command prompt** -- To run DaRT at the command prompt, specify the **netstart.exe** command then use any of the following parameters: +- To run DaRT at the command prompt, specify the **netstart.exe** command then use any of the following parameters: + + + + + + + + + + + + + + + + + + + + + + + + +

        Parameter

        Description

        -network

        Initializes the network services.

        -remount

        Remaps the drive letters.

        -prompt

        Displays messages that ask the end user to specify whether to initialize the network and remap the drives.

        +
        + Warning

        The end user’s response to the prompt overrides the –network and –remount switches.

        +
        +
        + +
        - - - - - - - - - - - - - - - - - - - - - - - -

        Parameter

        Description

        -network

        Initializes the network services.

        -remount

        Remaps the drive letters.

        -prompt

        Displays messages that ask the end user to specify whether to initialize the network and remap the drives.

        -
        - Warning   -

        The end user’s response to the prompt overrides the –network and –remount switches.

        -
        -
        -   -
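Review bot: In the `-prompt` row of the netstart.exe parameter table, the Warning text "overrides the –network and –remount switches" uses en dashes (U+2013) while the Parameter column spells the same switches with plain hyphens (`-network`, `-remount`); since this row is being rewritten anyway, change them to `-network` and `-remount` so the switch names copy and paste correctly into a command line. Apart from that, the table rewrite only strips trailing non-breaking spaces (the `- Warning   -` / `+ Warning` pair), which is fine.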
        -   ## Related topics @@ -101,9 +102,9 @@ For general information about any of the DaRT tools, see [Overview of the Tools [Recovering Computers Using DaRT 8.0](recovering-computers-using-dart-80-dart-8.md) -  - -  + + + diff --git a/mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md b/mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md index 7cd1a013a2..ea9f968420 100644 --- a/mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md +++ b/mdop/dart-v8/how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md 
@@ -35,113 +35,116 @@ If you disabled the DaRT tools when you created the recovery image, you still ha Whichever method that you use to boot into DaRT, you must enable the boot device in the BIOS for the boot option or options that you want to make available to the end user. - **Note**   + **Note** Configuring the BIOS is unique, depending on the kind of hard disk drive, network adapters, and other hardware that is used in your organization. -   - As the computer is booting into the DaRT recovery image, the **NetStart** dialog box appears. -2. When you are asked whether you want to initialize network services, select one of the following: +~~~ +As the computer is booting into the DaRT recovery image, the **NetStart** dialog box appears. +~~~ - **Yes** - it is assumed that a DHCP server is present on the network, and an attempt is made to obtain an IP address from the server. If the network uses static IP addresses instead of DHCP, you can later use the **TCP/IP Configuration** tool in DaRT to specify a static IP address. +2. When you are asked whether you want to initialize network services, select one of the following: - **No** - skip the network initialization process. + **Yes** - it is assumed that a DHCP server is present on the network, and an attempt is made to obtain an IP address from the server. If the network uses static IP addresses instead of DHCP, you can later use the **TCP/IP Configuration** tool in DaRT to specify a static IP address. -3. Indicate whether you want to remap the drive letters. When you run Windows online, the system volume is typically mapped to drive C. However, when you run Windows offline under WinRE, the original system volume might be mapped to another drive, and this can cause confusion. If you decide to remap, DaRT tries to map the offline drive letters to match the online drive letters. Remapping is performed only if an offline operating system is selected later in the startup process. 
+ **No** - skip the network initialization process. -4. On the **System Recovery Options** dialog box, select a keyboard layout. +3. Indicate whether you want to remap the drive letters. When you run Windows online, the system volume is typically mapped to drive C. However, when you run Windows offline under WinRE, the original system volume might be mapped to another drive, and this can cause confusion. If you decide to remap, DaRT tries to map the offline drive letters to match the online drive letters. Remapping is performed only if an offline operating system is selected later in the startup process. -5. Check the displayed system root directory, the kind of operating system installed, and the partition size. If you do not see your operating system listed, and suspect that the lack of drivers is a possible cause of the failure, click **Load Drivers** to load the suspect drivers, and then insert the installation media for the device and select the driver. +4. On the **System Recovery Options** dialog box, select a keyboard layout. -6. Select the installation that you want to repair or diagnose, and then click **Next**. +5. Check the displayed system root directory, the kind of operating system installed, and the partition size. If you do not see your operating system listed, and suspect that the lack of drivers is a possible cause of the failure, click **Load Drivers** to load the suspect drivers, and then insert the installation media for the device and select the driver. - **Note**   - If the Windows Recovery Environment (WinRE) detects or suspects that Windows 8 did not start correctly the last time that it was tried, **Startup Repair** might start to run automatically. For information about how to resolve this issue, see [Troubleshooting DaRT 8.0](troubleshooting-dart-80-dart-8.md). +6. Select the installation that you want to repair or diagnose, and then click **Next**. 
-   + **Note** + If the Windows Recovery Environment (WinRE) detects or suspects that Windows 8 did not start correctly the last time that it was tried, **Startup Repair** might start to run automatically. For information about how to resolve this issue, see [Troubleshooting DaRT 8.0](troubleshooting-dart-80-dart-8.md). - If any of the registry hives are corrupted or missing, Registry Editor and several other DaRT utilities will have limited functionality. If no operating system is selected, some tools will not be available. - The **System Recovery Options** window appears and lists various recovery tools. -7. On the **System Recovery Options** window, click **Microsoft Diagnostics and Recovery Toolset** to open the **Diagnostics and Recovery Toolset**. +~~~ +If any of the registry hives are corrupted or missing, Registry Editor and several other DaRT utilities will have limited functionality. If no operating system is selected, some tools will not be available. -8. On the **Diagnostics and Recovery Toolset** window, click **Remote Connection** to open the **DaRT Remote Connection** window. If you are prompted to give the help desk remote access, click **OK**. +The **System Recovery Options** window appears and lists various recovery tools. +~~~ - The DaRT Remote Connection window opens and displays a ticket number, IP address, and port information. +7. On the **System Recovery Options** window, click **Microsoft Diagnostics and Recovery Toolset** to open the **Diagnostics and Recovery Toolset**. -9. On the help desk computer, open the **DaRT Remote Connection Viewer**. +8. On the **Diagnostics and Recovery Toolset** window, click **Remote Connection** to open the **DaRT Remote Connection** window. If you are prompted to give the help desk remote access, click **OK**. + + The DaRT Remote Connection window opens and displays a ticket number, IP address, and port information. + +9. On the help desk computer, open the **DaRT Remote Connection Viewer**. 10. 
Click **Start**, click **All Programs**, click **Microsoft DaRT 8.0**, and then click **DaRT Remote Connection Viewer**. 11. In the **DaRT Remote Connection** window, enter the required ticket, IP address, and port information. - **Note**   - This information is created on the end-user computer and must be provided by the end user. There might be multiple IP addresses to choose from, depending on how many are available on the end-user computer. + **Note** + This information is created on the end-user computer and must be provided by the end user. There might be multiple IP addresses to choose from, depending on how many are available on the end-user computer. + -   12. Click **Connect**. The IT administrator now assumes control of the end-user computer and can run the DaRT tools remotely. -**Note**   +**Note** A file is provided that is named inv32.xml and contains remote connection information, such as the port number and IP address. By default, the file is typically located at %windir%\\system32. -  + **To customize the Remote Connection process** -1. You can customize the Remote Connection process by editing the winpeshl.ini file. For more information about how to edit the winpeshl.ini file, see [Winpeshl.ini Files](https://go.microsoft.com/fwlink/?LinkId=219413). +1. You can customize the Remote Connection process by editing the winpeshl.ini file. For more information about how to edit the winpeshl.ini file, see [Winpeshl.ini Files](https://go.microsoft.com/fwlink/?LinkId=219413). - Specify the following commands and parameters to customize how a remote connection is established with an end-user computer: + Specify the following commands and parameters to customize how a remote connection is established with an end-user computer: - - - - - - - - - - - - - - - - - - - - - - - - - -
        CommandParameterDescription

        RemoteRecovery.exe

        -nomessage

        Specifies that the confirmation prompt is not displayed. Remote Connection continues just as if the end user had responded "Yes" to the confirmation prompt.

        WaitForConnection.exe

        none

        Prevents a custom script from continuing until either Remote Connection is not running or a valid connection is established with the end-user computer.

        -
        - Important   -

        This command serves no function if it is specified independently. It must be specified in a script to function correctly.

        -
        -
        -   -
        + + + + + + + + + + + + + + + + + + + + + + + + + +
        CommandParameterDescription

        RemoteRecovery.exe

        -nomessage

        Specifies that the confirmation prompt is not displayed. Remote Connection continues just as if the end user had responded "Yes" to the confirmation prompt.

        WaitForConnection.exe

        none

        Prevents a custom script from continuing until either Remote Connection is not running or a valid connection is established with the end-user computer.

        +
        + Important

        This command serves no function if it is specified independently. It must be specified in a script to function correctly.

        +
        +
        -   +
        -2. The following is an example of a winpeshl.ini file that is customized to open the **Remote Connection** tool as soon as an attempt is made to boot into DaRT: - ``` syntax - [LaunchApps] - "%windir%\system32\netstart.exe -network -remount" - "cmd /C start %windir%\system32\RemoteRecovery.exe -nomessage" - "%windir%\system32\WaitForConnection.exe" - "%SYSTEMDRIVE%\sources\recovery\recenv.exe" - ``` + +2. The following is an example of a winpeshl.ini file that is customized to open the **Remote Connection** tool as soon as an attempt is made to boot into DaRT: + + ``` syntax + [LaunchApps] + "%windir%\system32\netstart.exe -network -remount" + "cmd /C start %windir%\system32\RemoteRecovery.exe -nomessage" + "%windir%\system32\WaitForConnection.exe" + "%SYSTEMDRIVE%\sources\recovery\recenv.exe" + ``` When DaRT starts, it creates the file inv32.xml in \\Windows\\System32\\ on the RAM disk. This file contains connection information: IP address, port, and ticket number. You can copy this file to a network share to trigger a Help desk workflow. For example, a custom program can check the network share for connection files, and then create a support ticket or send email notifications. 
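Review bot: The `~~~` fences introduced in this hunk (around "As the computer is booting into the DaRT recovery image, the **NetStart** dialog box appears." under step 1, and again around the registry-hives and **System Recovery Options** paragraphs after step 6) break the numbered procedure: a column-0 fenced block ends the list, so steps 2 and 7 can renumber, and the text inside renders as monospaced code with the `**` markers shown literally. Restore them as indented paragraphs under steps 1 and 6. Moving the winpeshl.ini sample (the ``` syntax fence with `[LaunchApps]` and the `netstart.exe -network -remount` line) under item 2 of the customization procedure is the right direction, because it keeps the sample inside the step; just confirm that `syntax` is an info string the site renderer accepts, or drop it.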
@@ -176,14 +179,16 @@ When DaRT starts, it creates the file inv32.xml in \\Windows\\System32\\ on the -   - **Note**   - The variables for these parameters are created on the end-user computer and must be provided by the end user. -   +~~~ +**Note** +The variables for these parameters are created on the end-user computer and must be provided by the end user. +~~~ -2. If all three parameters are specified and the data is valid, a connection is immediately tried when the program starts. If any parameter is not valid, the program starts as if there were no parameters specified. + + +2. If all three parameters are specified and the data is valid, a connection is immediately tried when the program starts. If any parameter is not valid, the program starts as if there were no parameters specified. ## Related topics @@ -192,9 +197,9 @@ When DaRT starts, it creates the file inv32.xml in \\Windows\\System32\\ on the [Recovering Computers Using DaRT 8.0](recovering-computers-using-dart-80-dart-8.md) -  - -  + + + diff --git a/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md b/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md index e0df0176f6..7cffb8401b 100644 --- a/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md +++ b/mdop/dart-v8/overview-of-the-tools-in-dart-80-dart-8.md @@ -33,7 +33,7 @@ A description of the DaRT 8.0 tools follows. **Note**   The recovery of dynamic disks with DaRT is not supported. -  + ### Crash Analyzer 
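Review bot: In the `@@ -176,14 +179,16 @@` hunk of how-to-recover-remote-computers-by-using-the-dart-recovery-image-dart-8.md, wrapping `**Note**` and "The variables for these parameters are created on the end-user computer and must be provided by the end user." in `~~~` makes the note render as a code block with a literal `**Note**`, and the column-0 fence between items 1 and 2 splits the numbered list so item 2 restarts at 1. Keep the note as an indented paragraph under item 1 instead. The overview-of-the-tools hunks on this line are whitespace-only (non-breaking space lines replaced by blank lines) and need no change.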
@@ -50,7 +50,7 @@ For more information about **Crash Analyzer**, see [Diagnosing System Failures w **Important**   Environments with the DaRT Defender deployed should instead use the Windows Defender Offline (WDO) protection image for malware detection. Because of how the Defender tool integrates into DaRT, all supported DaRT version deployments cannot apply these anti-malware updates to their DaRT images. For more information, see [Microsoft Diagnostics and Recovery Toolset (DaRT) users should use Windows Defender Offline (WDO) for malware detection](microsoft-diagnostics-and-recovery-toolset--dart--users-should-use-windows-defender-offline--wdo--for-malware-detection.md). -  + **Defender** can help detect malware and unwanted software and warn you of security risks. You can use this tool to scan a computer for and remove malware even when the installed Windows operating system is not running. When **Defender** detects malicious or unwanted software, it prompts you to remove, quarantine, or allow for each item. @@ -71,12 +71,12 @@ Malware that uses rootkits can mask itself from the running operating system. If **Warning**   We recommend that you back up a disk before you use **Disk Commander** to repair it. By using **Disk Commander**, you can potentially damage volumes and make them inaccessible. Additionally, changes to one volume can affect other volumes because volumes on a disk share a partition table. -  + **Note**   The recovery of dynamic disks with DaRT is not supported. -  + ### Disk Wipe @@ -85,7 +85,7 @@ You can use **Disk Wipe** to delete all data from a disk or volume, even the dat **Warning**   After wiping a disk or volume, you cannot recover the data. Verify the size and label of a volume before erasing it. -  + ### Explorer @@ -98,7 +98,7 @@ The **Explorer** tool lets you browse the computer’s file system and network s **Note**   The recovery of dynamic disks with DaRT is not supported. -  + ### File Search 
@@ -115,7 +115,7 @@ We recommend that you uninstall only one hotfix at a time, even though the tool **Important**   Programs that were installed or updated after a hotfix was installed might not work correctly after you uninstall a hotfix. -  + ### Locksmith @@ -130,7 +130,7 @@ You can use **Registry Editor** to access and change the registry of the Windows **Warning**   Serious problems can occur if you change the registry incorrectly by using **Registry Editor**. These problems might require you to reinstall the operating system. Before you make changes to the registry, you should back up any valued data on the computer. Change the registry at your own risk. -  + ### SFC Scan @@ -149,9 +149,9 @@ When you boot a problem computer into DaRT, it is set to automatically obtain it [Getting Started with DaRT 8.0](getting-started-with-dart-80-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md b/mdop/dart-v8/planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md index 3e33763b18..4f95c0b2fa 100644 --- a/mdop/dart-v8/planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md +++ b/mdop/dart-v8/planning-how-to-save-and-deploy-the-dart-80-recovery-image-dart-8.md @@ -24,7 +24,7 @@ If your organization uses Active Directory Domain Services (AD DS), you may want **Note**   You may want to use more than one method in your organization. For example, you can boot into DaRT from a remote partition for most situations and have a USB flash drive available in case the end-user computer cannot connect to the network. -  + The following table shows some advantages and disadvantages of each method of using DaRT in your organization. @@ -80,16 +80,16 @@ The following table shows some advantages and disadvantages of each method of us -  + ## Related topics [Planning to Deploy DaRT 8.0](planning-to-deploy-dart-80-dart-8.md) -  + -  + 
diff --git a/mdop/dart-v8/planning-to-create-the-dart-80-recovery-image-dart-8.md b/mdop/dart-v8/planning-to-create-the-dart-80-recovery-image-dart-8.md index a3adfc482b..4acce8e180 100644 --- a/mdop/dart-v8/planning-to-create-the-dart-80-recovery-image-dart-8.md +++ b/mdop/dart-v8/planning-to-create-the-dart-80-recovery-image-dart-8.md @@ -49,7 +49,7 @@ The following items are required or recommended for creating the DaRT recovery i

        Windows Debugging Tools for your platform

        -

        Required when you run the Crash Analyzer to determine the cause of a computer failure. We recommend that you specify the path of the Windows Debugging Tools at the time that you create the DaRT recovery image. You can download the Windows Debugging Tools here: [Download and Install Debugging Tools for Windows](https://go.microsoft.com/fwlink/?LinkId=99934).

        +

        Required when you run the Crash Analyzer to determine the cause of a computer failure. We recommend that you specify the path of the Windows Debugging Tools at the time that you create the DaRT recovery image. You can download the Windows Debugging Tools here: Download and Install Debugging Tools for Windows.

        Optional: Defender definitions
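Review bot: In the Windows Debugging Tools row, the removed cell carried the Markdown link `[Download and Install Debugging Tools for Windows](https://go.microsoft.com/fwlink/?LinkId=99934)` while the added cell shows only the text "Download and Install Debugging Tools for Windows."; confirm the replacement markup still carries the `https://go.microsoft.com/fwlink/?LinkId=99934` target (an HTML anchor, if the cell is inside an HTML table where Markdown link syntax is not processed), otherwise the download reference is lost. The same check applies to the Windows symbols row in the next hunk, whose link to `diagnosing-system-failures-with-crash-analyzer--dart-8.md` is likewise reduced to plain text in the added line.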

        @@ -57,21 +57,21 @@ The following items are required or recommended for creating the DaRT recovery i

        Optional: Windows symbols files for use with Crash Analyzer

        -

        Typically, debugging information is stored in a symbol file that is separate from the program. You must have access to the symbol information when you debug an application that has stopped responding, for example, if it stopped working. For more information, see [Diagnosing System Failures with Crash Analyzer](diagnosing-system-failures-with-crash-analyzer--dart-8.md).

        +

        Typically, debugging information is stored in a symbol file that is separate from the program. You must have access to the symbol information when you debug an application that has stopped responding, for example, if it stopped working. For more information, see Diagnosing System Failures with Crash Analyzer.

        -  + ## Related topics [Planning to Deploy DaRT 8.0](planning-to-deploy-dart-80-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/recovering-computers-using-dart-80-dart-8.md b/mdop/dart-v8/recovering-computers-using-dart-80-dart-8.md index a75d6d79e6..10b50735d0 100644 --- a/mdop/dart-v8/recovering-computers-using-dart-80-dart-8.md +++ b/mdop/dart-v8/recovering-computers-using-dart-80-dart-8.md @@ -34,7 +34,7 @@ Whichever method that you use to boot into DaRT, you must enable the boot device **Note**   Configuring the BIOS is unique, depending on the kind of hard disk drive, network adapters, and other hardware that is used in your organization. -  + ## Recover a local computer by using the DaRT recovery image @@ -51,7 +51,7 @@ The Remote Connection feature in DaRT lets an IT administrator run the DaRT tool **Important**   The two computers establishing a remote connection must be part of the same network. -  + The **Diagnostics and Recovery Toolset** window includes the option to run DaRT on an end-user computer remotely from an administrator computer. The end user opens the DaRT tools on the problem computer and starts the remote session by clicking **Remote Connection**. @@ -66,9 +66,9 @@ The IT administrator or help desk worker enters this information into the **DaRT [Operations for DaRT 8.0](operations-for-dart-80-dart-8.md) -  + -  + diff --git a/mdop/dart-v8/release-notes-for-dart-80--dart-8.md b/mdop/dart-v8/release-notes-for-dart-80--dart-8.md index 3a65704d88..7ec6427eb0 100644 --- a/mdop/dart-v8/release-notes-for-dart-80--dart-8.md +++ b/mdop/dart-v8/release-notes-for-dart-80--dart-8.md @@ -40,7 +40,7 @@ We are interested in your feedback on DaRT 8.0. You can send your feedback to AGPM 4.0 - Windows Vista SP1, Windows 7, Windows Server 2008, Windows Server 2008 R2

        AGPM 3.0- Windows Vista SP1, Windows Server 2008

        AGPM 2.5 - Windows Vista, Windows Server 2003

        -

        [Overview of Microsoft Advanced Group Policy Management](agpm/index.md)

        -

        [AGPM 4.0 SP3](agpm/whats-new-in-agpm-40-sp3.md)

        -

        [AGPM 4.0 SP2](agpm/whats-new-in-agpm-40-sp2.md)

        -

        [AGPM 4.0 SP1](https://go.microsoft.com/fwlink/p/?LinkId=286715) (https://go.microsoft.com/fwlink/p/?LinkId=286715)

        -

        [AGPM 4.0](agpm/whats-new-in-agpm-40-sp1.md)

        -

        [AGPM 3.0](agpm/whats-new-in-agpm-30.md)

        -

        [AGPM 2.5](agpm/agpm-25-navengl.md)

        -

        [AGPM Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=232275)

        +

        Overview of Microsoft Advanced Group Policy Management

        +

        AGPM 4.0 SP3

        +

        AGPM 4.0 SP2

        +

        AGPM 4.0 SP1 (https://go.microsoft.com/fwlink/p/?LinkId=286715)

        +

        AGPM 4.0

        +

        AGPM 3.0

        +

        AGPM 2.5

        +

        AGPM Whitepapers on the Microsoft Download Center

        Microsoft Application Virtualization (App-V) lets you make applications available to end user computers without installing the applications directly on those computers.

        -

        [Microsoft Application Virtualization 5.1 Administrator's Guide](appv-v5/microsoft-application-virtualization-51-administrators-guide.md)

        -

        [About App-V 5.0 SP3](appv-v5/about-app-v-50-sp3.md)

        -

        [About App-V 5.0 SP2](appv-v5/about-app-v-50-sp2.md)

        -

        [About App-V 5.0 SP1](appv-v5/about-app-v-50-sp1.md)

        -

        [Microsoft Application Virtualization 5.0 Administrator's Guide](appv-v5/microsoft-application-virtualization-50-administrators-guide.md)

        -

        [About Microsoft Application Virtualization 4.6 SP3](appv-v4/about-microsoft-application-virtualization-46-sp3.md)

        -

        [About Microsoft Application Virtualization 4.6 SP2](appv-v4/about-microsoft-application-virtualization-46-sp2.md)

        -

        [About Microsoft Application Virtualization 4.6 SP1](appv-v4/about-microsoft-application-virtualization-46-sp1.md)

        -

        [About Microsoft Application Virtualization 4.6](appv-v4/about-microsoft-application-virtualization-46.md)

        -

        [About Microsoft Application Virtualization 4.5](appv-v4/about-microsoft-application-virtualization-45.md)

        -

        [App-V Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=231902)

        -

        [App-V 5.0 eBooks](https://go.microsoft.com/fwlink/p/?LinkId=309570) (https://go.microsoft.com/fwlink/p/?LinkId=309570)

        +

        Microsoft Application Virtualization 5.1 Administrator's Guide

        +

        About App-V 5.0 SP3

        +

        About App-V 5.0 SP2

        +

        About App-V 5.0 SP1

        +

        Microsoft Application Virtualization 5.0 Administrator's Guide

        +

        About Microsoft Application Virtualization 4.6 SP3

        +

        About Microsoft Application Virtualization 4.6 SP2

        +

        About Microsoft Application Virtualization 4.6 SP1

        +

        About Microsoft Application Virtualization 4.6

        +

        About Microsoft Application Virtualization 4.5

        +

        App-V Whitepapers on the Microsoft Download Center

        +

        App-V 5.0 eBooks (https://go.microsoft.com/fwlink/p/?LinkId=309570)

        Microsoft BitLocker Administration and Monitoring (MBAM) provides an administrative interface to enterprise-wide BitLocker drive encryption.

        -

        [Microsoft BitLocker Administration and Monitoring 2.5](mbam-v25/index.md)

        -

        [MBAM 2.5 Video Demonstration: Deploying MBAM 2.5](https://go.microsoft.com/fwlink/?LinkId=518206)

        -

        [About MBAM 2.5 SP1](mbam-v25/about-mbam-25-sp1.md)

        -

        [About MBAM 2.0 SP1](mbam-v2/about-mbam-20-sp1.md)

        -

        [Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide](mbam-v2/index.md)

        -

        [Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide](mbam-v1/index.md)

        -

        [MBAM Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=231905) (https://go.microsoft.com/fwlink/p/?LinkId=231905)

        -

        [MBAM 1.0 eBooks](https://go.microsoft.com/fwlink/p/?LinkId=309571) (https://go.microsoft.com/fwlink/p/?LinkId=309571)

        +

        Microsoft BitLocker Administration and Monitoring 2.5

        +

        MBAM 2.5 Video Demonstration: Deploying MBAM 2.5

        +

        About MBAM 2.5 SP1

        +

        About MBAM 2.0 SP1

        +

        Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide

        +

        Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide

        +

        MBAM Whitepapers on the Microsoft Download Center (https://go.microsoft.com/fwlink/p/?LinkId=231905)

        +

        MBAM 1.0 eBooks (https://go.microsoft.com/fwlink/p/?LinkId=309571)

        Microsoft Diagnostics and Recovery Toolset (DaRT) helps troubleshoot and repair Windows-based computers.
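Review bot: In the product documentation table (the `@@ -40,7 +40,7 @@` hunk), every removed cell is a Markdown link with a relative target (`agpm/index.md`, `appv-v5/microsoft-application-virtualization-51-administrators-guide.md`, `mbam-v25/index.md`, and so on) while the added cells show only link text such as "Overview of Microsoft Advanced Group Policy Management" and "AGPM 4.0 SP3"; confirm the new cell markup preserves those targets, since the rows would otherwise become dead text. While these rows are being touched: the "AGPM 4.0" entry points at `agpm/whats-new-in-agpm-40-sp1.md` (the SP1 page), which looks like a pre-existing wrong target, and rows that repeat the URL in parentheses after the link, e.g. `[AGPM 4.0 SP1](https://go.microsoft.com/fwlink/p/?LinkId=286715) (https://go.microsoft.com/fwlink/p/?LinkId=286715)`, keep the duplicated URL in the new text too.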

        @@ -81,53 +81,53 @@ The following table provides links to the product documentation for the MDOP pro

        DaRT 6.5 - Windows 7, Windows Server 2008 R2

        DaRT 6.0 - Windows Vista, Windows Server 2008

        DaRT 5.0 - Windows 2000, Windows XP, Windows Server 2003

        -

        [Diagnostics and Recovery Toolset 10](dart-v10/index.md)

        -

        [About DaRT 8.1](dart-v8/about-dart-81.md)

        -

        [About DaRT 8.0 SP1](dart-v8/about-dart-80-sp1.md)

        -

        [Diagnostics and Recovery Toolset 8 Administrator's Guide](dart-v8/index.md)

        -

        [Diagnostics and Recovery Toolset 7 Administrator's Guide](dart-v7/index.md)

        -

        [DaRT 6.5](https://go.microsoft.com/fwlink/p/?LinkId=232983) (https://go.microsoft.com/fwlink/p/?LinkId=232983)

        -

        [DaRT Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=232274) (https://go.microsoft.com/fwlink/p/?LinkId=232274)

        -

        [DaRT 8.0 eBook](https://go.microsoft.com/fwlink/p/?LinkId=309573) (https://go.microsoft.com/fwlink/p/?LinkId=309573)

        -

        [DaRT 7.0 eBook](https://go.microsoft.com/fwlink/p/?LinkId=309572) (https://go.microsoft.com/fwlink/p/?LinkId=309572)

        +

        Diagnostics and Recovery Toolset 10

        +

        About DaRT 8.1

        +

        About DaRT 8.0 SP1

        +

        Diagnostics and Recovery Toolset 8 Administrator's Guide

        +

        Diagnostics and Recovery Toolset 7 Administrator's Guide

        +

        DaRT 6.5 (https://go.microsoft.com/fwlink/p/?LinkId=232983)

        +

        DaRT Whitepapers on the Microsoft Download Center (https://go.microsoft.com/fwlink/p/?LinkId=232274)

        +

        DaRT 8.0 eBook (https://go.microsoft.com/fwlink/p/?LinkId=309573)

        +

        DaRT 7.0 eBook (https://go.microsoft.com/fwlink/p/?LinkId=309572)

        Microsoft Desktop Enterprise Monitoring (DEM) monitors and reports enterprise-wide desktop application and system failures.

        -

        [DEM 3.5](https://go.microsoft.com/fwlink/p/?LinkId=232985) (https://go.microsoft.com/fwlink/p/?LinkId=232985)

        -

        [DEM Whitepapers on the Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=232276) (https://go.microsoft.com/fwlink/p/?LinkId=232276)

        +

        DEM 3.5 (https://go.microsoft.com/fwlink/p/?LinkId=232985)

        +

        DEM Whitepapers on the Microsoft Download Center (https://go.microsoft.com/fwlink/p/?LinkId=232276)

        Microsoft Enterprise Desktop Virtualization (MED-V) uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization.

        MED-V 2.0 - Windows 7

        MED-V 1.0 SP1 - Windows 7, Windows Vista, Windows XP

        MED-V 1.0 - Windows Vista, Windows XP

        -

        [Microsoft Enterprise Desktop Virtualization 2.0](medv-v2/index.md)

        -

        [About MED-V 1.0 SP1](medv-v1/about-med-v-10-sp1.md)

        -

        [Microsoft Enterprise Desktop Virtualization 1.0](medv-v1/index.md)

        +

        Microsoft Enterprise Desktop Virtualization 2.0

        +

        About MED-V 1.0 SP1

        +

        Microsoft Enterprise Desktop Virtualization 1.0

        Microsoft User Experience Virtualization (UE-V) captures settings to apply to computers accessed by the user including desktop computers, laptop computers, and VDI sessions.

        -

        [Microsoft User Experience Virtualization (UE-V) 2.x](uev-v2/index.md)

        -

        [What's New in UE-V 2.1 SP1](uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md)

        -

        [What's New in UE-V 2.1](uev-v2/whats-new-in-ue-v-21-new-uevv2.md)

        -

        [What's New in UE-V 2.0](uev-v2/whats-new-in-ue-v-20-new-uevv2.md)

        -

        [About User Experience Virtualization 1.0 SP1](uev-v1/about-user-experience-virtualization-10-sp1.md)

        -

        [Microsoft User Experience Virtualization (UE-V) 1.0](uev-v1/index.md)

        -

        [UE-V 1.0 eBooks](https://go.microsoft.com/fwlink/p/?LinkId=309574) (https://go.microsoft.com/fwlink/p/?LinkId=309574)

        +

        Microsoft User Experience Virtualization (UE-V) 2.x

        +

        What's New in UE-V 2.1 SP1

        +

        What's New in UE-V 2.1

        +

        What's New in UE-V 2.0

        +

        About User Experience Virtualization 1.0 SP1

        +

        Microsoft User Experience Virtualization (UE-V) 1.0

        +

        UE-V 1.0 eBooks (https://go.microsoft.com/fwlink/p/?LinkId=309574)

        -

        [MDOP Solutions and Scenarios](solutions/index.md)

        -

        [Virtualizing Microsoft Office 2013 for Application Virtualization (App-V) 5.0](solutions/virtualizing-microsoft-office-2013-for-application-virtualization--app-v--50-solutions.md)

        -

        [Virtualizing Microsoft Office 2010 for Application Virtualization (App-V) 5.0](solutions/virtualizing-microsoft-office-2010-for-application-virtualization--app-v--50-solutions.md)

        -

        [Creating App-V 4.5 Databases Using SQL Scripting](solutions/creating-app-v-45-databases-using-sql-scripting.md)

        -

        [Application Publishing and Client Interaction for App-V 5](solutions/application-publishing-and-client-interaction-for-app-v-5-solutions.md)

        -

        [How to Download and Deploy MDOP Group Policy (.admx) Templates](solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md)

        +

        MDOP Solutions and Scenarios

        +

        Virtualizing Microsoft Office 2013 for Application Virtualization (App-V) 5.0

        +

        Virtualizing Microsoft Office 2010 for Application Virtualization (App-V) 5.0

        +

        Creating App-V 4.5 Databases Using SQL Scripting

        +

        Application Publishing and Client Interaction for App-V 5

        +

        How to Download and Deploy MDOP Group Policy (.admx) Templates

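Review bot: The `+` rows in this hunk drop the link targets altogether, not just the duplicated bare URL: `[Diagnostics and Recovery Toolset 10](dart-v10/index.md)` becomes the plain text `Diagnostics and Recovery Toolset 10`, and every other `dart-v8/`, `medv-v*/`, `uev-v*/` and `solutions/` relative link in the table goes the same way, so readers of the rendered page can no longer reach those topics from the index. For the external rows the address at least survives as text (`DaRT 6.5 (https://go.microsoft.com/fwlink/p/?LinkId=232983)`), but it is no longer clickable either. If the goal was to remove the redundant `(https://...)` that followed each link, keep the markdown link and delete only the parenthesised duplicate, for example `[DaRT 6.5](https://go.microsoft.com/fwlink/p/?LinkId=232983)`; the same applies to the MBAM rows in the preceding hunk.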
        -  + ## Supplemental MDOP Product Guidance @@ -142,21 +142,21 @@ In addition to the product documentation available online, supplemental product

        MDOP Virtual Labs

        -

        For a list of available MDOP virtual labs, go to [Microsoft Desktop Optimization Pack (MDOP) Virtual Labs](https://go.microsoft.com/fwlink/p/?LinkId=234276) (https://go.microsoft.com/fwlink/p/?LinkId=234276).

        +

        For a list of available MDOP virtual labs, go to Microsoft Desktop Optimization Pack (MDOP) Virtual Labs (https://go.microsoft.com/fwlink/p/?LinkId=234276).

        MDOP TechCenter

        -

        For technical whitepapers, evaluation materials, blogs, and additional MDOP resources, go to [MDOP TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=225286) (https://go.microsoft.com/fwlink/p/?LinkId=225286)

        +

        For technical whitepapers, evaluation materials, blogs, and additional MDOP resources, go to MDOP TechCenter (https://go.microsoft.com/fwlink/p/?LinkId=225286)

        MDOP Forums

        -

        Join in the MDOP community where you can ask and answer questions at the [MDOP TechNet Forum](https://go.microsoft.com/fwlink/p/?LinkId=286973) (https://go.microsoft.com/fwlink/p/?LinkId=286973).

        +

        Join in the MDOP community where you can ask and answer questions at the MDOP TechNet Forum (https://go.microsoft.com/fwlink/p/?LinkId=286973).

        -  + ## How to Get MDOP @@ -169,9 +169,9 @@ MDOP subscribers can download the software at the [Microsoft Volume Licensing we **Purchase MDOP** Visit the enterprise [Purchase Windows Enterprise Licensing](https://www.microsoft.com/licensing/how-to-buy/how-to-buy) website to find out how to purchase MDOP for your business. -  + -  + diff --git a/mdop/mbam-v1/about-mbam-10.md b/mdop/mbam-v1/about-mbam-10.md index 8868acfdc9..6649ff16d7 100644 --- a/mdop/mbam-v1/about-mbam-10.md +++ b/mdop/mbam-v1/about-mbam-10.md @@ -24,7 +24,7 @@ With Microsoft BitLocker Administration and Monitoring, you can select the BitLo **Note**   BitLocker is not covered in detail in this guide. For an overview of BitLocker, see [BitLocker Drive Encryption Overview](https://go.microsoft.com/fwlink/p/?LinkId=225013). -  + The following groups might be interested in using MBAM to manage BitLocker: @@ -46,9 +46,9 @@ For more information and for latest updates, see [Release Notes for MBAM 1.0](re [Getting Started with MBAM 1.0](getting-started-with-mbam-10.md) -  + -  + diff --git a/mdop/mbam-v1/accessibility-for-mbam-10.md b/mdop/mbam-v1/accessibility-for-mbam-10.md index 4dc58460d9..6e772a734a 100644 --- a/mdop/mbam-v1/accessibility-for-mbam-10.md +++ b/mdop/mbam-v1/accessibility-for-mbam-10.md @@ -33,7 +33,7 @@ Access keys let you quickly use a command by pressing a few keys. You can get to **Note**   To cancel the action that you are taking and hide the keyboard shortcuts, press ALT. -  + ## Documentation in Alternative Formats @@ -67,13 +67,13 @@ For information about the availability of Microsoft product documentation and bo

        (609) 987-8116

        -

        [http://www.learningally.org/](https://go.microsoft.com/fwlink/?linkid=239)

        +

        http://www.learningally.org/

        Web addresses can change, so you might be unable to connect to the website or sites mentioned here.
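Review bot: The `+http://www.learningally.org/` line resolves a real text/target mismatch (the `-` line displayed learningally.org but sent the reader through `https://go.microsoft.com/fwlink/?linkid=239`), but it leaves a bare, non-clickable address behind. Prefer a markdown link whose text and target agree, such as `[www.learningally.org](http://www.learningally.org/)`, and check whether the site serves the page over HTTPS so that the published address can use `https://` rather than plain `http://`.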

        -  + ## Customer Service for People with Hearing Impairments @@ -96,9 +96,9 @@ For more information about how accessible technology for computers helps to impr [Getting Started with MBAM 1.0](getting-started-with-mbam-10.md) -  + -  + diff --git a/mdop/mbam-v1/administering-mbam-10-features.md b/mdop/mbam-v1/administering-mbam-10-features.md index 42e7a01e28..86fabb6cde 100644 --- a/mdop/mbam-v1/administering-mbam-10-features.md +++ b/mdop/mbam-v1/administering-mbam-10-features.md @@ -34,7 +34,7 @@ The MBAM Hardware Compatibility feature can help you to ensure that only the com **Important**   When this feature is turned off, all computers where the MBAM policy is deployed will be encrypted. -  + MBAM can collect information on both the make and model of client computers if you deploy the “Allow Hardware Compatibility Checking” Group Policy. If you configure this policy, the MBAM agent reports the computer make and model information to the MBAM Server when the MBAM Client is deployed on a client computer. @@ -61,9 +61,9 @@ If enabled through a Group Policy Objects (GPO), a custom MBAM control panel tha [Operations for MBAM 1.0](operations-for-mbam-10.md) -  + -  + diff --git a/mdop/mbam-v1/deploying-the-mbam-10-server-infrastructure.md b/mdop/mbam-v1/deploying-the-mbam-10-server-infrastructure.md index 7830935da3..55c227b364 100644 --- a/mdop/mbam-v1/deploying-the-mbam-10-server-infrastructure.md +++ b/mdop/mbam-v1/deploying-the-mbam-10-server-infrastructure.md @@ -27,7 +27,7 @@ In this configuration, all MBAM features are installed on a single server. This **Important**   This configuration is supported, but we recommend it for testing only. -  + The procedures in this section describe the full installation of the MBAM features on a single server. @@ -93,9 +93,9 @@ In this configuration, MBAM features are installed in the following configuratio [Deploying MBAM 1.0](deploying-mbam-10.md) -  + -  + 
diff --git a/mdop/mbam-v1/evaluating-mbam-10.md b/mdop/mbam-v1/evaluating-mbam-10.md index 64bf6488dd..a610d18cea 100644 --- a/mdop/mbam-v1/evaluating-mbam-10.md +++ b/mdop/mbam-v1/evaluating-mbam-10.md @@ -47,63 +47,62 @@ Even when you set up a non-production instance of MBAM to evaluate in a lab envi Checklist box

        Review the Getting Started information about MBAM to gain a basic understanding of the product before you begin your deployment planning.

        -

        [Getting Started with MBAM 1.0](getting-started-with-mbam-10.md)

        +

        Getting Started with MBAM 1.0

        Checklist box

        -

        Prepare your computing environment for the MBAM installation. To do so, you must enable the Transparent Data Encryption (TDE) on the SQL Server instances that will host MBAM databases. To enable TDE in your lab environment, you can create a .sql file to run against the master database that is hosted on the instance of the SQL Server that MBAM will use.

        +

        Prepare your computing environment for the MBAM installation. To do so, you must enable the Transparent Data Encryption (TDE) on the SQL Server instances that will host MBAM databases. To enable TDE in your lab environment, you can create a .sql file to run against the master database that is hosted on the instance of the SQL Server that MBAM will use.

        -Note   -

        You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup\. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.

        +Note

        You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup</em>. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.

        -  +
        USE master;
         GO
        -CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@55w0rd';
        +CREATE MASTER KEY ENCRYPTION BY PASSWORD = &amp;#39;P@55w0rd';
         GO
         CREATE CERTIFICATE tdeCert WITH SUBJECT = 'TDE Certificate';
         GO
         BACKUP CERTIFICATE tdeCert TO FILE = 'C:\Backup\TDECertificate.cer'
            WITH PRIVATE KEY (
                  FILE = 'C:\Backup\TDECertificateKey.pvk',
        -         ENCRYPTION BY PASSWORD = 'P@55w0rd');
        +         ENCRYPTION BY PASSWORD = &amp;#39;P@55w0rd');
         GO
        -

        [MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md)

        -

        [Database Encryption in SQL Server 2008 Enterprise Edition](https://go.microsoft.com/fwlink/?LinkId=269703)

        +

        MBAM 1.0 Deployment Prerequisites

        +

        Database Encryption in SQL Server 2008 Enterprise Edition

        Checklist box

        Plan for and configure MBAM Group Policy requirements.

        -

        [Planning for MBAM 1.0 Group Policy Requirements](planning-for-mbam-10-group-policy-requirements.md)

        +

        Planning for MBAM 1.0 Group Policy Requirements

        Checklist box -

        Plan for and create the necessary Active Directory Domain Services security groups and plan for MBAM local security group membership requirements.

        -

        [Planning for MBAM 1.0 Administrator Roles](planning-for-mbam-10-administrator-roles.md)

        +

        Plan for and create the necessary Active Directory Domain Services security groups and plan for MBAM local security group membership requirements.

        +

        Planning for MBAM 1.0 Administrator Roles

        Checklist box

        Plan for MBAM Server feature deployment.

        -

        [Planning for MBAM 1.0 Server Deployment](planning-for-mbam-10-server-deployment.md)

        +

        Planning for MBAM 1.0 Server Deployment

        Checklist box

        Plan for MBAM Client deployment.

        -

        [Planning for MBAM 1.0 Client Deployment](planning-for-mbam-10-client-deployment.md)

        +

        Planning for MBAM 1.0 Client Deployment

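Review bot: The two changed lines in the TDE script are broken SQL: `CREATE MASTER KEY ENCRYPTION BY PASSWORD = &amp;#39;P@55w0rd';` and `ENCRYPTION BY PASSWORD = &amp;#39;P@55w0rd';` replace the opening single quote with a double-encoded HTML entity, so the string literal never opens and the script will not parse (and anyone who pastes it after a lenient renderer decodes it would get a password containing the literal characters `&#39;`). Restore the `-` versions, `... ENCRYPTION BY PASSWORD = 'P@55w0rd';`. The same hunk introduces a stray closing tag in the Note paragraph (`C:\Backup</em>.` should remain `C:\Backup\`), keeps the pre-existing typo "required when recover the database" (should be "when you recover the database"), and strips the `[MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md)` and `[Database Encryption in SQL Server 2008 Enterprise Edition](...)` links down to plain text. Since this sample is meant to be pasted into a lab, it would also help to tell readers to replace `P@55w0rd` with their own password and to keep the exported `TDECertificateKey.pvk` and its password somewhere other than the database server, which is what the surrounding recovery advice implies.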
        -  + ### Perform an MBAM Evaluation Deployment @@ -120,47 +119,47 @@ After you complete the necessary planning and software prerequisite installation Checklist box

        Review the MBAM supported configurations information to make sure that the selected client and server computers are supported for the MBAM feature installation.

        -

        [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md)

        +

        MBAM 1.0 Supported Configurations

        Checklist box

        Run MBAM Setup to deploy MBAM Server features on a single server for evaluation purposes.

        -

        [How to Install and Configure MBAM on a Single Server](how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md)

        +

        How to Install and Configure MBAM on a Single Server

        Checklist box -

        Add the Active Directory Domain Services security groups that you created during the planning phase to the appropriate local MBAM Server feature local groups on the new MBAM server.

        -

        [Planning for MBAM 1.0 Administrator Roles](planning-for-mbam-10-administrator-roles.md) and [How to Manage MBAM Administrator Roles](how-to-manage-mbam-administrator-roles-mbam-1.md)

        +

        Add the Active Directory Domain Services security groups that you created during the planning phase to the appropriate local MBAM Server feature local groups on the new MBAM server.

        +

        Planning for MBAM 1.0 Administrator Roles and How to Manage MBAM Administrator Roles

        Checklist box

        Create and deploy the required MBAM Group Policy Objects.

        -

        [Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md)

        +

        Deploying MBAM 1.0 Group Policy Objects

        Checklist box

        Deploy the MBAM Client software.

        -

        [Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md)

        +

        Deploying the MBAM 1.0 Client

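Review bot: Collapsing two links into one line of plain text makes the row ambiguous: `+Planning for MBAM 1.0 Administrator Roles and How to Manage MBAM Administrator Roles` now reads as a single topic title, whereas the `-` line linked two separate pages (`planning-for-mbam-10-administrator-roles.md` and `how-to-manage-mbam-administrator-roles-mbam-1.md`). Keep both markdown links, or at least separate the titles with a comma or line break so the reader knows there are two topics to consult; the other `+` rows in this checklist have the same link loss noted for the index table.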
        -  + ## Configure Lab Computers for MBAM Evaluation You can change the frequency settings on the MBAM Client status reporting by using Registry Editor. However, these modifications should be used for testing purposes only. -**Warning**   +**Warning** This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. -  + ### Modify the Frequency Settings on MBAM Client Status Reporting @@ -175,9 +174,9 @@ In addition to the MBAM Client wakeup and status reporting frequencies, there is [Getting Started with MBAM 1.0](getting-started-with-mbam-10.md) -  - -  + + + diff --git a/mdop/mbam-v1/getting-started-with-mbam-10.md b/mdop/mbam-v1/getting-started-with-mbam-10.md index a1e8b7128c..b54f281bf6 100644 --- a/mdop/mbam-v1/getting-started-with-mbam-10.md +++ b/mdop/mbam-v1/getting-started-with-mbam-10.md @@ -24,7 +24,7 @@ If you are new to this product, we recommend that you read the documentation tho **Note**   You can find a downloadable version of this documentation and the MBAM Evaluation Guide at . -  + This section of the MBAM Administrator’s Guide includes high-level information about MBAM to provide you with a basic understanding of the product before you begin the deployment planning. Additional MBAM documentation can be found on the MBAM Documentation Resources Download page at . @@ -60,9 +60,9 @@ This section of the MBAM Administrator’s Guide includes high-level information - [Troubleshooting MBAM 1.0](troubleshooting-mbam-10.md) -  + -  + 
diff --git a/mdop/mbam-v1/high-level-architecture-for-mbam-10.md b/mdop/mbam-v1/high-level-architecture-for-mbam-10.md index c732bb2e7d..73dfbdd35b 100644 --- a/mdop/mbam-v1/high-level-architecture-for-mbam-10.md +++ b/mdop/mbam-v1/high-level-architecture-for-mbam-10.md @@ -29,7 +29,7 @@ The following diagram displays the MBAM architecture. The single-server MBAM dep **Note**   At least a three-computer MBAM deployment topology is recommended for a production deployment. For more information about MBAM deployment topologies, see [Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md). -  + ![mbam single server deployment topology](images/mbam-1-server.jpg) @@ -58,9 +58,9 @@ At least a three-computer MBAM deployment topology is recommended for a producti [Getting Started with MBAM 1.0](getting-started-with-mbam-10.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-configure-network-load-balancing-for-mbam.md b/mdop/mbam-v1/how-to-configure-network-load-balancing-for-mbam.md index 932d92dac4..a8ca4fbd5c 100644 --- a/mdop/mbam-v1/how-to-configure-network-load-balancing-for-mbam.md +++ b/mdop/mbam-v1/how-to-configure-network-load-balancing-for-mbam.md @@ -24,7 +24,7 @@ To obtain the setup log files, you must install Microsoft BitLocker Administrati Additional setup log files are created in the %temp% folder of the user who installs MBAM. -  + The Network Load Balancing (NLB) clusters for the Administration and Monitoring Server feature provides scalability in MBAM and it should support more than 55,000 MBAM client computers. @@ -41,7 +41,7 @@ All computers that will be part of a NLB cluster have the following requirements - The NLB cluster requires a static IP address, and a host record must be manually created in the domain name system (DNS). -  + ## Configuring Network Load Balancing for MBAM Administration and Monitoring Servers 
@@ -53,7 +53,7 @@ Before you begin the procedures described in this topic, you must have the MBAM **Note**   This topic describes the basic process of using Network Load Balancing Manager to create an NLB Cluster. The exact steps to configure a Windows Server as part of an NLB cluster depend on the Windows Server version in use.. For more information about how to create NLBs on Windows Server 2008, see [Creating Network Load Balancing Clusters](https://go.microsoft.com/fwlink/?LinkId=197176) in the Windows Server 2008 TechNet library. -  + **To configure an NLB Cluster Virtual Name and IP address for two MBAM Administration and Monitoring Servers** @@ -62,7 +62,7 @@ This topic describes the basic process of using Network Load Balancing Manager t **Note**   If the NLB Manager is not present, you can install it as a Windows Server feature. You must install this feature on both MBAM Administration and Monitoring servers if you want to configure it into the NLB cluster. -   + 2. On the menu bar, click **Cluster**, and then click **New** to open the **Cluster Parameters** dialog box. @@ -83,7 +83,7 @@ This topic describes the basic process of using Network Load Balancing Manager t **Note**   Ensure that **Affinity** is set to **Single**. -   + 7. On the **Connect** page, enter an MBAM Administration and Monitoring server instance host name that will be part of the NLB cluster in **Host**, and then click **Connect**. 
@@ -94,7 +94,7 @@ This topic describes the basic process of using Network Load Balancing Manager t **Note**   The **Host Parameters** page also displays the NLB cluster host priority, which is 1 through 32. As new hosts are added to the NLB cluster, the host priority must differ from the previously added hosts. The priority is automatically incremented when you use the Network Load Balancing Manager. -   + 10. Click **<NLB cluster name>** and ensure that the NLB host interface **Status** displays **Converged** before you continue. This step might require that you refresh the NLB cluster display as the host TCP/IP configuration that is being modified by the NLB Manager. @@ -109,9 +109,9 @@ This topic describes the basic process of using Network Load Balancing Manager t [Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-1.md b/mdop/mbam-v1/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-1.md index a878fd4c67..d76d6481b6 100644 --- a/mdop/mbam-v1/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-1.md +++ b/mdop/mbam-v1/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-1.md 
@@ -19,17 +19,17 @@ ms.date: 06/16/2016 The Microsoft BitLocker Administration and Monitoring (MBAM) Client enables administrators to enforce and monitor BitLocker drive encryption on computers in the enterprise. The BitLocker Client can be integrated into an organization by enabling BitLocker management and encryption on client computers during the computer imaging and Windows deployment process. -**Note**   +**Note** To review the MBAM Client system requirements, see [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md). -  + Encryption of client computers with BitLocker during the initial imaging stage of a Windows deployment can lower the administrative overhead for MBAM implementation. This approach also ensures that every computer that is deployed already has BitLocker running and is configured correctly. -**Warning**   +**Warning** This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. -  + **To encrypt a computer as part of Windows deployment** 
@@ -83,24 +83,26 @@ This topic describes how to change the Windows registry by using Registry Editor Example: http://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc. -   - **Note**   - MBAM policy or registry values can be set here to override the previously set values. -   +~~~ +**Note** +MBAM policy or registry values can be set here to override the previously set values. +~~~ -7. The MBAM agent restarts the system during MBAM client deployment. When you are ready for this reboot, run the following command at a command prompt as an administrator: - **net start mbamagent** -8. When the computers restarts and the BIOS prompts you to accept a TPM change, accept the change. +7. The MBAM agent restarts the system during MBAM client deployment. When you are ready for this reboot, run the following command at a command prompt as an administrator: -9. During the Windows client operating system imaging process, when you are ready to start encryption, restart the MBAM agent service. Then, to set start to **automatic**, open a command prompt as an administrator and run the following commands: + **net start mbamagent** - **sc config mbamagent start= auto** +8. When the computers restarts and the BIOS prompts you to accept a TPM change, accept the change. - **net start mbamagent** +9. During the Windows client operating system imaging process, when you are ready to start encryption, restart the MBAM agent service. Then, to set start to **automatic**, open a command prompt as an administrator and run the following commands: + + **sc config mbamagent start= auto** + + **net start mbamagent** 10. Remove the bypass registry values. To do this, run regedit, browse to the HKLM\\SOFTWARE\\Microsoft registry entry, right-click the **MBAM** node, and then click **Delete**. @@ -109,9 +111,9 @@ This topic describes how to change the Windows registry by using Registry Editor [Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md) -  - -  + + + 
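Review bot: Wrapping the callout in `~~~` fences (the `+~~~`, `+**Note**` and `+MBAM policy or registry values can be set here to override the previously set values.` lines) turns it into a fenced code block, so the rendered page shows `**Note**` with literal asterisks in monospace instead of a note, and the numbered procedure is split: steps 7 to 10 now start a new list after the fence instead of continuing from step 6. Keep the note as an indented `**Note**` paragraph under the list item, as the `-` lines had it. Two smaller points in the re-indented steps: `+8. When the computers restarts` should read `When the computer restarts`, and the commands `**sc config mbamagent start= auto**` and `**net start mbamagent**` are correct as written, since sc.exe requires the space after `start=`.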
diff --git a/mdop/mbam-v1/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-1.md b/mdop/mbam-v1/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-1.md index 1e8169a07f..ec94256a72 100644 --- a/mdop/mbam-v1/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-1.md +++ b/mdop/mbam-v1/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-1.md @@ -22,7 +22,7 @@ The Microsoft BitLocker Administration and Monitoring (MBAM) Client enables admi **Note**   To review the MBAM Client system requirements, see [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md). -  + **To deploy the MBAM Client to desktop or laptop computers** @@ -33,23 +33,23 @@ To review the MBAM Client system requirements, see [MBAM 1.0 Supported Configura **Note**   You should not use Group Policy to deploy the Windows Installer package. -   + 3. Configure the distribution settings or Group Policy to run the MBAM Client installation file. After successful installation, the MBAM Client applies the Group Policy settings that are received from a domain controller to begin BitLocker encryption and management functions. For more information about MBAM Group Policy settings, see [Planning for MBAM 1.0 Group Policy Requirements](planning-for-mbam-10-group-policy-requirements.md). **Important**   The MBAM Client will not start BitLocker encryption actions if a remote desktop protocol connection is active. All remote console connections must be closed before BitLocker encryption will begin. -   + ## Related topics [Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-determine-the-bitlocker-encryption-state-of-a-lost-computers-mbam-1.md b/mdop/mbam-v1/how-to-determine-the-bitlocker-encryption-state-of-a-lost-computers-mbam-1.md index f10adf6909..1951352a23 100644 --- a/mdop/mbam-v1/how-to-determine-the-bitlocker-encryption-state-of-a-lost-computers-mbam-1.md 
+++ b/mdop/mbam-v1/how-to-determine-the-bitlocker-encryption-state-of-a-lost-computers-mbam-1.md @@ -26,7 +26,7 @@ Microsoft BitLocker Administration and Monitoring (MBAM) enables you to determin **Note**   The default address for the MBAM website is http://*<computername>*. Use the fully qualified server name for faster browsing results. -   + 2. Select the **Report** node from the navigation pane, and then select the **Computer Compliance Report**. @@ -37,16 +37,16 @@ Microsoft BitLocker Administration and Monitoring (MBAM) enables you to determin **Note**   Device compliance is determined by the deployed BitLocker policies. You should verify these deployed policies when you are trying to determine the BitLocker encryption state of a device. -   + ## Related topics [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-edit-mbam-10-gpo-settings.md b/mdop/mbam-v1/how-to-edit-mbam-10-gpo-settings.md index fafe158678..f7b3f615a5 100644 --- a/mdop/mbam-v1/how-to-edit-mbam-10-gpo-settings.md +++ b/mdop/mbam-v1/how-to-edit-mbam-10-gpo-settings.md 
@@ -67,21 +67,23 @@ The following steps describe how to configure the basic, recommended Group Polic Set **Choose how BitLocker-protected drives can be recovered** and **Allow data recovery agent**. -   - **Important**   - Depending on the policies that your organization decides to deploy, you may have to configure additional policies. See [Planning for MBAM 1.0 Group Policy Requirements](planning-for-mbam-10-group-policy-requirements.md) for Group Policy configuration details for all of the available MBAM GPO policy options. -   +~~~ +**Important** +Depending on the policies that your organization decides to deploy, you may have to configure additional policies. See [Planning for MBAM 1.0 Group Policy Requirements](planning-for-mbam-10-group-policy-requirements.md) for Group Policy configuration details for all of the available MBAM GPO policy options. +~~~ + + ## Related topics [Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md) -  - -  + + + diff --git a/mdop/mbam-v1/how-to-generate-mbam-reports-mbam-1.md b/mdop/mbam-v1/how-to-generate-mbam-reports-mbam-1.md index c948d1afbb..62464e8014 100644 --- a/mdop/mbam-v1/how-to-generate-mbam-reports-mbam-1.md +++ b/mdop/mbam-v1/how-to-generate-mbam-reports-mbam-1.md @@ -22,7 +22,7 @@ Microsoft BitLocker Administration and Monitoring (MBAM) generates various repor **Note**   To run the reports, you must be a member of the **Report Users** role on the computers where you have installed the Administration and Monitoring Server features, Compliance and Audit Database, and Compliance and Audit Reports. -  + **To open the MBAM Administration website** 
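Review bot: In the `how-to-edit-mbam-10-gpo-settings.md` hunk (`@@ -67,21 +67,23 @@`), the `~~~` fence around the **Important** callout has an extra cost: the line `See [Planning for MBAM 1.0 Group Policy Requirements](planning-for-mbam-10-group-policy-requirements.md) for Group Policy configuration details ...` is now inside a code block, so the markdown link is shown literally and no longer navigates anywhere. Keep the callout as an indented `**Important**` paragraph under the preceding list item, as the `-` lines had it, so the cross-reference still renders; the two extra blank lines added before `## Related topics` can also go.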
@@ -31,14 +31,14 @@ To run the reports, you must be a member of the **Report Users** role on the com **Note**   If the MBAM administration website was installed on a port other than port 80, you must specify that port number in the URL. For example, *http://<computername>:<port>*. If you specified a Host Name for the MBAM administration website during the installation, the URL would be *http://<hostname>*. -   + 2. In the navigation pane, click **Reports**. In the main pane, click the tab for your report type: **Enterprise Compliance Report**, **Computer Compliance Report**, **Hardware Audit Report**, or **Recovery Audit Report**. **Note**   Historical MBAM Client data is retained in the compliance database. This retained data may be needed in case a computer is lost or stolen. When running enterprise reports, you should use appropriate start and end dates to scope the time frames for the reports from one to two weeks to increase the reporting data accuracy. -   + **To generate an enterprise Compliance Report** @@ -55,7 +55,7 @@ To run the reports, you must be a member of the **Report Users** role on the com **Note**   The Enterprise Compliance report is generated by a SQL job that runs every six hours. Therefore, the first time you try to view the report you may find that some data is missing. -   + 3. To view information about a computer in the Computer Compliance Report, select the computer name. 
@@ -76,7 +76,7 @@ To run the reports, you must be a member of the **Report Users** role on the com **Note**   An MBAM Client computer is considered compliant if the computer matches the requirements of the MBAM policy settings or the computer’s hardware model is set to incompatible. Therefore, when you are viewing detailed information about the disk volumes associated with the computer, computers that are exempt from BitLocker encryption due to hardware compatibility can be displayed as compliant even though their drive volume encryption status is displayed as noncompliant. -   + **To generate the Hardware Compatibility Audit Report** @@ -119,9 +119,9 @@ To run the reports, you must be a member of the **Report Users** role on the com [Monitoring and Reporting BitLocker Compliance with MBAM 1.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md b/mdop/mbam-v1/how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md index b2143d0187..7761a0065c 100644 --- a/mdop/mbam-v1/how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md +++ b/mdop/mbam-v1/how-to-install-and-configure-mbam-on-a-single-server-mbam-1.md @@ -26,7 +26,7 @@ To obtain the setup log files, you must install MBAM by using the **msiexec** pa Additional setup log files are created in the %temp% folder of the user who is installing MBAM. -  + ## To install MBAM Server features on a single server @@ -36,7 +36,7 @@ The following steps describe how to install general MBAM features. **Note**   Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup on 64-bit servers. -  + **To start MBAM Server features installation** 
@@ -59,7 +59,7 @@ Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup o **Note**   The installation wizard checks the prerequisites for your installation and displays the prerequisites that are missing. If all the prerequisites are met, the installation continues. If a missing prerequisite is detected, you must resolve the missing prerequisites, and then click **Check prerequisites again**. After all prerequisites are met, the installation resumes. -   + 4. You are prompted to configure the network communication security. MBAM can encrypt the communication between the Recovery and Hardware Database, the Administration and Monitoring Server, and the clients. If you decide to encrypt the communication, you are asked to select the authority-provisioned certificate that will be used for encryption. @@ -86,7 +86,7 @@ Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup o **Warning**   The port number that you specify must be an unused port number on the Administration and Monitoring server, unless a unique host header name is specified. -   + 8. Click **Next** to continue. @@ -117,7 +117,7 @@ Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup o To maintain identical memberships on all computers, you should create a domain security group and add that domain group to each local MBAM Report Users group. When you do this, you can manage the group memberships by using the domain group. -   + ## Validating the MBAM Server feature installation 
@@ -126,57 +126,57 @@ When the MBAM installation is complete, validate that the installation has succe **To validate MBAM Server feature installation** -1. On each server where an MBAM feature is deployed, open **Control Panel**. Click **Programs**, and then click **Programs and Features**. Verify that **Microsoft BitLocker Administration and Monitoring** appears in the **Programs and Features** list. +1. On each server where an MBAM feature is deployed, open **Control Panel**. Click **Programs**, and then click **Programs and Features**. Verify that **Microsoft BitLocker Administration and Monitoring** appears in the **Programs and Features** list. - **Note**   - To validate the installation, you must use a Domain Account that has local computer administrative credentials on each server. + **Note** + To validate the installation, you must use a Domain Account that has local computer administrative credentials on each server. -   + -2. On the server where the Recovery and Hardware Database is installed, open SQL Server Management Studio and verify that the **MBAM Recovery and Hardware** database is installed. +2. On the server where the Recovery and Hardware Database is installed, open SQL Server Management Studio and verify that the **MBAM Recovery and Hardware** database is installed. -3. On the server where the Compliance and Audit Database is installed, open SQL Server Management Studio and verify that the **MBAM Compliance and Audit Database** is installed. +3. On the server where the Compliance and Audit Database is installed, open SQL Server Management Studio and verify that the **MBAM Compliance and Audit Database** is installed. -4. On the server where the Compliance and Audit Reports are installed, open a web browser with administrative privileges and browse to the “Home” of the SQL Server Reporting Services site. +4. 
On the server where the Compliance and Audit Reports are installed, open a web browser with administrative privileges and browse to the “Home” of the SQL Server Reporting Services site. - The default Home location of a SQL Server Reporting Services site instance is at http://*<NameofMBAMReportsServer>*/Reports. To find the actual URL, use the Reporting Services Configuration Manager tool and select the instances specified during setup. + The default Home location of a SQL Server Reporting Services site instance is at http://<NameofMBAMReportsServer>/Reports. To find the actual URL, use the Reporting Services Configuration Manager tool and select the instances specified during setup. - Confirm that a folder named **Malta Compliance Reports** is listed and that it contains five reports and one data source. + Confirm that a folder named **Malta Compliance Reports** is listed and that it contains five reports and one data source. - **Note**   - If SQL Server Reporting Services was configured as a named instance, the URL should resemble the following:http://*<NameofMBAMReportsServer>*/Reports\_*<SRSInstanceName>* + **Note** + If SQL Server Reporting Services was configured as a named instance, the URL should resemble the following:http://*<NameofMBAMReportsServer>*/Reports\_*<SRSInstanceName>* -   + -5. On the server where the Administration and Monitoring feature is installed, run **Server Manager** and browse to **Roles**, select **Web Server (IIS)**, and click **Internet Information Services (IIS) Manager** +5. On the server where the Administration and Monitoring feature is installed, run **Server Manager** and browse to **Roles**, select **Web Server (IIS)**, and click **Internet Information Services (IIS) Manager** -6. In **Connections**, browse to *<computername>*, select **Sites**, and select **Microsoft BitLocker Administration and Monitoring**. 
Verify that **MBAMAdministrationService**, **MBAMComplianceStatusService**, and **MBAMRecoveryAndHardwareService** are listed. +6. In **Connections**, browse to *<computername>*, select **Sites**, and select **Microsoft BitLocker Administration and Monitoring**. Verify that **MBAMAdministrationService**, **MBAMComplianceStatusService**, and **MBAMRecoveryAndHardwareService** are listed. -7. On the server where the Administration and Monitoring feature is installed, open a web browser with administrative privileges, and then browse to the following locations in the MBAM website to verify that they load successfully: +7. On the server where the Administration and Monitoring feature is installed, open a web browser with administrative privileges, and then browse to the following locations in the MBAM website to verify that they load successfully: - - *http://<computername>/default.aspx* and confirm each of the links for navigation and reports + - *http://<computername>/default.aspx* and confirm each of the links for navigation and reports - - *http://<computername>/MBAMAdministrationService/AdministrationService.svc* + - *http://<computername>/MBAMAdministrationService/AdministrationService.svc* - - *http://<computername>/MBAMComplianceStatusService/StatusReportingService.svc* + - *http://<computername>/MBAMComplianceStatusService/StatusReportingService.svc* - - *http://<computername>/MBAMRecoveryAndHardwareService/CoreService.svc* + - *http://<computername>/MBAMRecoveryAndHardwareService/CoreService.svc* - **Note**   - Typically, the services are installed on the default port 80 without network encryption. If the services are installed on a different port, change the URLs to include the appropriate port. For example, http://*<computername>:<port>*/default.aspx or http://*<hostheadername>/*default.aspx. + **Note** + Typically, the services are installed on the default port 80 without network encryption. 
If the services are installed on a different port, change the URLs to include the appropriate port. For example, http://*<computername>:<port>*/default.aspx or http://<hostheadername>/default.aspx. - If the services are installed with network encryption, change http:// to https://. + If the services are installed with network encryption, change http:// to https://. -   + ## Related topics [Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-install-and-configure-mbam-on-distributed-servers-mbam-1.md b/mdop/mbam-v1/how-to-install-and-configure-mbam-on-distributed-servers-mbam-1.md index d59a2f9928..668966c147 100644 --- a/mdop/mbam-v1/how-to-install-and-configure-mbam-on-distributed-servers-mbam-1.md +++ b/mdop/mbam-v1/how-to-install-and-configure-mbam-on-distributed-servers-mbam-1.md @@ -21,22 +21,22 @@ The procedures in this topic describe the full installation of the Microsoft Bit Each server feature has certain prerequisites. To verify that you have met the prerequisites and hardware and software requirements, see [MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md) and [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md). In addition, some features require that you provide certain information during the installation process to successfully deploy the feature. -**Note**   +**Note** To obtain the setup log files, you have to install MBAM by using the **msiexec** package and the **/l <location>** option. Log files are created in the location that you specify. Additional setup log files are created in the %temp% folder of the user that runs the MBAM installation. -  + ## Deploy the MBAM Server features The following steps describe how to install the general MBAM features. -**Note**   +**Note** Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup on 64-bit servers. -  + **To Deploy MBAM Server features** 
@@ -56,107 +56,109 @@ Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup o - MBAM Group Policy Template - **Note**   + **Note** The installation wizard checks the prerequisites for your installation and displays the prerequisites that are missing. If all the prerequisites are met, the installation continues. If a missing prerequisite is detected, you have to resolve the missing prerequisites, and then click **Check prerequisites again**. If all prerequisites are met this time, the installation will resume. -   + 4. The MBAM Setup wizard will display the installation pages for the selected features. The following sections describe the installation procedures for each feature. - **Note**   + **Note** Typically, each feature is installed on a separate server. If you want to install multiple features on a single server, you may change or eliminate some of the following steps. -   - **To install the Recovery and Hardware Database** - 1. Choose an option for MBAM communication encryption. MBAM can encrypt the communication between the Recovery and Hardware Database and the Administration and Monitoring servers. If you choose the option to encrypt communication, you are asked to select the authority-provisioned certificate that is used for encryption. +~~~ +**To install the Recovery and Hardware Database** - 2. Click **Next** to continue. +1. Choose an option for MBAM communication encryption. MBAM can encrypt the communication between the Recovery and Hardware Database and the Administration and Monitoring servers. If you choose the option to encrypt communication, you are asked to select the authority-provisioned certificate that is used for encryption. - 3. Specify the names of the computers that will be running the Administration and Monitoring Server feature, to configure access to the Recovery and Hardware Database.. Once the Administration and Monitoring Server feature is deployed, it connects to the database by using its domain account. 
+2. Click **Next** to continue. - 4. Click **Next** to continue. +3. Specify the names of the computers that will be running the Administration and Monitoring Server feature, to configure access to the Recovery and Hardware Database.. Once the Administration and Monitoring Server feature is deployed, it connects to the database by using its domain account. - 5. Specify the **Database Configuration** for the SQL Server instance that stores the recovery and hardware data. You must also specify where the database will be located and where the log information will be located. +4. Click **Next** to continue. - 6. Click **Next** to continue with the MBAM Setup wizard. +5. Specify the **Database Configuration** for the SQL Server instance that stores the recovery and hardware data. You must also specify where the database will be located and where the log information will be located. - **To install the Compliance and Audit Database** +6. Click **Next** to continue with the MBAM Setup wizard. - 1. Choose an option for the MBAM communication encryption. MBAM can encrypt the communication between the Compliance and Audit Database and the Administration and Monitoring servers. If you choose the option to encrypt communication, you are asked to select the authority-provisioned certificate that will be used for encryption. +**To install the Compliance and Audit Database** - 2. Click **Next** to continue. +1. Choose an option for the MBAM communication encryption. MBAM can encrypt the communication between the Compliance and Audit Database and the Administration and Monitoring servers. If you choose the option to encrypt communication, you are asked to select the authority-provisioned certificate that will be used for encryption. - 3. Specify the user account that will be used to access the database for reports. +2. Click **Next** to continue. - 4. Click **Next** to continue. +3. Specify the user account that will be used to access the database for reports. - 5. 
Specify the computer names of the computers that you want to run the Administration and Monitoring Server and the Compliance and Audit Reports, to configure the access to the Compliance and Audit Database.. After the Administration and Monitoring and the Compliance and Audit Reports Server are deployed, they will connect to the databases by using their domain accounts. +4. Click **Next** to continue. - 6. Specify the **Database Configuration** for the SQL Server instance that will store the compliance and audit data. You must also specify where the database will be located and where the log information will be located. +5. Specify the computer names of the computers that you want to run the Administration and Monitoring Server and the Compliance and Audit Reports, to configure the access to the Compliance and Audit Database.. After the Administration and Monitoring and the Compliance and Audit Reports Server are deployed, they will connect to the databases by using their domain accounts. - 7. Click **Next** to continue with the MBAM Setup wizard. +6. Specify the **Database Configuration** for the SQL Server instance that will store the compliance and audit data. You must also specify where the database will be located and where the log information will be located. - **To install the Compliance and Audit Reports** +7. Click **Next** to continue with the MBAM Setup wizard. - 1. Specify the remote SQL Server instance. For example, *<ServerName>*,where the Compliance and Audit Database are installed. +**To install the Compliance and Audit Reports** - 2. Specify the name of the Compliance and Audit Database. By default, the database name is “MBAM Compliance Status”, but you can change the name when you install the Compliance and Audit Database. +1. Specify the remote SQL Server instance. For example, *<ServerName>*,where the Compliance and Audit Database are installed. - 3. Click **Next** to continue. +2. Specify the name of the Compliance and Audit Database. 
By default, the database name is “MBAM Compliance Status”, but you can change the name when you install the Compliance and Audit Database. - 4. Select the SQL Server Reporting Services instance where the Compliance and Audit Reports will be installed. Provide the username and password used to access the compliance database. +3. Click **Next** to continue. - 5. Click **Next** to continue with the MBAM Setup wizard. +4. Select the SQL Server Reporting Services instance where the Compliance and Audit Reports will be installed. Provide the username and password used to access the compliance database. - **To install the Administration and Monitoring Server feature** +5. Click **Next** to continue with the MBAM Setup wizard. - 1. Choose an option for the MBAM communication encryption. MBAM can encrypt the communication between the Recovery and Hardware Database and the Administration and Monitoring servers. If you choose the option to encrypt communication, you are asked to select the authority-provisioned certificate that is used for encryption. +**To install the Administration and Monitoring Server feature** - 2. Click **Next** to continue. +1. Choose an option for the MBAM communication encryption. MBAM can encrypt the communication between the Recovery and Hardware Database and the Administration and Monitoring servers. If you choose the option to encrypt communication, you are asked to select the authority-provisioned certificate that is used for encryption. - 3. Specify the remote SQL Server instance, For example, *<ServerName>*, where the Compliance and Audit Database are installed. +2. Click **Next** to continue. - 4. Specify the name of the Compliance and Audit Database. By default, the database name is MBAM Compliance Status, but, you can change the name when you install the Compliance and Audit Database. +3. Specify the remote SQL Server instance, For example, *<ServerName>*, where the Compliance and Audit Database are installed. - 5. 
Click **Next** to continue. +4. Specify the name of the Compliance and Audit Database. By default, the database name is MBAM Compliance Status, but, you can change the name when you install the Compliance and Audit Database. - 6. Specify the remote SQL Server instance. For example, *<ServerName>*,where the Recovery and Hardware Database are installed. +5. Click **Next** to continue. - 7. Specify the name of the Recovery and Hardware Database. By default, the database name is **MBAM Recovery and Hardware**, but you can change the name when you install the Recovery and Hardware Database feature. +6. Specify the remote SQL Server instance. For example, *<ServerName>*,where the Recovery and Hardware Database are installed. - 8. Click **Next** to continue. +7. Specify the name of the Recovery and Hardware Database. By default, the database name is **MBAM Recovery and Hardware**, but you can change the name when you install the Recovery and Hardware Database feature. - 9. Specify the URL for the “Home” of the SQL Server Reporting Services (SRS) site. The default Home location of a SQL Server Reporting Services site instance is at: +8. Click **Next** to continue. - http://*<NameofMBAMReportsServer>/*ReportServer +9. Specify the URL for the “Home” of the SQL Server Reporting Services (SRS) site. The default Home location of a SQL Server Reporting Services site instance is at: - **Note**   - If you configured the SQL Server Reporting Services as a named instance, the URL resembles the following:http://*<NameofMBAMReportsServer>*/ReportServer\_*<SRSInstanceName>* + http://*<NameofMBAMReportsServer>/*ReportServer -   + **Note** + If you configured the SQL Server Reporting Services as a named instance, the URL resembles the following:http://*<NameofMBAMReportsServer>*/ReportServer\_*<SRSInstanceName>* - 10. Click **Next** to continue. - 11. 
Enter the **Port Number**, the **Host Name** (optional), and the **Installation Path** for the MBAM Administration and Monitoring server - **Warning**   - The port number that you specify must be an unused port number on the Administration and Monitoring server, unless you specify a unique host header name. +10. Click **Next** to continue. -   +11. Enter the **Port Number**, the **Host Name** (optional), and the **Installation Path** for the MBAM Administration and Monitoring server - 12. Click **Next** to continue with the MBAM Setup wizard. + **Warning** + The port number that you specify must be an unused port number on the Administration and Monitoring server, unless you specify a unique host header name. -5. - Specify whether to use Microsoft Updates to help keep your computer secure, and then click **Next**. -6. When the selected MBAM feature information is complete, you are ready to start the MBAM installation by using the Setup wizard. Click **Back** to move through the wizard if you have to review or change your installation settings. Click **Install** to begin the installation. Click **Cancel** to exit the Wizard. Setup installs the MBAM features that you selected and notifies you that the installation is finished. +12. Click **Next** to continue with the MBAM Setup wizard. +~~~ -7. Click **Finish** to exit the wizard. +5. -8. Add users to appropriate MBAM roles, after the MBAM server features are installed.. For more information, see [Planning for MBAM 1.0 Administrator Roles](planning-for-mbam-10-administrator-roles.md). + Specify whether to use Microsoft Updates to help keep your computer secure, and then click **Next**. + +6. When the selected MBAM feature information is complete, you are ready to start the MBAM installation by using the Setup wizard. Click **Back** to move through the wizard if you have to review or change your installation settings. Click **Install** to begin the installation. Click **Cancel** to exit the Wizard. 
Setup installs the MBAM features that you selected and notifies you that the installation is finished. + +7. Click **Finish** to exit the wizard. + +8. Add users to appropriate MBAM roles, after the MBAM server features are installed.. For more information, see [Planning for MBAM 1.0 Administrator Roles](planning-for-mbam-10-administrator-roles.md). **Post-installation configuration** @@ -172,10 +174,10 @@ Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup o - **MBAM Report Users**: Members of this local group can access the Reports in the MBAM administration website. - **Note**   + **Note** Identical user or group membership of the **MBAM Report Users** local group must be maintained on all computers where the MBAM Administration and Monitoring Server features, Compliance and Audit Database, and the Compliance and Audit Reports are installed. -   + ## Validate the MBAM Server feature installation 
@@ -184,57 +186,59 @@ When the MBAM Server feature installation is complete, you should validate that **To validate an MBAM installation** -1. On each server, where an MBAM feature is deployed, open **Control Panel**, click **Programs**, and then click **Programs and Features**. Verify that **Microsoft BitLocker Administration and Monitoring** appears in the **Programs and Features** list. +1. On each server, where an MBAM feature is deployed, open **Control Panel**, click **Programs**, and then click **Programs and Features**. Verify that **Microsoft BitLocker Administration and Monitoring** appears in the **Programs and Features** list. - **Note**   - To validate the MBAM installation, you must use a Domain Account that has local computer administrative credentials on each server. + **Note** + To validate the MBAM installation, you must use a Domain Account that has local computer administrative credentials on each server. -   -2. On the server where the Recovery and Hardware Database is installed, open SQL Server Management Studio and verify that the **MBAM Recovery and Hardware** database is installed. -3. On the server where the Compliance and Audit Database is installed, open SQL Server Management Studio and verify that the **MBAM Compliance Status** database is installed. +2. On the server where the Recovery and Hardware Database is installed, open SQL Server Management Studio and verify that the **MBAM Recovery and Hardware** database is installed. -4. On the server where the Compliance and Audit Reports are installed, open a web browser with administrative privileges and browse to the “Home” of the SQL Server Reporting Services site. +3. On the server where the Compliance and Audit Database is installed, open SQL Server Management Studio and verify that the **MBAM Compliance Status** database is installed. - The default Home location of a SQL Server Reporting Services site instance can be found at http://*<NameofMBAMReportsServer>*/Reports.aspx. 
To find the actual URL, use the Reporting Services Configuration Manager tool and select the instances specified during setup. +4. On the server where the Compliance and Audit Reports are installed, open a web browser with administrative privileges and browse to the “Home” of the SQL Server Reporting Services site. - Confirm that a folder named **Malta Compliance Reports** is listed and that it contains five reports and one data source. + The default Home location of a SQL Server Reporting Services site instance can be found at http://<NameofMBAMReportsServer>/Reports.aspx. To find the actual URL, use the Reporting Services Configuration Manager tool and select the instances specified during setup. - **Note**   - If SQL Server Reporting Services was configured as a named instance, the URL should resemble the following:http://*<NameofMBAMReportsServer>*/Reports\_*<SRSInstanceName>* + Confirm that a folder named **Malta Compliance Reports** is listed and that it contains five reports and one data source. -   + **Note** + If SQL Server Reporting Services was configured as a named instance, the URL should resemble the following:http://*<NameofMBAMReportsServer>*/Reports\_*<SRSInstanceName>* -5. On the server where the Administration and Monitoring feature is installed, run **Server Manager** and browse to **Roles**, select **Web Server (IIS)**, and then click **Internet Information Services (IIS) Manager**. In **Connections** browse to *<computername>*, click **Sites**, and click **Microsoft BitLocker Administration and Monitoring**. Verify that **MBAMAdministrationService**, **MBAMComplianceStatusService**, and **MBAMRecoveryAndHardwareService** are listed. -6. 
On the server where the Administration and Monitoring feature is installed, open a web browser with administrative privileges and browse to the following locations in the MBAM web site, to verify that they load successfully: - - *http://<computername>/default.aspx* and confirm each of the links for navigation and reports +5. On the server where the Administration and Monitoring feature is installed, run **Server Manager** and browse to **Roles**, select **Web Server (IIS)**, and then click **Internet Information Services (IIS) Manager**. In **Connections** browse to *<computername>*, click **Sites**, and click **Microsoft BitLocker Administration and Monitoring**. Verify that **MBAMAdministrationService**, **MBAMComplianceStatusService**, and **MBAMRecoveryAndHardwareService** are listed. - - *http://<computername>/MBAMAdministrationService/AdministrationService.svc* +6. On the server where the Administration and Monitoring feature is installed, open a web browser with administrative privileges and browse to the following locations in the MBAM web site, to verify that they load successfully: - - *http://<computername>/MBAMComplianceStatusService/StatusReportingService.svc* + - *http://<computername>/default.aspx* and confirm each of the links for navigation and reports - - *http://<computername>/MBAMRecoveryAndHardwareService/CoreService.svc* + - *http://<computername>/MBAMAdministrationService/AdministrationService.svc* - **Note**   - Typically, services are installed on the default port 80 without network encryption. If the services are installed on a different port, change the URLs to include the appropriate port. For example, http://*<computername>:<port>*/default.aspx or http://*<hostheadername>/*default.aspx + - *http://<computername>/MBAMComplianceStatusService/StatusReportingService.svc* - If the services were installed with network encryption, change http:// to https://. 
+ - *http://<computername>/MBAMRecoveryAndHardwareService/CoreService.svc* -   + **Note** + Typically, services are installed on the default port 80 without network encryption. If the services are installed on a different port, change the URLs to include the appropriate port. For example, http://*<computername>:<port>*/default.aspx or http://<hostheadername>/default.aspx - Verify that each web page loads successfully. + If the services were installed with network encryption, change http:// to https://. + + + +~~~ +Verify that each web page loads successfully. +~~~ ## Related topics [Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md) -  - -  + + + diff --git a/mdop/mbam-v1/how-to-install-the-mbam-10-group-policy-template.md b/mdop/mbam-v1/how-to-install-the-mbam-10-group-policy-template.md index a6f01a39c6..ca6defb7b6 100644 --- a/mdop/mbam-v1/how-to-install-the-mbam-10-group-policy-template.md +++ b/mdop/mbam-v1/how-to-install-the-mbam-10-group-policy-template.md @@ -24,7 +24,7 @@ The following steps describe how to install the MBAM Group Policy template. **Note**   Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup on 64-bit servers. -  + **To install the MBAM Group Policy template** @@ -37,7 +37,7 @@ Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup o **Note**   The installation wizard checks the prerequisites for your installation and displays the prerequisites that are missing. If all the prerequisites are met, the installation continues. If a missing prerequisite is detected, you must resolve the missing prerequisite and then click **Check prerequisites again**. Once all prerequisites are met, the installation will resume. -   + 4. After the MBAM Setup wizard displays installation pages for the selected features, click **Finish** to close MBAM Setup. 
@@ -46,9 +46,9 @@ Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup o [Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-a-single-server-mbam-1.md b/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-a-single-server-mbam-1.md index f55b9943b4..978349f4d2 100644 --- a/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-a-single-server-mbam-1.md +++ b/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-a-single-server-mbam-1.md @@ -36,7 +36,7 @@ Microsoft BitLocker Administration and Monitoring (MBAM) includes four server ro **Important**   The MBAM server features must be updated in the following order: Compliance and Audit Reports first, then Administration and Monitoring Server. The Group Policy templates can be updated at any time without concern for sequence. -   + 4. After you upgrade the server database, open the IIS Management Console and review the bindings of the Microsoft BitLocker Administration and Monitoring website. @@ -53,16 +53,16 @@ Microsoft BitLocker Administration and Monitoring (MBAM) includes four server ro **Note**   The MBAM client opens only if it can communicate with the Recovery and Hardware database. -   + ## Related topics [Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-distributed-servers-mbam-1.md b/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-distributed-servers-mbam-1.md index 4824d200ff..ec68e9b91a 100644 --- a/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-distributed-servers-mbam-1.md +++ b/mdop/mbam-v1/how-to-install-the-mbam-language-update-on-distributed-servers-mbam-1.md 
@@ -26,7 +26,7 @@ Microsoft BitLocker Administration and Monitoring (MBAM) includes four server ro **Important**   The MBAM server features must be updated in this order: Compliance and Audit Reports first, and then the Administration and Monitoring Server. The MBAM Group Policy templates can be updated at any time without concern for sequence. -  + **To install the MBAM Language Update on the MBAM Compliance and Audit Report Server feature** @@ -57,16 +57,16 @@ The MBAM server features must be updated in this order: Compliance and Audit Rep **Note**   The MBAM client opens only if it can communicate with the Recovery and Hardware database. -   + ## Related topics [Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-manage-computer-bitlocker-encryption-exemptions.md b/mdop/mbam-v1/how-to-manage-computer-bitlocker-encryption-exemptions.md index bf49bb7bb8..8dcdf2d88f 100644 --- a/mdop/mbam-v1/how-to-manage-computer-bitlocker-encryption-exemptions.md +++ b/mdop/mbam-v1/how-to-manage-computer-bitlocker-encryption-exemptions.md @@ -24,7 +24,7 @@ To exempt a computer from BitLocker encryption, you must add the computer to a s **Note**   If the computer is already BitLocker-protected, the computer exemption policy has no effect. -  + **To exempt a computer from BitLocker encryption** @@ -39,9 +39,9 @@ If the computer is already BitLocker-protected, the computer exemption policy ha [Administering MBAM 1.0 Features](administering-mbam-10-features.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-manage-hardware-compatibility-mbam-1.md b/mdop/mbam-v1/how-to-manage-hardware-compatibility-mbam-1.md index a8b155d8c9..f8a0500186 100644 --- a/mdop/mbam-v1/how-to-manage-hardware-compatibility-mbam-1.md +++ b/mdop/mbam-v1/how-to-manage-hardware-compatibility-mbam-1.md 
@@ -24,7 +24,7 @@ The Hardware Compatibility feature is helpful when your organization has older c **Note**   By default, MBAM Hardware Compatibility feature is not enabled. To enable it, select the **Hardware Compatibility** feature under the **Administration and Monitoring Server** feature during setup. For more information about how to set up and configure Hardware Compatibility, see [Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md). -  + The Hardware Compatibility feature works in the following way. @@ -47,7 +47,7 @@ The Hardware Compatibility feature works in the following way. **Warning**   If the MBAM client agent tries to encrypt a computer that does not support BitLocker drive encryption, there is a possibility that the computer will become corrupted. Ensure that the hardware compatibility feature is correctly configured when your organization has older hardware that does not support BitLocker. -  + **To manage hardware compatibility** @@ -62,7 +62,7 @@ If the MBAM client agent tries to encrypt a computer that does not support BitLo **Note**   After you set a computer model as compatible, it can take more than twenty-four hours for the MBAM Client to begin BitLocker encryption on the computers matching that hardware model. -   + 5. Administrators should regularly monitor the hardware compatibility list to review new models that are discovered by the MBAM agent, and then update their compatibility setting to **Compatible** or **Incompatible** as appropriate. @@ -71,9 +71,9 @@ If the MBAM client agent tries to encrypt a computer that does not support BitLo [Administering MBAM 1.0 Features](administering-mbam-10-features.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-1.md b/mdop/mbam-v1/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-1.md index 4467137c5d..02e890969a 100644 
--- a/mdop/mbam-v1/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-1.md +++ b/mdop/mbam-v1/how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-1.md @@ -22,7 +22,7 @@ A Microsoft BitLocker Administration and Monitoring (MBAM) control panel applica **Note**   For the BitLocker client, the Admin and Operational log files are located in Event Viewer, under **Application and Services Logs** / **Microsoft** / **Windows** / **BitLockerManagement**. -  + **To use the MBAM Client Control Panel** @@ -41,9 +41,9 @@ For the BitLocker client, the Admin and Operational log files are located in Eve [Administering MBAM 1.0 Features](administering-mbam-10-features.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md b/mdop/mbam-v1/how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md index f72bf099e5..3116ec7a92 100644 --- a/mdop/mbam-v1/how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md +++ b/mdop/mbam-v1/how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md @@ -24,7 +24,7 @@ To exempt users from BitLocker protection, an organization must first create an **Note**   If the computer is already BitLocker-protected, the user exemption policy has no effect. -  + The following table shows how BitLocker protection is applied based on how exemptions are set. @@ -55,7 +55,7 @@ The following table shows how BitLocker protection is applied based on how exemp -  + **To exempt a user from BitLocker Encryption** @@ -68,7 +68,7 @@ The following table shows how BitLocker protection is applied based on how exemp **Note**   Shared computer scenarios require special consideration regarding user exemption. If a non-exempt user logs on to a computer shared with an exempt user, the computer may be encrypted. -   + **To enable users to request exemption from BitLocker Encryption** 
@@ -79,7 +79,7 @@ The following table shows how BitLocker protection is applied based on how exemp **Note**   Selecting **Request Exemption** will postpone the BitLocker protection until the maximum time set in the User Exemption Policy. -   + 3. When a user selects **Request Exemption**, the user is notified to contact the organization's BitLocker administration group. Depending on how the Configure User Exemption Policy is configured, users are provided with one or more of the following contact methods: @@ -94,16 +94,16 @@ The following table shows how BitLocker protection is applied based on how exemp **Note**   Once the postpone time limit from the User Exemption Policy has expired, users will not see the option to request exemption to the encryption policy. At this point, users must contact the MBAM administrator directly in order to receive exemption from BitLocker Protection. -   + ## Related topics [Administering MBAM 1.0 Features](administering-mbam-10-features.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md b/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md index 3a0dddc50b..b300c0341b 100644 --- a/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md +++ b/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md @@ -58,10 +58,10 @@ You can use the following procedure to move the MBAM Recovery and Hardware Datab `PS C:\> Stop-Website “Microsoft BitLocker Administration and Monitoring”` - **Note**   + **Note** To run this PowerShell command prompt, you must add the IIS Module for PowerShell to the current instance of PowerShell. In addition, you must update the PowerShell execution policy to enable the execution of scripts. -   + **To run MBAM setup on Server B** 
@@ -71,14 +71,14 @@ You can use the following procedure to move the MBAM Recovery and Hardware Datab `PS C:\> MbamSetup.exe /qn I_ACCEPT_ENDUSER_LICENSE_AGREEMENT=1 AddLocal=KeyDatabase ADMINANDMON_MACHINENAMES=$DOMAIN$\$SERVERNAME$$ RECOVERYANDHWDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$` - **Note**   + **Note** Replace the following values in the example above with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the name of the server and instance to which the Recovery and Hardware database will be moved. - $DOMAIN$\\$SERVERNAME$ - Enter the domain and server names of each MBAM Application and Monitoring Server that will contact the Recovery and Hardware database. If there are multiple domain and server names, use a semicolon to separate each one of them in the list. For example, $DOMAIN\\SERVERNAME$;$DOMAIN\\$SERVERNAME$$. Additionally, each server name must be followed by a **$**. For example, MyDomain\\MyServerName1$, MyDomain\\MyServerName2$. -   + **To back up the Database on Server A** @@ -132,23 +132,23 @@ You can use the following procedure to move the MBAM Recovery and Hardware Datab `GO` - **Note**   + **Note** Replace the values from the preceding example with those that match your environment: - $PASSWORD$ - Enter a password that you will use to encrypt the Private Key file. -   + 3. Execute the SQL file by using SQL Server PowerShell and a command that is similar to the following: `PS C:\> Invoke-Sqlcmd -InputFile 'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$` - **Note**   + **Note** Replace the value in the previous example with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the name of the server and the instance from which you back up the Recovery and Hardware database. -   + **To move the Database and Certificate from Server A to B** 
@@ -162,14 +162,14 @@ You can use the following procedure to move the MBAM Recovery and Hardware Datab `PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey” \\$SERVERNAME$\$DESTINATIONSHARE$` - **Note**   + **Note** Replace the value from the preceding example with those that match your environment: - $SERVERNAME$ - Enter the name of the server to which the files will be copied. - $DESTINATIONSHARE$ - Enter the name of the share and path to which the files will be copied. -   + **To restore the Database on Server B** @@ -219,23 +219,23 @@ You can use the following procedure to move the MBAM Recovery and Hardware Datab ` WITH REPLACE` - **Note**   + **Note** Replace the values from the preceding example with those that match your environment: - $PASSWORD$ - Enter the password that you used to encrypt the Private Key file. -   + 5. Use Windows PowerShell to enter a command line that is similar to the following: `PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$` - **Note**   + **Note** Replace the value from the receding example with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the name of the server and the instance to which the Recovery and Hardware Database will be restored. -   + **Configure the access to the Database on Server B** 
@@ -245,45 +245,47 @@ You can use the following procedure to move the MBAM Recovery and Hardware Datab `PS C:\> net localgroup "MBAM Recovery and Hardware DB Access" $DOMAIN$\$SERVERNAME$$ /add` - **Note**   + **Note** Replace the values from the preceding example with the applicable values for your environment: - $DOMAIN$\\$SERVERNAME$$ - Enter the domain name and machine name of the MBAM Administration and Monitoring Server. The server name must be followed by a **$**, for example, MyDomain\\MyServerName1$. -   - You must run the command for each Administration and Monitoring Server that will be accessing the database in your environment. + +~~~ +You must run the command for each Administration and Monitoring Server that will be accessing the database in your environment. +~~~ **To update the Database Connection data on MBAM Administration and Monitoring Servers** -1. On each of the servers that run the MBAM Administration and Monitoring feature, use the Internet Information Services (IIS) Manager console to update the Connection String information for the following applications, which are hosted in the Microsoft BitLocker Administration and Monitoring website: +1. On each of the servers that run the MBAM Administration and Monitoring feature, use the Internet Information Services (IIS) Manager console to update the Connection String information for the following applications, which are hosted in the Microsoft BitLocker Administration and Monitoring website: - - MBAM Administration Service + - MBAM Administration Service - - MBAM Recovery And Hardware Service + - MBAM Recovery And Hardware Service -2. Select each application and use the **Configuration Editor** feature, which is located under the **Management** section of the **Feature View**. +2. Select each application and use the **Configuration Editor** feature, which is located under the **Management** section of the **Feature View**. -3. 
Select the **configurationStrings** option from the Section list control. +3. Select the **configurationStrings** option from the Section list control. -4. Choose the row named **(Collection)**, and open the **Collection Editor** by selecting the button on the right side of the row. +4. Choose the row named **(Collection)**, and open the **Collection Editor** by selecting the button on the right side of the row. -5. In the **Collection Editor**, choose the row named **KeyRecoveryConnectionString** when you updated the configuration for the ‘MBAMAdministrationService’ application, or choose the row named **Microsoft.Mbam.RecoveryAndHardwareDataStore.**ConnectionString, when updating the configuration for the ‘MBAMRecoveryAndHardwareService’. +5. In the **Collection Editor**, choose the row named **KeyRecoveryConnectionString** when you updated the configuration for the ‘MBAMAdministrationService’ application, or choose the row named Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString, when updating the configuration for the ‘MBAMRecoveryAndHardwareService’. -6. Update the **Data Source=** value for the **configurationStrings** property to list the server name and the instance where the Recovery and Hardware Database was moved to. For example, $SERVERNAME$\\$SQLINSTANCENAME$. +6. Update the **Data Source=** value for the **configurationStrings** property to list the server name and the instance where the Recovery and Hardware Database was moved to. For example, $SERVERNAME$\\$SQLINSTANCENAME$. -7. To automate this procedure, you can use a command that is similar to the following one, by using Windows PowerShell on each Administration and Monitoring Server: +7. 
To automate this procedure, you can use a command that is similar to the following one, by using Windows PowerShell on each Administration and Monitoring Server: - `PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath "IIS:\sites\Microsoft BitLocker Administration and Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;”` + `PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath "IIS:\sites\Microsoft BitLocker Administration and Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;”` - `PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft BitLocker Administration and Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;"` + `PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft BitLocker Administration and Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;"` - **Note**   - Replace the value from the preceding example with those that match your environment: + **Note** + Replace the value from the preceding example with those that match your environment: + + - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance where the Recovery and Hardware database is. 
- - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance where the Recovery and Hardware database is. -   **To resume all instances of the MBAM Administration and Monitoring website** @@ -322,10 +324,10 @@ If you choose to move the MBAM Compliance Status Database feature from one compu `PS C:\> Stop-Website “Microsoft BitLocker Administration and Monitoring”` - **Note**   + **Note** To execute this command, you must add the IIS Module for PowerShell to current instance of PowerShell. In addition, you must update the PowerShell execution policy to enable the execution of scripts. -   + **To run MBAM Setup on Server B** @@ -335,7 +337,7 @@ If you choose to move the MBAM Compliance Status Database feature from one compu `PS C:\> MbamSetup.exe /qn I_ACCEPT_ENDUSER_LICENSE_AGREEMENT=1 AddLocal= ReportsDatabase ADMINANDMON_MACHINENAMES=$DOMAIN$\$SERVERNAME$ COMPLIDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ REPORTS_USERACCOUNT=$DOMAIN$\$USERNAME$` - **Note**   + **Note** Replace the values from the preceding example with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance where the Compliance Status Database will be moved to. @@ -344,7 +346,7 @@ If you choose to move the MBAM Compliance Status Database feature from one compu - $DOMAIN$\\$USERNAME$ - Enter the domain and user name that will be used by the Compliance and Audit reports feature to connect to the Compliance Status Database. -   + **To back up the Compliance Database on Server A** 
@@ -386,12 +388,12 @@ If you choose to move the MBAM Compliance Status Database feature from one compu `PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" –ServerInstance $SERVERNAME$\$SQLINSTANCENAME$` - **Note**   + **Note** Replace the value from the preceding example with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and the instance from where the Compliance Status database will be backed up. -   + **To move the Database from Server A to B** @@ -403,14 +405,14 @@ If you choose to move the MBAM Compliance Status Database feature from one compu `PS C:\> Copy-Item “Z:\MBAM Compliance Status Database Data.bak” \\$SERVERNAME$\$DESTINATIONSHARE$` - **Note**   + **Note** Replace the value from the preceding example with those that match your environment: - $SERVERNAME$ - Enter the server name where the files will be copied to. - $DESTINATIONSHARE$ - Enter the name of share and path where the files will be copied to. -   + **To restore the Database on Server B** @@ -438,12 +440,12 @@ If you choose to move the MBAM Compliance Status Database feature from one compu `PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$` - **Note**   + **Note** Replace the value from the preceding example with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance where the Compliance Status Database will be restored to. -   + **To configure the Access to the Database on Server B** 
@@ -455,16 +457,18 @@ If you choose to move the MBAM Compliance Status Database feature from one compu `PS C:\> net localgroup "MBAM Compliance Auditing DB Access" $DOMAIN$\$REPORTSUSERNAME$ /add` - **Note**   + **Note** Replace the value from the preceding example with the applicable values for your environment: - $DOMAIN$\\$SERVERNAME$$ - Enter the domain and machine name of the MBAM Administration and Monitoring Server. The server name must be followed by a **$**.For example, MyDomain\\MyServerName1$. - $DOMAIN$\\$REPORTSUSERNAME$ - Enter the user account name that was used to configure the data source for the Compliance and Audit reports -   - For each Administration and Monitoring Server that will access the database of your environment, you must run the command that will add the servers to the MBAM Compliance Auditing DB Access local group. + +~~~ +For each Administration and Monitoring Server that will access the database of your environment, you must run the command that will add the servers to the MBAM Compliance Auditing DB Access local group. +~~~ **To update the database connection data on MBAM Administration and Monitoring servers** @@ -490,12 +494,12 @@ If you choose to move the MBAM Compliance Status Database feature from one compu `PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="Microsoft.Windows.Mdop.BitLockerManagement.StatusReportDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft BitLocker Administration and Monitoring\MBAMComplianceStatusService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME;Initial Catalog=MBAM Compliance Status;Integrated Security=SSPI;"` - **Note**   + **Note** Replace the value from the preceding example with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance name where the Recovery and Hardware Database is located. -   + **To resume all instances of the MBAM Administration and Monitoring website** 
@@ -528,7 +532,7 @@ If you choose to move the MBAM Compliance and Audit Reports from one computer to `PS C:\> MbamSetup.exe /qn I_ACCEPT_ENDUSER_LICENSE_AGREEMENT=1 AddLocal=Reports COMPLIDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ REPORTS_USERACCOUNTPW=$PASSWORD$` - **Note**   + **Note** Replace the values from the preceding example with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance where the Compliance Status Database is located. @@ -537,7 +541,7 @@ If you choose to move the MBAM Compliance and Audit Reports from one computer to - $PASSWORD$ - Enter the password of the user account that will be used to connect to the Compliance Status Database. -   + **To configure the access to the Compliance and Audit Reports on Server B** @@ -547,14 +551,16 @@ If you choose to move the MBAM Compliance and Audit Reports from one computer to `PS C:\> net localgroup "MBAM Report Users" $DOMAIN$\$REPORTSUSERNAME$ /add` - **Note**   + **Note** Replace the following value from the preceding example with the applicable values for your environment: - $DOMAIN$\\$REPORTSUSERNAME$ - Enter the user account name that was used to configure the data source for the Compliance and Audit reports -   - The command to add the users to the MBAM Report Users local group must be run for each user that will be accessing the reports in your environment. + +~~~ +The command to add the users to the MBAM Report Users local group must be run for each user that will be accessing the reports in your environment. +~~~ **To stop all instances of the MBAM Administration and Monitoring website** 
@@ -566,30 +572,30 @@ If you choose to move the MBAM Compliance and Audit Reports from one computer to **To update the Database Connection Data on MBAM Administration and Monitoring Servers** -1. On each of the servers that run the MBAM Administration and Monitoring Feature, use the Internet Information Services (IIS) Manager console to update the Compliance Reports URL. +1. On each of the servers that run the MBAM Administration and Monitoring Feature, use the Internet Information Services (IIS) Manager console to update the Compliance Reports URL. -2. Select the **Microsoft BitLocker Administration and Monitoring** website and use the **Configuration Editor** feature which can be found under the **Management** section of the **Feature View**. +2. Select the **Microsoft BitLocker Administration and Monitoring** website and use the **Configuration Editor** feature which can be found under the **Management** section of the **Feature View**. -3. Select the **appSettings** option from the Section list control. +3. Select the **appSettings** option from the Section list control. -4. From here, select the row named **(Collection)**, and open the **Collection Editor** by selecting the button on the right side of the row. +4. From here, select the row named **(Collection)**, and open the **Collection Editor** by selecting the button on the right side of the row. -5. In the **Collection Editor**, select the row named “Microsoft.Mbam.Reports.Url”. +5. In the **Collection Editor**, select the row named “Microsoft.Mbam.Reports.Url”. -6. Update the value for Microsoft.Mbam.Reports.Url to reflect the server name for Server B. If the Compliance and Audit reports feature was installed on a named SQL Reporting Services instance, make sure that you add or update the name of the instance to the URL. For example, http://$SERVERNAME$/ReportServer\_$SQLSRSINSTANCENAME$/Pages.... +6. Update the value for Microsoft.Mbam.Reports.Url to reflect the server name for Server B. 
If the Compliance and Audit reports feature was installed on a named SQL Reporting Services instance, make sure that you add or update the name of the instance to the URL. For example, http://$SERVERNAME$/ReportServer\_$SQLSRSINSTANCENAME$/Pages.... -7. To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following one on each Administration and Monitoring Server: +7. To automate this procedure, you can use Windows PowerShell to enter a command that is similar to the following one on each Administration and Monitoring Server: - `PS C:\> Set-WebConfigurationProperty '/appSettings/add[@key="Microsoft.Mbam.Reports.Url"]' -PSPath "IIS:\sites\Microsoft BitLocker Administration and Monitoring" -Name "Value" -Value “http://$SERVERNAME$/ReportServer_$SRSINSTANCENAME$/Pages/ReportViewer.aspx?/Malta+Compliance+Reports/”` + `PS C:\> Set-WebConfigurationProperty '/appSettings/add[@key="Microsoft.Mbam.Reports.Url"]' -PSPath "IIS:\sites\Microsoft BitLocker Administration and Monitoring" -Name "Value" -Value “http://$SERVERNAME$/ReportServer_$SRSINSTANCENAME$/Pages/ReportViewer.aspx?/Malta+Compliance+Reports/”` - **Note**   - Replace the value from the preceding example with those that match your environment: + **Note** + Replace the value from the preceding example with those that match your environment: - - $SERVERNAME$ - Enter the name of the server to which the Compliance and Audit Reports were installed. + - $SERVERNAME$ - Enter the name of the server to which the Compliance and Audit Reports were installed. + + - $SRSINSTANCENAME$ - Enter the name of the SQL Reporting Services instance to which the Compliance and Audit Reports were installed. - - $SRSINSTANCENAME$ - Enter the name of the SQL Reporting Services instance to which the Compliance and Audit Reports were installed. -   **To resume all instances of the MBAM Administration and Monitoring website** 
@@ -599,10 +605,10 @@ If you choose to move the MBAM Compliance and Audit Reports from one computer to `PS C:\> Start-Website “Microsoft BitLocker Administration and Monitoring”` - **Note**   + **Note** To execute this command, the IIS Module for PowerShell must be added to the current instance of PowerShell. In addition, you must update the PowerShell execution policy to enable execution of scripts. -   + ## To move the Administration and Monitoring feature @@ -621,7 +627,7 @@ If you choose to move the MBAM Administration and Monitoring Reports feature fro `PS C:\> MbamSetup.exe /qn I_ACCEPT_ENDUSER_LICENSE_AGREEMENT=1 AddLocal=AdministrationMonitoringServer,HardwareCompatibility COMPLIDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ RECOVERYANDHWDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ SRS_REPORTSITEURL=$REPORTSSERVERURL$` - **Note**   + **Note** Replace the values from the preceding example with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - For the COMPLIDB\_SQLINSTANCE parameter, input the server name and instance where the Compliance Status Database is located. For the RECOVERYANDHWDB\_SQLINSTANCE parameter, input the server name and instance where the Recovery and Hardware Database is located. @@ -630,7 +636,7 @@ If you choose to move the MBAM Administration and Monitoring Reports feature fro - $ REPORTSSERVERURL$ - Enter the URL for the Home location of the SQL Reporting Service website. If the reports were installed to a default SRS instance the URL format will formatted “http:// $SERVERNAME$/ReportServer”. If the reports were installed to a default SRS instance, the URL format will be formatted to “http://$SERVERNAME$/ReportServer\_$SQLINSTANCENAME$”. -   + **To configure the Access to the Databases** 
@@ -646,25 +652,27 @@ If you choose to move the MBAM Administration and Monitoring Reports feature fro `PS C:\> net localgroup "MBAM Recovery and Hardware DB Access" $DOMAIN$\$SERVERNAME$$ /add` - **Note**   + **Note** Replace the value from the preceding example with the applicable values for your environment: - $DOMAIN$\\$SERVERNAME$$ - Enter the domain and machine name of the MBAM Administration and Monitoring Server. The server name must be followed by a **$**. For example, MyDomain\\MyServerName1$) - $DOMAIN$\\$REPORTSUSERNAME$ - Enter the user account name that was used to configure the data source for the Compliance and Audit reports. -   - The commands listed for adding the server computer accounts to the MBAM local groups must be run for each Administration and Monitoring Server that will be accessing the databases in your environment. + +~~~ +The commands listed for adding the server computer accounts to the MBAM local groups must be run for each Administration and Monitoring Server that will be accessing the databases in your environment. +~~~ ## Related topics [Administering MBAM 1.0 Features](administering-mbam-10-features.md) -  - -  + + + diff --git a/mdop/mbam-v1/how-to-recover-a-corrupted-drive-mbam-1.md b/mdop/mbam-v1/how-to-recover-a-corrupted-drive-mbam-1.md index c69a287ce2..4cface3663 100644 --- a/mdop/mbam-v1/how-to-recover-a-corrupted-drive-mbam-1.md +++ b/mdop/mbam-v1/how-to-recover-a-corrupted-drive-mbam-1.md @@ -28,7 +28,7 @@ To recover a corrupted drive that has been protected by BitLocker, a Microsoft B **Note**   If you are a member of the Help Desk Administrators role, you do not have to enter the user’s domain name or user name. -   + 3. Click **Submit**. The recovery key will be displayed. 
@@ -45,16 +45,16 @@ To recover a corrupted drive that has been protected by BitLocker, a Microsoft B **Note**   For the <fixed drive> in the command, specify an available storage device that has free space equal to or larger than the data on the corrupted drive. Data on the corrupted drive is recovered and moved to the specified fixed drive. -   + ## Related topics [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-recover-a-drive-in-recovery-mode-mbam-1.md b/mdop/mbam-v1/how-to-recover-a-drive-in-recovery-mode-mbam-1.md index 980a509614..b1d3a350ea 100644 --- a/mdop/mbam-v1/how-to-recover-a-drive-in-recovery-mode-mbam-1.md +++ b/mdop/mbam-v1/how-to-recover-a-drive-in-recovery-mode-mbam-1.md @@ -24,7 +24,7 @@ Use this procedure to access the centralized Key Recovery data system that can p **Important**   MBAM generates single-use recovery keys. Under this limitation, a recovery key can be used only once and then it is no longer valid. The single use of a recovery password is automatically applied to operating system drives and fixed drives. On removable drives, the single use is applied when the drive is removed and then re-inserted and unlocked on a computer that has the group policy settings activated to manage removable drives. -  + **To recover a drive in Recovery Mode** @@ -37,7 +37,7 @@ MBAM generates single-use recovery keys. Under this limitation, a recovery key c **Note**   If you are an MBAM Advanced Helpdesk User, the user domain and user ID entries are not required. -   + 4. MBAM returns the following: 
@@ -50,7 +50,7 @@ MBAM generates single-use recovery keys. Under this limitation, a recovery key c **Note**   If you are recovering a damaged drive, the recovery package option provides BitLocker with the critical information necessary to attempt the recovery. -   + 5. After the recovery password and recovery package are retrieved, the recovery password is displayed. To copy the password, click **Copy Key**, and then paste the recovery password into an email or other text file for temporary storage. Or, to save the recovery password to a file, click **Save**. @@ -61,9 +61,9 @@ MBAM generates single-use recovery keys. Under this limitation, a recovery key c [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-recover-a-moved-drive-mbam-1.md b/mdop/mbam-v1/how-to-recover-a-moved-drive-mbam-1.md index 41119e8869..094d762b26 100644 --- a/mdop/mbam-v1/how-to-recover-a-moved-drive-mbam-1.md +++ b/mdop/mbam-v1/how-to-recover-a-moved-drive-mbam-1.md @@ -28,7 +28,7 @@ When you move an operating system drive that has been previously encrypted by us **Note**   In some cases, you might be able to click **I forget the PIN** during the startup process to enter the recovery mode. This also displays the recovery key ID. -   + 3. On the MBAM administration website, use the recovery key ID to retrieve the recovery password and unlock the drive. @@ -41,9 +41,9 @@ When you move an operating system drive that has been previously encrypted by us [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md) -  + -  + diff --git a/mdop/mbam-v1/how-to-reset-a-tpm-lockout-mbam-1.md b/mdop/mbam-v1/how-to-reset-a-tpm-lockout-mbam-1.md index 4196fe0fc4..bb5ddfe3f6 100644 --- a/mdop/mbam-v1/how-to-reset-a-tpm-lockout-mbam-1.md +++ b/mdop/mbam-v1/how-to-reset-a-tpm-lockout-mbam-1.md 
@@ -38,7 +38,7 @@ A TPM lockout can occur if a user enters an incorrect PIN too many times. The nu **Note**   If you are an Advanced Helpdesk User, the user domain and user ID fields are not required. -   + 5. Upon retrieval, the owner password is displayed. To save this password to a .tpm file, click the **Save** button. @@ -49,9 +49,9 @@ A TPM lockout can occur if a user enters an incorrect PIN too many times. The nu [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md) -  + -  + diff --git a/mdop/mbam-v1/mbam-10-deployment-checklist.md b/mdop/mbam-v1/mbam-10-deployment-checklist.md index a50fdd733a..24865d56ec 100644 --- a/mdop/mbam-v1/mbam-10-deployment-checklist.md +++ b/mdop/mbam-v1/mbam-10-deployment-checklist.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 This checklist is designed to facilitate your deployment of Microsoft BitLocker Administration and Monitoring (MBAM). -**Note**   +**Note** This checklist outlines the recommended steps and provides a high-level list of items to consider when you deploy the MBAM features. We recommend that you copy this checklist into a spreadsheet program and customize it for your specific needs. -  + @@ -43,13 +43,13 @@ This checklist outlines the recommended steps and provides a high-level list of - + - + @@ -63,46 +63,45 @@ This checklist outlines the recommended steps and provides a high-level list of
      • MBAM Group Policy Template

      • -Note   -

        Keep track of the names of the servers each feature is installed on. You will use this information throughout the installation process.

        +Note

        Keep track of the names of the servers each feature is installed on. You will use this information throughout the installation process.

        -  +
        - + - - + + - + - +
        Checklist box

        Complete the planning phase to prepare the computing environment for MBAM deployment.

        [MBAM 1.0 Planning Checklist](mbam-10-planning-checklist.md)

        MBAM 1.0 Planning Checklist

        Checklist box

        Review the information on MBAM supported configurations to make sure that your selected client and server computers are supported for MBAM feature installation.

        [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md)

        MBAM 1.0 Supported Configurations

        [Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md)

        Deploying the MBAM 1.0 Server Infrastructure

        Checklist box

        Add Active Directory Domain Services security groups created during the planning phase to the appropriate local MBAM Server feature administrators groups on the appropriate servers.

        [Planning for MBAM 1.0 Administrator Roles](planning-for-mbam-10-administrator-roles.md) and [How to Manage MBAM Administrator Roles](how-to-manage-mbam-administrator-roles-mbam-1.md)

        Add Active Directory Domain Services security groups created during the planning phase to the appropriate local MBAM Server feature administrators groups on the appropriate servers.

        Planning for MBAM 1.0 Administrator Roles and How to Manage MBAM Administrator Roles

        Checklist box

        Create and deploy the required MBAM Group Policy Objects.

        [Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md)

        Deploying MBAM 1.0 Group Policy Objects

        Checklist box

        Deploy the MBAM Client software.

        [Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md)

        Deploying the MBAM 1.0 Client

        -  + ## Related topics [Deploying MBAM 1.0](deploying-mbam-10.md) -  - -  + + + diff --git a/mdop/mbam-v1/mbam-10-deployment-prerequisites.md b/mdop/mbam-v1/mbam-10-deployment-prerequisites.md index e1ab53ad55..700410a63d 100644 --- a/mdop/mbam-v1/mbam-10-deployment-prerequisites.md +++ b/mdop/mbam-v1/mbam-10-deployment-prerequisites.md @@ -89,12 +89,12 @@ The following table contains the installation prerequisites for the MBAM Adminis -  + **Note**   For a list of supported operating systems, see [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md). -  + ### Installation prerequisites for the Compliance and Audit Reports @@ -105,7 +105,7 @@ SSRS must be installed and running during MBAM server installation. SSRS should **Note**   For a list of supported operating systems and SQL Server versions, see [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md). -  + ### Installation prerequisites for the Recovery and Hardware Database @@ -116,14 +116,14 @@ SQL Server must have Database Engine Services installed and running during the M **Note**   For a list of supported operating systems and SQL Server versions, see [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md). -  + The TDE SQL Server feature performs real-time input/output (I/O) encryption and decryption of the data and log files. TDE protects data that is "at rest,” which include the data and the log files. It provides the ability to comply with many laws, regulations, and guidelines that are established in various industries. **Note**   Because TDE performs real-time decryption of database information, the recovery key information will be visible if the account under which you are logged in has permissions to the database when you view the recovery key information SQL tables. -  + ### Installation prerequisites for the Compliance and Audit Database 
@@ -134,7 +134,7 @@ SQL Server must have Database Engine Services installed and running during MBAM **Note**   For a list of supported operating systems and SQL Server versions, see [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md). -  + ## Installation prerequisites for MBAM Clients @@ -148,7 +148,7 @@ The necessary prerequisites that you must meet before you begin the MBAM Client **Warning**   Ensure that the keyboard, mouse, and video are directly connected to the computer, instead of to a keyboard, video, mouse (KVM) switch. A KVM switch can interfere with the ability of the computer to detect the physical presence of hardware. -  + ## Related topics @@ -157,9 +157,9 @@ Ensure that the keyboard, mouse, and video are directly connected to the compute [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md) -  + -  + diff --git a/mdop/mbam-v1/mbam-10-planning-checklist.md b/mdop/mbam-v1/mbam-10-planning-checklist.md index ebf09e2c21..97e5d82a85 100644 --- a/mdop/mbam-v1/mbam-10-planning-checklist.md +++ b/mdop/mbam-v1/mbam-10-planning-checklist.md @@ -22,7 +22,7 @@ You can use this checklist to plan and prepare your computing environment for Mi **Note**   This checklist outlines the recommended steps and a high-level list of items to consider when you plan for an MBAM deployment. We recommend that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -43,64 +43,64 @@ This checklist outlines the recommended steps and a high-level list of items to - + - + - + - + - + - + - + - +
        Checklist box

        Review the “getting started” information about MBAM to gain a basic understanding of the product before you begin the deployment planning.

        [Getting Started with MBAM 1.0](getting-started-with-mbam-10.md)

        Getting Started with MBAM 1.0

        Checklist box

        Plan for MBAM 1.0 Deployment Prerequisites and prepare your computing environment.

        [MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md)

        MBAM 1.0 Deployment Prerequisites

        Checklist box

        Plan for and configure MBAM Group Policy requirements.

        [Planning for MBAM 1.0 Group Policy Requirements](planning-for-mbam-10-group-policy-requirements.md)

        Planning for MBAM 1.0 Group Policy Requirements

        Checklist box

        Plan for and create necessary Active Directory Domain Services security groups and plan for MBAM local security group membership requirements.

        [Planning for MBAM 1.0 Administrator Roles](planning-for-mbam-10-administrator-roles.md)

        Planning for MBAM 1.0 Administrator Roles

        Checklist box

        Review the MBAM 1.0 Supported Configurations documentation to ensure hardware that meets MBAM installation system requirements is available.

        [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md)

        MBAM 1.0 Supported Configurations

        Checklist box

        Plan for MBAM Server feature deployment.

        [Planning for MBAM 1.0 Server Deployment](planning-for-mbam-10-server-deployment.md)

        Planning for MBAM 1.0 Server Deployment

        Checklist box

        Plan for MBAM Client deployment.

        [Planning for MBAM 1.0 Client Deployment](planning-for-mbam-10-client-deployment.md)

        Planning for MBAM 1.0 Client Deployment

        Checklist box

        Validate your deployment plan in a lab environment.

        [Evaluating MBAM 1.0](evaluating-mbam-10.md)

        Evaluating MBAM 1.0

        -  + ## Related topics [Planning for MBAM 1.0](planning-for-mbam-10.md) -  + -  + diff --git a/mdop/mbam-v1/mbam-10-supported-configurations.md b/mdop/mbam-v1/mbam-10-supported-configurations.md index c04296f7db..b15e8336ad 100644 --- a/mdop/mbam-v1/mbam-10-supported-configurations.md +++ b/mdop/mbam-v1/mbam-10-supported-configurations.md @@ -26,10 +26,10 @@ This topic specifies the necessary requirements to install and run Microsoft Bit The following table lists the operating systems that are supported for the Microsoft BitLocker Administration and Monitoring Server installation. -**Note**   +**Note** Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + @@ -48,13 +48,13 @@ Microsoft provides support for the current service pack and, in some cases, the - + - + @@ -62,20 +62,20 @@ Microsoft provides support for the current service pack and, in some cases, the

        Windows Server 2008

        Windows Server 2008

        Standard, Enterprise, Datacenter, or Web Server

        SP2 only

        32-bit or 64-bit

        Windows Server 2008 R2

        Windows Server 2008 R2

        Standard, Enterprise, Datacenter, or Web Server

        64-bit

        -  -**Warning**   + +**Warning** There is no support for installing MBAM services, reports, or databases on a domain controller computer. -  + ### Server random access memory (RAM) requirements There are no RAM requirements that are specific to MBAM Server installation. -### SQL Server Database requirements +### SQL Server Database requirements -The following table lists the SQL Server versions that are supported for the MBAM Server feature installation. +The following table lists the SQL Server versions that are supported for the MBAM Server feature installation. @@ -97,28 +97,27 @@ The following table lists the SQL Server versions that are supported for the MB - + - + - + @@ -126,7 +125,7 @@ The following table lists the SQL Server versions that are supported for the MB

        Compliance and Audit Reports

        Microsoft SQL Server 2008 

        Microsoft SQL Server 2008

        R2, Standard, Enterprise, Datacenter, or Developer Edition

        SP2

        32-bit or 64-bit

        Recovery and Hardware Database

        Microsoft SQL Server 2008 

        Microsoft SQL Server 2008

        R2, Enterprise, Datacenter, or Developer Edition

        -Important   -

        SQL Server Standard Editions are not supported for MBAM Recovery and Hardware Database Server feature installation.

        +Important

        SQL Server Standard Editions are not supported for MBAM Recovery and Hardware Database Server feature installation.

        -  +

        SP2

        32-bit or 64-bit

        Compliance and Audit Database

        Microsoft SQL Server 2008 

        Microsoft SQL Server 2008

        R2, Standard, Enterprise, Datacenter, or Developer Edition

        SP2

        32-bit or 64-bit

        -  + ## MBAM Client system requirements @@ -135,10 +134,10 @@ The following table lists the SQL Server versions that are supported for the MB The following table lists the operating systems that are supported for MBAM Client installation. -**Note**   +**Note** Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + @@ -157,13 +156,13 @@ Microsoft provides support for the current service pack and, in some cases, the - + - + @@ -171,7 +170,7 @@ Microsoft provides support for the current service pack and, in some cases, the

        Windows 7

        Windows 7

        Enterprise Edition

        None, SP1

        32-bit or 64-bit

        Windows 7

        Windows 7

        Ultimate Edition

        None, SP1

        32-bit or 64-bit

        -  + ### Client RAM requirements @@ -184,9 +183,9 @@ There are no RAM requirements that are specific to the MBAM Client installation. [MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md) -  - -  + + + diff --git a/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md b/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md index 8926326e63..cd65628a24 100644 --- a/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md +++ b/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md @@ -40,16 +40,16 @@ Administrators in this role have increased access to the Helpdesk features from **Important**   To view the reports, an administrative user must be a member of the **MBAM Report Users** security group on the Administration and Monitoring Server, Compliance and Audit Database, and on the server that hosts the Compliance and Reports feature. As a best practice, create a security group in Active Directory with rights on the local **MBAM Report Users** security group on both the Administration and Monitoring Server and on the server that hosts the Compliance and Reports. -  + ## Related topics [Preparing your Environment for MBAM 1.0](preparing-your-environment-for-mbam-10.md) -  + -  + diff --git a/mdop/mbam-v1/planning-for-mbam-10-client-deployment.md b/mdop/mbam-v1/planning-for-mbam-10-client-deployment.md index cf32db4175..c493b0b251 100644 --- a/mdop/mbam-v1/planning-for-mbam-10-client-deployment.md +++ b/mdop/mbam-v1/planning-for-mbam-10-client-deployment.md @@ -24,7 +24,7 @@ You can use one or both methods in your organization. If you use both methods, y **Note**   To review the MBAM Client system requirements, see [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md). -  + ## Deploying the MBAM Client to enable BitLocker encryption after computer distribution to end users 
@@ -36,7 +36,7 @@ When you deploy the MBAM Client, after you distribute the computers to end users **Note**   In this approach, users are prompted to activate and initialize the Trusted Platform Module (TPM) chip, if it has not been previously activated. -  + ## Using the MBAM Client to enable BitLocker encryption before computer distribution to end users @@ -48,7 +48,7 @@ If your organization wants to use (TPM) to encrypt computers, the administrator **Note**   The TPM protector option requires for the administrator to accept the BIOS prompt to activate and initialize the TPM before delivering the computer to the user. -  + ## Related topics @@ -57,9 +57,9 @@ The TPM protector option requires for the administrator to accept the BIOS promp [Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md) -  + -  + diff --git a/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md b/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md index c2d8718452..eb5ac48c44 100644 --- a/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md +++ b/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md 
@@ -19,19 +19,19 @@ ms.date: 06/16/2016 Microsoft BitLocker Administration and Monitoring (MBAM) Client management requires custom Group Policy settings to be applied. This topic describes the available policy options for Group Policy Object (GPO) when you use MBAM to manage BitLocker Drive Encryption in the enterprise. -**Important**   +**Important** MBAM does not use the default GPO settings for Windows BitLocker drive encryption. If the default settings are enabled, they can cause conflicting behavior. To enable MBAM to manage BitLocker, you must define the GPO policy settings after you install the MBAM Group Policy Template. -  + After you install the MBAM Group Policy template, you can view and modify the available custom MBAM GPO policy settings that enable MBAM to manage the enterprise BitLocker encryption. The MBAM Group Policy template must be installed on a computer that is capable of running the Group Policy Management Console (GPMC) or the Advanced Group Policy Management (AGPM) MDOP technology. Next, to edit the applicable GPO, open the GPMC or AGPM, and then navigate to the following GPO node: **Computer Configuration**\\**Administrative Templates**\\**Windows Components**\\**MDOP MBAM (BitLocker Management)**. The MDOP MBAM (BitLocker Management) GPO node contains four global policy settings and four child GPO setting nodes, respectively. The four GPO global policy settings are: Client Management, Fixed Drive, Operating System Drive, and Removable Drive. The following sections provide policy definitions and suggested policy settings to help you plan for the MBAM GPO policy setting requirements. -**Note**   +**Note** For more information about configuring the minimum suggested GPO settings to enable MBAM to manage BitLocker encryption, see [How to Edit MBAM 1.0 GPO Settings](how-to-edit-mbam-10-gpo-settings.md). -  + ## Global policy definitions 
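Review bot: the context sentence `The four GPO global policy settings are: Client Management, Fixed Drive, Operating System Drive, and Removable Drive.` contradicts the sentence just before it, which says the MDOP MBAM node contains four global policy settings *and* four child GPO setting nodes. Client Management, Fixed Drive, Operating System Drive and Removable Drive are the four child nodes (the later headings `## Client Management policy definitions`, `## Fixed Drive policy definitions`, `## Operating System Drive policy definitions` and `## Removable Drive policy definitions` confirm it), while the global settings are the ones listed under `## Global policy definitions`. Since this hunk already touches the surrounding **Important** and **Note** lines, change the wording to `The four child GPO setting nodes are: Client Management, Fixed Drive, Operating System Drive, and Removable Drive.`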
@@ -78,7 +78,7 @@ This section describes the MBAM Global policy definitions, which can be found at -  + ## Client Management policy definitions @@ -116,11 +116,10 @@ This section describes the Client Management policy definitions for MBAM, found

        You should enable this policy option if your enterprise has older computer hardware or computers that do not support Trusted Platform Module (TPM). If either of these criteria is true, enable the hardware compatibility verification to make sure that MBAM is applied only to computer models that support BitLocker. If all computers in your organization support BitLocker, you do not have to deploy the Hardware Compatibility, and you can set this policy to Not Configured.

        If you enable this policy setting, the model of the computer is validated against the hardware compatibility list once every 24 hours, before the policy enables BitLocker protection on a computer drive.

        -Note   -

        Before enabling this policy setting, make sure that you have configured the MBAM Recovery and Hardware service endpoint setting in the Configure MBAM Services policy options.

        +Note

        Before enabling this policy setting, make sure that you have configured the MBAM Recovery and Hardware service endpoint setting in the Configure MBAM Services policy options.

        -  +

        If you either disable or do not configure this policy setting, the computer model is not validated against the hardware compatibility list.

        @@ -128,20 +127,19 @@ This section describes the Client Management policy definitions for MBAM, found

        Configure user exemption policy

        Suggested Configuration: Not Configured

        This policy setting lets you configure a web site address, email address, or phone number that will instruct a user to request an exemption from BitLocker encryption.

        -

        If you enable this policy setting and provide a web site address, email address, or phone number, users will see a dialog with instructions on how to apply for an exemption from BitLocker protection. For more information about how to enable BitLocker encryption exemptions for users, see [How to Manage User BitLocker Encryption Exemptions](how-to-manage-user-bitlocker-encryption-exemptions-mbam-1.md).

        +

        If you enable this policy setting and provide a web site address, email address, or phone number, users will see a dialog with instructions on how to apply for an exemption from BitLocker protection. For more information about how to enable BitLocker encryption exemptions for users, see How to Manage User BitLocker Encryption Exemptions.

        If you either disable or do not configure this policy setting, the instructions about how to apply for an exemption request will not be presented to users.

        -Note   -

        User exemption is managed per user, not per computer. If multiple users log on to the same computer and one user is not exempt, the computer will be encrypted.

        +Note

        User exemption is managed per user, not per computer. If multiple users log on to the same computer and one user is not exempt, the computer will be encrypted.

        -  +
        -  + ## Fixed Drive policy definitions @@ -200,7 +198,7 @@ This section describes the Fixed Drive policy definitions for MBAM, which can be -  + ## Operating System Drive policy definitions @@ -256,7 +254,7 @@ This section describes the Operating System Drive policy definitions for MBAM, f -  + ## Removable Drive policy definitions @@ -313,16 +311,16 @@ This section describes the Removable Drive Policy definitions for MBAM, found at -  + ## Related topics [Preparing your Environment for MBAM 1.0](preparing-your-environment-for-mbam-10.md) -  - -  + + + diff --git a/mdop/mbam-v1/planning-for-mbam-10-server-deployment.md b/mdop/mbam-v1/planning-for-mbam-10-server-deployment.md index 6af40cd77b..f8a81e0385 100644 --- a/mdop/mbam-v1/planning-for-mbam-10-server-deployment.md +++ b/mdop/mbam-v1/planning-for-mbam-10-server-deployment.md @@ -37,7 +37,7 @@ MBAM server databases and features can be installed in different configurations, **Note**   For more information about performance scalability of MBAM and recommended deployment topologies, see the MBAM Scalability and High-Availability Guide white paper at . -  + Each MBAM feature has specific prerequisites. For a full list of server feature prerequisites and hardware and software requirements, see [MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md) and [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md). @@ -61,7 +61,7 @@ When you deploy the MBAM Server features, install the features in the following **Note**   Keep track of the names of the computers on which you install each feature. You will use this information throughout the installation process. You can print and use a deployment checklist to assist you in the installation process. For more information about the MBAM deployment checklist, see [MBAM 1.0 Deployment Checklist](mbam-10-deployment-checklist.md). -  + ## Related topics 
@@ -70,9 +70,9 @@ Keep track of the names of the computers on which you install each feature. You [Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md) -  + -  + diff --git a/mdop/mbam-v1/preparing-your-environment-for-mbam-10.md b/mdop/mbam-v1/preparing-your-environment-for-mbam-10.md index c14a29f009..c1751b7247 100644 --- a/mdop/mbam-v1/preparing-your-environment-for-mbam-10.md +++ b/mdop/mbam-v1/preparing-your-environment-for-mbam-10.md @@ -29,7 +29,7 @@ To ensure successful installation of MBAM Clients and MBAM Server features, you **Note**   MBAM Setup verifies if all prerequisites are met before installation starts. If they are not met, Setup will fail. -  + [MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md) @@ -41,7 +41,7 @@ Before MBAM can manage clients in the enterprise, you must define the Group Poli **Important**   MBAM will not work with policies for stand-alone BitLocker drive encryption. Group Policy must be defined for MBAM; otherwise, the BitLocker encryption and enforcement will fail. -  + [Planning for MBAM 1.0 Group Policy Requirements](planning-for-mbam-10-group-policy-requirements.md) @@ -59,9 +59,9 @@ The membership of MBAM roles can be managed more effectively if you create secur [Planning for MBAM 1.0](planning-for-mbam-10.md) -  + -  + diff --git a/mdop/mbam-v1/release-notes-for-mbam-10.md b/mdop/mbam-v1/release-notes-for-mbam-10.md index b6de4a5e6a..aec1c1dab8 100644 --- a/mdop/mbam-v1/release-notes-for-mbam-10.md +++ b/mdop/mbam-v1/release-notes-for-mbam-10.md 
@@ -38,7 +38,7 @@ We are interested in your feedback on MBAM. You can send your feedback to ' to group 'MBAM Report Users' Locating group 'MBAM Recovery and Hardware DB Access' Adding 'S-1-5-20' to group 'MBAM Recovery and Hardware DB Access' Exception: A new member could not be added to a local group because the member has the wrong account type. -  -  StackTrace:    at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes) -   at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes) -   at System.DirectoryServices.AccountManagement.SAMStoreCtx.Update(Principal p) -   at Microsoft.Windows.Mdop.BitlockerManagement.Setup.Groups.CreateGroupsDeferred(Session session) -  InnerException:Exception: A new member could not be added to a local group because the member has the wrong account type. 
-  -    InnerException:StackTrace:    at System.DirectoryServices.AccountManagement.UnsafeNativeMethods.IADsGroup.Add(String bstrNewItem) -   at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes) + + StackTrace:    at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes) + at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(Principal p, StoreCtx storeCtx, GroupMembershipUpdater updateGroupMembership, NetCred credentials, AuthenticationTypes authTypes) + at System.DirectoryServices.AccountManagement.SAMStoreCtx.Update(Principal p) + at Microsoft.Windows.Mdop.BitlockerManagement.Setup.Groups.CreateGroupsDeferred(Session session) + InnerException:Exception: A new member could not be added to a local group because the member has the wrong account type. + + InnerException:StackTrace:    at System.DirectoryServices.AccountManagement.UnsafeNativeMethods.IADsGroup.Add(String bstrNewItem) + at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(Principal group, DirectoryEntry de, NetCred credentials, AuthenticationTypes authTypes) CustomAction MbamCreateGroupsDeferred returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox) Action ended 11:41:29: InstallExecute. Return value 3. ``` @@ -150,9 +150,9 @@ Microsoft, Active Directory, ActiveX, Bing, Excel, Silverlight, SQL Server, Win [About MBAM 1.0](about-mbam-10.md) -  + -  + diff --git a/mdop/mbam-v1/security-considerations-for-mbam-10.md b/mdop/mbam-v1/security-considerations-for-mbam-10.md index a76bf92569..60d75c4b33 100644 --- a/mdop/mbam-v1/security-considerations-for-mbam-10.md +++ b/mdop/mbam-v1/security-considerations-for-mbam-10.md 
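Review bot: inside the fenced installer-log excerpt the `+` lines swap the non-breaking-space indentation for a single space, which leaves the stack frames unevenly aligned: `+ StackTrace:    at System.DirectoryServices.AccountManagement.SAMStoreCtx.UpdateGroupMembership(...)` keeps four spaces before `at`, while the next frame is `+ at System.DirectoryServices.AccountManagement.SDSUtils.ApplyChangesToDirectory(...)`. Whitespace inside a ``` fence is shown literally, so the nbsp cleanup that is purely cosmetic elsewhere in this patch changes what readers see here. Either give every `at` frame the same ordinary-space indentation or leave this block untouched, so the quoted log still looks like the log a reader will compare against.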
@@ -86,7 +86,7 @@ No groups are created automatically during MBAM Setup. However, you should creat -  + ### MBAM Server Local Groups @@ -135,7 +135,7 @@ MBAM Setup creates local groups to support MBAM operations. You should add the A -  + ### SSRS Reports Access Account @@ -148,7 +148,7 @@ During MBAM Setup, the following MBAM Setup log files are created in the %temp% **MBAM Server Setup log files** -MSI*<five random characters>*.log +MSI<five random characters>.log Logs the actions taken during MBAM Setup and MBAM Server Feature installation. InstallComplianceDatabase.log @@ -172,11 +172,11 @@ Logs the actions taken to authorize web services to MBAM Recovery and Hardware d **Note**   In order to obtain additional MBAM Setup log files, you must install Microsoft BitLocker Administration and Monitoring by using the **msiexec** package and the **/l** <location> option. Log files are created in the location specified. -  + **MBAM Client Setup log files** -MSI*<five random characters>*.log +MSI<five random characters>.log Logs the actions taken during MBAM Client installation. ## MBAM Database TDE considerations @@ -197,9 +197,9 @@ For more information about TDE in SQL Server 2008, see [Database Encryption in [Security and Privacy for MBAM 1.0](security-and-privacy-for-mbam-10.md) -  + -  + diff --git a/mdop/mbam-v1/understanding-mbam-reports-mbam-1.md b/mdop/mbam-v1/understanding-mbam-reports-mbam-1.md index a86d60a380..069c0097c2 100644 --- a/mdop/mbam-v1/understanding-mbam-reports-mbam-1.md +++ b/mdop/mbam-v1/understanding-mbam-reports-mbam-1.md @@ -73,7 +73,7 @@ An Enterprise Compliance Report provides information on overall BitLocker compli -  + **Enterprise Compliance Report Compliance states** @@ -120,7 +120,7 @@ An Enterprise Compliance Report provides information on overall BitLocker compli -  + ### Computer Compliance Report 
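Review bot: in security-considerations-for-mbam-10.md, changing `MSI*<five random characters>*.log` to `MSI<five random characters>.log` (done twice, in the server and the client log-file lists) removes the italics but keeps the bare angle brackets, so markdown is likely to treat `<five random characters>` as a raw HTML tag and the rendered text collapses to `MSI.log`. Escape the brackets (`MSI\<five random characters\>.log`) or write the placeholder as a literal pattern such as `` `MSI*.log` `` with the five-character explanation in prose. The unchanged `**/l** <location>` text in the Note a few lines below has the same problem and should get the same fix in this pass.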
@@ -131,7 +131,7 @@ The Computer Compliance Report provides detailed encryption information and appl **Note**   This report does not provide encryption status for Removable Data Volumes. -  + **Computer Compliance Report fields** @@ -210,7 +210,7 @@ This report does not provide encryption status for Removable Data Volumes. -  + **Computer Compliance Report Drive fields** @@ -261,7 +261,7 @@ This report does not provide encryption status for Removable Data Volumes. -  + ### Hardware Audit Report @@ -304,7 +304,7 @@ This report can help you audit changes to the Hardware Compatibility status of s -  + ### Recovery Audit Report @@ -367,21 +367,21 @@ The Recovery Audit Report can help you audit users who have requested access to -  + **Note**   To save report results to a file, click the **Export** button on the reports menu bar. -  + ## Related topics [Monitoring and Reporting BitLocker Compliance with MBAM 1.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md) -  + -  + diff --git a/mdop/mbam-v2/about-mbam-20-mbam-2.md b/mdop/mbam-v2/about-mbam-20-mbam-2.md index fcfa066515..403d43870d 100644 --- a/mdop/mbam-v2/about-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/about-mbam-20-mbam-2.md @@ -27,7 +27,7 @@ BitLocker Administration and Monitoring 2.0 enforces the BitLocker encryption **Note**   BitLocker is not covered in detail in this guide. For an overview of BitLocker, see [BitLocker Drive Encryption Overview](https://go.microsoft.com/fwlink/p/?LinkId=225013). -  + The following groups might be interested in using MBAM to manage BitLocker: @@ -105,9 +105,9 @@ This technology is a part of the Microsoft Desktop Optimization Pack (MDOP). Ent [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/about-mbam-20-sp1.md b/mdop/mbam-v2/about-mbam-20-sp1.md index 23208c2917..8b27fe1388 100644 --- a/mdop/mbam-v2/about-mbam-20-sp1.md +++ b/mdop/mbam-v2/about-mbam-20-sp1.md 
@@ -28,13 +28,13 @@ This version of MBAM provides the following new features and functionality. Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 Service Pack 1 (SP1) adds support for Windows 8.1, Windows Server 2012 R2, and System Center 2012 R2 Configuration Manager. -### Support for Microsoft SQL Server 2008 R2 SP2 +### Support for Microsoft SQL Server 2008 R2 SP2 -Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 Service Pack 1 (SP1) adds support for Microsoft SQL Server 2008 R2 SP2. You must use Microsoft SQL Server 2008 R2 or higher if you are running Microsoft System Center Configuration Manager 2007 R2. +Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 Service Pack 1 (SP1) adds support for Microsoft SQL Server 2008 R2 SP2. You must use Microsoft SQL Server 2008 R2 or higher if you are running Microsoft System Center Configuration Manager 2007 R2. ### Customer feedback rollup -MBAM 2.0 SP1 includes a rollup of fixes to address issues that were found since the Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 release. As part of these changes, the Computer Name field now appears in the BitLocker Computer Compliance and BitLocker Enterprise Compliance Details reports when you run MBAM with Microsoft System Center Configuration Manager 2007. +MBAM 2.0 SP1 includes a rollup of fixes to address issues that were found since the Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 release. As part of these changes, the Computer Name field now appears in the BitLocker Computer Compliance and BitLocker Enterprise Compliance Details reports when you run MBAM with Microsoft System Center Configuration Manager 2007. ### Firewall exception must be set on ports for the Self-Service Portal and the Administration and Monitoring website 
@@ -48,16 +48,16 @@ MBAM reports for the Configuration Manager integrated topology are now available You can install MBAM on a primary site server or a central administration site server when you install MBAM with the Configuration Manager integrated topology. Previously, you were required to install MBAM on a central administration site server. -**Important**   +**Important** The server on which you install MBAM must be the top-tier server in your hierarchy. -  -The MBAM installation works differently for Microsoft System Center Configuration Manager 2007 and Microsoft System Center 2012 Configuration Manager as follows: + +The MBAM installation works differently for Microsoft System Center Configuration Manager 2007 and Microsoft System Center 2012 Configuration Manager as follows: - **Configuration Manager 2007** : If you install MBAM on a primary site server that is part of a larger Configuration Manager hierarchy and has a central site parent server, MBAM resolves the central site parent server and performs all of the installation actions on that parent server. The installation actions include checking prerequisites and installing the Configuration Manager objects and reports. For example, if you install MBAM on a primary site server that is a child of a central site parent server, MBAM installs all of the Configuration Manager objects and reports on the parent server. If you install MBAM on the parent server, MBAM performs all of the installation actions on that parent server. -- **System Center 2012 Configuration Manager** : If you install MBAM on a primary site server or on a central administration server, MBAM performs all of the installation actions on that site server. +- **System Center 2012 Configuration Manager** : If you install MBAM on a primary site server or on a central administration server, MBAM performs all of the installation actions on that site server. 
### Configuration Manager Console must be installed on the computer on which you install the MBAM Server @@ -88,11 +88,10 @@ When you install MBAM with the Configuration Manager integrated topology, you mu

        CM_REPORTS_ONLY

        Enables you to install only the Configuration Manager reports, without other Configuration Manager objects, such as the baseline, collection, and configuration items.

        -Note   -

        You must combine this parameter with the CM_REPORTS_COLLECTION_ID parameter.

        +Note

        You must combine this parameter with the CM_REPORTS_COLLECTION_ID parameter.

        -  +

        Valid parameter values:

          @@ -113,7 +112,7 @@ When you install MBAM with the Configuration Manager integrated topology, you mu -  + ### Ability to turn Self-Service Portal notice text on or off @@ -171,12 +170,12 @@ MBAM displays the notice text, based on the following rules: - If MBAM does not find a default notice.txt file, it displays the default text in the Self-Service Portal. -**Note**   +**Note** If an end user’s browser is set to a language that does not have a corresponding language subfolder or notice.txt, the text that is in the notice.txt file in the following root directory is displayed: <*MBAM Self-Service Install Directory*>\\Self Service Website\\ -  + **To create a localized notice.txt file** @@ -184,10 +183,10 @@ If an end user’s browser is set to a language that does not have a correspondi <*MBAM Self-Service Install Directory*>\\Self Service Website\\ - **Note**   + **Note** Some language folders already exist, so you may not have to create one. If you do need to create a language folder, see [National Language Support (NLS) API Reference](https://go.microsoft.com/fwlink/?LinkId=317947) for a list of the valid names that you can use for the <*language*> folder. -   + 2. Create a notice.txt file that contains the localized notice text. 
@@ -258,8 +257,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M // Microsoft BitLocker Administration and Monitoring //=================================================== -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) +# pragma namespace ("\\\\.\\root\\cimv2") +# pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL) [Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")] class Win32_BitLockerEncryptionDetails { @@ -291,19 +290,19 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M Boolean IsAutoUnlockEnabled; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) +# pragma namespace ("\\\\.\\root\\cimv2") +# pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy { [key] string KeyName; - + //General encryption requirements UInt32 OsDriveEncryption; UInt32 FixedDataDriveEncryption; UInt32 EncryptionMethod; - + //Required protectors properties UInt32 OsDriveProtector; UInt32 FixedDataDriveAutoUnlock; @@ -323,7 +322,7 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M Instance of Win32Reg_MBAMPolicy { KeyName="BitLocker policy"; - + //General encryption requirements [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement|ShouldEncryptOsDrive"),Dynamic,Provider("RegPropProv")] OsDriveEncryption; 
@@ -331,7 +330,7 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M FixedDataDriveEncryption; [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE|EncryptionMethod"),Dynamic,Provider("RegPropProv")] EncryptionMethod; - + //Required protectors properties [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|OSVolumeProtectorPolicy"),Dynamic,Provider("RegPropProv")] OsDriveProtector; @@ -353,19 +352,19 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) +# pragma namespace ("\\\\.\\root\\cimv2") +# pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL) [DYNPROPS] Class Win32Reg_MBAMPolicy_64 { [key] string KeyName; - + //General encryption requirements UInt32 OsDriveEncryption; UInt32 FixedDataDriveEncryption; UInt32 EncryptionMethod; - + //Required protectors properties UInt32 OsDriveProtector; UInt32 FixedDataDriveAutoUnlock; @@ -385,7 +384,7 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M Instance of Win32Reg_MBAMPolicy_64 { KeyName="BitLocker policy 64"; - + //General encryption requirements [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement|ShouldEncryptOsDrive"),Dynamic,Provider("RegPropProv")] OsDriveEncryption; @@ -393,7 +392,7 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M FixedDataDriveEncryption; [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE|EncryptionMethod"),Dynamic,Provider("RegPropProv")] EncryptionMethod; - + //Required protectors properties [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|OSVolumeProtectorPolicy"),Dynamic,Provider("RegPropProv")] OsDriveProtector; 
@@ -415,8 +414,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M EncodedComputerName; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) +# pragma namespace ("\\\\.\\root\\cimv2") +# pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL) [Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_OperatingSystemExtended @@ -427,8 +426,8 @@ If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration M uint32 SKU; }; -#pragma namespace ("\\\\.\\root\\cimv2") -#pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) +# pragma namespace ("\\\\.\\root\\cimv2") +# pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL) [Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"}, dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")] class CCM_ComputerSystemExtended @@ -481,9 +480,9 @@ MBAM 2.0 SP1 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP i [Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md) -  - -  + + + diff --git a/mdop/mbam-v2/about-the-computer-tpm-chip.md b/mdop/mbam-v2/about-the-computer-tpm-chip.md index 81cfa2c860..8fc5a07b1c 100644 --- a/mdop/mbam-v2/about-the-computer-tpm-chip.md +++ b/mdop/mbam-v2/about-the-computer-tpm-chip.md @@ -29,7 +29,7 @@ After BitLocker is configured, you can access additional information about the T **Note**   You must have administrative credentials on your computer to access this tool. -  + In a TPM failure, a change in the BIOS, or certain Windows Updates, BitLocker will lock your computer and require you to contact your Help Desk to unlock it. You have to provide the name of your computer as well as your computer’s domain. Help Desk can give you a password file that can be used to unlock your computer. 
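Review bot: the `#pragma namespace` / `#pragma deleteclass` lines in the about-mbam-20-sp1.md hunks (@@ -258, @@ -291, @@ -353, @@ -415 and @@ -427) are rewritten as `# pragma ...`, which edits a MOF snippet readers are told to paste into configuration.mof; the MOF directive is `#pragma`, so whether mofcomp tolerates the inserted space needs to be verified before this merges. If the motivation was the markdown renderer, note that `# pragma namespace (...)` at the start of a line is exactly the form markdown treats as a level-1 heading, so the change is more likely to break rendering than fix it; keep `#pragma` unchanged and make sure the whole MOF listing sits inside a code fence.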
@@ -45,9 +45,9 @@ If a TPM failure, change in the BIOS, or certain Windows Updates occur, BitLocke [Using Your PIN or Password](using-your-pin-or-password.md) -  + -  + diff --git a/mdop/mbam-v2/accessibility-for-mbam-20-mbam-2.md b/mdop/mbam-v2/accessibility-for-mbam-20-mbam-2.md index 0ca6ac6e61..62803ce9fd 100644 --- a/mdop/mbam-v2/accessibility-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/accessibility-for-mbam-20-mbam-2.md @@ -33,7 +33,7 @@ Access keys let you quickly use a command by pressing a few keys. You can get to **Note**   To cancel the action that you are taking and hide the keyboard shortcuts, press ALT. -  + ## Documentation in Alternative Formats @@ -67,13 +67,13 @@ For information about the availability of Microsoft product documentation and bo

          (609) 987-8116

          -

          [http://www.learningally.org/](https://go.microsoft.com/fwlink/?linkid=239)

          +

          http://www.learningally.org/

          Web addresses can change, so you might be unable to connect to the website or sites mentioned here.

          -  + ## Customer Service for People with Hearing Impairments @@ -96,9 +96,9 @@ For more information about how accessible technology for computers helps to impr [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/administering-mbam-20-features-mbam-2.md b/mdop/mbam-v2/administering-mbam-20-features-mbam-2.md index fbaf87c838..87e053a66b 100644 --- a/mdop/mbam-v2/administering-mbam-20-features-mbam-2.md +++ b/mdop/mbam-v2/administering-mbam-20-features-mbam-2.md @@ -41,7 +41,7 @@ MBAM provides a custom control panel, called BitLocker Encryption Options, that **Note**   This customized control panel does not replace the default Windows BitLocker control panel. -  + [How to Manage MBAM Client BitLocker Encryption Options by Using the Control Panel](how-to-manage-mbam-client-bitlocker-encryption-options-by-using-the-control-panel-mbam-2.md) @@ -50,9 +50,9 @@ This customized control panel does not replace the default Windows BitLocker con [Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/edit-the-configurationmof-file.md b/mdop/mbam-v2/edit-the-configurationmof-file.md index c6e10fe82a..e06a21728b 100644 --- a/mdop/mbam-v2/edit-the-configurationmof-file.md +++ b/mdop/mbam-v2/edit-the-configurationmof-file.md @@ -26,7 +26,7 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2 - For an upgrade to MBAM 2.0 SP1, see **Update the configuration.mof file if you upgrade to MBAM 2.0 SP1 and you are using MBAM with Configuration Manager 2007**. -  + **To create the configuration.mof file if you are using MBAM 2.0 SP1 with Configuration Manager** @@ -379,9 +379,9 @@ If you are installing Microsoft BitLocker Administration and Monitoring (MBAM) 2 [Deploying MBAM with Configuration Manager](deploying-mbam-with-configuration-manager-mbam2.md) -  + -  + 
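Review bot: in the accessibility-for-mbam-20-mbam-2.md hunk (@@ -67), `[http://www.learningally.org/](https://go.microsoft.com/fwlink/?linkid=239)` is replaced by the bare text `http://www.learningally.org/`, which silently drops the fwlink redirect target; if the link itself is meant to stay, keep the address as a link, and if the fwlink is being retired, say so in the commit message so the change is not mistaken for a formatting cleanup.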
diff --git a/mdop/mbam-v2/evaluating-mbam-20-mbam-2.md b/mdop/mbam-v2/evaluating-mbam-20-mbam-2.md index 93fe769b89..4c52ea62b8 100644 --- a/mdop/mbam-v2/evaluating-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/evaluating-mbam-20-mbam-2.md @@ -47,43 +47,43 @@ Even though you are setting up a non-production instance of MBAM to evaluate in Checklist box

          Review the Getting Started information about MBAM to gain a basic understanding of the product before beginning deployment planning.

          -

          [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md)

          +

          Getting Started with MBAM 2.0

          Checklist box

          Plan for MBAM 2.0 Deployment Prerequisites and prepare your computing environment.

          -

          [MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md)

          +

          MBAM 2.0 Deployment Prerequisites

          Checklist box

          Plan for and configure MBAM Group Policy requirements.

          -

          [Planning for MBAM 2.0 Group Policy Requirements](planning-for-mbam-20-group-policy-requirements-mbam-2.md)

          +

          Planning for MBAM 2.0 Group Policy Requirements

          Checklist box

          Plan for and create necessary Active Directory Domain Services security groups, and plan for MBAM local security group membership requirements.

          -

          [Planning for MBAM 2.0 Administrator Roles](planning-for-mbam-20-administrator-roles-mbam-2.md)

          +

          Planning for MBAM 2.0 Administrator Roles

          Checklist box

          Plan for deploying MBAM Server feature deployment.

          -

          [Planning for MBAM 2.0 Server Deployment](planning-for-mbam-20-server-deployment-mbam-2.md)

          +

          Planning for MBAM 2.0 Server Deployment

          Checklist box

          Plan for deploying MBAM Client deployment.

          -

          [Planning for MBAM 2.0 Client Deployment](planning-for-mbam-20-client-deployment-mbam-2.md)

          +

          Planning for MBAM 2.0 Client Deployment

          -  + ### Perform an MBAM Evaluation Deployment @@ -100,37 +100,37 @@ After completing the necessary planning and software prerequisite installations Checklist box

          Review the MBAM supported configurations information to make sure that selected client and server computers are supported for MBAM feature installation.

          -

          [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md)

          +

          MBAM 2.0 Supported Configurations

          Checklist box

          Run MBAM Setup to deploy MBAM Server features on a single server for evaluation purposes.

          -

          [How to Install and Configure MBAM on a Single Server](how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md)

          +

          How to Install and Configure MBAM on a Single Server

          Checklist box

          Add Active Directory Domain Services security groups, that you created during the planning phase, to the appropriate local MBAM Server feature local groups on the new MBAM Server.

          -

          [Planning for MBAM 2.0 Administrator Roles](planning-for-mbam-20-administrator-roles-mbam-2.md) and [How to Manage MBAM Administrator Roles](how-to-manage-mbam-administrator-roles-mbam-2.md)

          +

          Planning for MBAM 2.0 Administrator Roles and How to Manage MBAM Administrator Roles

          Checklist box

          Create and deploy required MBAM Group Policy Objects.

          -

          [Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md)

          +

          Deploying MBAM 2.0 Group Policy Objects

          Checklist box

          Deploy the MBAM Client software.

          -

          [Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md)

          +

          Deploying the MBAM 2.0 Client

          -  + ## Configure Lab Computers for MBAM Evaluation @@ -140,7 +140,7 @@ This section contains information that can be used to speed up the MBAM Client s **Note**   The information in following section describes how to modify the Windows registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. -  + ### Modify MBAM Client Status Reporting Frequency Settings @@ -157,7 +157,7 @@ To modify the MBAM Client status reporting frequency settings: **Note**   To set values that are this low, you must set them in the registry manually. -  + ### Modify MBAM Client Service Startup Delay @@ -168,9 +168,9 @@ In addition to the MBAM Client wakeup and status reporting frequencies, there is [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/getting-started---using-mbam-with-configuration-manager.md b/mdop/mbam-v2/getting-started---using-mbam-with-configuration-manager.md index 0c1d7770a0..c05335448c 100644 --- a/mdop/mbam-v2/getting-started---using-mbam-with-configuration-manager.md +++ b/mdop/mbam-v2/getting-started---using-mbam-with-configuration-manager.md @@ -22,7 +22,7 @@ When you install Microsoft BitLocker Administration and Monitoring (MBAM), you c **Important**   Windows To Go is not supported when you install the integrated topology of MBAM with Configuration Manager 2007. -  + ## Using MBAM with Configuration Manager @@ -97,9 +97,9 @@ A description of the servers, databases, and features of this architecture follo [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md) -  + -  + diff --git a/mdop/mbam-v2/helping-end-users-manage-bitlocker.md b/mdop/mbam-v2/helping-end-users-manage-bitlocker.md index 224e9c56c2..351f43c2ea 100644 
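Review bot: both checklist hunks in evaluating-mbam-20-mbam-2.md (@@ -47 and @@ -100) replace linked topic titles such as `[MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md)` with the bare title text, so the reference column of each checklist no longer links to the topics it names. Unless the surrounding table cannot render markdown links, this is a navigation regression; restore the links (or use `<a href="...">` if the cells are raw HTML) rather than flattening them to text.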
--- a/mdop/mbam-v2/helping-end-users-manage-bitlocker.md +++ b/mdop/mbam-v2/helping-end-users-manage-bitlocker.md @@ -39,7 +39,7 @@ You can turn off BitLocker, either temporarily, by suspending it, or permanently **Note**   Because BitLocker encrypts the whole drive and not just the individual files themselves, be careful when you move sensitive data between drives. If you move a file from a BitLocker-protected drive to a nonencrypted drive, the file will no longer be encrypted. -  + ## About the BitLocker Encryption Options Application @@ -81,9 +81,9 @@ In this section, you can view information about external drives (such as a USB t - **Disk Management** -open the Disk Management tool. From here you can view the information for all hard drives connected to the computer and configure partitions and drive options. You must have administrative rights on your computer to access this tool. -  + -  + diff --git a/mdop/mbam-v2/high-level-architecture-for-mbam-20-mbam-2.md b/mdop/mbam-v2/high-level-architecture-for-mbam-20-mbam-2.md index 809f586de3..8e213175cb 100644 --- a/mdop/mbam-v2/high-level-architecture-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/high-level-architecture-for-mbam-20-mbam-2.md @@ -26,7 +26,7 @@ The following diagram shows the MBAM recommended architecture for a production e **Note**   A single-server architecture should be used only in test environments. -  + ![mbam 2 two-server deployment topology](images/mbam2-3-servers.gif) @@ -73,9 +73,9 @@ The MBAM Client is installed on a Windows computer and has the following charact [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/how-to-brand-the-self-service-portal.md b/mdop/mbam-v2/how-to-brand-the-self-service-portal.md index 36056e912b..d50446e82d 100644 --- a/mdop/mbam-v2/how-to-brand-the-self-service-portal.md +++ b/mdop/mbam-v2/how-to-brand-the-self-service-portal.md 
@@ -31,71 +31,73 @@ After you install the Microsoft BitLocker Administration and Monitoring (MBAM) S 5. From the **Name** column, select the item that you want to change, and change the default value to reflect the name that you want to use. The following table lists the values that you can set. - **Caution**   + **Caution** Do not change the value in the Name column (CompanyName\*), as it will cause the Self-Service Portal to stop working. -   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          NameDefault Value

          CompanyName*

          Contoso IT

          HelpdeskText*

          Contact Help Desk or IT Department

          HelpdeskUrl*

          Http://www.microsoft.com

          jQueryPath

          //ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js

          MicrosoftAjaxPath

          //ajax.aspnetcdn.com/ajax/3.5/MicrosoftAjax.js

          MicrosoftMvcAjaxPath

          //ajax.aspnetcdn.com/ajax/mvc/2.0/MicrosoftMvcValidation.js

          NoticeTextPath

          Notice.txt

          -
          - Note   -

          You can edit the Notice text either by using the IIS Manager or by opening and changing the Notice.txt file in the installation directory.

          -
          -
          -   -
          -   +~~~ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          NameDefault Value

          CompanyName*

          Contoso IT

          HelpdeskText*

          Contact Help Desk or IT Department

          HelpdeskUrl*

          Http://www.microsoft.com

          jQueryPath

          //ajax.aspnetcdn.com/ajax/jQuery/jquery-1.7.2.min.js

          MicrosoftAjaxPath

          //ajax.aspnetcdn.com/ajax/3.5/MicrosoftAjax.js

          MicrosoftMvcAjaxPath

          //ajax.aspnetcdn.com/ajax/mvc/2.0/MicrosoftMvcValidation.js

          NoticeTextPath

          Notice.txt

          +
          +Note +

          You can edit the Notice text either by using the IIS Manager or by opening and changing the Notice.txt file in the installation directory.

          +
          +
          + +
          +~~~ + + ## Related topics [Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md) -  - -  + + + diff --git a/mdop/mbam-v2/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md b/mdop/mbam-v2/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md index daaac08c25..26ec642679 100644 --- a/mdop/mbam-v2/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md +++ b/mdop/mbam-v2/how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md 
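Review bot: the how-to-brand-the-self-service-portal.md hunk (@@ -31) wraps the HTML `<table>` of Name / Default Value settings, and the Note that follows it, in `~~~` fences; a fenced block renders its contents as literal preformatted text, so readers will see raw table markup instead of a table, and `CompanyName*` and friends will no longer line up with their defaults. If the aim was to keep the non-breaking-space cleanup from breaking the table, remove the `~~~` lines and leave the table as raw HTML.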
@@ -19,26 +19,26 @@ ms.date: 06/16/2016 The Microsoft BitLocker Administration and Monitoring (MBAM) Client enables administrators to enforce and monitor BitLocker drive encryption on computers in the enterprise. If computers that have a Trusted Platform Module (TPM) chip, the BitLocker client can be integrated into an organization by enabling BitLocker management and encryption on client computers as part of the imaging and Windows deployment process. -**Note**   +**Note** To review the Microsoft BitLocker Administration and Monitoring Client system requirements, see [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md). -  + Encrypting client computers with BitLocker during the initial imaging stage of a Windows deployment can lower the administrative overhead necessary for implementing MBAM in an organization. It also ensures that every computer that is deployed already has BitLocker running and is configured correctly. -**Note**   +**Note** The procedure in this topic describes modifying the Windows registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. -  + **To encrypt a computer as part of Windows deployment** 1. If your organization is planning to use the Trusted Platform Module (TPM) protector or the TPM + PIN protector options in BitLocker, you must activate the TPM chip before the initial deployment of MBAM. When you activate the TPM chip, you avoid a reboot later in the process, and you ensure that the TPM chips are correctly configured according to the requirements of your organization. You must activate the TPM chip manually in the BIOS of the computer. - **Note**   + **Note** Some vendors provide tools to turn on and activate the TPM chip in the BIOS from within the operating system. 
Refer to the manufacturer documentation for more details about how to configure the TPM chip. -   + 2. Install the Microsoft BitLocker Administration and Monitoring client agent. 
@@ -86,24 +86,26 @@ The procedure in this topic describes modifying the Windows registry. Using Regi Set this value to the URL for the Key Recovery web server, for example, http://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc. -   - **Note**   - MBAM policy or registry values can be set here to override previously set values. -   +~~~ +**Note** +MBAM policy or registry values can be set here to override previously set values. +~~~ -7. The MBAM agent restarts the system during MBAM client deployment. When you are ready for this reboot, run the following command at a command prompt as an administrator: - **net start mbamagent** -8. When the computers restarts, and the BIOS prompts you to accept a TPM change, accept the change. +7. The MBAM agent restarts the system during MBAM client deployment. When you are ready for this reboot, run the following command at a command prompt as an administrator: -9. During the Windows client operating system imaging process, when you are ready to start encryption, restart the MBAM agent service, and set start to **automatic** by running a command prompt as an administrator and typing the following commands: + **net start mbamagent** - **sc config mbamagent start= auto** +8. When the computers restarts, and the BIOS prompts you to accept a TPM change, accept the change. - **net start mbamagent** +9. During the Windows client operating system imaging process, when you are ready to start encryption, restart the MBAM agent service, and set start to **automatic** by running a command prompt as an administrator and typing the following commands: + + **sc config mbamagent start= auto** + + **net start mbamagent** 10. Remove the bypass registry values by running Regedit and going to the HKLM\\SOFTWARE\\Microsoft registry entry. To delete the **MBAM** node, right-click the node and click **Delete**. 
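Review bot: in the how-to-deploy-the-mbam-client-as-part-of-a-windows-deployment-mbam-2.md hunk (@@ -86), the Note under step 6 ("MBAM policy or registry values can be set here to override previously set values.") is now enclosed in `~~~` fences, which turns a callout into a code block and prints the `**Note**` bold markers literally; use the indented `**Note**` paragraph style that step 1 of the same file uses. The re-indentation of steps 7 to 9 and their `net start mbamagent` / `sc config mbamagent start= auto` commands looks correct.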
@@ -112,9 +114,9 @@ The procedure in this topic describes modifying the Windows registry. Using Regi [Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md) -  - -  + + + diff --git a/mdop/mbam-v2/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-2.md b/mdop/mbam-v2/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-2.md index e3c8b6fefc..cd58d1213c 100644 --- a/mdop/mbam-v2/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-2.md +++ b/mdop/mbam-v2/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-2.md @@ -22,7 +22,7 @@ The Microsoft BitLocker Administration and Monitoring (MBAM) client enables admi **Note**   To review the Microsoft BitLocker Administration and Monitoring Client system requirements, see [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md). -  + **To deploy the MBAM Client to desktop or laptop computers** @@ -35,16 +35,16 @@ To review the Microsoft BitLocker Administration and Monitoring Client system re **Important**   The MBAM Client will not start BitLocker encryption actions if a remote desktop protocol connection is active. All remote console connections must be closed before BitLocker encryption will begin. -   + ## Related topics [Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md b/mdop/mbam-v2/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md index 40fe98a3bb..be34c7735b 100644 --- a/mdop/mbam-v2/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md +++ b/mdop/mbam-v2/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md 
@@ -26,7 +26,7 @@ You can use Microsoft BitLocker Administration and Monitoring (MBAM) to determin **Note**   Note: The default address for the Administration and Monitoring website is http://*<computername>*. Using the fully qualified server name will yield faster browsing results. -   + 2. Selects the **Report** node from the navigation pane, and select the **Computer Compliance Report**. @@ -37,16 +37,16 @@ You can use Microsoft BitLocker Administration and Monitoring (MBAM) to determin **Note**   Device compliance is determined by the BitLocker policies that your enterprise has deployed. You may want to verify your deployed policies before you try to determine the BitLocker encryption state of a device. -   + ## Related topics [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/how-to-edit-mbam-20-gpo-settings-mbam-2.md b/mdop/mbam-v2/how-to-edit-mbam-20-gpo-settings-mbam-2.md index 44e50e75a6..1c4aec51cd 100644 --- a/mdop/mbam-v2/how-to-edit-mbam-20-gpo-settings-mbam-2.md +++ b/mdop/mbam-v2/how-to-edit-mbam-20-gpo-settings-mbam-2.md 
@@ -67,21 +67,23 @@ You can use the following steps to configure the basic, recommended GPO settings -   - **Important**   - Depending on the policies that your organization decides to deploy, you may have to configure additional policies. See [Planning for MBAM 2.0 Group Policy Requirements](planning-for-mbam-20-group-policy-requirements-mbam-2.md) for Group Policy configuration details for all of the available MBAM GPO policy options. -   +~~~ +**Important** +Depending on the policies that your organization decides to deploy, you may have to configure additional policies. See [Planning for MBAM 2.0 Group Policy Requirements](planning-for-mbam-20-group-policy-requirements-mbam-2.md) for Group Policy configuration details for all of the available MBAM GPO policy options. +~~~ + + ## Related topics [Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md) -  - -  + + + diff --git a/mdop/mbam-v2/how-to-generate-mbam-reports-mbam-2.md b/mdop/mbam-v2/how-to-generate-mbam-reports-mbam-2.md index eb631ef64b..7e100cc0b6 100644 --- a/mdop/mbam-v2/how-to-generate-mbam-reports-mbam-2.md +++ b/mdop/mbam-v2/how-to-generate-mbam-reports-mbam-2.md @@ -22,7 +22,7 @@ When you install Microsoft BitLocker Administration and Monitoring (MBAM) with t **Note**   To run the reports, you must be a member of the **Report Users Role** on the computers where the Administration and Monitoring Server features, Compliance and Audit Database, and Compliance and Audit Reports are installed. -  + **To open the Administration and Monitoring website** 
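Review bot: the how-to-edit-mbam-20-gpo-settings-mbam-2.md hunk (@@ -67) fences the Important callout in `~~~`, so the markdown link `[Planning for MBAM 2.0 Group Policy Requirements](planning-for-mbam-20-group-policy-requirements-mbam-2.md)` inside it will be displayed as literal text rather than rendered as a link; keep the callout as a plain `**Important**` paragraph, as the other notes in this patch are.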
@@ -31,7 +31,7 @@ To run the reports, you must be a member of the **Report Users Role** on the com **Note**   If the Administration and Monitoring website was installed on a port other than 80, you have to specify the port in the URL (for example, *http://<computername>:<port>*. If you specified a host name for the Administration and Monitoring website during the installation, the URL is *http://<hostname>*. -   + 2. In the left pane, click **Reports** and then select the report you want to run from the top menu bar. @@ -40,7 +40,7 @@ To run the reports, you must be a member of the **Report Users Role** on the com **Note**   If SSRS was not configured to use Secure Socket Layer, the URL for the reports will be set to HTTP instead of to HTTPS when you install the MBAM Server. If you then go to the Help Desk portal and select a report, the following message displays: “Only Secure Content is Displayed.” To show the report, click **Show All Content**. -   + **To generate an Enterprise Compliance Report** @@ -57,7 +57,7 @@ To run the reports, you must be a member of the **Report Users Role** on the com **Note**   The Enterprise Compliance report is generated by a SQL job that runs every six hours. Therefore, the first time you view the report, you may find that some data is missing. You can generate updated report data manually by using SQL Management Studio. From the **Object Explorer** window, expand **SQL Server Agent**, expand **Jobs**, right-click the **CreateCache** job, and select **Start Job at Step….** -   + 3. Select a computer name to view information about the computer in the Computer Compliance Report. @@ -78,7 +78,7 @@ To run the reports, you must be a member of the **Report Users Role** on the com **Note**   An MBAM client computer is considered compliant if the computer matches the requirements of the MBAM policy settings. -   + **To generate the Recovery Key Audit Report** 
@@ -105,9 +105,9 @@ To run the reports, you must be a member of the **Report Users Role** on the com [Monitoring and Reporting BitLocker Compliance with MBAM 2.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md b/mdop/mbam-v2/how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md index 961892e3aa..db6508b8b3 100644 --- a/mdop/mbam-v2/how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md +++ b/mdop/mbam-v2/how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md @@ -25,12 +25,12 @@ The following diagram shows an example of a single-server architecture. For a de Each server feature has certain prerequisites. To verify that you have met the prerequisites and hardware and software requirements, see [MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md) and [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md). In addition, some features also have information that must be provided during the installation process to successfully deploy the feature. You should also review [Preparing your Environment for MBAM 2.0](preparing-your-environment-for-mbam-20-mbam-2.md) before you start MBAM deployment. -**Note**   +**Note** To obtain the setup log files, you have use the Msiexec package and the **/L** <location> option to install MBAM. Log files are created in the location that you specify. Additional setup log files are created in the %temp% folder on the server of the user who is installing MBAM. -  + ## To install MBAM Server features on a single server 
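Review bot: The unchanged context line directly under the edited `**Note**` in how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md still reads "you have use the Msiexec package"; since this hunk already touches that note, fix it to "you have to use", which is the wording the distributed-servers topic uses for the same sentence.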
@@ -61,17 +61,17 @@ The following steps describe how to install general MBAM features. - MBAM Group Policy template - **Note**   + **Note** The installation wizard checks the prerequisites for your installation and displays the prerequisites that are missing. If all of the prerequisites are met, the installation continues. If a missing prerequisite is detected, you have to resolve the missing prerequisites, and then click **Check prerequisites again**. If all prerequisites are met this time, the installation resumes. -   + 6. On the **Configure network communication security** page, choose whether to encrypt the communication between the Web Services on the Administration and Monitoring Server and the clients. If you decide to encrypt the communication, select the certification authority-provisioned certificate to use for encryption. The certificate must be created prior to this step to enable you to select it on this page. - **Note**   + **Note** This page appears only if you selected the Self-Service Portal or the Administration and Monitoring Server feature on the **Select features to install** page. -   + 7. Click **Next**, and then continue to the next set of steps to configure the MBAM Server features. @@ -91,10 +91,10 @@ The following steps describe how to install general MBAM features. 7. On the **Configure the Self-Service Portal** page, enter the port number, host name, virtual directory name, and installation path for the Self-Service Portal. - **Note**   + **Note** The port number that you specify must be an unused port number on the Administration and Monitoring Server unless you specify a unique host header name. If you are using Windows Firewall, the port will be opened automatically. -   + 8. Click **Next** to continue. 
@@ -102,10 +102,10 @@ The following steps describe how to install general MBAM features. 10. On the **Configure the Administration and Monitoring Server** page, enter the port number, host name, virtual directory name, and installation path for the Help Desk website. - **Note**   + **Note** The port number that you specify must be an unused port number on the Administration and Monitoring Server unless you specify a unique host header name. If you are using Windows Firewall, the port will be opened automatically. -   + 11. On the **Installation Summary** page, review the list of features that will be installed, and click **Install** to start installing the MBAM features. Click **Back** to move back through the wizard if you have to review or change your installation settings, or click **Cancel** to exit Setup. Setup installs the MBAM features and notifies you that the installation is complete. @@ -125,10 +125,10 @@ The following steps describe how to install general MBAM features. - Brand the Self-Service Portal with your company name, notice text, and other company-specific information. For instructions, see [How to Brand the Self-Service Portal](how-to-brand-the-self-service-portal.md). - **Note**   + **Note** Identical user or group membership of the **MBAM Report Users** local group must be maintained on all computers where the MBAM Administration and Monitoring Server features, Compliance and Audit Database, and Compliance and Audit Reports are installed. The recommended way to do this is to create a domain security group and add that domain group to each local MBAM Report Users group. When you use this process, manage the group memberships by way of the domain group. -   + ## Validating the MBAM Server feature installation 
@@ -137,66 +137,68 @@ When the Microsoft BitLocker Administration and Monitoring installation is compl **To validate the MBAM Server feature installation** -1. On each server where a MBAM feature is deployed, open **Control Panel**. Select **Programs**, and then select **Programs and Features**. Verify that **Microsoft BitLocker Administration and Monitoring** appears in the **Programs and Features** list. +1. On each server where a MBAM feature is deployed, open **Control Panel**. Select **Programs**, and then select **Programs and Features**. Verify that **Microsoft BitLocker Administration and Monitoring** appears in the **Programs and Features** list. - **Note**   - To validate the installation, you must use a domain account that has local computer administrative credentials on each server. + **Note** + To validate the installation, you must use a domain account that has local computer administrative credentials on each server. -   -2. On the server where the Recovery Database is installed, open SQL Server Management Studio, and verify that the **MBAM Recovery and Hardware** database is installed. -3. On the server where the Compliance and Audit Database is installed, open SQL Server Management Studio, and verify that the **MBAM Compliance Status Database** is installed. +2. On the server where the Recovery Database is installed, open SQL Server Management Studio, and verify that the **MBAM Recovery and Hardware** database is installed. -4. On the server where the Compliance and Audit Reports are installed, open a web browser with administrative credentials and browse to the “Home” of the SQL Server Reporting Services site. +3. On the server where the Compliance and Audit Database is installed, open SQL Server Management Studio, and verify that the **MBAM Compliance Status Database** is installed. - The default Home location of a SQL Server Reporting Services site instance is at http://*<NameofMBAMReportsServer>*/Reports. 
To find the actual URL, use the Reporting Services Configuration Manager tool and select the instances that are specified during setup. +4. On the server where the Compliance and Audit Reports are installed, open a web browser with administrative credentials and browse to the “Home” of the SQL Server Reporting Services site. - Confirm that a Reports folder named Microsoft BitLocker Administration and Monitoring contains a data source called **MaltaDataSource** and that an **en-us** folder contains four reports. + The default Home location of a SQL Server Reporting Services site instance is at http://<NameofMBAMReportsServer>/Reports. To find the actual URL, use the Reporting Services Configuration Manager tool and select the instances that are specified during setup. - **Note**   - If SQL Server Reporting Services was configured as a named instance, the URL should resemble the following: http://*<NameofMBAMReportsServer>*/Reports\_*<SRSInstanceName>* + Confirm that a Reports folder named Microsoft BitLocker Administration and Monitoring contains a data source called **MaltaDataSource** and that an **en-us** folder contains four reports. -   + **Note** + If SQL Server Reporting Services was configured as a named instance, the URL should resemble the following: http://*<NameofMBAMReportsServer>*/Reports\_*<SRSInstanceName>* - **Note**   - If SSRS was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to HTTP instead of HTTPS when you install the MBAM Server. If you then go to the Administration and Monitoring website and select a report, the following message appears: “Only Secure Content is Displayed.” To show the report, click **Show All Content**. -   -5. On the server where the Administration and Monitoring feature is installed, run **Server Manager** and browse to **Roles**. 
Select **Web Server (IIS)**, and then click **Internet Information Services (IIS) Manager.** +~~~ +**Note** +If SSRS was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to HTTP instead of HTTPS when you install the MBAM Server. If you then go to the Administration and Monitoring website and select a report, the following message appears: “Only Secure Content is Displayed.” To show the report, click **Show All Content**. +~~~ -6. In **Connections,** browse to *<computername>*, select **Sites**, and then select **Microsoft BitLocker Administration and Monitoring**. Verify that **MBAMAdministrationService**, **MBAMUserSupportService**, **MBAMComplianceStatusService**, and **MBAMRecoveryAndHardwareService** are listed. -7. On the server where the Administration and Monitoring features and Self-Service Portal are installed, open a web browser with administrative credentials and browse to the following locations to verify that they load successfully: - - *http://<hostname>/HelpDesk/default.aspx* and confirm each of the links for navigation and reports +5. On the server where the Administration and Monitoring feature is installed, run **Server Manager** and browse to **Roles**. Select **Web Server (IIS)**, and then click **Internet Information Services (IIS) Manager.** - - *http://<hostname>/SelfService>/* +6. In **Connections,** browse to *<computername>*, select **Sites**, and then select **Microsoft BitLocker Administration and Monitoring**. Verify that **MBAMAdministrationService**, **MBAMUserSupportService**, **MBAMComplianceStatusService**, and **MBAMRecoveryAndHardwareService** are listed. - - *http://<computername>/MBAMAdministrationService/AdministrationService.svc* +7. 
On the server where the Administration and Monitoring features and Self-Service Portal are installed, open a web browser with administrative credentials and browse to the following locations to verify that they load successfully: - - *http://<hostname>/MBAMUserSupportService/UserSupportService.svc* + - *http://<hostname>/HelpDesk/default.aspx* and confirm each of the links for navigation and reports - - *http://<computername>/MBAMComplianceStatusService/StatusReportingService.svc* + - *http://<hostname>/SelfService>/* - - *http://<computername>/MBAMRecoveryAndHardwareService/CoreService.svc* + - *http://<computername>/MBAMAdministrationService/AdministrationService.svc* - **Note**   - It is assumed that the server features were installed on the default port without network encryption. If you installed the server features on a different port or virtual directory, change the URLs to include the appropriate port, for example, *http://<hostname>:<port>/HelpDesk/default.asp*x or*http://<hostname>:<port>/<virtualdirectory>/default.aspx* + - *http://<hostname>/MBAMUserSupportService/UserSupportService.svc* + + - *http://<computername>/MBAMComplianceStatusService/StatusReportingService.svc* + + - *http://<computername>/MBAMRecoveryAndHardwareService/CoreService.svc* + + **Note** + It is assumed that the server features were installed on the default port without network encryption. If you installed the server features on a different port or virtual directory, change the URLs to include the appropriate port, for example, *http://<hostname>:<port>/HelpDesk/default.asp*x or*http://<hostname>:<port>/<virtualdirectory>/default.aspx* + + If the server features were installed with network encryption, change http:// to https://. - If the server features were installed with network encryption, change http:// to https://. -   ## Related topics [Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md) -  - -  + + + 
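Review bot: In the validation hunk of how-to-install-and-configure-mbam-on-a-single-server-mbam-2.md, the SSL note that used to sit indented under step 4 is moved to column 0 inside a `~~~` fence; an unindented block between steps 4 and 5 ends the numbered list, so steps 5 to 7 will renumber from 1, and the warning that report URLs fall back to HTTP when SSRS has no SSL binding is rendered as a code block instead of a visible note. Keep it indented under step 4 as a plain paragraph. Two defects are also carried over into the new lines and are worth fixing here: the broken emphasis and missing space in `*http://<hostname>:<port>/HelpDesk/default.asp*x or*http://<hostname>:<port>/<virtualdirectory>/default.aspx*`, and the stray `>` in `*http://<hostname>/SelfService>/*`.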
diff --git a/mdop/mbam-v2/how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md b/mdop/mbam-v2/how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md index 02dd4e43c1..f7c562da25 100644 --- a/mdop/mbam-v2/how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md +++ b/mdop/mbam-v2/how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md @@ -21,12 +21,12 @@ The procedures in this topic describe how to install Microsoft BitLocker Adminis Each server feature has certain prerequisites. To verify that you have met the prerequisites and hardware and software requirements, see [MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md) and [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md). In addition, some features require that you provide certain information during the installation process to successfully deploy the feature. You should also review [Planning for MBAM 2.0 Server Deployment](planning-for-mbam-20-server-deployment-mbam-2.md) before you start the MBAM deployment. -**Note**   +**Note** To obtain the setup log files, you have to use the Msiexec package and the **/L** <location> option to install MBAM. Log files are created in the location that you specify. Additional setup log files are created in the %temp% folder on the server of the user who is installing MBAM. -  + ## Deploying MBAM Server Features 
@@ -43,10 +43,10 @@ The following steps describe how to install general MBAM features. 4. On the **Topology Selection** page, select the **Stand-alone** topology, and then click **Next**. - **Note**   + **Note** If you want to install MBAM with the Configuration Manager integrated topology, see [Deploying MBAM with Configuration Manager](deploying-mbam-with-configuration-manager-mbam2.md). -   + 5. Select the features that you want to install. By default, all MBAM features are selected for installation. Clear the features that you want to install elsewhere. Features that will be installed on the same computer must be installed together at the same time. You must install MBAM features in the following order: 
@@ -62,17 +62,19 @@ The following steps describe how to install general MBAM features. - MBAM Group Policy template - **Note**   + **Note** The installation wizard checks the prerequisites for your installation and displays the prerequisites that are missing. If all of the prerequisites are met, the installation continues. If a missing prerequisite is detected, you have to resolve the missing prerequisites, and then click **Check prerequisites again**. If all prerequisites are met this time, the installation resumes. -   - The MBAM Setup wizard displays installation pages for the features that you select. The following sections describe the installation procedures for each feature. - **Note**   - For the following instructions, it is assumed that each feature is to be installed on a separate server. If you install multiple features on a single server, you can change or eliminate some steps. +~~~ +The MBAM Setup wizard displays installation pages for the features that you select. The following sections describe the installation procedures for each feature. + +**Note** +For the following instructions, it is assumed that each feature is to be installed on a separate server. If you install multiple features on a single server, you can change or eliminate some steps. +~~~ + -   **To install the Recovery Database** 
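Review bot: The new `~~~` block in the @@ -62 hunk of how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md puts an ordinary paragraph ("The MBAM Setup wizard displays installation pages for the features that you select...") and the following **Note** into a code fence, so both render monospaced with the bold markers shown literally. They should stay as two plain paragraphs separated by a blank line; no fence is needed.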
@@ -90,10 +92,10 @@ The following steps describe how to install general MBAM features. 2. Specify the computer names of the computers that will be running the Administration and Monitoring Server and the Compliance and Audit Reports. After the Administration and Monitoring and the Compliance and Audit Reports Server are deployed, they use their domain accounts to connect to the databases. - **Note**   + **Note** If you are installing the Compliance and Audit Database without the Compliance and Audit Reports feature, you must add an exception on the Compliance and Audit Database computer to enable inbound traffic on the Microsoft SQL Server port. The default port number is 1433. -   + 3. Specify the SQL Server instance name and the name of the database that will store the compliance and audit data. You must also specify where the database and log information will be located. @@ -103,10 +105,10 @@ The following steps describe how to install general MBAM features. 1. On the **Configure the Compliance and Audit Reports** page, specify the remote SQL Server instance name (for example, <ServerName>) where the Compliance and Audit Database was installed. - **Note**   + **Note** If you are installing the Compliance and Audit Reports without the Administration and Monitoring Server, you must add an exception on the Compliance and Audit Report computer to enable inbound traffic on the Reporting Server port (the default port is 80). -   + 2. Specify the name of the Compliance and Audit Database. By default, the database name is MBAM Compliance Status, although you can change the name when you install the Compliance and Audit Database. 
@@ -136,10 +138,10 @@ The following steps describe how to install general MBAM features. 9. Enter the **Port Number**, the **Host Name** (optional), and the **Installation Path** for the MBAM Administration and Monitoring Server. - **Note**   + **Note** The port number that you specify must be an unused port number on the Administration and Monitoring server unless you specify a unique host header name. If you are using Windows Firewall, the port will be opened automatically. -   + 10. To optionally register a Service Principal Name (SPN) for the Self-Service Portal, select **Register this machine’s Service Principal Names (SPN) with Active Directory (Required for Windows Authentication)**. If you select this check box, MBAM Setup will not try to register the existing SPNs, and you can manually register the SPN before or after the MBAM installation. For instructions on registering the SPN manually, see [Manual SPN Registration](https://go.microsoft.com/fwlink/?LinkId=286758). 
@@ -151,85 +153,85 @@ The following steps describe how to install general MBAM features. 14. Click **Finish** to exit the wizard. - **Note**   + **Note** To configure the Self-Service Portal after you installed it, brand the Self-Service Portal with your company name and other company-specific information, see [How to Brand the Self-Service Portal](how-to-brand-the-self-service-portal.md) for instructions. -   + 15. If the client computers have access to the Microsoft Content Delivery Network (CDN), which gives the Self-Service Portal the required access to certain JavaScript files, you are finished with the Self-Service Portal installation. If the client computers does not have access to the Microsoft CDN, complete the steps in the next section to configure the Self-Service Portal to reference the JavaScript files from an accessible source. **To configure the Self-Service Portal when end users cannot access the Microsoft Content Delivery Network** -1. If the client computers have access to the Microsoft Content Delivery Network (CDN), which gives the Self-Service Portal the required access to certain JavaScript files, the Self-Service Portal installation is completed. If the client computers do not have access to the Microsoft CDN, complete the remaining steps in this section to configure the Self-Service Portal to reference the JavaScript files from an accessible source. +1. If the client computers have access to the Microsoft Content Delivery Network (CDN), which gives the Self-Service Portal the required access to certain JavaScript files, the Self-Service Portal installation is completed. If the client computers do not have access to the Microsoft CDN, complete the remaining steps in this section to configure the Self-Service Portal to reference the JavaScript files from an accessible source. -2. Download the four JavaScript files from the Microsoft CDN: +2. 
Download the four JavaScript files from the Microsoft CDN: - - jQuery-1.7.2.min.js - [https://go.microsoft.com/p/fwlink/?LinkID=271736](https://go.microsoft.com/fwlink/p/?LinkID=271736) + - jQuery-1.7.2.min.js - [https://go.microsoft.com/p/fwlink/?LinkID=271736](https://go.microsoft.com/fwlink/p/?LinkID=271736) - - MicrosoftAjax.js –[https://go.microsoft.com/p/fwlink/?LinkId=272283](https://go.microsoft.com/fwlink/p/?LinkId=272283) + - MicrosoftAjax.js –[https://go.microsoft.com/p/fwlink/?LinkId=272283](https://go.microsoft.com/fwlink/p/?LinkId=272283) - - MicrosoftMvcAjax.js - [https://go.microsoft.com/p/fwlink/?LinkId=272284](https://go.microsoft.com/fwlink/p/?LinkId=272284) + - MicrosoftMvcAjax.js - [https://go.microsoft.com/p/fwlink/?LinkId=272284](https://go.microsoft.com/fwlink/p/?LinkId=272284) - - MicrosoftMvcValidation.js - + - MicrosoftMvcValidation.js - -3. Copy the JavaScript files to the **Scripts** directory of the Self-Service Portal. This directory is located in *<MBAM Self-Service Install Directory>\\*Self Service Website\\Scripts. +3. Copy the JavaScript files to the **Scripts** directory of the Self-Service Portal. This directory is located in <MBAM Self-Service Install Directory>\\Self Service Website\\Scripts. -4. Open **Internet Information Services (IIS) Manager**. +4. Open **Internet Information Services (IIS) Manager**. -5. Expand **Sites** > **Microsoft BitLocker Administration and Monitoring**, and highlight **SelfService**. +5. Expand **Sites** > **Microsoft BitLocker Administration and Monitoring**, and highlight **SelfService**. - **Note**   - *SelfService* is the default virtual directory name. If you chose a different name for this directory during installation, remember to replace *SelfService* in the rest of these instructions with the name you chose. + **Note** + *SelfService* is the default virtual directory name. 
If you chose a different name for this directory during installation, remember to replace *SelfService* in the rest of these instructions with the name you chose. -   -6. In the middle pane, double-click **Application Settings**. -7. For each item in the following list, edit the application settings to reference the new location by replacing <virtual directory> with /SelfService/ (or the name you chose during installation). For example, the virtual directory path will be similar to /selfservice/scripts/jquery-1.7.2.min.js. +6. In the middle pane, double-click **Application Settings**. - - jQueryPath: /<virtual directory>/Scripts/ jQuery-1.7.2.min.js +7. For each item in the following list, edit the application settings to reference the new location by replacing <virtual directory> with /SelfService/ (or the name you chose during installation). For example, the virtual directory path will be similar to /selfservice/scripts/jquery-1.7.2.min.js. - - MicrosoftAjaxPath: /<virtual directory>/Scripts/ MicrosoftAjax.js + - jQueryPath: /<virtual directory>/Scripts/ jQuery-1.7.2.min.js - - MicrosoftMvcAjaxPath: /<virtual directory>/Scripts/ MicrosoftMvcAjax.js + - MicrosoftAjaxPath: /<virtual directory>/Scripts/ MicrosoftAjax.js - - MicrosoftMvcValidationPath: /<virtual directory>/Scripts/ MicrosoftMvcValidation.js + - MicrosoftMvcAjaxPath: /<virtual directory>/Scripts/ MicrosoftMvcAjax.js + + - MicrosoftMvcValidationPath: /<virtual directory>/Scripts/ MicrosoftMvcValidation.js **To install the Administration and Monitoring Server feature** -1. MBAM can encrypt the communication between the Web Services and the Administration and Monitoring servers. If you choose the option to encrypt the communication, you are prompted to select the certification authority-provisioned certificate to use for encryption. +1. MBAM can encrypt the communication between the Web Services and the Administration and Monitoring servers. 
If you choose the option to encrypt the communication, you are prompted to select the certification authority-provisioned certificate to use for encryption. -2. Click **Next** to continue. +2. Click **Next** to continue. -3. Specify the remote instance of SQL Server (for example: *<ServerName>*) where the Compliance and Audit Database was installed. +3. Specify the remote instance of SQL Server (for example: *<ServerName>*) where the Compliance and Audit Database was installed. -4. Specify the name of the Compliance and Audit Database. By default, the database name is MBAM Compliance Status. However, you can change the name when you install the Compliance and Audit Database. +4. Specify the name of the Compliance and Audit Database. By default, the database name is MBAM Compliance Status. However, you can change the name when you install the Compliance and Audit Database. -5. Click **Next** to continue. +5. Click **Next** to continue. -6. Specify the remote instance of SQL Server (for example: *<ServerName>*) where the Recovery Database was installed. +6. Specify the remote instance of SQL Server (for example: *<ServerName>*) where the Recovery Database was installed. -7. Specify the name of the Recovery Database. By default, the database name is **MBAM Recovery and Hardware**. However, you can change the name when you install the Recovery Database feature. +7. Specify the name of the Recovery Database. By default, the database name is **MBAM Recovery and Hardware**. However, you can change the name when you install the Recovery Database feature. -8. Click **Next** to continue. +8. Click **Next** to continue. -9. Specify the URL for the “Home” of the SQL Server Reporting Services (SRS) site. The default Home location of a SQL Server Reporting Services site instance is at: +9. Specify the URL for the “Home” of the SQL Server Reporting Services (SRS) site. 
The default Home location of a SQL Server Reporting Services site instance is at: - http://*<NameofMBAMReportsServer>/*ReportServer + http://<NameofMBAMReportsServer>/ReportServer + + **Note** + If SQL Server Reporting Services was configured as a named instance, the URL resembles the following: http://*<NameofMBAMReportsServer>*/ReportServer\_*<SRSInstanceName>*. - **Note**   - If SQL Server Reporting Services was configured as a named instance, the URL resembles the following: http://*<NameofMBAMReportsServer>*/ReportServer\_*<SRSInstanceName>*. -   10. Click **Next** to continue. 11. Enter the **Port Number**, the **Host Name** (optional), and the **Installation Path** for the MBAM Administration and Monitoring Server. - **Note**   + **Note** The port number that you specify must be an unused port number on the Administration and Monitoring server unless you specify a unique host header name. If you are using Windows Firewall, the port will be opened automatically. -   + 12. To optionally register a Service Principal Name (SPN) for the Self-Service Portal, select **Register this machine’s Service Principal Names (SPN) with Active Directory (Required for Windows Authentication)**. If you select this check box, MBAM Setup will not try to register the existing SPNs, and you can manually register the SPN before or after the MBAM installation. For instructions on registering the SPN manually, see [Manual SPN Registration](https://go.microsoft.com/fwlink/?LinkId=286758). 
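Review bot: In the Self-Service Portal steps of the @@ -151 hunk, the link text and link target disagree for the JavaScript downloads, for example `[https://go.microsoft.com/p/fwlink/?LinkID=271736](https://go.microsoft.com/fwlink/p/?LinkID=271736)`; make the visible text match the target so readers who copy the text get the same URL the link resolves to. The fourth item, `MicrosoftMvcValidation.js -`, has no link in either the old or the new text, although step 7 expects that file to be present; it needs a target before this merges. Separately, `http://<NameofMBAMReportsServer>/ReportServer` now has bare angle brackets with no surrounding emphasis, which Markdown may parse as an HTML tag and drop from the rendered page, while the named-instance note right below still writes `*<NameofMBAMReportsServer>*`; pick one escaping style for placeholders and apply it to both.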
@@ -253,10 +255,10 @@ The following steps describe how to install general MBAM features. - **MBAM Report Users**: Members of this local group can access the reports on the MBAM Administration and Monitoring website. - **Note**   + **Note** Identical user or group membership of the **MBAM Report Users** local group must be maintained on all computers where the MBAM Administration and Monitoring Server features, Compliance and Audit Database, and the Compliance and Audit Reports are installed. -   + ## Validating the MBAM Server Feature Installation 
@@ -265,73 +267,77 @@ When Microsoft BitLocker Administration and Monitoring Server feature installati **To validate an MBAM Server installation** -1. On each server where an MBAM feature is deployed, open **Control Panel**, select **Programs**, and then select **Programs and Features**. Verify that **Microsoft BitLocker Administration and Monitoring** appears in the **Programs and Features** list. +1. On each server where an MBAM feature is deployed, open **Control Panel**, select **Programs**, and then select **Programs and Features**. Verify that **Microsoft BitLocker Administration and Monitoring** appears in the **Programs and Features** list. - **Note**   - To validate the MBAM installation, you must use a domain account that has local computer administrative credentials on each server. + **Note** + To validate the MBAM installation, you must use a domain account that has local computer administrative credentials on each server. -   -2. On the server where the Recovery Database is installed, open SQL Server Management Studio and verify that the **MBAM Recovery and Hardware** database is installed. -3. On the server where the Compliance and Audit Database is installed, open SQL Server Management Studio and verify that the **MBAM Compliance Status Database** is installed. +2. On the server where the Recovery Database is installed, open SQL Server Management Studio and verify that the **MBAM Recovery and Hardware** database is installed. -4. On the server where the Compliance and Audit Reports are installed, open a web browser with administrative credentials and browse to the “Home” of the SQL Server Reporting Services site. +3. On the server where the Compliance and Audit Database is installed, open SQL Server Management Studio and verify that the **MBAM Compliance Status Database** is installed. - The default Home location of a SQL Server Reporting Services site instance can be found is at http://*<NameofMBAMReportsServer>*/Reports.aspx. 
To find the actual URL, use the Reporting Services Configuration Manager tool and select the instances that were specified during setup. +4. On the server where the Compliance and Audit Reports are installed, open a web browser with administrative credentials and browse to the “Home” of the SQL Server Reporting Services site. - Confirm that a reports folder named **Microsoft BitLocker Administration and Monitoring** contains a data source called **MaltaDataSource** and that an **en-us** folder contains four reports. + The default Home location of a SQL Server Reporting Services site instance can be found is at http://<NameofMBAMReportsServer>/Reports.aspx. To find the actual URL, use the Reporting Services Configuration Manager tool and select the instances that were specified during setup. - **Note**   - If SQL Server Reporting Services was configured as a named instance, the URL should resemble the following:http://*<NameofMBAMReportsServer>*/Reports\_*<SRSInstanceName>* + Confirm that a reports folder named **Microsoft BitLocker Administration and Monitoring** contains a data source called **MaltaDataSource** and that an **en-us** folder contains four reports. -   + **Note** + If SQL Server Reporting Services was configured as a named instance, the URL should resemble the following:http://*<NameofMBAMReportsServer>*/Reports\_*<SRSInstanceName>* - **Note**   - If SSRS was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to HTTP instead of HTTPS when you install the MBAM Server. If you then go to the Administration and Monitoring website and select a report, the following message appears: “Only Secure Content is Displayed.” To show the report, click **Show All Content**. -   -5. On the server where the Administration and Monitoring feature is installed, run **Server Manager** and browse to **Roles**. Select **Web Server (IIS)**, and then click **Internet Information Services (IIS) Manager**. 
+~~~ +**Note** +If SSRS was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to HTTP instead of HTTPS when you install the MBAM Server. If you then go to the Administration and Monitoring website and select a report, the following message appears: “Only Secure Content is Displayed.” To show the report, click **Show All Content**. +~~~ -6. In **Connections**, browse to *<computername>*, select **Sites**, and select **Microsoft BitLocker Administration and Monitoring**. Verify that **MBAMAdministrationService**, **MBAMComplianceStatusService**, and **MBAMRecoveryAndHardwareService** are listed. -7. On the server where the Administration and Monitoring features and Self-Service Portal are installed, open a web browser with administrative credentials and browse to the following locations to verify that they load successfully. - **Note**   - The URLs ending in “.svc” do not display a website. Success is indicated by the message “Metadata publishing for this service is currently disabled” or by information resembling code. If you see some other error message or if the page cannot be found, the page has not loaded successfully. +5. On the server where the Administration and Monitoring feature is installed, run **Server Manager** and browse to **Roles**. Select **Web Server (IIS)**, and then click **Internet Information Services (IIS) Manager**. -   +6. In **Connections**, browse to *<computername>*, select **Sites**, and select **Microsoft BitLocker Administration and Monitoring**. Verify that **MBAMAdministrationService**, **MBAMComplianceStatusService**, and **MBAMRecoveryAndHardwareService** are listed. - - *http://<hostname>/HelpDesk/default.aspx* and confirm each of the links for navigation and reports +7. On the server where the Administration and Monitoring features and Self-Service Portal are installed, open a web browser with administrative credentials and browse to the following locations to verify that they load successfully. 
- - *http://<hostname>/SelfService>/* + **Note** + The URLs ending in “.svc” do not display a website. Success is indicated by the message “Metadata publishing for this service is currently disabled” or by information resembling code. If you see some other error message or if the page cannot be found, the page has not loaded successfully. - - *http://<computername>/MBAMAdministrationService/AdministrationService.svc* - - *http://<hostname>/MBAMUserSupportService/UserSupportService.svc* - - *http://<computername>/MBAMComplianceStatusService/StatusReportingService.svc* +~~~ +- *http://<hostname>/HelpDesk/default.aspx* and confirm each of the links for navigation and reports - - *http://<computername>/MBAMRecoveryAndHardwareService/CoreService.svc* +- *http://<hostname>/SelfService>/* - **Note**   - It is assumed that the server features were installed on the default port without network encryption. If you installed the server features on a different port or virtual directory, change the URLs to include the appropriate port, for example, *http://<hostname>:<port>/HelpDesk/default.aspx* or*http://<hostname>:<port>/<virtualdirectory>/default.aspx* +- *http://<computername>/MBAMAdministrationService/AdministrationService.svc* - If the server features were installed with network encryption, change http:// to https://. +- *http://<hostname>/MBAMUserSupportService/UserSupportService.svc* -   +- *http://<computername>/MBAMComplianceStatusService/StatusReportingService.svc* -8. Verify that each webpage loads successfully. +- *http://<computername>/MBAMRecoveryAndHardwareService/CoreService.svc* + +**Note** +It is assumed that the server features were installed on the default port without network encryption. 
If you installed the server features on a different port or virtual directory, change the URLs to include the appropriate port, for example, *http://<hostname>:<port>/HelpDesk/default.aspx* or*http://<hostname>:<port>/<virtualdirectory>/default.aspx* + +If the server features were installed with network encryption, change http:// to https://. +~~~ + + + +8. Verify that each webpage loads successfully. ## Related topics [Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md) -  - -  + + + diff --git a/mdop/mbam-v2/how-to-install-mbam-with-configuration-manager.md b/mdop/mbam-v2/how-to-install-mbam-with-configuration-manager.md index 2d0709c2eb..a01c49e93e 100644 --- a/mdop/mbam-v2/how-to-install-mbam-with-configuration-manager.md +++ b/mdop/mbam-v2/how-to-install-mbam-with-configuration-manager.md @@ -32,7 +32,7 @@ If you are using a non-default SQL Server Reporting Services (SSRS) instance, yo `MbamSetup.exe CM_SSRS_INSTANCE_NAME=` -  + **To install MBAM on the Configuration Manager Server** @@ -43,7 +43,7 @@ If you are using a non-default SQL Server Reporting Services (SSRS) instance, yo Additional setup log files are created in the %temp% folder on the computer of the user who is installing Configuration Manager. -   + 2. On the **Welcome** page, optionally select the **Customer Experience Improvement Program**, and then click **Start**. @@ -56,7 +56,7 @@ If you are using a non-default SQL Server Reporting Services (SSRS) instance, yo **Note**   On the **Checking Prerequisites** page, click **Next** after the installation wizard checks the prerequisites for your installation and confirms that none are missing. If a missing prerequisite is detected, you have to resolve the missing prerequisites, and then click **Check prerequisites again.** -   + 6. Specify whether to use Microsoft Updates to help keep your computer secure, and then click **Next**. Using Microsoft Updates does not turn on Automatic Updates in Windows. 
@@ -81,7 +81,7 @@ If you are using a non-default SQL Server Reporting Services (SSRS) instance, yo **Note**   The installation wizard checks the prerequisites for your installation and displays the prerequisites that are missing. If all of the prerequisites are met, the installation continues. If a missing prerequisite is detected, you have to resolve the missing prerequisites, and then click **Check prerequisites again**. If all prerequisites are met this time, the installation resumes. -   + 6. On the **Configure the Recovery Database** page, specify the names of the computers that will be running the Administration and Monitoring Server feature. After the Administration and Monitoring Server feature is deployed, it uses its domain account to connect to the database. @@ -98,7 +98,7 @@ If you are using a non-default SQL Server Reporting Services (SSRS) instance, yo **Note**   If you are installing the Audit Database without the Audit Reports feature, you must add an exception on the Audit Database computer to enable inbound traffic on the Microsoft SQL Server port. The default port number is 1433. -   + 12. Specify the SQL Server instance name and the name of the database that will store the audit data. You must also specify where the database and log information will be located. 
@@ -119,14 +119,14 @@ If you are using a non-default SQL Server Reporting Services (SSRS) instance, yo **Note**   The installation wizard checks the prerequisites for your installation and displays the prerequisites that are missing. If all of the prerequisites are met, the installation continues. If a missing prerequisite is detected, you have to resolve the missing prerequisites, and then click **Check prerequisites again**. If all prerequisites are met this time, the installation resumes. -   + 6. Install the Self-Service Portal by following the steps in the **To install the Self-Service Portal** section in [How to Install and Configure MBAM on Distributed Servers](how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md). **Note**   If the client computers will not have access to the Microsoft Content Delivery Network (CDN), which gives the Self-Service Portal the required access to certain JavaScript files, complete the steps in the **To configure the Self-Service Portal when end users cannot access the Microsoft Content Delivery Network** section [How to Install and Configure MBAM on Distributed Servers](how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md) to configure the Self-Service Portal to reference the JavaScript files from an accessible source. -   + 7. Install the Administration and Monitoring Server features by following the steps in the **To install the Administration and Monitoring Server feature** section in [How to Install and Configure MBAM on Distributed Servers](how-to-install-and-configure-mbam-on-distributed-servers-mbam-2.md). @@ -139,9 +139,9 @@ If you are using a non-default SQL Server Reporting Services (SSRS) instance, yo [Deploying MBAM with Configuration Manager](deploying-mbam-with-configuration-manager-mbam2.md) -  + -  + 
diff --git a/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md b/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md index 9203d81460..44d57820c6 100644 --- a/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md +++ b/mdop/mbam-v2/how-to-install-the-mbam-20-group-policy-template-mbam-2.md @@ -24,7 +24,7 @@ The following steps describe how to install the MBAM Group Policy template. **Note**   Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup on 64-bit servers. -  + **To install the MBAM Group Policy template** @@ -39,7 +39,7 @@ Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup o **Note**   The installation wizard checks the prerequisites for your installation and displays prerequisites that are missing. If all the prerequisites are met, the installation continues. If a missing prerequisite is detected, you have to resolve the missing prerequisites, and then click **Check prerequisites again**. Once all prerequisites are met, the installation will resume. -   + 5. For specific steps about how and where to install the templates, see [How to Download and Deploy MDOP Group Policy (.admx) Templates](https://technet.microsoft.com/library/dn659707.aspx). @@ -50,9 +50,9 @@ Make sure that you use the 32-bit setup on 32-bit servers and the 64-bit setup o [Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md b/mdop/mbam-v2/how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md index a38d2c459c..f338e9a016 100644 --- a/mdop/mbam-v2/how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md +++ b/mdop/mbam-v2/how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md 
@@ -24,7 +24,7 @@ To exempt users from BitLocker protection, an organization will have to create a **Note**   If the computer is already BitLocker-protected, the user exemption policy has no effect. -  + The following table shows how BitLocker protection is applied based on how exemptions are set. @@ -55,7 +55,7 @@ The following table shows how BitLocker protection is applied based on how exemp -  + **To exempt a user from BitLocker encryption** @@ -68,7 +68,7 @@ The following table shows how BitLocker protection is applied based on how exemp **Important**   Shared computer scenarios require special consideration when using user exemptions. If a non-exempt user logs on to a computer shared with an exempt user, the computer may be encrypted. -   + **To enable users to request an exemption from BitLocker encryption** @@ -79,7 +79,7 @@ The following table shows how BitLocker protection is applied based on how exemp **Note**   Selecting **Request Exemption** postpones the BitLocker protection until the maximum time that is set in the User Exemption Policy. -   + 3. If users select **Request Exemption**, they receive a notification telling them to contact your organization’s BitLocker administration group. Depending on how the Configure User Exemption Policy is configured, users are provided with one or more of the following contact methods: @@ -94,16 +94,16 @@ The following table shows how BitLocker protection is applied based on how exemp **Note**   Once a user submits an exemption request, the MBAM agent reports the user as “temporarily exempt” and then waits a configurable number of days before it checks the computer’s compliance again. If the MBAM administrator rejects the exemption request, the exemption request option is deactivated, which prevents the user from being able to request the exemption again. -   + ## Related topics [Administering MBAM 2.0 Features](administering-mbam-20-features-mbam-2.md) -  + -  + 
diff --git a/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md b/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md index fd175b7f06..46aeb38af7 100644 --- a/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md +++ b/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md @@ -56,10 +56,10 @@ To move the Recovery Database from one computer to another (for example, from Se `PS C:\> Stop-Website “Microsoft BitLocker Administration and Monitoring”` - **Note**   + **Note** To run this PowerShell command line, the IIS Module for PowerShell must be added to current instance of PowerShell. In addition, you must update the PowerShell execution policy to enable execution of scripts. -   + **Run MBAM Setup on Server B** @@ -69,7 +69,7 @@ To move the Recovery Database from one computer to another (for example, from Se `PS C:\> MbamSetup.exe /qn I_ACCEPT_ENDUSER_LICENSE_AGREEMENT=1 AddLocal=KeyDatabase ADMINANDMON_MACHINENAMES=$DOMAIN$\$SERVERNAME$$ RECOVERYANDHWDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ TOPOLOGY=$X$` - **Note**   + **Note** Replace the following values in the example above with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the name of the server and instance to which the Recovery Database will be moved. @@ -78,7 +78,7 @@ To move the Recovery Database from one computer to another (for example, from Se - $X$ - Enter **0** if you are installing the MBAM Stand-alone topology, or **1** if you are installing the MBAM Configuration Manager topology. -   + **Back Up the Recovery Database on Server A** 
@@ -132,23 +132,23 @@ To move the Recovery Database from one computer to another (for example, from Se `GO` - **Note**   + **Note** Replace the following values in the example above with those that match your environment: - $PASSWORD$ - Enter a password that you will use to encrypt the Private Key file. -   + 3. Run the SQL File by using SQL Server PowerShell and a command line that is similar to the following: `PS C:\> Invoke-Sqlcmd -InputFile 'Z:\BackupMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$` - **Note**   + **Note** Replace the following values in the example above with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the name of the server and instance from which the Recovery Database will be backed up. -   + **Move the Recovery Database and Certificate from Server A to Server B** @@ -164,14 +164,14 @@ To move the Recovery Database from one computer to another (for example, from Se `PS C:\> Copy-Item “Z:\SQLServerInstanceCertificateFilePrivateKey” \\$SERVERNAME$\$DESTINATIONSHARE$` - **Note**   + **Note** Replace the following value in the example above with those that match your environment: - $SERVERNAME$ - Enter the name of the server to which the files will be copied. - $DESTINATIONSHARE$ - Enter the name of the share and path to which the files will be copied. -   + **Restore the Recovery Database on Server B** 
@@ -221,23 +221,23 @@ To move the Recovery Database from one computer to another (for example, from Se ` WITH REPLACE` - **Note**   + **Note** Replace the following values in the example above with those that match your environment: - $PASSWORD$ - Enter a password that you used to encrypt the Private Key file. -   + 5. You can use Windows PowerShell to enter a command line that is similar to the following: `PS C:\> Invoke-Sqlcmd -InputFile 'Z:\RestoreMBAMRecoveryandHardwarDatabaseScript.sql' -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$` - **Note**   + **Note** Replace the following value in the example above with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the name of the server and instance to which the Recovery Database will be restored. -   + **Configure Access to the Recovery Database on Server B** 
@@ -249,45 +249,47 @@ To move the Recovery Database from one computer to another (for example, from Se `PS C:\> net localgroup "MBAM Recovery and Hardware DB Access" $DOMAIN$\$SERVERNAME$$ /add` - **Note**   + **Note** Replace the following values in the example above with the applicable values for your environment: - $DOMAIN$\\$SERVERNAME$$ - Enter the domain and machine name of the MBAM Administration and Monitoring Server. The server name must be followed by a $, as shown in the example (for example, MyDomain\\MyServerName1$). -   - This command line must be run for each Administration and Monitoring Server that will be accessing the database in your environment. + +~~~ +This command line must be run for each Administration and Monitoring Server that will be accessing the database in your environment. +~~~ **Update the Recovery Database Connection Data on the MBAM Administration and Monitoring Servers** -1. On each of the servers running the MBAM Administration and Monitoring feature, use the Internet Information Services (IIS) Manager console to update the Connection String information for the following applications, which are hosted in the Administration and Monitoring website: +1. On each of the servers running the MBAM Administration and Monitoring feature, use the Internet Information Services (IIS) Manager console to update the Connection String information for the following applications, which are hosted in the Administration and Monitoring website: - - MBAMAdministrationService + - MBAMAdministrationService - - MBAMRecoveryAndHardwareService + - MBAMRecoveryAndHardwareService -2. Select each application and use the **Configuration Editor** feature, which is located under the **Management** section of the **Feature View**. +2. Select each application and use the **Configuration Editor** feature, which is located under the **Management** section of the **Feature View**. -3. Select the **configurationStrings** option from the **Section list** control. +3. 
Select the **configurationStrings** option from the **Section list** control. -4. Select the row named **(Collection)** and open the **Collection Editor** by selecting the button on the right side of the row. +4. Select the row named **(Collection)** and open the **Collection Editor** by selecting the button on the right side of the row. -5. In the **Collection Editor**, select the row named **KeyRecoveryConnectionString** when updating the configuration for the MBAMAdministrationService application or the row named **Microsoft.Mbam.RecoveryAndHardwareDataStore.**ConnectionString when updating the configuration for the MBAMRecoveryAndHardwareService. +5. In the **Collection Editor**, select the row named **KeyRecoveryConnectionString** when updating the configuration for the MBAMAdministrationService application or the row named Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString when updating the configuration for the MBAMRecoveryAndHardwareService. -6. Update the **Data Source=** value for the **configurationStrings** property to list the server name and instance (for example, $SERVERNAME$\\$SQLINSTANCENAME$) where the Recovery Database was moved to. +6. Update the **Data Source=** value for the **configurationStrings** property to list the server name and instance (for example, $SERVERNAME$\\$SQLINSTANCENAME$) where the Recovery Database was moved to. -7. To automate this procedure, you can use Windows to enter a command line, that is similar to the following, on each Administration and Monitoring Server: +7. 
To automate this procedure, you can use Windows to enter a command line, that is similar to the following, on each Administration and Monitoring Server: - `PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;”` + `PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMAdministrationService" -Name "connectionString" -Value “Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;”` - `PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;"` + `PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and Hardware;Integrated Security=SSPI;"` - **Note**   - Replace the following value in the example above with those that match your environment: + **Note** + Replace the following value in the example above with those that match your environment: + + - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance where the Recovery Database is. 
- - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance where the Recovery Database is. -   **Resume all Instances of the MBAM Administration and Monitoring Website** @@ -328,10 +330,10 @@ If you want to move the MBAM Compliance and Audit Database from one computer to `PS C:\> Stop-s “Microsoft BitLocker Administration and Monitoring”` - **Note**   + **Note** To run this command line, you must add the IIS Module for PowerShell to the current instance of PowerShell. In addition, you must update the PowerShell execution policy to enable scripts to be run. -   + **Run MBAM Setup on Server B** @@ -341,7 +343,7 @@ If you want to move the MBAM Compliance and Audit Database from one computer to `PS C:\> MbamSetup.exe /qn I_ACCEPT_ENDUSER_LICENSE_AGREEMENT=1 AddLocal= ReportsDatabase ADMINANDMON_MACHINENAMES=$DOMAIN$\$SERVERNAME$ COMPLIDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ REPORTS_USERACCOUNT=$DOMAIN$\$USERNAME$ TOPOLOGY=$X$` - **Note**   + **Note** Note: Replace the following values in the example above with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance where the Compliance and Audit Database will be moved to. @@ -352,7 +354,7 @@ If you want to move the MBAM Compliance and Audit Database from one computer to - $X$ - Enter **0** if you are installing the MBAM Stand-alone topology, or **1** if you are installing the MBAM Configuration Manager topology. -   + **Back Up the Compliance and Audit Database on Server A** 
@@ -394,12 +396,12 @@ If you want to move the MBAM Compliance and Audit Database from one computer to `PS C:\> Invoke-Sqlcmd -InputFile "Z:\BackupMBAMComplianceStatusDatabaseScript.sql" –ServerInstance $SERVERNAME$\$SQLINSTANCENAME$` - **Note**   + **Note** Replace the following value in the example above with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance where the Compliance and Audit database will be backed up from. -   + **Move the Compliance and Audit Database from Server A to B** @@ -411,14 +413,14 @@ If you want to move the MBAM Compliance and Audit Database from one computer to `PS C:\> Copy-Item “Z:\MBAM Compliance Status Database Data.bak” \\$SERVERNAME$\$DESTINATIONSHARE$` - **Note**   + **Note** Replace the following values in the example above with those that match your environment: - $SERVERNAME$ - Enter the server name where the files will be copied to. - $DESTINATIONSHARE$ - Enter the name of share and path where the files will be copied to. -   + **Restore the Compliance and Audit Database on Server B** @@ -446,12 +448,12 @@ If you want to move the MBAM Compliance and Audit Database from one computer to `PS C:\> Invoke-Sqlcmd -InputFile "Z:\RestoreMBAMComplianceStatusDatabaseScript.sql" -ServerInstance $SERVERNAME$\$SQLINSTANCENAME$` - **Note**   + **Note** Replace the following value in the example above with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance where the Compliance and Audit Database will be restored to. -   + **Configure Access to the Compliance and Audit Database on Server B** 
@@ -465,16 +467,18 @@ If you want to move the MBAM Compliance and Audit Database from one computer to `PS C:\> net localgroup "MBAM Compliance Auditing DB Access" $DOMAIN$\$REPORTSUSERNAME$ /add` - **Note**   + **Note** Replace the following values in the example above with the applicable values for your environment: - $DOMAIN$\\$SERVERNAME$$ - Enter the domain and machine name of the MBAM Administration and Monitoring Server. The server name must be followed by a “$” as shown in the example. (for example, MyDomain\\MyServerName1$) - $DOMAIN$\\$REPORTSUSERNAME$ - Enter the user account name that was used to configure the data source for the Compliance and Audit Reports. -   - The command line for adding the servers to the MBAM Compliance and Audit Database access local group must be run for each Administration and Monitoring Server that will be accessing the database in your environment. + +~~~ +The command line for adding the servers to the MBAM Compliance and Audit Database access local group must be run for each Administration and Monitoring Server that will be accessing the database in your environment. +~~~ **Update the Database Connection Data on MBAM Administration and Monitoring Servers** 
@@ -500,12 +504,12 @@ If you want to move the MBAM Compliance and Audit Database from one computer to `PS C:\> Set-WebConfigurationProperty '/connectionStrings/add[@name="Microsoft.Windows.Mdop.BitLockerManagement.StatusReportDataStore.ConnectionString"]' -PSPath "IIS:\sites\Microsoft Bitlocker Administration and Monitoring\MBAMComplianceStatusService" -Name "connectionString" -Value "Data Source=$SERVERNAME$\$SQLINSTANCENAME;Initial Catalog=MBAM Compliance Status;Integrated Security=SSPI;"` - **Note**   + **Note** Replace the following values in the example above with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance where the Recovery Database is located. -   + **Resume All Instances of the MBAM Administration and Monitoring Website** @@ -538,7 +542,7 @@ If you want to move the MBAM Compliance and Audit Reports from one computer to a `PS C:\> MbamSetup.exe /qn I_ACCEPT_ENDUSER_LICENSE_AGREEMENT=1 AddLocal=Reports COMPLIDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ REPORTS_USERACCOUNTPW=$PASSWORD$ TOPOLOGY=$X$` - **Note**   + **Note** Replace the following values in the example above with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - Enter the server name and instance where the Compliance and Audit Database is located. @@ -549,7 +553,7 @@ If you want to move the MBAM Compliance and Audit Reports from one computer to a - $X$ - Enter **0** if you are installing the MBAM Stand-alone topology, or **1** if you are installing the MBAM Configuration Manager topology. -   + **Configure Access to the Compliance and Audit Reports on Server B** 
@@ -559,14 +563,16 @@ If you want to move the MBAM Compliance and Audit Reports from one computer to a `PS C:\> net localgroup "MBAM Report Users" $DOMAIN$\$REPORTSUSERNAME$ /add` - **Note**   + **Note** Replace the following values in the example above with the applicable values for your environment: - $DOMAIN$\\$REPORTSUSERNAME$ - Enter the user account name that was used to configure the data source for the Compliance and Audit reports. -   - The command line for adding the users to the MBAM Report Users local group must be run for each user that will be accessing the reports in your environment. + +~~~ +The command line for adding the users to the MBAM Report Users local group must be run for each user that will be accessing the reports in your environment. +~~~ **Stop All Instances of the MBAM Administration and Monitoring Website** 
@@ -578,30 +584,30 @@ If you want to move the MBAM Compliance and Audit Reports from one computer to a **Update the Database Connection Data on the MBAM Administration and Monitoring Servers** -1. On each server that is running the MBAM Administration and Monitoring Server feature, use the Internet Information Services (IIS) Manager console to update the Compliance and Audit Reports URL. +1. On each server that is running the MBAM Administration and Monitoring Server feature, use the Internet Information Services (IIS) Manager console to update the Compliance and Audit Reports URL. -2. Select the **Microsoft BitLocker Administration and Monitoring** website, and use the **Configuration Editor** feature that is location under the **Management** section of the **Feature View**. +2. Select the **Microsoft BitLocker Administration and Monitoring** website, and use the **Configuration Editor** feature that is location under the **Management** section of the **Feature View**. -3. Select the **appSettings** option from the **Section list** control. +3. Select the **appSettings** option from the **Section list** control. -4. Select the row named **(Collection)** and open the **Collection Editor** by selecting the button on the right side of the row. +4. Select the row named **(Collection)** and open the **Collection Editor** by selecting the button on the right side of the row. -5. In the **Collection Editor**, select the row named **Microsoft.Mbam.Reports.Url**. +5. In the **Collection Editor**, select the row named **Microsoft.Mbam.Reports.Url**. -6. Update the value for **Microsoft.Mbam.Reports.Url** to reflect the server name for Server B. If the Compliance and Audit Reports feature was installed on a named SQL Reporting Services instance, be sure to add or update the name of the instance to the URL (for example, http://$SERVERNAME$/ReportServer\_$SQLSRSINSTANCENAME$/Pages....) +6. 
Update the value for **Microsoft.Mbam.Reports.Url** to reflect the server name for Server B. If the Compliance and Audit Reports feature was installed on a named SQL Reporting Services instance, be sure to add or update the name of the instance to the URL (for example, http://$SERVERNAME$/ReportServer\_$SQLSRSINSTANCENAME$/Pages....) -7. To automate this procedure, you can use Windows PowerShell to enter a command line on each Administration and Monitoring Server that is similar to the following: +7. To automate this procedure, you can use Windows PowerShell to enter a command line on each Administration and Monitoring Server that is similar to the following: - `PS C:\> Set-WebConfigurationProperty '/appSettings/add[@key="Microsoft.Mbam.Reports.Url"]' -PSPath "IIS:\ \sites\Microsoft Bitlocker Administration and Monitoring\HelpDesk" -Name "Value" -Value “http://$SERVERNAME$/ReportServer_$SRSINSTANCENAME$/Pages/ReportViewer.aspx?/ Microsoft+BitLocker+Administration+and+Monitoring/”` + `PS C:\> Set-WebConfigurationProperty '/appSettings/add[@key="Microsoft.Mbam.Reports.Url"]' -PSPath "IIS:\ \sites\Microsoft Bitlocker Administration and Monitoring\HelpDesk" -Name "Value" -Value “http://$SERVERNAME$/ReportServer_$SRSINSTANCENAME$/Pages/ReportViewer.aspx?/ Microsoft+BitLocker+Administration+and+Monitoring/”` - **Note**   - Replace the following values in the example above with those that match your environment: + **Note** + Replace the following values in the example above with those that match your environment: - - $SERVERNAME$ - Enter the name of the server name to which the Compliance and Audit Reports were installed. + - $SERVERNAME$ - Enter the name of the server name to which the Compliance and Audit Reports were installed. + + - $SRSINSTANCENAME$ - Enter the name of the SQL Reporting Services instance to which the Compliance and Audit Reports were installed. 
- - $SRSINSTANCENAME$ - Enter the name of the SQL Reporting Services instance to which the Compliance and Audit Reports were installed. -   **Resume All Instances of the MBAM Administration and Monitoring Website** @@ -611,10 +617,10 @@ If you want to move the MBAM Compliance and Audit Reports from one computer to a `PS C:\> Start-Website “Microsoft BitLocker Administration and Monitoring”` - **Note**   + **Note** To run this command line, you must add the IIS Module for PowerShell to current instance of PowerShell. In addition, you must update the PowerShell execution policy to enable scripts to be run. -   + ## Moving the Administration and Monitoring Feature @@ -633,7 +639,7 @@ If you want to move the MBAM Administration and Monitoring Reports feature from `PS C:\> MbamSetup.exe /qn I_ACCEPT_ENDUSER_LICENSE_AGREEMENT=1 AddLocal=AdministrationMonitoringServer, COMPLIDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ RECOVERYANDHWDB_SQLINSTANCE=$SERVERNAME$\$SQLINSTANCENAME$ SRS_REPORTSITEURL=$REPORTSSERVERURL$ TOPOLOGY=$X$` - **Note**   + **Note** Replace the following values in the example above with those that match your environment: - $SERVERNAME$\\$SQLINSTANCENAME$ - For the COMPLIDB\_SQLINSTANCE parameter, enter the server name and instance where the Compliance and Audit Database is located. For the RECOVERYANDHWDB\_SQLINSTANCE parameter, enter the server name and instance where the Recovery Database is located. @@ -644,7 +650,7 @@ If you want to move the MBAM Administration and Monitoring Reports feature from - $X$ - Enter **0** if you are installing the MBAM Stand-alone topology, or **1** if you are installing the MBAM Configuration Manager topology. -   + **Configure Access to the Databases** 
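Review bot: the `+2.` line in the @@ -578 hunk keeps the typo "that is location under the **Management** section"; since the line is being touched anyway, change it to "that is located under". In the same hunk the `Set-WebConfigurationProperty` example still carries a space inside the provider path (`"IIS:\ \sites\..."`) and inside the URL (`ReportViewer.aspx?/ Microsoft+BitLocker+...`); both break the command when pasted, so drop the stray spaces (`IIS:\Sites\...`, `ReportViewer.aspx?/Microsoft+BitLocker+...`).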
@@ -658,25 +664,27 @@ If you want to move the MBAM Administration and Monitoring Reports feature from `PS C:\> net localgroup "MBAM Recovery and Hardware DB Access" $DOMAIN$\$SERVERNAME$$ /add` - **Note**   + **Note** Replace the following value in the example above with the applicable values for your environment: - $DOMAIN$\\$SERVERNAME$$ - Enter the domain and machine name of the Administration and Monitoring Server. The server name must be followed by a “$” symbol, as shown in the example (for example, MyDomain\\MyServerName1$). - $DOMAIN$\\$REPORTSUSERNAME$ - Enter the user account name that was used to configure the data source for the Compliance and Audit Reports. -   - The command lines that are listed for adding server computer accounts to the MBAM local groups must be run for each Administration and Monitoring Server that will be accessing the databases in your environment. + +~~~ +The command lines that are listed for adding server computer accounts to the MBAM local groups must be run for each Administration and Monitoring Server that will be accessing the databases in your environment. +~~~ ## Related topics [Maintaining MBAM 2.0](maintaining-mbam-20-mbam-2.md) -  - -  + + + diff --git a/mdop/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2.md b/mdop/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2.md index 370270774b..dd4da603f5 100644 --- a/mdop/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2.md +++ b/mdop/mbam-v2/how-to-recover-a-corrupted-drive-mbam-2.md @@ -22,7 +22,7 @@ To recover a corrupted drive protected by BitLocker, a Microsoft BitLocker Admin **Important**   To avoid a potential loss of data, it is strongly recommended that you read the “repair-bde” help and clearly understand how to use the command before completing the following instructions. -  + **To recover a corrupted drive** 
@@ -33,7 +33,7 @@ To avoid a potential loss of data, it is strongly recommended that you read the **Note**   If you are a member of the Help Desk Administrators role, you do not have to enter the user’s domain name or user name. -   + 3. Click **Submit**. The recovery key will be displayed. @@ -50,16 +50,16 @@ To avoid a potential loss of data, it is strongly recommended that you read the **Note**   Replace <fixed drive> with an available hard disk drive that has free space equal to or larger than the data on the corrupted drive. Data on the corrupted drive is recovered and moved to the specified hard disk drive. -   + ## Related topics [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/how-to-recover-a-drive-in-recovery-mode-mbam-2.md b/mdop/mbam-v2/how-to-recover-a-drive-in-recovery-mode-mbam-2.md index c9a8cc7739..433c97297f 100644 --- a/mdop/mbam-v2/how-to-recover-a-drive-in-recovery-mode-mbam-2.md +++ b/mdop/mbam-v2/how-to-recover-a-drive-in-recovery-mode-mbam-2.md @@ -21,10 +21,10 @@ The encrypted drive recovery features of Microsoft BitLocker Administration and Use this procedure to access the centralized key recovery data system, which can provide a recovery password if a recovery password ID and associated user identifier are supplied. -**Important**   +**Important** Microsoft BitLocker Administration and Monitoring uses single-use recovery keys that expire upon use. The single use of a recovery password is automatically applied to operating system drives and fixed drives. On removable drives, it is applied when the drive is removed and then re-inserted and unlocked on a computer that has Group Policy settings activated to manage removable drives. -  + **To recover a drive in recovery mode** 
@@ -36,38 +36,40 @@ Microsoft BitLocker Administration and Monitoring uses single-use recovery keys 4. Select one of the predefined options from the **Reason for Drive Unlock** list, and then click **Submit**. - **Note**   + **Note** If you are an MBAM Advanced Helpdesk user, the user domain and user ID entries are not required. -   - MBAM returns the following: - - An error message if no matching recovery password is found +~~~ +MBAM returns the following: - - Multiple possible matches if the user has multiple matching recovery passwords +- An error message if no matching recovery password is found - - The recovery password and recovery package for the submitted user +- Multiple possible matches if the user has multiple matching recovery passwords - **Note**   - If you are recovering a damaged drive, the recovery package option provides BitLocker with critical information that it needs to recover the drive. +- The recovery password and recovery package for the submitted user -   + **Note** + If you are recovering a damaged drive, the recovery package option provides BitLocker with critical information that it needs to recover the drive. - After the recovery password and recovery package are retrieved, the recovery password is displayed. -5. To copy the password, click **Copy Key**, and then paste the recovery password into an email message. Alternatively, click **Save** to save the recovery password to a file. - When the user types the recovery password into the system or uses the recovery package, the drive is unlocked. +After the recovery password and recovery package are retrieved, the recovery password is displayed. +~~~ + +5. To copy the password, click **Copy Key**, and then paste the recovery password into an email message. Alternatively, click **Save** to save the recovery password to a file. + + When the user types the recovery password into the system or uses the recovery package, the drive is unlocked. 
## Related topics [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md) -  - -  + + + diff --git a/mdop/mbam-v2/how-to-recover-a-moved-drive-mbam-2.md b/mdop/mbam-v2/how-to-recover-a-moved-drive-mbam-2.md index 951c908edb..c562f3e90c 100644 --- a/mdop/mbam-v2/how-to-recover-a-moved-drive-mbam-2.md +++ b/mdop/mbam-v2/how-to-recover-a-moved-drive-mbam-2.md @@ -28,7 +28,7 @@ When you move an operating system drive that is encrypted by using Microsoft Bit **Note**   In some cases, you may be able to click **I forgot the PIN** during the startup process, and then enter the recovery mode to display the recovery key ID. -   + 3. Use the recovery key ID to retrieve the recovery password and unlock the drive from the Administration and Monitoring website. @@ -41,9 +41,9 @@ When you move an operating system drive that is encrypted by using Microsoft Bit [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/how-to-reset-a-tpm-lockout-mbam-2.md b/mdop/mbam-v2/how-to-reset-a-tpm-lockout-mbam-2.md index 1595ce6c1d..9736d6ac88 100644 --- a/mdop/mbam-v2/how-to-reset-a-tpm-lockout-mbam-2.md +++ b/mdop/mbam-v2/how-to-reset-a-tpm-lockout-mbam-2.md 
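Review bot: the new `~~~` block in the @@ -36 hunk of how-to-recover-a-drive-in-recovery-mode swallows the "MBAM returns the following" bullet list, the **Note** about the recovery package, and the "After the recovery password and recovery package are retrieved" paragraph into one code block, so the bullets and the Note label render as literal text rather than as a list and a note. Keep that content as indented paragraphs and bullets under step 4. The same fix applies to the `~~~` block around "After the TPM owner password is retrieved, the owner password is displayed." in the how-to-reset-a-tpm-lockout hunk.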
@@ -39,30 +39,32 @@ You can reset a TPM lockout only if MBAM owns the TPM. - The TPM owner password file for the submitted computer - **Note**   + **Note** If you are an Advanced Helpdesk user, the user domain and user ID fields are not required. -   - After the TPM owner password is retrieved, the owner password is displayed. -5. To save the password to a .tpm file, click the **Save** button. +~~~ +After the TPM owner password is retrieved, the owner password is displayed. +~~~ - The user will run the TPM management console, select the **Reset TPM lockout** option, and provide the TPM owner password file to reset the TPM lockout. +5. To save the password to a .tpm file, click the **Save** button. + + The user will run the TPM management console, select the **Reset TPM lockout** option, and provide the TPM owner password file to reset the TPM lockout. + + **Important** + Help Desk administrators should not give the TPM hash value or TPM owner password file to end users. The TPM information does not change, so it could pose a security risk if the file is given to end users. - **Important**   - Help Desk administrators should not give the TPM hash value or TPM owner password file to end users. The TPM information does not change, so it could pose a security risk if the file is given to end users. -   ## Related topics [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md) -  - -  + + + diff --git a/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-server.md b/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-server.md index 337692a455..e9c34d8cd9 100644 --- a/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-server.md +++ b/mdop/mbam-v2/how-to-use-a-command-line-to-install-the-mbam-server.md @@ -91,7 +91,7 @@ The following table describes the command line parameters for deploying the MBAM

          REPORTS_USERACCOUNT

          -

          [UserDomain]\[UserName1]

          +

          [UserDomain][UserName1]

          Domain and user account of the Reporting Services service account that will access the Compliance and Audit database
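Review bot: the `+` line changes the REPORTS_USERACCOUNT example value from `[UserDomain]\[UserName1]` to `[UserDomain][UserName1]`, dropping the backslash that separates the domain from the user name. The value sits in an HTML table cell, where no markdown escaping is needed, so the backslash should stay. The same change is repeated in the @@ -181 hunk for the Configuration Manager topology table.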

          @@ -127,7 +127,7 @@ The following table describes the command line parameters for deploying the MBAM -  + ## Command Line for Deploying the MBAM 2.0 Server with the Configuration Manager Topology @@ -181,7 +181,7 @@ The following table describes the command line parameters for installing the MBA

          REPORTS_USERACCOUNT

          -

          [UserDomain]\[UserName1]

          +

          [UserDomain][UserName1]

          Domain and user account of the Reporting Services service account that will access the Compliance and Audit database

          @@ -202,16 +202,16 @@ The following table describes the command line parameters for installing the MBA -  + ## Related topics [Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/how-to-use-the-help-desk-portal.md b/mdop/mbam-v2/how-to-use-the-help-desk-portal.md index 694173f657..285a8e790c 100644 --- a/mdop/mbam-v2/how-to-use-the-help-desk-portal.md +++ b/mdop/mbam-v2/how-to-use-the-help-desk-portal.md @@ -60,7 +60,7 @@ You can use the Administration and Monitoring website for many administrative ta **Note**   To access the various features offered by the Administration and Monitoring website, you must have the appropriate roles associated with your user account. For more information about understanding user roles, see [How to Manage MBAM Administrator Roles](how-to-manage-mbam-administrator-roles-mbam-2.md). -  + Use the following links to find information about the tasks that you can perform by using the Administration and Monitoring website: @@ -74,9 +74,9 @@ Use the following links to find information about the tasks that you can perform - [How to Determine BitLocker Encryption State of Lost Computers](how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/how-to-use-the-self-service-portal-to-regain-access-to-a-computer.md b/mdop/mbam-v2/how-to-use-the-self-service-portal-to-regain-access-to-a-computer.md index 6d68b544c4..298322fa61 100644 --- a/mdop/mbam-v2/how-to-use-the-self-service-portal-to-regain-access-to-a-computer.md +++ b/mdop/mbam-v2/how-to-use-the-self-service-portal-to-regain-access-to-a-computer.md 
@@ -22,12 +22,12 @@ If end users get locked out of Windows by BitLocker because they forgot their pa **Note**   If the IT administrator configured an IIS Session State time-out, a message is displayed 60 seconds prior to the time-out. -  + **Note**   These instructions are written for and from the perspective of end users. -  + **To use the Self-Service Portal to regain access to a computer** @@ -36,7 +36,7 @@ These instructions are written for and from the perspective of end users. **Note**   If the first eight digits match multiple keys, a message displays that requires you to enter all 32 digits of the recovery key ID. -   + 2. In the **Reason** field, select a reason for your request for the recovery key. @@ -49,9 +49,9 @@ These instructions are written for and from the perspective of end users. [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md b/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md index 8f7656f687..06bda1be6f 100644 --- a/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md +++ b/mdop/mbam-v2/how-to-validate-the-mbam-installation-with-configuration-manager.md @@ -26,7 +26,7 @@ After installing Microsoft BitLocker Administration and Monitoring (MBAM) with C **Note**   To validate the installation, you must use a domain account that has local computer administrative credentials on each server. -   + 2. Use the Configuration Manager console to confirm that a new collection, called “MBAM Supported Computers,” is displayed. @@ -69,9 +69,9 @@ After installing Microsoft BitLocker Administration and Monitoring (MBAM) with C [Deploying MBAM with Configuration Manager](deploying-mbam-with-configuration-manager-mbam2.md) -  + -  + 
diff --git a/mdop/mbam-v2/mbam-20-deployment-checklist-mbam-2.md b/mdop/mbam-v2/mbam-20-deployment-checklist-mbam-2.md index eb078a1757..a4c029a574 100644 --- a/mdop/mbam-v2/mbam-20-deployment-checklist-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-deployment-checklist-mbam-2.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 This checklist can be used to help you during Microsoft BitLocker Administration and Monitoring (MBAM) deployment with a Stand-alone topology. -**Note**   +**Note** This checklist outlines the recommended steps and a high-level list of items to consider when deploying Microsoft BitLocker Administration and Monitoring features. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -43,13 +43,13 @@ This checklist outlines the recommended steps and a high-level list of items to - + - + @@ -64,46 +64,45 @@ This checklist outlines the recommended steps and a high-level list of items to
        • MBAM Group Policy template

        • -Note   -

          Keep track of the names of the servers each feature is installed on. This information will be used throughout the installation process.

          +Note

          Keep track of the names of the servers each feature is installed on. This information will be used throughout the installation process.

          -  +
          - + - - + + - + - +
          Checklist box

          Complete the planning phase to prepare the computing environment for MBAM deployment.

          [MBAM 2.0 Planning Checklist](mbam-20-planning-checklist-mbam-2.md)

          MBAM 2.0 Planning Checklist

          Checklist box

          Review the MBAM supported configurations information to make sure selected client and server computers are supported for MBAM feature installation.

          [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md)

          MBAM 2.0 Supported Configurations

          [Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md)

          Deploying the MBAM 2.0 Server Infrastructure

          Checklist box

          Add Active Directory Domain Services security groups created during the planning phase to the appropriate local MBAM Server feature administrators groups on appropriate servers.

          [Planning for MBAM 2.0 Administrator Roles](planning-for-mbam-20-administrator-roles-mbam-2.md) and [How to Manage MBAM Administrator Roles](how-to-manage-mbam-administrator-roles-mbam-2.md)

          Add Active Directory Domain Services security groups created during the planning phase to the appropriate local MBAM Server feature administrators groups on appropriate servers.

          Planning for MBAM 2.0 Administrator Roles and How to Manage MBAM Administrator Roles

          Checklist box

          Create and deploy required MBAM Group Policy Objects.

          [Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md)

          Deploying MBAM 2.0 Group Policy Objects

          Checklist box

          Deploy the MBAM Client software.

          [Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md)

          Deploying the MBAM 2.0 Client

          -  + ## Related topics [Deploying MBAM 2.0](deploying-mbam-20-mbam-2.md) -  - -  + + + diff --git a/mdop/mbam-v2/mbam-20-deployment-prerequisites-mbam-2.md b/mdop/mbam-v2/mbam-20-deployment-prerequisites-mbam-2.md index 0e457777cb..2dab81a1ef 100644 --- a/mdop/mbam-v2/mbam-20-deployment-prerequisites-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-deployment-prerequisites-mbam-2.md @@ -91,12 +91,12 @@ Each of the MBAM Server features has specific prerequisites that must be met bef -  -**Note**   + +**Note** For a list of supported operating systems, see [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md). -  + ### Prerequisites for the Compliance and Audit Reports @@ -114,7 +114,7 @@ For a list of supported operating systems, see [MBAM 2.0 Supported Configuration

          Supported version of SQL Server

          -

          See [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md) for supported versions.

          +

          See MBAM 2.0 Supported Configurations for supported versions.

          Install SQL Server with:

          • SQL_Latin1_General_CP1_CI_AS collation

          • @@ -136,7 +136,7 @@ For a list of supported operating systems, see [MBAM 2.0 Supported Configuration -  + ### Prerequisites for the Recovery Database @@ -154,7 +154,7 @@ For a list of supported operating systems, see [MBAM 2.0 Supported Configuration

            Supported version of SQL Server

            -

            See [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md) for supported versions.

            +

            See MBAM 2.0 Supported Configurations for supported versions.

            Install SQL Server with:

            • SQL_Latin1_General_CP1_CI_AS collation

            • @@ -179,20 +179,19 @@ For a list of supported operating systems, see [MBAM 2.0 Supported Configuration

              Optional - Install Transparent Data Encryption (TDE) feature available in SQL Server

              -

              The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with many laws, regulations, and guidelines established in various industries.

              +

              The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with many laws, regulations, and guidelines established in various industries.

              -Note   -

              TDE performs real-time decryption of database information, which means that, if the account under which you are logged on has permissions to the database while you are viewing the recovery key information in the SQL Server tables, the recovery key information is visible.

              +Note

              TDE performs real-time decryption of database information, which means that, if the account under which you are logged on has permissions to the database while you are viewing the recovery key information in the SQL Server tables, the recovery key information is visible.

              -  +
              -

              More about TDE: [MBAM 2.0 Security Considerations](mbam-20-security-considerations-mbam-2.md).

              +

              More about TDE: MBAM 2.0 Security Considerations.

              -  + ### Prerequisites for the Compliance and Audit Database @@ -210,7 +209,7 @@ For a list of supported operating systems, see [MBAM 2.0 Supported Configuration

              Supported version of SQL Server

              -

              See [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md) for supported versions.

              +

              See MBAM 2.0 Supported Configurations for supported versions.

              Install SQL Server with:

              • SQL_Latin1_General_CP1_CI_AS collation

              • @@ -235,15 +234,14 @@ For a list of supported operating systems, see [MBAM 2.0 Supported Configuration

                Optional - Install Transparent Data Encryption (TDE) feature in SQL Server.

                -

                The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with many laws, regulations, and guidelines established in various industries.

                +

                The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with many laws, regulations, and guidelines established in various industries.

                -Note   -

                TDE performs real-time decryption of database information, which means that, if the account under which you are logged on has permissions to the database while you are viewing the recovery key information in the SQL Server tables, the recovery key information is visible.

                +Note

                TDE performs real-time decryption of database information, which means that, if the account under which you are logged on has permissions to the database while you are viewing the recovery key information in the SQL Server tables, the recovery key information is visible.

                -  +
                -

                More about TDE: [MBAM 2.0 Security Considerations](mbam-20-security-considerations-mbam-2.md)

                +

                More about TDE: MBAM 2.0 Security Considerations

                SQL Server must have Database Engine Services installed and running during MBAM Server installation.

                @@ -256,7 +254,7 @@ For a list of supported operating systems, see [MBAM 2.0 Supported Configuration -  + ### Prerequisites for the Self-Service Portal @@ -274,12 +272,12 @@ For a list of supported operating systems, see [MBAM 2.0 Supported Configuration

                Supported version of Windows Server

                -

                See [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md) for supported versions.

                +

                See MBAM 2.0 Supported Configurations for supported versions.

                ASP.NET MVC 2.0

                -

                [ASP.NET MVC 2 download](https://go.microsoft.com/fwlink/?LinkId=392270)

                +

                ASP.NET MVC 2 download

                Web Service IIS Management Tools

                @@ -288,7 +286,7 @@ For a list of supported operating systems, see [MBAM 2.0 Supported Configuration -  + ## Prerequisites for MBAM Clients @@ -314,24 +312,23 @@ For a list of supported operating systems, see [MBAM 2.0 Supported Configuration

                For more information, see the BIOS documentation.

                -

                Windows 8 clients only: To have MBAM store and manage the TPM recovery keys: TPM auto-provisioning must be turned off, and MBAM must be set as the owner of the TPM before you deploy MBAM. To turn off TPM auto-provisioning, see [Disable-TpmAutoProvisioning](https://go.microsoft.com/fwlink/?LinkId=286468).

                +

                Windows 8 clients only: To have MBAM store and manage the TPM recovery keys: TPM auto-provisioning must be turned off, and MBAM must be set as the owner of the TPM before you deploy MBAM. To turn off TPM auto-provisioning, see Disable-TpmAutoProvisioning.

                • TPM auto-provisioning must be turned off.

                • MBAM must be set as the owner of the TPM before you deploy MBAM.

                -

                To turn off TPM auto-provisioning, see [Disable-TpmAutoProvisioning](https://go.microsoft.com/fwlink/?LinkId=286468).

                +

                To turn off TPM auto-provisioning, see Disable-TpmAutoProvisioning.

                -Note   -

                Ensure that the keyboard, video, or mouse are directly connected and not managed through a keyboard, video, or mouse (KVM) switch. A KVM switch can interfere with the ability of the computer to detect the physical presence of hardware.

                +Note

                Ensure that the keyboard, video, or mouse are directly connected and not managed through a keyboard, video, or mouse (KVM) switch. A KVM switch can interfere with the ability of the computer to detect the physical presence of hardware.

                -  +
                -  + ## Related topics @@ -340,9 +337,9 @@ For a list of supported operating systems, see [MBAM 2.0 Supported Configuration [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md) -  - -  + + + diff --git a/mdop/mbam-v2/mbam-20-planning-checklist-mbam-2.md b/mdop/mbam-v2/mbam-20-planning-checklist-mbam-2.md index 1a670e44b9..00ef5df75b 100644 --- a/mdop/mbam-v2/mbam-20-planning-checklist-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-planning-checklist-mbam-2.md @@ -22,7 +22,7 @@ This checklist can be used to help you plan for preparing your computing environ **Note**   This checklist outlines the recommended steps and a high-level list of items to consider when planning for an Microsoft BitLocker Administration and Monitoring deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -43,64 +43,64 @@ This checklist outlines the recommended steps and a high-level list of items to - + - + - + - + - + - + - + - +
                Checklist box

                Review the getting started information about MBAM to gain a basic understanding of the product before beginning deployment planning.

                [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md)

                Getting Started with MBAM 2.0

                Checklist box

                Plan for MBAM 2.0 Deployment Prerequisites and prepare your computing environment.

                [MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md)

                MBAM 2.0 Deployment Prerequisites

                Checklist box

                Plan for and configure MBAM Group Policy requirements.

                [Planning for MBAM 2.0 Group Policy Requirements](planning-for-mbam-20-group-policy-requirements-mbam-2.md)

                Planning for MBAM 2.0 Group Policy Requirements

                Checklist box

                Plan for and create necessary Active Directory Domain Services security groups and plan for MBAM local security group membership requirements.

                [Planning for MBAM 2.0 Administrator Roles](planning-for-mbam-20-administrator-roles-mbam-2.md)

                Planning for MBAM 2.0 Administrator Roles

                Checklist box

                Review the MBAM 2.0 Supported Configurations documentation to ensure that hardware that meets MBAM installation system requirements is available.

                [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md)

                MBAM 2.0 Supported Configurations

                Checklist box

                Plan for deploying MBAM Server feature deployment.

                [Planning for MBAM 2.0 Server Deployment](planning-for-mbam-20-server-deployment-mbam-2.md)

                Planning for MBAM 2.0 Server Deployment

                Checklist box

                Plan for deploying MBAM Client deployment.

                [Planning for MBAM 2.0 Client Deployment](planning-for-mbam-20-client-deployment-mbam-2.md)

                Planning for MBAM 2.0 Client Deployment

                Checklist box

                Validate your deployment plan in a test environment.

                [Evaluating MBAM 2.0](evaluating-mbam-20-mbam-2.md)

                Evaluating MBAM 2.0

                -  + ## Related topics [Planning for MBAM 2.0](planning-for-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/mbam-20-security-considerations-mbam-2.md b/mdop/mbam-v2/mbam-20-security-considerations-mbam-2.md index f9bdf7fc33..72c655763d 100644 --- a/mdop/mbam-v2/mbam-20-security-considerations-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-security-considerations-mbam-2.md @@ -82,7 +82,7 @@ No Active Directory groups are created automatically during the MBAM setup proce -  + ### MBAM Server Local Groups @@ -127,7 +127,7 @@ MBAM Setup creates local groups to support MBAM operations. You should add the A -  + ### SSRS Reports Service Account @@ -138,7 +138,7 @@ When you configure the SSRS Reports service account, specify a domain user accou **Note**   If you change the name of the service account after you deploy MBAM, you must reconfigure the reporting data source to use the new service account credentials. Otherwise, you will not be able to access the Help Desk Portal. -  + ## MBAM Log Files @@ -147,7 +147,7 @@ The following MBAM Setup log files are created in the installing user’s %temp% **MBAM Server Setup log files** -MSI*<five random characters>*.log +MSI<five random characters>.log Logs the actions taken during MBAM Setup and MBAM Server Feature installation. InstallComplianceDatabase.log @@ -171,11 +171,11 @@ Logs actions taken to authorize web services to the MBAM Recovery database for k **Note**   In order to obtain additional MBAM Setup log files, you have to install MBAM by using the msiexec package and the /L <location> option. Log files are created in the location specified. -  + **MBAM Client Setup log files** -MSI*<five random characters>*.log +MSI<five random characters>.log Logs the actions taken during MBAM Client installation. ## MBAM Database TDE Considerations 
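Review bot: in the @@ -147 and @@ -171 hunks, removing the asterisks from `MSI*<five random characters>*.log` leaves `<five random characters>` unescaped; markdown parses `<five random characters>` as an inline HTML tag, so the placeholder disappears from the rendered page. Escape it as `MSI\<five random characters\>.log` (restoring the italics if they were intentional). The `/L <location>` placeholder in the Note of the @@ -171 hunk has the same problem and should be escaped the same way.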
@@ -196,9 +196,9 @@ For more information about TDE in SQL Server 2008, see [SQL Server Encryption]( [Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/mbam-20-supported-configurations-mbam-2.md b/mdop/mbam-v2/mbam-20-supported-configurations-mbam-2.md index b484bc23e5..403a3d2d2a 100644 --- a/mdop/mbam-v2/mbam-20-supported-configurations-mbam-2.md +++ b/mdop/mbam-v2/mbam-20-supported-configurations-mbam-2.md @@ -26,7 +26,7 @@ The recommended configuration for running MBAM in a production environment is wi **Note**   Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + ## MBAM Server System Requirements @@ -66,12 +66,12 @@ The following table lists the operating systems that are supported for the Micro -  + **Note**   There is no support for installing MBAM services, reports, or databases on a domain controller computer. -  + ### Server Processor, RAM, and Disk Space Requirements @@ -107,7 +107,7 @@ There is no support for installing MBAM services, reports, or databases on a dom -  + ### SQL Server Database Requirements @@ -116,7 +116,7 @@ The following table lists the SQL Server versions that are supported for the Ad **Note**   MBAM does not natively support SQL clustering, mirroring, or Availability Groups. To install the databases, you must run the MBAM Server installation on a stand-alone SQL server. -  + @@ -149,7 +149,7 @@ MBAM does not natively support SQL clustering, mirroring, or Availability Groups
                -  + @@ -183,7 +183,7 @@ MBAM does not natively support SQL clustering, mirroring, or Availability Groups
                -  + ## MBAM Client System Requirements @@ -229,7 +229,7 @@ The following table lists the operating systems that are supported for Microsoft -  + ### Client RAM Requirements @@ -283,7 +283,7 @@ The following table lists the operating systems that are supported for Microsoft -  + ## Related topics @@ -292,9 +292,9 @@ The following table lists the operating systems that are supported for Microsoft [MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md index 54b3558d20..129b9e694f 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md +++ b/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md @@ -37,16 +37,16 @@ Administrators in this role have increased access to the Help Desk features from **Important**   To view reports, an administrative user must be a member of the **MBAM Report Users** security group on the Administration and Monitoring Server, Compliance and Audit Database, and on the server that hosts the Compliance and Audit Reports feature. As a best practice, create a security group in Active Directory Domain Services with rights on the local **MBAM Report Users** security group on both the Administration and Monitoring Server and the server that hosts the Compliance and Audit Reports. -  + ## Related topics [Preparing your Environment for MBAM 2.0](preparing-your-environment-for-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/planning-for-mbam-20-client-deployment-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-client-deployment-mbam-2.md index eb40181301..b2f00742d9 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-client-deployment-mbam-2.md +++ b/mdop/mbam-v2/planning-for-mbam-20-client-deployment-mbam-2.md 
@@ -26,7 +26,7 @@ If you deploy MBAM with the Configuration Manager topology, you can use Configur **Note**   Windows To Go is not supported for integrated Configuration Manager installations of MBAM if you are using Configuration Manager 2007. -  + ## Deploying the MBAM Client to Enable BitLocker Encryption After Computer Distribution to End Users @@ -38,7 +38,7 @@ When you deploy the MBAM Client after you distribute computers to client compute **Note**   In this approach, users who have computers with a TPM chip are prompted to activate and initialize the TPM chip if the chip has not been previously activated. -  + ## Using the MBAM Client to Enable BitLocker Encryption Before Computer Distribution to End Users @@ -50,7 +50,7 @@ If your organization wants to use the TPM chip to encrypt computers, the adminis **Note**   The TPM protector option requires the administrator to accept the BIOS prompt to activate and initialize the TPM before the computer is delivered to the user. -  + ## Related topics @@ -59,9 +59,9 @@ The TPM protector option requires the administrator to accept the BIOS prompt to [Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md index 4538b445d7..cb5cb89526 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md +++ b/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md 
@@ -25,10 +25,10 @@ MBAM supports the following types of BitLocker protectors for fixed data drives: The numeric password protector is applied automatically as part of volume encryption and does not need to be configured. -**Important**   +**Important** The default Windows BitLocker drive encryption Group Policy Object (GPO) settings are not used by MBAM and can cause conflicting behavior if they are enabled. To enable MBAM to manage BitLocker, you must define the MBAM Group Policy settings only after installing the MBAM Group Policy template. -  + Enhanced startup PINs can contain characters, such as uppercase and lowercase letters, and numbers. Unlike BitLocker, MBAM does not support the use of symbols and spaces for enhanced PINs. @@ -36,10 +36,10 @@ Install the MBAM Group Policy template on a computer that is capable of running The MDOP MBAM (BitLocker Management) GPO node contains four global policy settings and four child GPO settings nodes: Client Management, Fixed Drive, Operating System Drive, and Removable Drive. The following sections provide policy definitions and suggested policy settings to assist you in planning for MBAM GPO policy setting requirements. -**Note**   +**Note** For more information about configuring the minimum, recommended GPO settings to enable MBAM to manage BitLocker encryption, see [How to Edit MBAM 2.0 GPO Settings](how-to-edit-mbam-20-gpo-settings-mbam-2.md). -  + ## Global Policy Definitions @@ -86,7 +86,7 @@ This section describes MBAM Global policy definitions found at the following GPO -  + ## Client Management Policy Definitions @@ -121,14 +121,13 @@ This section describes Client Management policy definitions for Microsoft BitLoc

                Configure user exemption policy

                Suggested Configuration: Not Configured

                This policy setting lets you configure a web site address, email address, or phone number that will instruct a user to request an exemption from BitLocker encryption.

                -

                If you enable this policy setting and provide a web site address, email address, or phone number, users will see a dialog that gives them instructions on how to apply for an exemption from BitLocker protection. For more information about enabling BitLocker encryption exemptions for users, see [How to Manage User BitLocker Encryption Exemptions](how-to-manage-user-bitlocker-encryption-exemptions-mbam-2.md).

                +

                If you enable this policy setting and provide a web site address, email address, or phone number, users will see a dialog that gives them instructions on how to apply for an exemption from BitLocker protection. For more information about enabling BitLocker encryption exemptions for users, see How to Manage User BitLocker Encryption Exemptions.

                If you either disable or do not configure this policy setting, the exemption request instructions will not be presented to users.

                -Note   -

                User exemption is managed per user, not per computer. If multiple users log on to the same computer and any one user is not exempt, the computer will be encrypted.

                +Note

                User exemption is managed per user, not per computer. If multiple users log on to the same computer and any one user is not exempt, the computer will be encrypted.

                -  +
                @@ -141,7 +140,7 @@ This section describes Client Management policy definitions for Microsoft BitLoc -  + ## Fixed Drive Policy Definitions @@ -205,7 +204,7 @@ This section describes Fixed Drive policy definitions for Microsoft BitLocker Ad -  + ## Operating System Drive Policy Definitions @@ -233,7 +232,7 @@ This section describes Operating System Drive policy definitions for Microsoft B
              • Allow Standby States (S1-S3) When Sleeping (Plugged In)

              • Allow Standby States (S1-S3) When Sleeping (On Battery)

              -

              If you are running Microsoft Windows 8 or later, and you want to use BitLocker on a computer without a TPM, select the Allow BitLocker without a compatible TPM check box. In this mode, a password is required for startup. If you forget the password, you have to use one of the BitLocker recovery options to access the drive.

              +

              If you are running Microsoft Windows 8 or later, and you want to use BitLocker on a computer without a TPM, select the Allow BitLocker without a compatible TPM check box. In this mode, a password is required for startup. If you forget the password, you have to use one of the BitLocker recovery options to access the drive.

              On a computer with a compatible TPM, two types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require the entry of a personal identification number (PIN).

              If you enable this policy setting, users have to put the operating system drive under BitLocker protection, and the drive will be encrypted.

              If you disable this policy, users will not be able to put the operating system drive under BitLocker protection. If you apply this policy after the operating system drive is encrypted, the drive will be decrypted.

              @@ -255,7 +254,7 @@ This section describes Operating System Drive policy definitions for Microsoft B -  + ## Removable Drive Policy Definitions @@ -312,16 +311,16 @@ This section describes Removable Drive Policy definitions for Microsoft BitLocke -  + ## Related topics [MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md) -  - -  + + + diff --git a/mdop/mbam-v2/planning-for-mbam-20-server-deployment-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-server-deployment-mbam-2.md index e45a843ab5..65b9bccf65 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-server-deployment-mbam-2.md +++ b/mdop/mbam-v2/planning-for-mbam-20-server-deployment-mbam-2.md @@ -22,7 +22,7 @@ The Microsoft BitLocker Administration and Monitoring (MBAM) server infrastructu **Note**   Installations of Microsoft BitLocker Administration and Monitoring on a single server are recommended only for test environments. -  + ## Planning for MBAM Server Deployment @@ -69,7 +69,7 @@ To deploy MBAM features on multiple servers, you have to install the features in **Note**   Keep track of the names of the computers on which you install each feature. You have to use this information throughout the installation process. You can print and use a deployment checklist to assist in this effort. For more information about the MBAM Deployment Checklist, see [MBAM 2.0 Deployment Checklist](mbam-20-deployment-checklist-mbam-2.md). -  + ## Related topics @@ -78,9 +78,9 @@ Keep track of the names of the computers on which you install each feature. You [Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/planning-to-deploy-mbam-20-mbam-2.md b/mdop/mbam-v2/planning-to-deploy-mbam-20-mbam-2.md index cfd68be2e8..e825d97948 100644 --- a/mdop/mbam-v2/planning-to-deploy-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/planning-to-deploy-mbam-20-mbam-2.md 
@@ -34,7 +34,7 @@ The MBAM Server infrastructure depends on a set of server features that can be i **Note**   An MBAM installation on a single server is recommended only for lab environments. -  + The MBAM Client enables administrators to enforce and monitor BitLocker drive encryption on computers in the enterprise. The BitLocker client can be integrated into an organization by deploying the client through an enterprise software delivery system or by installing the client agent on client computers as part of the initial imaging process. @@ -49,9 +49,9 @@ With MBAM, you can encrypt a computer in your organization either before the end [Planning for MBAM 2.0](planning-for-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/planning-to-deploy-mbam-with-configuration-manager-2.md b/mdop/mbam-v2/planning-to-deploy-mbam-with-configuration-manager-2.md index 095a5884d7..a125cec907 100644 --- a/mdop/mbam-v2/planning-to-deploy-mbam-with-configuration-manager-2.md +++ b/mdop/mbam-v2/planning-to-deploy-mbam-with-configuration-manager-2.md @@ -19,10 +19,10 @@ ms.date: 08/30/2016 To deploy MBAM with the Configuration Manager topology, a three-server architecture, which supports 200,000 clients, is recommended. Use a separate server to run Configuration Manager, and install the basic Administration and Monitoring features on two servers, as shown in the architecture image in [Getting Started - Using MBAM with Configuration Manager](getting-started---using-mbam-with-configuration-manager.md). -**Important**   +**Important** Windows To Go is not supported when you install the integrated topology of MBAM with Configuration Manager 2007. -  + ## Deployment Prerequisites for Installing MBAM with Configuration Manager @@ -47,23 +47,23 @@ Ensure that you have met the following prerequisites before you install MBAM wit

              Enable the Hardware Inventory Client Agent on the Configuration Manager Server.

              -

              For Configuration Manager 2007, see [How to Configure Hardware Inventory for a Site](https://go.microsoft.com/fwlink/?LinkId=301656).

              -

              For System Center 2012 Configuration Manager, see [How to Configure Hardware Inventory in Configuration Manager](https://go.microsoft.com/fwlink/?LinkId=301685).

              +

              For Configuration Manager 2007, see How to Configure Hardware Inventory for a Site.

              +

              For System Center 2012 Configuration Manager, see How to Configure Hardware Inventory in Configuration Manager.

              Enable the Desired Configuration Management (DCM) agent or the compliance settings, depending on the version of Configuration Manager that you are using.

              -

              For Configuration Manager 2007, enable the see [Desired Configuration Management Client Agent Properties](https://go.microsoft.com/fwlink/?LinkId=301686).

              -

              For System Center 2012 Configuration Manager, see [Configuring Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/?LinkId=301687).

              +

              For Configuration Manager 2007, enable the see Desired Configuration Management Client Agent Properties.

              +

              For System Center 2012 Configuration Manager, see Configuring Compliance Settings in Configuration Manager.

              Define a reporting services point in Configuration Manager. Required for SQL Reporting Services.

              -

              For Configuration Manager 2007, see [How to Create a Reporting Services Point for SQL Reporting Services](https://go.microsoft.com/fwlink/?LinkId=301688).

              -

              For System Center 2012 Configuration Manager, see [Prerequisites for Reporting in Configuration Manager](https://go.microsoft.com/fwlink/?LinkId=301689).

              +

              For Configuration Manager 2007, see How to Create a Reporting Services Point for SQL Reporting Services.

              +

              For System Center 2012 Configuration Manager, see Prerequisites for Reporting in Configuration Manager.
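Review bot: The typo "enable the see Desired Configuration Management Client Agent Properties" in the Configuration Manager 2007 DCM item is carried over unchanged into the `+` line; since that line is being rewritten anyway, it should read "see Desired Configuration Management Client Agent Properties". The same `+` lines also drop the go.microsoft.com/fwlink links for all six Configuration Manager references in this prerequisites table (hardware inventory, DCM/compliance settings, and reporting services point, for both Configuration Manager 2007 and System Center 2012 Configuration Manager), leaving titles the reader cannot follow; keep the links if only whitespace cleanup is intended.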

              -  + ## Configuration Manager Supported Versions @@ -89,22 +89,21 @@ MBAM supports the following versions of Configuration Manager:

              SP1 or later

              64-bit

              -Note   -

              Although Configuration Manager 2007 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software.

              +Note

              Although Configuration Manager 2007 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software.

              -  +
              -

              Microsoft System Center 2012 Configuration Manager

              +

              Microsoft System Center 2012 Configuration Manager

              SP1

              64-bit

              -  + For a list of supported configurations for the Configuration Manager Server, see the appropriate webpage for the version of Configuration Manager that you are using. MBAM has no additional system requirements for the Configuration Manager Server. @@ -150,9 +149,9 @@ The following table lists the server processor, RAM, and disk space requirements -  -## SQL Server Processor, RAM, and Disk Space Requirements + +## SQL Server Processor, RAM, and Disk Space Requirements The following table lists the server processor, RAM, and disk space requirements for the SQL Server computer when you are using the Configuration Manager Integration topology. @@ -189,7 +188,7 @@ The following table lists the server processor, RAM, and disk space requirements -  + ## Required permissions to install the MBAM Server @@ -219,9 +218,9 @@ To install MBAM with Configuration Manager, you must have an administrative user -  -**System Center 2012 Configuration Manager** + +**System Center 2012 Configuration Manager** @@ -250,7 +249,7 @@ To install MBAM with Configuration Manager, you must have an administrative user
              -  + **Configuration Manager 2007** @@ -281,7 +280,7 @@ To install MBAM with Configuration Manager, you must have an administrative user -  + ## Order of Deployment of MBAM Features for the Configuration Manager Topology @@ -322,7 +321,7 @@ This checklist outlines the recommended steps and a high-level list of items to Checklist box

              Review the getting started information, which describes how Configuration Manager works with MBAM and shows the recommended high-level architecture.

              -

              [Getting Started - Using MBAM with Configuration Manager](getting-started---using-mbam-with-configuration-manager.md)

              +

              Getting Started - Using MBAM with Configuration Manager

              @@ -334,34 +333,34 @@ This checklist outlines the recommended steps and a high-level list of items to Checklist box

              Plan for and configure MBAM Group Policy requirements.

              -

              [Planning for MBAM 2.0 Group Policy Requirements](planning-for-mbam-20-group-policy-requirements-mbam-2.md)

              +

              Planning for MBAM 2.0 Group Policy Requirements

              Checklist box -

              Plan for and create necessary Active Directory Domain Services security groups and plan for MBAM local security group membership requirements.

              -

              [Planning for MBAM 2.0 Administrator Roles](planning-for-mbam-20-administrator-roles-mbam-2.md)

              +

              Plan for and create necessary Active Directory Domain Services security groups and plan for MBAM local security group membership requirements.

              +

              Planning for MBAM 2.0 Administrator Roles

              Checklist box

              Plan for deploying MBAM Client deployment.

              -

              [Planning for MBAM 2.0 Client Deployment](planning-for-mbam-20-client-deployment-mbam-2.md)

              +

              Planning for MBAM 2.0 Client Deployment
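Review bot: "Plan for deploying MBAM Client deployment." in the last checklist row is redundant and is kept as unchanged context; "Plan for MBAM Client deployment." reads better and matches the "Plan for and configure MBAM Group Policy requirements." row above it. In the same two hunks, the three planning links (Group Policy Requirements, Administrator Roles, Client Deployment) and the Getting Started link become plain titles in the `+` lines, so the checklist no longer navigates to the topics it lists; keep the links in the cells.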

              -  + ## Related topics [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md) -  - -  + + + diff --git a/mdop/mbam-v2/preparing-your-environment-for-mbam-20-mbam-2.md b/mdop/mbam-v2/preparing-your-environment-for-mbam-20-mbam-2.md index 5d1fc5b989..ac91e39c60 100644 --- a/mdop/mbam-v2/preparing-your-environment-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/preparing-your-environment-for-mbam-20-mbam-2.md @@ -31,7 +31,7 @@ To ensure successful installation of MBAM Clients and MBAM Server features, ensu **Note**   MBAM Setup checks that all prerequisites are met before installation starts. If all prerequisites are not met, Setup will fail. -  + [MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md) @@ -43,7 +43,7 @@ Before MBAM can manage clients in the enterprise, you must define Group Policy f **Important**   MBAM will not work with policies for stand-alone BitLocker drive encryption. Group Policy settings must be defined for MBAM, or BitLocker encryption and enforcement will fail. -  + [Planning for MBAM 2.0 Group Policy Requirements](planning-for-mbam-20-group-policy-requirements-mbam-2.md) @@ -61,9 +61,9 @@ The membership of Microsoft BitLocker Administration and Monitoring roles can be [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md b/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md index 25d06daa80..c67aa2acee 100644 --- a/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md +++ b/mdop/mbam-v2/release-notes-for-mbam-20-mbam-2.md @@ -199,96 +199,96 @@ This section contains hotfixes and KB articles for MBAM 2.0.

              2831166

              Installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 fails with "System Center CM Objects Already Installed"

              -

              [support.microsoft.com/kb/2831166/EN-US](https://support.microsoft.com/kb/2831166/EN-US)

              +

              support.microsoft.com/kb/2831166/EN-US

              2870849

              Users cannot retrieve BitLocker Recovery key using MBAM 2.0 Self Service Portal

              -

              [support.microsoft.com/kb/2870849/EN-US](https://support.microsoft.com/kb/2870849/EN-US)

              +

              support.microsoft.com/kb/2870849/EN-US

              2756402

              MBAM client would fail with Event ID 4 and error code 0x8004100E in the Event description

              -

              [support.microsoft.com/kb/2756402/EN-US](https://support.microsoft.com/kb/2756402/EN-US)

              +

              support.microsoft.com/kb/2756402/EN-US

              2620287

              Error Message “Server Error in ‘/Reports’ Application” When You Click Reports Tab in MBAM

              -

              [support.microsoft.com/kb/2620287/EN-US](https://support.microsoft.com/kb/2620287/EN-US)

              +

              support.microsoft.com/kb/2620287/EN-US

              2639518

              Error opening Enterprise or Computer Compliance Reports in MBAM

              -

              [support.microsoft.com/kb/2639518/EN-US](https://support.microsoft.com/kb/2639518/EN-US)

              +

              support.microsoft.com/kb/2639518/EN-US

              2620269

              MBAM Enterprise Reporting Not Getting Updated

              -

              [support.microsoft.com/kb/2620269/EN-US](https://support.microsoft.com/kb/2620269/EN-US)

              +

              support.microsoft.com/kb/2620269/EN-US

              2712461

              Installing MBAM on a Domain Controller is not supported

              -

              [support.microsoft.com/kb/2712461/EN-US](https://support.microsoft.com/kb/2712461/EN-US)

              +

              support.microsoft.com/kb/2712461/EN-US

              2876732

              You receive error code 0x80071a90 during Standalone or Configuration Manager Integration setup of MBAM 2.0

              -

              [support.microsoft.com/kb/2876732/EN-US](https://support.microsoft.com/kb/2876732/EN-US)

              +

              support.microsoft.com/kb/2876732/EN-US

              2754259

              MBAM and Secure Network Communication

              -

              [support.microsoft.com/kb/2754259/EN-US](https://support.microsoft.com/kb/2754259/EN-US)

              +

              support.microsoft.com/kb/2754259/EN-US

              2870842

              MBAM 2.0 Setup fails during Configuration Manager Integration Scenario with SQL Server 2008

              -

              [support.microsoft.com/kb/2870842/EN-US](https://support.microsoft.com/kb/2870842/EN-US)

              +

              support.microsoft.com/kb/2870842/EN-US

              2668533

              MBAM Setup fails if SQL SSRS is not configured properly

              -

              [support.microsoft.com/kb/2668533/EN-US](https://support.microsoft.com/kb/2668533/EN-US)

              +

              support.microsoft.com/kb/2668533/EN-US

              2870847

              -

              MBAM 2.0 Setup fails with "Error retrieving Configuration Manager Server role settings for 'Reporting Services Point' role"

              -

              [support.microsoft.com/kb/2870847/EN-US](https://support.microsoft.com/kb/2870847/EN-US)

              +

              MBAM 2.0 Setup fails with "Error retrieving Configuration Manager Server role settings for 'Reporting Services Point' role"

              +

              support.microsoft.com/kb/2870847/EN-US

              2870839

              MBAM 2.0 Enterprise Reports are not refreshed in MBAM 2.0 Standalone topology due to SQL job CreateCache failure

              -

              [support.microsoft.com/kb/2870839/EN-US](https://support.microsoft.com/kb/2870839/EN-US)

              +

              support.microsoft.com/kb/2870839/EN-US

              2620269

              MBAM Enterprise Reporting Not Getting Updated

              -

              [support.microsoft.com/kb/2620269/EN-US](https://support.microsoft.com/kb/2620269/EN-US)

              +

              support.microsoft.com/kb/2620269/EN-US

              2935997

              MBAM Supported Computers compliance reporting incorrectly includes unsupported products

              -

              [support.microsoft.com/kb/2935997/EN-US](https://support.microsoft.com/kb/2935997/EN-US)

              +

              support.microsoft.com/kb/2935997/EN-US

              2612822

              Computer Record is Rejected in MBAM

              -

              [support.microsoft.com/kb/2612822/EN-US](https://support.microsoft.com/kb/2612822/EN-US)

              +

              support.microsoft.com/kb/2612822/EN-US
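Review bot: KB 2620269 ("MBAM Enterprise Reporting Not Getting Updated") is listed twice in this hotfix table, once after 2639518 and again after 2870839; one of the two rows should be dropped rather than re-added. Separately, the `+` lines replace each `[support.microsoft.com/kb/NNNNNNN/EN-US](https://support.microsoft.com/kb/NNNNNNN/EN-US)` link with the scheme-less text `support.microsoft.com/kb/NNNNNNN/EN-US`, which is neither a link nor a complete URL; keep the markdown link, or at minimum the full https URL, so the KB articles remain reachable from the release notes.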

              -  + ## Related topics [About MBAM 2.0](about-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md b/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md index 10e0560c95..003c3164cc 100644 --- a/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md +++ b/mdop/mbam-v2/release-notes-for-mbam-20-sp1.md @@ -37,7 +37,7 @@ If you are using MBAM with Configuration Manager, and you want to upgrade to MBA **Note**   All existing BitLocker compliance data will be deleted when you delete the existing baseline in Configuration Manager. The data will be regenerated over time, but it is recommended that you save a copy of the data in case you need the compliance data for a particular computer before the compliance data has been regenerated. -   + 1. To save historical BitLocker compliance data, open the **BitLocker Enterprise Compliance Details** Report. @@ -147,96 +147,96 @@ This section contains hotfixes and KB articles for MBAM 2.0 SP1.

              2831166

              Installing Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 fails with "System Center CM Objects Already Installed"

              -

              [support.microsoft.com/kb/2831166/EN-US](https://support.microsoft.com/kb/2831166/EN-US)

              +

              support.microsoft.com/kb/2831166/EN-US

              2870849

              Users cannot retrieve BitLocker Recovery key using MBAM 2.0 Self Service Portal

              -

              [support.microsoft.com/kb/2870849/EN-US](https://support.microsoft.com/kb/2870849/EN-US)

              +

              support.microsoft.com/kb/2870849/EN-US

              2756402

              MBAM client would fail with Event ID 4 and error code 0x8004100E in the Event description

              -

              [support.microsoft.com/kb/2756402/EN-US](https://support.microsoft.com/kb/2756402/EN-US)

              +

              support.microsoft.com/kb/2756402/EN-US

              2620287

              Error Message “Server Error in ‘/Reports’ Application” When You Click Reports Tab in MBAM

              -

              [support.microsoft.com/kb/2620287/EN-US](https://support.microsoft.com/kb/2620287/EN-US)

              +

              support.microsoft.com/kb/2620287/EN-US

              2639518

              Error opening Enterprise or Computer Compliance Reports in MBAM

              -

              [support.microsoft.com/kb/2639518/EN-US](https://support.microsoft.com/kb/2639518/EN-US)

              +

              support.microsoft.com/kb/2639518/EN-US

              2620269

              MBAM Enterprise Reporting Not Getting Updated

              -

              [support.microsoft.com/kb/2620269/EN-US](https://support.microsoft.com/kb/2620269/EN-US)

              +

              support.microsoft.com/kb/2620269/EN-US

              2712461

              Installing MBAM on a Domain Controller is not supported

              -

              [support.microsoft.com/kb/2712461/EN-US](https://support.microsoft.com/kb/2712461/EN-US)

              +

              support.microsoft.com/kb/2712461/EN-US

              2876732

              You receive error code 0x80071a90 during Standalone or Configuration Manager Integration setup of MBAM 2.0

              -

              [support.microsoft.com/kb/2876732/EN-US](https://support.microsoft.com/kb/2876732/EN-US)

              +

              support.microsoft.com/kb/2876732/EN-US

              2754259

              MBAM and Secure Network Communication

              -

              [support.microsoft.com/kb/2754259/EN-US](https://support.microsoft.com/kb/2754259/EN-US)

              +

              support.microsoft.com/kb/2754259/EN-US

              2870842

              MBAM 2.0 Setup fails during Configuration Manager Integration Scenario with SQL Server 2008

              -

              [support.microsoft.com/kb/2870842/EN-US](https://support.microsoft.com/kb/2870842/EN-US)

              +

              support.microsoft.com/kb/2870842/EN-US

              2668533

              MBAM Setup fails if SQL SSRS is not configured properly

              -

              [support.microsoft.com/kb/2668533/EN-US](https://support.microsoft.com/kb/2668533/EN-US)

              +

              support.microsoft.com/kb/2668533/EN-US

              2870847

              -

              MBAM 2.0 Setup fails with "Error retrieving Configuration Manager Server role settings for 'Reporting Services Point' role"

              -

              [support.microsoft.com/kb/2870847/EN-US](https://support.microsoft.com/kb/2870847/EN-US)

              +

              MBAM 2.0 Setup fails with "Error retrieving Configuration Manager Server role settings for 'Reporting Services Point' role"

              +

              support.microsoft.com/kb/2870847/EN-US

              2870839

              MBAM 2.0 Enterprise Reports are not refreshed in MBAM 2.0 Standalone topology due to SQL job CreateCache failure

              -

              [support.microsoft.com/kb/2870839/EN-US](https://support.microsoft.com/kb/2870839/EN-US)

              +

              support.microsoft.com/kb/2870839/EN-US

              2620269

              MBAM Enterprise Reporting Not Getting Updated

              -

              [support.microsoft.com/kb/2620269/EN-US](https://support.microsoft.com/kb/2620269/EN-US)

              +

              support.microsoft.com/kb/2620269/EN-US

              2935997

              MBAM Supported Computers compliance reporting incorrectly includes unsupported products

              -

              [support.microsoft.com/kb/2935997/EN-US](https://support.microsoft.com/kb/2935997/EN-US)

              +

              support.microsoft.com/kb/2935997/EN-US

              2612822

              Computer Record is Rejected in MBAM

              -

              [support.microsoft.com/kb/2612822/EN-US](https://support.microsoft.com/kb/2612822/EN-US)

              +

              support.microsoft.com/kb/2612822/EN-US

              -  + ## Related topics [About MBAM 2.0 SP1](about-mbam-20-sp1.md) -  + -  + diff --git a/mdop/mbam-v2/understanding-mbam-reports-in-configuration-manager.md b/mdop/mbam-v2/understanding-mbam-reports-in-configuration-manager.md index 60b2e680b5..a5bd540199 100644 --- a/mdop/mbam-v2/understanding-mbam-reports-in-configuration-manager.md +++ b/mdop/mbam-v2/understanding-mbam-reports-in-configuration-manager.md @@ -145,7 +145,7 @@ This report shows information about the overall BitLocker compliance across your -  + **BitLocker Enterprise Compliance Details Report - Compliance States** @@ -176,7 +176,7 @@ This report shows information about the overall BitLocker compliance across your -  + ### BitLocker Enterprise Compliance Summary Report @@ -243,7 +243,7 @@ Use this report type to show information about the overall BitLocker compliance -  + **BitLocker Enterprise Compliance Summary Report - Computer Details** @@ -290,7 +290,7 @@ Use this report type to show information about the overall BitLocker compliance -  + ### BitLocker Computer Compliance Report @@ -299,7 +299,7 @@ Use this report type to collect information that is specific to a computer. The **Note**   Removable Data Volume encryption status is not shown in the report. -  + **BitLocker Computer Compliance Report – Computer Details Fields** @@ -390,7 +390,7 @@ Removable Data Volume encryption status is not shown in the report. -  + **BitLocker Computer Compliance Report – Computer Volume Fields** @@ -433,16 +433,16 @@ Removable Data Volume encryption status is not shown in the report. -  + ## Related topics [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md) -  + -  + diff --git a/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md b/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md index ed5bf90a4b..731bc11158 100644 --- a/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md +++ b/mdop/mbam-v2/understanding-mbam-reports-mbam-2.md 
@@ -22,7 +22,7 @@ If you chose the Stand-alone topology when you installed Microsoft BitLocker Adm **Note**   If you chose the Configuration Manager topology when you installed Microsoft BitLocker Administration and Monitoring (MBAM), reports are generated from Configuration Manager rather than from MBAM. For more information about reports that are run from Configuration Manager, see [Understanding MBAM Reports in Configuration Manager](understanding-mbam-reports-in-configuration-manager.md). -  + ## Understanding Reports @@ -70,7 +70,7 @@ Use this report type to collect information on overall BitLocker compliance in y -  + **Enterprise Compliance Report Compliance States** @@ -105,7 +105,7 @@ Use this report type to collect information on overall BitLocker compliance in y -  + ### Computer Compliance Report @@ -116,7 +116,7 @@ This report can be viewed by clicking the computer name in the Enterprise Compli **Note**   Removable Data Volume encryption status will not be shown in the report. -  + **Computer Compliance Report Fields** @@ -191,7 +191,7 @@ Removable Data Volume encryption status will not be shown in the report. -  + **Computer Compliance Report Drive Fields** @@ -242,7 +242,7 @@ Removable Data Volume encryption status will not be shown in the report. -  + ### Recovery Audit Report @@ -304,21 +304,21 @@ Use this report type to audit users who have requested access to recovery keys. -  + **Note**   Report results can be saved to a file by clicking the **Export** button on the reports menu bar. For more information about how to run MBAM reports, see [How to Generate MBAM Reports](how-to-generate-mbam-reports-mbam-2.md). -  + ## Related topics [Monitoring and Reporting BitLocker Compliance with MBAM 2.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/upgrading-from-previous-versions-of-mbam.md b/mdop/mbam-v2/upgrading-from-previous-versions-of-mbam.md index 93450b86e8..7b3884f5c8 100644 
--- a/mdop/mbam-v2/upgrading-from-previous-versions-of-mbam.md +++ b/mdop/mbam-v2/upgrading-from-previous-versions-of-mbam.md @@ -83,7 +83,7 @@ Use the following instructions to upgrade from a previous version of MBAM when y **Note**   The certificate must be created before this step to enable you to select it on this page. -   + 8. On the **Configure the location of the Compliance Status database** page, specify the SQL Server instance name and the name of the database that stores the compliance and audit data. You must also specify where the database files and log information will be located. @@ -102,7 +102,7 @@ Use the following instructions to upgrade from a previous version of MBAM when y **Note**   The port number that you specify must be an unused port number on the Administration and Monitoring Server unless you specify a unique host header name. -   + 15. On the **Configure the Administration and Monitoring Server** page, specify the desired virtual directory for the Help Desk website. @@ -130,9 +130,9 @@ To validate the Client upgrade, do the following: [Deploying MBAM 2.0](deploying-mbam-20-mbam-2.md) -  + -  + diff --git a/mdop/mbam-v2/using-mbam-with-configuration-manager.md b/mdop/mbam-v2/using-mbam-with-configuration-manager.md index e13aa6308e..065e2ffd49 100644 --- a/mdop/mbam-v2/using-mbam-with-configuration-manager.md +++ b/mdop/mbam-v2/using-mbam-with-configuration-manager.md @@ -24,7 +24,7 @@ This integration moves the Microsoft BitLocker Administration and Monitoring com **Important**   Windows To Go is not supported when you install the integrated topology of MBAM with Configuration Manager 2007. -  + ## Getting Started – Using MBAM with Configuration Manager @@ -59,9 +59,9 @@ This section describes the MBAM reports that you can run from Configuration Mana [Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md) -  + -  + 
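Review bot: In the MBAM 2.0 known-issues table hunk above (mdop/mbam-v2, rows 2639518 through 2612822), every `+` cell replaces the markdown link with bare text, e.g. `[support.microsoft.com/kb/2620269/EN-US](https://support.microsoft.com/kb/2620269/EN-US)` becomes `support.microsoft.com/kb/2620269/EN-US`, so the KB references are no longer clickable and the https scheme is lost. Because these cells sit inside a raw HTML table, use an HTML anchor, `<a href="https://support.microsoft.com/kb/2620269/EN-US">support.microsoft.com/kb/2620269/EN-US</a>`, rather than plain text, so the link survives rendering. While this table is being touched, note that KB 2620269 "MBAM Enterprise Reporting Not Getting Updated" appears twice (once after 2639518 and again after 2870839); one of the two rows should be dropped.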
diff --git a/mdop/mbam-v2/using-your-pin-or-password.md b/mdop/mbam-v2/using-your-pin-or-password.md index 470f62e39b..cdf27ed7a0 100644 --- a/mdop/mbam-v2/using-your-pin-or-password.md +++ b/mdop/mbam-v2/using-your-pin-or-password.md @@ -29,7 +29,7 @@ The password is used to unlock drives on your computer that do not contain the o **Note**   Your Help Desk may set drives to unlock automatically. This eliminates the need to provide a PIN or password to view the information on the drives. -  + ## Unlocking Your Computer if You Forget Your PIN or Password @@ -71,9 +71,9 @@ Before you can change the password on a BitLocker protected drive, you must unlo - To change your password, select **Manage Your Password**. Enter your new password into both fields and select **Reset Password**. -  + -  + diff --git a/mdop/mbam-v25/about-mbam-25-sp1.md b/mdop/mbam-v25/about-mbam-25-sp1.md index a17ede4bf3..e9fefc297b 100644 --- a/mdop/mbam-v25/about-mbam-25-sp1.md +++ b/mdop/mbam-v25/about-mbam-25-sp1.md @@ -51,7 +51,7 @@ The following groups might be interested in using MBAM to manage BitLocker: **Note**   BitLocker is not explained in detail in this MBAM documentation. For more information, see [BitLocker Drive Encryption Overview](https://go.microsoft.com/fwlink/p/?LinkId=225013). -  + ## What’s new in MBAM 2.5 SP1 
@@ -129,7 +129,7 @@ The Windows team has backported FIPS-compliant recovery keys with a hotfix, and **Note**   Client computers that are running the Windows 8 operating system still require a DRA protector since the hotfix was not backported to that OS. See [Hotfix Package 2 for BitLocker Administration and Monitoring 2.5](https://support.microsoft.com/kb/3015477) to download and install the BitLocker hotfix for Windows 7 and Windows 8 computers. For information about DRA, see [Using Data Recovery Agents with BitLocker](https://go.microsoft.com/fwlink/?LinkId=393557). -  + To enable FIPS compliance in your organization, you must configure the Federal Information Processing Standard (FIPS) Group Policy settings. For configuration instructions, see [BitLocker Group Policy Settings](https://go.microsoft.com/fwlink/?LinkId=393560). @@ -243,9 +243,9 @@ For more information and late-breaking news that is not included in this documen [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) -  + -  + diff --git a/mdop/mbam-v25/about-mbam-25.md b/mdop/mbam-v25/about-mbam-25.md index 1357167f7d..e379ef1ec5 100644 --- a/mdop/mbam-v25/about-mbam-25.md +++ b/mdop/mbam-v25/about-mbam-25.md @@ -51,7 +51,7 @@ The following groups might be interested in using MBAM to manage BitLocker: **Note**   BitLocker is not explained in detail in this MBAM documentation. For more information, see [BitLocker Drive Encryption Overview](https://go.microsoft.com/fwlink/p/?LinkId=225013). -  + ## What’s new in MBAM 2.5 
@@ -69,7 +69,7 @@ The MBAM Group Policy Templates must be downloaded separately from the MBAM inst **Important**   Do not change the Group Policy settings in the **BitLocker Drive Encryption** node, or MBAM will not work correctly. When you configure the Group Policy settings in the **MDOP MBAM (BitLocker Management)** node, MBAM automatically configures the BitLocker Drive Encryption settings for you. -  + The template files that you need to copy to a server or workstation are: @@ -83,59 +83,59 @@ The template files that you need to copy to a server or workstation are: Copy the template files to the location that best meets your needs. For the language-specific files, which must be copied to a language-specific folder, the Group Policy Management Console is required to view the files. -- To install the template files locally on a server or workstation, copy the files to one of the following locations. +- To install the template files locally on a server or workstation, copy the files to one of the following locations. - - - - - - - - - - - - - - - - - - - - - -
              File typeFile location

              language neutral (.admx)

              %systemroot%\policyDefinitions

              language specific (.adml)

              %systemroot%\policyDefinitions\[MUIculture] (for example, the U.S. English language specific file will be stored in %systemroot%\policyDefinitions\en-us)

              + + + + + + + + + + + + + + + + + + + + + +
              File typeFile location

              language neutral (.admx)

              %systemroot%\policyDefinitions

              language specific (.adml)

              %systemroot%\policyDefinitions[MUIculture] (for example, the U.S. English language specific file will be stored in %systemroot%</em>policyDefinitions\en-us)

              -   + -- To make the templates available to all Group Policy administrators in a domain, copy the files to one of the following locations on a domain controller. +- To make the templates available to all Group Policy administrators in a domain, copy the files to one of the following locations on a domain controller. - - - - - - - - - - - - - - - - - - - - - -
              File typeDomain controller file location

              Language neutral (.admx)

              %systemroot%sysvol\domain\policies\PolicyDefinitions

              Language specific (.adml)

              %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] (for example, the U.S. English language-specific file will be stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us)

              + + + + + + + + + + + + + + + + + + + + + +
              File typeDomain controller file location

              Language neutral (.admx)

              %systemroot%sysvol\domain\policies\PolicyDefinitions

              Language specific (.adml)

              %systemroot%\sysvol\domain\policies\PolicyDefinitions[MUIculture] (for example, the U.S. English language-specific file will be stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us)

              -   + For more information about template files, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/?LinkId=392818). @@ -179,7 +179,7 @@ To enable you to configure encryption policy enforcement, a new Group Policy set -  + ### Ability to provide a URL in the BitLocker Drive Encryption wizard to point to your security policy @@ -250,7 +250,7 @@ The following table lists the security groups that you must create in AD DS. You -  + After you create the security groups in AD DS, assign users and/or groups to the appropriate security group to enable the corresponding level of access to the Administration and Monitoring Website. To enable individuals with each role to access the Administration and Monitoring Website, you must also specify each security group when you are configuring the Administration and Monitoring Website. @@ -286,20 +286,20 @@ Windows PowerShell Help for MBAM is available in the following formats:

              On TechNet as webpages

              -

              https://go.microsoft.com/fwlink/?LinkId=393498

              +

              https://go.microsoft.com/fwlink/?LinkId=393498

              On the Download Center as a Word .docx file

              -

              https://go.microsoft.com/fwlink/?LinkId=393497

              +

              https://go.microsoft.com/fwlink/?LinkId=393497

              On the Download Center as a .pdf file

              -

              https://go.microsoft.com/fwlink/?LinkId=393499

              +

              https://go.microsoft.com/fwlink/?LinkId=393499

              -  + ### Support for ASCII-only and enhanced PINs and ability to prevent sequential and repeating characters @@ -368,9 +368,9 @@ For more information and late-breaking news that is not included in this documen [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) -  + -  + diff --git a/mdop/mbam-v25/accessibility-for-mbam-25.md b/mdop/mbam-v25/accessibility-for-mbam-25.md index 854ef72eaa..5618291576 100644 --- a/mdop/mbam-v25/accessibility-for-mbam-25.md +++ b/mdop/mbam-v25/accessibility-for-mbam-25.md @@ -33,7 +33,7 @@ Access keys let you quickly use a command by pressing a few keys. You can get to **Note**   To cancel the action that you are taking and hide the keyboard shortcuts, press ALT. -  + ## Documentation in alternative formats @@ -67,13 +67,13 @@ For information about the availability of Microsoft product documentation and bo

              (609) 987-8116

              -

              [http://www.learningally.org/](https://go.microsoft.com/fwlink/?linkid=239)

              +

              http://www.learningally.org/

              Web addresses can change, so you might be unable to connect to the website or sites mentioned here.

              -  + ## Customer service for people with hearing impairments @@ -100,9 +100,9 @@ For more information about how accessible technology for computers helps to impr [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) -  + -  + diff --git a/mdop/mbam-v25/administering-mbam-25-features.md b/mdop/mbam-v25/administering-mbam-25-features.md index af59ef6842..ba93616f8c 100644 --- a/mdop/mbam-v25/administering-mbam-25-features.md +++ b/mdop/mbam-v25/administering-mbam-25-features.md @@ -34,7 +34,7 @@ MBAM provides a custom control panel, called BitLocker Encryption Options, that **Note**   This customized control panel does not replace the default Windows BitLocker control panel. -  + [Understanding the BitLocker Encryption Options and BitLocker Drive Encryption Items in Control Panel](understanding-the-bitlocker-encryption-options-and-bitlocker-drive-encryption-items-in-control-panel.md) @@ -47,9 +47,9 @@ This customized control panel does not replace the default Windows BitLocker con - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + -  + diff --git a/mdop/mbam-v25/configuring-mbam-25-server-features-by-using-windows-powershell.md b/mdop/mbam-v25/configuring-mbam-25-server-features-by-using-windows-powershell.md index 81a2609660..3e68d38e01 100644 --- a/mdop/mbam-v25/configuring-mbam-25-server-features-by-using-windows-powershell.md +++ b/mdop/mbam-v25/configuring-mbam-25-server-features-by-using-windows-powershell.md @@ -72,20 +72,20 @@ Windows PowerShell Help for MBAM is available in the following formats:

              On TechNet as webpages

              -

              https://go.microsoft.com/fwlink/?LinkId=393498

              +

              https://go.microsoft.com/fwlink/?LinkId=393498

              On the Download Center as a Word .docx file

              -

              https://go.microsoft.com/fwlink/?LinkId=393497

              +

              https://go.microsoft.com/fwlink/?LinkId=393497

              On the Download Center as a .pdf file

              -

              https://go.microsoft.com/fwlink/?LinkId=393499

              +

              https://go.microsoft.com/fwlink/?LinkId=393499

              -  + ## Configurations that you can do only with Windows PowerShell but not with the MBAM Server Configuration wizard @@ -125,12 +125,12 @@ Windows PowerShell Help for MBAM is available in the following formats: -  + **Note**   You cannot disable the MBAM databases with a Windows PowerShell cmdlet or the MBAM Server Configuration wizard. To prevent the accidental removal of your compliance and audit data, database administrators must remove databases manually. -  + ## Prerequisites and requirements for using Windows PowerShell to configure MBAM Server features @@ -167,7 +167,7 @@ Before starting the configuration, complete the following prerequisites. -  + **Permission-related prerequisites** @@ -197,7 +197,7 @@ Before starting the configuration, complete the following prerequisites.

              This user account must be a part of the local administrators group or the Backup Operators group to register the MBAM Volume Shadow Copy Service (VSS) Writer.

              By default, the database administrator or system administrator has the required "create any database" permissions.

              -

              For more information about VSS Writer, see [Volume Shadow Copy Service](https://go.microsoft.com/fwlink/?LinkId=392814).

              +

              For more information about VSS Writer, see Volume Shadow Copy Service.

              For the System Center Configuration Manager Integration feature only:

              @@ -234,7 +234,7 @@ Before starting the configuration, complete the following prerequisites. -  + ## Using Windows PowerShell to configure MBAM on a remote computer @@ -255,7 +255,7 @@ Before starting the configuration, complete the following prerequisites.
              • Ensure that the MBAM 2.5 Server software has been installed on the remote computer.

              • Use the Credential Security Support Provider (CredSSP) Protocol to open the Windows PowerShell session.

              • -
              • Enable Windows Remote Management (WinRM). If you fail to enable WinRM and to configure it correctly, the New-PSSession cmdlet that is described in this table displays an error and describes how to fix the issue. For more information about WinRM, see [Using Windows Remote Management](https://go.microsoft.com/fwlink/?LinkId=393064).

              • +
              • Enable Windows Remote Management (WinRM). If you fail to enable WinRM and to configure it correctly, the New-PSSession cmdlet that is described in this table displays an error and describes how to fix the issue. For more information about WinRM, see Using Windows Remote Management.

              @@ -273,7 +273,7 @@ Before starting the configuration, complete the following prerequisites. -  + ## Required accounts and corresponding Windows PowerShell cmdlet parameters @@ -309,7 +309,7 @@ Specifies the administrative credential that the local SSRS instance uses to con **Important**   The account specified in the administrative credentials should have limited user rights for improved security. Also, the password of the account should be set to not expire. -  + ReportsReadOnlyAccessGroup @@ -348,9 +348,9 @@ For improved security, set the account that is specified in the administrative c To view the local security setting, open the **Local Security Policy editor**, expand the **Local Policies** node, select the **User Rights Assignment** node, and then double-click the **Impersonate a client after authentication** and **Log on as a batch job** Group Policy settings in the details pane. -  + -  + @@ -364,11 +364,11 @@ To view the local security setting, open the **Local Security Policy editor**, e [Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/configuring-the-mbam-25-server-features.md b/mdop/mbam-v25/configuring-the-mbam-25-server-features.md index 5afb8c6a37..d5431e95f6 100644 --- a/mdop/mbam-v25/configuring-the-mbam-25-server-features.md +++ b/mdop/mbam-v25/configuring-the-mbam-25-server-features.md @@ -42,31 +42,31 @@ Review and complete the following steps before you start configuring the MBAM Se

              Review the recommended architecture for MBAM.

              -

              [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)

              +

              High-Level Architecture for MBAM 2.5

              Review the supported configurations for MBAM.

              -

              [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)

              +

              MBAM 2.5 Supported Configurations

              Complete the required prerequisites on each server.

              Install the MBAM Server software on each server where you will configure an MBAM Server feature.

              -

              [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md)

              +

              Installing the MBAM 2.5 Server Software

              Review the prerequisites for using Windows PowerShell to configure MBAM Server features (if you are using this method to configure MBAM Server features).

              -

              [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)

              +

              Configuring MBAM 2.5 Server Features by Using Windows PowerShell

              -  + ## Steps for configuring MBAM Server features @@ -87,24 +87,24 @@ Each row in the following table describes the features that you will configure o

              Configure the databases.

              -

              [How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md)

              +

              How to Configure the MBAM 2.5 Databases

              Configure the reports.

              -

              [How to Configure the MBAM 2.5 Reports](how-to-configure-the-mbam-25-reports.md)

              +

              How to Configure the MBAM 2.5 Reports

              Configure the web applications.

              -

              [How to Configure the MBAM 2.5 Web Applications](how-to-configure-the-mbam-25-web-applications.md)

              +

              How to Configure the MBAM 2.5 Web Applications

              Configure the System Center Configuration Manager Integration (if applicable).

              -

              [How to Configure the MBAM 2.5 System Center Configuration Manager Integration](how-to-configure-the-mbam-25-system-center-configuration-manager-integration.md)

              +

              How to Configure the MBAM 2.5 System Center Configuration Manager Integration

              -  + For a list of events about MBAM Server feature configuration, see [Server Event Logs](server-event-logs.md). @@ -114,9 +114,9 @@ For a list of events about MBAM Server feature configuration, see [Server Event Configuring the MBAM 2.5 Server Features -  + -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md index b962c0d5bc..3c22c4bb2d 100644 --- a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md +++ b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md 
@@ -26,80 +26,82 @@ MDOP Group Policy templates are available for download in a self-extracting, com **How to download and deploy the MDOP Group Policy templates** -1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates -](https://www.microsoft.com/en-us/download/details.aspx?id=55531). +1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates + ](https://www.microsoft.com/en-us/download/details.aspx?id=55531). -2. Run the downloaded file to extract the template folders. +2. Run the downloaded file to extract the template folders. - **Warning**   - Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file. + **Warning** + Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file. -   -3. In the extracted folder, locate the technology-version .admx file. Certain MDOP technologies have multiple sets of Group Policy Objects (GPOs). For example, MBAM includes MBAM Management settings and MBAM User settings. -4. Locate the appropriate .adml file by language-culture (that is, *en* for English-United States). +3. In the extracted folder, locate the technology-version .admx file. Certain MDOP technologies have multiple sets of Group Policy Objects (GPOs). For example, MBAM includes MBAM Management settings and MBAM User settings. -5. Copy the .admx and .adml files to a policy definition folder. Depending on where you store the templates, you can configure Group Policy settings from the local device or from any computer on the domain. +4. Locate the appropriate .adml file by language-culture (that is, *en* for English-United States). - **Local files.** To configure Group Policy settings from the local device, copy template files to the following locations: +5. 
Copy the .admx and .adml files to a policy definition folder. Depending on where you store the templates, you can configure Group Policy settings from the local device or from any computer on the domain. - - - - - - - - - - - - - - - - - - - - - -
              File typeFile location

              Group Policy template (.admx)

              %systemroot%\policyDefinitions

              Group Policy language file (.adml)

              %systemroot%\policyDefinitions\[MUIculture]

              + **Local files.** To configure Group Policy settings from the local device, copy template files to the following locations: -   + + + + + + + + + + + + + + + + + + + + + +
              File typeFile location

              Group Policy template (.admx)

              %systemroot%<strong>policyDefinitions

              Group Policy language file (.adml)

              %systemroot%<strong>policyDefinitions[MUIculture]

              - **Domain central store.** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller: - - - - - - - - - - - - - - - - - - - - - -
              File typeFile location

              Group Policy template (.admx)

              %systemroot%\sysvol\domain\policies\PolicyDefinitions

              Group Policy language file (.adml)

              %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture]\[MUIculture]

              -

              For example, the U.S. English ADML language-specific file will be stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us.

              -   +~~~ +**Domain central store.** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller: -6. Edit the Group Policy settings using Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) to configure Group Policy settings for the MDOP technology. See [Editing the MBAM 2.5 Group Policy Settings](editing-the-mbam-25-group-policy-settings.md) for more information. + ++++ + + + + + + + + + + + + + + + + +
              File typeFile location

              Group Policy template (.admx)

              %systemroot%\sysvol\domain\policies\PolicyDefinitions

              Group Policy language file (.adml)

              %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture]\[MUIculture]

              +

              For example, the U.S. English ADML language-specific file will be stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us.

              +~~~ - For descriptions of the Group Policy settings, see [Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md). + + +6. Edit the Group Policy settings using Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) to configure Group Policy settings for the MDOP technology. See [Editing the MBAM 2.5 Group Policy Settings](editing-the-mbam-25-group-policy-settings.md) for more information. + + For descriptions of the Group Policy settings, see [Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md). ## Related topics @@ -107,11 +109,11 @@ MDOP Group Policy templates are available for download in a self-extracting, com [Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/customizing-the-self-service-portal-for-your-organization.md b/mdop/mbam-v25/customizing-the-self-service-portal-for-your-organization.md index d2d19ae89c..b5343853e6 100644 --- a/mdop/mbam-v25/customizing-the-self-service-portal-for-your-organization.md +++ b/mdop/mbam-v25/customizing-the-self-service-portal-for-your-organization.md @@ -38,28 +38,28 @@ You can customize the Self-Service Portal in the following ways:

              You can brand the Self-Service Portal with your company name, Help Desk URL, and can change the Session Time-out setting to make the end user’s session expire after a specified period of inactivity.

              -

              [How to Set the Self-Service Portal Branding and Session Time-out](how-to-set-the-self-service-portal-branding-and-session-time-out.md)

              +

              How to Set the Self-Service Portal Branding and Session Time-out

              You can turn the Self-Service Portal notice text on or off.

              -

              [How to Turn the Self-Service Portal Notice Text On or Off](how-to-turn-the-self-service-portal-notice-text-on-or-off.md)

              +

              How to Turn the Self-Service Portal Notice Text On or Off

              You can configure a localized version of the Self-Service Portal "HelpdeskText" statement, which tells end users how to get additional help when they are using the Self-Service Portal.

              -

              [How to Localize the “HelpdeskText” Statement that Points Users to More Self-Service Portal Information](how-to-localize-the-helpdesktext-statement-that-points-users-to-more-self-service-portal-information.md)

              +

              How to Localize the “HelpdeskText” Statement that Points Users to More Self-Service Portal Information

              You can configure a localized version of the Self-Service Portal "HelpdeskURL" to display to end users by default.

              -

              [How to Localize the Self-Service Portal “HelpdeskURL”](how-to-localize-the-self-service-portal-helpdeskurl.md)

              +

              How to Localize the Self-Service Portal “HelpdeskURL”

              You can configure localized notice text to display to end users by default in the Self-Service Portal.

              -

              [How to Localize the Self-Service Portal Notice Text](how-to-localize-the-self-service-portal-notice-text.md)

              +

              How to Localize the Self-Service Portal Notice Text

              -  + @@ -68,7 +68,7 @@ You can customize the Self-Service Portal in the following ways: [How to Configure the MBAM 2.5 Web Applications](how-to-configure-the-mbam-25-web-applications.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/deploying-mbam-25-group-policy-objects.md b/mdop/mbam-v25/deploying-mbam-25-group-policy-objects.md index 85e73537ad..ea0c9dff8f 100644 --- a/mdop/mbam-v25/deploying-mbam-25-group-policy-objects.md +++ b/mdop/mbam-v25/deploying-mbam-25-group-policy-objects.md @@ -22,7 +22,7 @@ To deploy MBAM, you have to set Group Policy settings that define MBAM implement **Important**   Do not change the Group Policy settings in the **BitLocker Drive Encryption** node, or MBAM will not work correctly. When you configure the Group Policy settings in the **MDOP MBAM (BitLocker Management)** node, MBAM automatically configures the **BitLocker Drive Encryption** settings for you. -  + ## Copying the MBAM 2.5 Group Policy Templates @@ -54,9 +54,9 @@ Since MBAM offers a customized MBAM control panel that can replace the default W - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + -  + diff --git a/mdop/mbam-v25/deploying-mbam-25.md b/mdop/mbam-v25/deploying-mbam-25.md index f9918a643e..48ab4bb17d 100644 --- a/mdop/mbam-v25/deploying-mbam-25.md +++ b/mdop/mbam-v25/deploying-mbam-25.md @@ -40,32 +40,32 @@ Use this information to identify the procedures you can follow to deploy and con
            • How to install the MBAM Server software.

            • How to configure the MBAM Server features.

            -

            [Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md)

            +

            Deploying the MBAM 2.5 Server Infrastructure

            How to download and deploy the MBAM Group Policy Templates, which are required to manage MBAM Clients and BitLocker encryption policies in the enterprise.

            -

            [Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md)

            +

            Deploying MBAM 2.5 Group Policy Objects

            How to use the MBAM Client Windows Installer files to deploy the MBAM Client software.

            -

            [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md)

            +

            Deploying the MBAM 2.5 Client

            Checklist that can assist you in deploying the MBAM Server features and MBAM Client.

            -

            [MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md)

            +

            MBAM 2.5 Deployment Checklist

            How to upgrade MBAM from previous versions.

            -

            [Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md)

            +

            Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions

            How to remove MBAM Server features or software.

            -

            [Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md)

            +

            Removing MBAM Server Features or Software

            -  + ## Other resources for deploying MBAM @@ -88,9 +88,9 @@ Use this information to identify the procedures you can follow to deploy and con - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + -  + diff --git a/mdop/mbam-v25/deploying-the-mbam-25-client.md b/mdop/mbam-v25/deploying-the-mbam-25-client.md index 802e36cddf..0a20208aa0 100644 --- a/mdop/mbam-v25/deploying-the-mbam-25-client.md +++ b/mdop/mbam-v25/deploying-the-mbam-25-client.md @@ -29,7 +29,7 @@ After configuring Group Policy settings, you can use an enterprise software depl **Note**   Beginning in MBAM 2.5 SP1, a separate MSI is no longer included with the MBAM product. However, you can extract the MSI from the executable file (.exe) that is included with the product. -  + [How to Deploy the MBAM Client to Desktop or Laptop Computers](how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-25.md) @@ -61,11 +61,11 @@ This section explains how to install the MBAM Client by using a command line. [Planning for MBAM 2.5](planning-for-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/deploying-the-mbam-25-server-infrastructure.md b/mdop/mbam-v25/deploying-the-mbam-25-server-infrastructure.md index aa8f2c56a5..d60e1044e5 100644 --- a/mdop/mbam-v25/deploying-the-mbam-25-server-infrastructure.md +++ b/mdop/mbam-v25/deploying-the-mbam-25-server-infrastructure.md @@ -33,32 +33,32 @@ To deploy the Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 Serve

            Install the MBAM 2.5 Server software on each server where you want to configure an MBAM Server feature.

            -

            [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md)

            +

            Installing the MBAM 2.5 Server Software

            Configure the databases, reports, web applications, and the optional System Center Configuration Manager Integration topology.

            You can use the MBAM Server Configuration wizard or Windows PowerShell cmdlets to do the configuration.

            -

            [Configuring the MBAM 2.5 Server Features](configuring-the-mbam-25-server-features.md)

            +

            Configuring the MBAM 2.5 Server Features

            Validate the MBAM Server configuration.

            -

            [Validating the MBAM 2.5 Server Feature Configuration](validating-the-mbam-25-server-feature-configuration.md)

            +

            Validating the MBAM 2.5 Server Feature Configuration

            -  + ## Related topics [Deploying MBAM 2.5](deploying-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/editing-the-mbam-25-group-policy-settings.md b/mdop/mbam-v25/editing-the-mbam-25-group-policy-settings.md index c9dc1731d9..8e285009f6 100644 --- a/mdop/mbam-v25/editing-the-mbam-25-group-policy-settings.md +++ b/mdop/mbam-v25/editing-the-mbam-25-group-policy-settings.md @@ -33,11 +33,11 @@ To successfully deploy Microsoft BitLocker Administration and Monitoring (MBAM),

            Copy the MBAM 2.5 Group Policy Templates.

            -

            [Copying the MBAM 2.5 Group Policy Templates](copying-the-mbam-25-group-policy-templates.md)

            +

            Copying the MBAM 2.5 Group Policy Templates

            Determine which Group Policy Objects (GPOs) you want to use in your MBAM implementation. Based on the needs of your organization, you might have to configure additional Group Policy settings.

            -

            [Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md) – contains descriptions of the GPOs

            +

            Planning for MBAM 2.5 Group Policy Requirements – contains descriptions of the GPOs

            Set the Group Policy settings for your organization.

            @@ -46,12 +46,12 @@ To successfully deploy Microsoft BitLocker Administration and Monitoring (MBAM), -  + **Important**   Do not change the Group Policy settings in the **BitLocker Drive Encryption** node, or MBAM will not work correctly. When you configure the Group Policy settings in the **MDOP MBAM (BitLocker Management)** node, MBAM automatically configures the **BitLocker Drive Encryption** settings for you. -  + **To edit MBAM Client Group Policy settings** @@ -92,7 +92,7 @@ Do not change the Group Policy settings in the **BitLocker Drive Encryption** no -   + ## Related topics @@ -101,11 +101,11 @@ Do not change the Group Policy settings in the **BitLocker Drive Encryption** no [Copying the MBAM 2.5 Group Policy Templates](copying-the-mbam-25-group-policy-templates.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md b/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md index ef05b1cfea..67c54060da 100644 --- a/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md +++ b/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md @@ -26,241 +26,240 @@ To evaluate MBAM by using the Stand-alone topology, use the information in the f **To evaluate MBAM 2.5 by using the Stand-alone topology** -1. Before installing MBAM, do the following: +1. Before installing MBAM, do the following: - - - - - - - - - - - - - - - - - - - - - - - - - -
            TaskWhere to get instructions

            Ensure that you have installed all of the prerequisite software.

            [MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies](mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md)

            Check the required hardware, RAM, and other specifications.

            [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)

            Review the prerequisites for using Windows PowerShell if you plan to use the cmdlets to configure MBAM.

            [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)

            + + + + + + + + + + + + + + + + + + + + + + + + + +
            TaskWhere to get instructions

            Ensure that you have installed all of the prerequisite software.

            MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies

            Check the required hardware, RAM, and other specifications.

            MBAM 2.5 Supported Configurations

            Review the prerequisites for using Windows PowerShell if you plan to use the cmdlets to configure MBAM.

            Configuring MBAM 2.5 Server Features by Using Windows PowerShell

            -   -2. Install the MBAM Server software, and then configure the features you want. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            TaskWhere to get instructions

            Install the MBAM Server software on each server where you want to configure an MBAM Server feature.

            [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md)

            Configure the Compliance and Audit Database and the Recovery Database.

            [How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md)

            Configure the Reports feature.

            [How to Configure the MBAM 2.5 Reports](how-to-configure-the-mbam-25-reports.md)

            Configure the web applications.

            [How to Configure the MBAM 2.5 Web Applications](how-to-configure-the-mbam-25-web-applications.md)

            +2. Install the MBAM Server software, and then configure the features you want. -   + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            TaskWhere to get instructions

            Install the MBAM Server software on each server where you want to configure an MBAM Server feature.

            Installing the MBAM 2.5 Server Software

            Configure the Compliance and Audit Database and the Recovery Database.

            How to Configure the MBAM 2.5 Databases

            Configure the Reports feature.

            How to Configure the MBAM 2.5 Reports

            Configure the web applications.

            How to Configure the MBAM 2.5 Web Applications

            -3. On a client computer, do the following: - 1. Install the MBAM Client on a client computer. - 2. Apply the MBAM Group Policy Objects (GPOs) to the computer. +3. On a client computer, do the following: - 3. Set the following registry keys to force the MBAM Client to wake up faster and at regular intervals: + 1. Install the MBAM Client on a client computer. - ``` syntax - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement - "ClientWakeupFrequency"=dword:00000001 - "StatusReportingFrequency"=dword:00000001 - ``` + 2. Apply the MBAM Group Policy Objects (GPOs) to the computer. - ``` syntax - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] - "NoStartupDelay"=dword:00000001 - ``` + 3. Set the following registry keys to force the MBAM Client to wake up faster and at regular intervals: - **Note**   - Because these keys wake up the MBAM Client every minute, we recommend that you use these registry key settings only in a test environment. + ``` syntax + [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement + "ClientWakeupFrequency"=dword:00000001 + "StatusReportingFrequency"=dword:00000001 + ``` -   + ``` syntax + [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] + "NoStartupDelay"=dword:00000001 + ``` - 4. Restart the **BitLocker Management Client Service**. + **Note** + Because these keys wake up the MBAM Client every minute, we recommend that you use these registry key settings only in a test environment. -## Evaluating MBAM 2.5 by using the System Center 2012 Configuration Manager Integration topology + + + 4. Restart the **BitLocker Management Client Service**. + +## Evaluating MBAM 2.5 by using the System Center 2012 Configuration Manager Integration topology To evaluate MBAM by using the Configuration Manager Integration topology, use the information in the following tables to install the MBAM Server software, and then configure the MBAM Server features in your test environment. 
After installing the MBAM Client on a client computer, you will complete additional steps to force the MBAM Client to report the computer’s status to MBAM more quickly. -**To evaluate MBAM 2.5 by using the System Center 2012 Configuration Manager Integration topology** +**To evaluate MBAM 2.5 by using the System Center 2012 Configuration Manager Integration topology** -1. Before installing MBAM, review the prerequisite software and supported configuration. +1. Before installing MBAM, review the prerequisite software and supported configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            TaskWhere to get instructions

            Ensure that you have installed all of the prerequisite software.

            [MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies](mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md)

            -

            [MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology](mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology.md)

            Check the required hardware, RAM, and other specifications.

            [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)

            Review the prerequisites for using Windows PowerShell if you plan to use the cmdlets to configure MBAM.

            [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)

            Create or edit the .mof files.

            [Edit the Configuration.mof File](edit-the-configurationmof-file-mbam-25.md)

            -

            [Create or Edit the Sms_def.mof File](create-or-edit-the-sms-defmof-file-mbam-25.md)

            - -   - -2. Install the MBAM Server software, and then configure the features you want. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            TaskWhere to get instructions

            Install the MBAM Server software on each server where you want to configure an MBAM Server feature.

            -
            - Note   -

            You can install the databases to a remote SQL Server computer by using Windows PowerShell or an exported data-tier application (DAC) package. For more information about DAC packages, see [Data-tier Applications](https://technet.microsoft.com/library/ee210546.aspx).

            -
            -
            -   -

            [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md)

            Configure the Compliance and Audit Database and the Recovery Database.

            [How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md)

            Configure the Reports feature.

            [How to Configure the MBAM 2.5 Reports](how-to-configure-the-mbam-25-reports.md)

            Configure the web applications.

            [How to Configure the MBAM 2.5 Web Applications](how-to-configure-the-mbam-25-web-applications.md)

            Configure the System Center Configuration Manager to install the Configuration Manager objects.

            [How to Configure the MBAM 2.5 System Center Configuration Manager Integration](how-to-configure-the-mbam-25-system-center-configuration-manager-integration.md)

            - -   - -3. On a client computer, do the following: - - 1. Install the MBAM Client and the Configuration Manager Client on a client computer. - - 2. Apply the MBAM Group Policy Objects to the computer. - - 3. Set the following registry keys to force the MBAM Client to wake up faster and at regular intervals: - - ``` syntax - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement - "ClientWakeupFrequency"=dword:00000001 - "StatusReportingFrequency"=dword:00000001 - ``` - - ``` syntax - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] - "NoStartupDelay"=dword:00000001 - ``` - - **Note**   - Because these keys wake up the MBAM Client every minute, we recommend that you use these registry key settings only in a test environment. - -   - - 4. Restart the **BitLocker Management Client Service**. - - 5. In Control Panel, open **Configuration Manager**, and then click the **Actions** tab. - - 6. Select **Hardware Inventory Cycle**, and then click **Run Now**. This step runs the hardware inventory by using the new classes that you imported to your .mof files, and then sends the data to the Configuration Manager server. - - 7. Select **Machine Policy Retrieval & Evaluation Cycle**, and then click **Run Now** to apply the Group Policy Objects that are relevant to that client computer. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            TaskWhere to get instructions

            Ensure that you have installed all of the prerequisite software.

            MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies

            +

            MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology

            Check the required hardware, RAM, and other specifications.

            MBAM 2.5 Supported Configurations

            Review the prerequisites for using Windows PowerShell if you plan to use the cmdlets to configure MBAM.

            Configuring MBAM 2.5 Server Features by Using Windows PowerShell

            Create or edit the .mof files.

            Edit the Configuration.mof File

            +

            Create or Edit the Sms_def.mof File

            -4. In the Configuration Manager console, do the following: +2. Install the MBAM Server software, and then configure the features you want. - 1. In the navigation pane, right-click **MBAM Supported Computers**, click **Update Membership**, and then click **Yes** to force the client computer to report its membership immediately. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            TaskWhere to get instructions

            Install the MBAM Server software on each server where you want to configure an MBAM Server feature.

            +
            + Note

            You can install the databases to a remote SQL Server computer by using Windows PowerShell or an exported data-tier application (DAC) package. For more information about DAC packages, see Data-tier Applications.

            +
            +
            - 2. In the navigation pane, click **MBAM Supported Computers** to verify that the client computer appears in the collection. +

            Installing the MBAM 2.5 Server Software

            Configure the Compliance and Audit Database and the Recovery Database.

            How to Configure the MBAM 2.5 Databases

            Configure the Reports feature.

            How to Configure the MBAM 2.5 Reports

            Configure the web applications.

            How to Configure the MBAM 2.5 Web Applications

            Configure the System Center Configuration Manager to install the Configuration Manager objects.

            How to Configure the MBAM 2.5 System Center Configuration Manager Integration

            -5. On the client computer, in Control Panel, reopen **Configuration Manager** again, and do the following: - 1. Click the **Actions** tab, and then rerun **Machine Policy Retrieval & Evaluation Cycle**. - 2. Click the **Configurations** tab, select the BitLocker baseline, and then click **Evaluate**. +3. On a client computer, do the following: -6. In the Configuration Manager console, verify that the client computer appears on the Enterprise Compliance Report: as follows: + 1. Install the MBAM Client and the Configuration Manager Client on a client computer. - 1. In the navigation pane, select the **Monitoring** workspace. + 2. Apply the MBAM Group Policy Objects to the computer. - 2. In the console tree, expand **Overview** > **Reporting** > **Reports** > **MBAM**. + 3. Set the following registry keys to force the MBAM Client to wake up faster and at regular intervals: - 3. Select the folder that represents the language in which you want to view reports, and then select the report in the results pane. + ``` syntax + [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement + "ClientWakeupFrequency"=dword:00000001 + "StatusReportingFrequency"=dword:00000001 + ``` + + ``` syntax + [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] + "NoStartupDelay"=dword:00000001 + ``` + + **Note** + Because these keys wake up the MBAM Client every minute, we recommend that you use these registry key settings only in a test environment. + + + + 4. Restart the **BitLocker Management Client Service**. + + 5. In Control Panel, open **Configuration Manager**, and then click the **Actions** tab. + + 6. Select **Hardware Inventory Cycle**, and then click **Run Now**. This step runs the hardware inventory by using the new classes that you imported to your .mof files, and then sends the data to the Configuration Manager server. + + 7. 
Select **Machine Policy Retrieval & Evaluation Cycle**, and then click **Run Now** to apply the Group Policy Objects that are relevant to that client computer. + + + +4. In the Configuration Manager console, do the following: + + 1. In the navigation pane, right-click **MBAM Supported Computers**, click **Update Membership**, and then click **Yes** to force the client computer to report its membership immediately. + + 2. In the navigation pane, click **MBAM Supported Computers** to verify that the client computer appears in the collection. + +5. On the client computer, in Control Panel, reopen **Configuration Manager** again, and do the following: + + 1. Click the **Actions** tab, and then rerun **Machine Policy Retrieval & Evaluation Cycle**. + + 2. Click the **Configurations** tab, select the BitLocker baseline, and then click **Evaluate**. + +6. In the Configuration Manager console, verify that the client computer appears on the Enterprise Compliance Report: as follows: + + 1. In the navigation pane, select the **Monitoring** workspace. + + 2. In the console tree, expand **Overview** > **Reporting** > **Reports** > **MBAM**. + + 3. Select the folder that represents the language in which you want to view reports, and then select the report in the results pane. ## Evaluating MBAM 2.5 by using the System Center Configuration Manager 2007 Integration topology @@ -269,134 +268,133 @@ To evaluate MBAM by using the Configuration Manager Integration topology, follow **To evaluate MBAM by using the Configuration Manager 2007 Integration topology** -1. Before you install MBAM, do the following: +1. Before you install MBAM, do the following: - - - - - - - - - - - - - - - - - - - - - - - - - -
            TaskWhere to get instructions

            Ensure that you have installed all of the prerequisite software.

            [MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies](mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md)

            -

            [MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology](mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology.md)

            Check the required hardware, RAM, and other specifications.

            [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)

            Create or edit the .mof files.

            [Edit the Configuration.mof File](edit-the-configurationmof-file-mbam-25.md)

            -

            [Create or Edit the Sms_def.mof File](create-or-edit-the-sms-defmof-file-mbam-25.md)

            + + + + + + + + + + + + + + + + + + + + + + + + + +
            TaskWhere to get instructions

            Ensure that you have installed all of the prerequisite software.

            MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies

            +

            MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology

            Check the required hardware, RAM, and other specifications.

            MBAM 2.5 Supported Configurations

            Create or edit the .mof files.

            Edit the Configuration.mof File

            +

            Create or Edit the Sms_def.mof File

            -   -2. Install the MBAM Server software, and then configure the features you want. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            TaskWhere to get instructions

            Install the MBAM Server software on each server where you want to configure an MBAM Server feature.

            -
            - Note   -

            You can install the databases to a remote SQL Server computer by using Windows PowerShell or an exported data-tier application (DAC) package. For more information about DAC packages, see [Data-tier Applications](https://technet.microsoft.com/library/ee210546.aspx).

            -
            -
            -   -

            [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md)

            Configure the Compliance and Audit Database and the Recovery Database.

            [How to Configure the MBAM 2.5 Databases](how-to-configure-the-mbam-25-databases.md)

            Configure the Reports feature.

            [How to Configure the MBAM 2.5 Reports](how-to-configure-the-mbam-25-reports.md)

            Configure the web applications.

            [How to Configure the MBAM 2.5 Web Applications](how-to-configure-the-mbam-25-web-applications.md)

            Configure the System Center Configuration Manager to install the Configuration Manager objects.

            [How to Configure the MBAM 2.5 System Center Configuration Manager Integration](how-to-configure-the-mbam-25-system-center-configuration-manager-integration.md)

            +2. Install the MBAM Server software, and then configure the features you want. -   + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            TaskWhere to get instructions

            Install the MBAM Server software on each server where you want to configure an MBAM Server feature.

            +
            + Note

            You can install the databases to a remote SQL Server computer by using Windows PowerShell or an exported data-tier application (DAC) package. For more information about DAC packages, see Data-tier Applications.

            +
            +
            -3. On a client computer, do the following: +

            Installing the MBAM 2.5 Server Software

            Configure the Compliance and Audit Database and the Recovery Database.

            How to Configure the MBAM 2.5 Databases

            Configure the Reports feature.

            How to Configure the MBAM 2.5 Reports

            Configure the web applications.

            How to Configure the MBAM 2.5 Web Applications

            Configure the System Center Configuration Manager to install the Configuration Manager objects.

            How to Configure the MBAM 2.5 System Center Configuration Manager Integration

            - 1. Install the MBAM Client on a client computer. - 2. Apply the MBAM Group Policy Objects to the computer. - 3. Set the following registry keys to force the MBAM Client to wake up more quickly and at faster intervals: +3. On a client computer, do the following: - ``` syntax - [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement - "ClientWakeupFrequency"=dword:00000001 - "StatusReportingFrequency"=dword:00000001 - ``` + 1. Install the MBAM Client on a client computer. - ``` syntax - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] - "NoStartupDelay"=dword:00000001 - ``` + 2. Apply the MBAM Group Policy Objects to the computer. - **Note**   - Because these keys wake up the MBAM Client every minute, we recommend that you use these registry key settings only in an evaluation environment. + 3. Set the following registry keys to force the MBAM Client to wake up more quickly and at faster intervals: -   + ``` syntax + [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement + "ClientWakeupFrequency"=dword:00000001 + "StatusReportingFrequency"=dword:00000001 + ``` - 4. Restart the **BitLocker Management Client Service**. + ``` syntax + [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM] + "NoStartupDelay"=dword:00000001 + ``` - 5. In Control Panel, open **Configuration Manager**, and then click the **Actions** tab. + **Note** + Because these keys wake up the MBAM Client every minute, we recommend that you use these registry key settings only in an evaluation environment. - 6. Select **Machine Policy Retrieval & Evaluation Cycle**, and then click **Run Now** to apply the Group Policy Objects that are relevant to that client computer. - 7. Select **Hardware Inventory Cycle**, and then click **Run Now**. This step runs the hardware inventory by using the new classes that you imported to your .mof files and then sends the data to the Configuration Manager server. -4. In the Configuration Manager console, do the following: + 4. 
Restart the **BitLocker Management Client Service**. - 1. In the navigation pane, right-click **MBAM Supported Computers**, click **Update Membership**, and then click **Yes** to force the client computer to report its membership immediately. + 5. In Control Panel, open **Configuration Manager**, and then click the **Actions** tab. - 2. In the navigation pane, click **MBAM Supported Computers** to verify that the client computer appears in the collection. + 6. Select **Machine Policy Retrieval & Evaluation Cycle**, and then click **Run Now** to apply the Group Policy Objects that are relevant to that client computer. -5. On the client computer, in Control Panel, reopen **Configuration Manager** again, and do the following: + 7. Select **Hardware Inventory Cycle**, and then click **Run Now**. This step runs the hardware inventory by using the new classes that you imported to your .mof files and then sends the data to the Configuration Manager server. - 1. Click the **Actions** tab, and then rerun **Machine Policy Retrieval & Evaluation Cycle**. +4. In the Configuration Manager console, do the following: - 2. Click the **Configurations** tab, select the BitLocker baseline, and click **Evaluate**. + 1. In the navigation pane, right-click **MBAM Supported Computers**, click **Update Membership**, and then click **Yes** to force the client computer to report its membership immediately. -6. In the Configuration Manager console, verify that the client computer appears on the Enterprise Compliance Report, as follows + 2. In the navigation pane, click **MBAM Supported Computers** to verify that the client computer appears in the collection. - 1. In the navigation pane, expand **Computer Management** > **Reporting** > **Reporting Services** > **<server name>MBAM**. +5. On the client computer, in Control Panel, reopen **Configuration Manager** again, and do the following: - 2. 
Within the **MBAM** node, select the folder that represents the language in which you want to view reports, and then select the report from the results pane. + 1. Click the **Actions** tab, and then rerun **Machine Policy Retrieval & Evaluation Cycle**. + + 2. Click the **Configurations** tab, select the BitLocker baseline, and click **Evaluate**. + +6. In the Configuration Manager console, verify that the client computer appears on the Enterprise Compliance Report, as follows + + 1. In the navigation pane, expand **Computer Management** > **Reporting** > **Reporting Services** > **<server name>MBAM**. + + 2. Within the **MBAM** node, select the folder that represents the language in which you want to view reports, and then select the report from the results pane. ## Related topics @@ -404,7 +402,7 @@ To evaluate MBAM by using the Configuration Manager Integration topology, follow [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md b/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md index d14a28b305..9fe1680548 100644 --- a/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md +++ b/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md @@ -32,7 +32,7 @@ For descriptions of the Stand-alone reports, see [Understanding MBAM 2.5 Stand-a **Note**   To run the reports, you must be a member of the **MBAM Report Users** group, which you configure in Active Directory Domain Services. For more information, see [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md). -  + **To open the Administration and Monitoring Website** 
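Review bot: The first registry key path in the re-indented substep 3 is still missing its closing bracket: `[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement` should end with `]`, as the `[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM]` block right below it does. This hunk already rewrites those lines, so it is the place to fix the .reg syntax; otherwise a reader who pastes the block into a .reg file gets an invalid key header and the `ClientWakeupFrequency` and `StatusReportingFrequency` values are never applied. Two smaller points in the same hunk: `+ 1. Install the MBAM Client on a client computer.` now sits under `+3. On a client computer, do the following:`, so the trailing "on a client computer" is redundant; and `+6. In the Configuration Manager console, verify that the client computer appears on the Enterprise Compliance Report, as follows` should end with a colon like the other lead-in steps.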
@@ -49,7 +49,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi **Note**   Configure SQL Server Reporting Services (SSRS) to use Secure Sockets Layer (SSL) before configuring the Administration and Monitoring Website. If, for any reason, SSRS is not configured to use SSL, the URL for the Reports will be set to HTTP instead of to HTTPS when you configure the Administration and Monitoring Website. If you then go to the Administration and Monitoring Website and select a report, the following message displays: “Only Secure Content is Displayed.” To show the report, click **Show All Content**. -   + **To generate an Enterprise Compliance Report** @@ -105,7 +105,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi [Understanding MBAM 2.5 Stand-alone Reports](understanding-mbam-25-stand-alone-reports.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/getting-started-with-mbam-25.md b/mdop/mbam-v25/getting-started-with-mbam-25.md index 8573805e6d..27038fd66a 100644 --- a/mdop/mbam-v25/getting-started-with-mbam-25.md +++ b/mdop/mbam-v25/getting-started-with-mbam-25.md @@ -44,32 +44,32 @@ Before you start planning your MBAM deployment, review the following topics.

            High-level overview of MBAM 2.5 that describes how you can use it in your organization.

            -

            [About MBAM 2.5](about-mbam-25.md)

            +

            About MBAM 2.5

            Release notes, which lists known issues in the product.

            -

            [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md)

            +

            Release Notes for MBAM 2.5

            Information about how you can evaluate MBAM 2.5 in a test environment.

            -

            [Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md)

            +

            Evaluating MBAM 2.5 in a Test Environment

            Description of the MBAM 2.5 features and the recommended architecture of the Stand-alone and Configuration Manager Integration topologies in a production environment.

            -

            [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)

            +

            High-Level Architecture for MBAM 2.5

            Description and illustration of each MBAM Server feature, without the recommended architecture.

            -

            [Illustrated Features of an MBAM 2.5 Deployment](illustrated-features-of-an-mbam-25-deployment.md)

            +

            Illustrated Features of an MBAM 2.5 Deployment

            Describes the keyboard shortcuts that are available for MBAM 2.5.

            -

            [Accessibility for MBAM 2.5](accessibility-for-mbam-25.md)

            +

            Accessibility for MBAM 2.5

            -  + ## How to get MDOP technologies @@ -95,9 +95,9 @@ MBAM 2.5 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is pa - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + -  + diff --git a/mdop/mbam-v25/hiding-the-default-bitlocker-drive-encryption-item-in-control-panel-mbam-25.md b/mdop/mbam-v25/hiding-the-default-bitlocker-drive-encryption-item-in-control-panel-mbam-25.md index c64a5d7e90..5ef9f09421 100644 --- a/mdop/mbam-v25/hiding-the-default-bitlocker-drive-encryption-item-in-control-panel-mbam-25.md +++ b/mdop/mbam-v25/hiding-the-default-bitlocker-drive-encryption-item-in-control-panel-mbam-25.md @@ -22,7 +22,7 @@ This topic describes how to hide the **BitLocker Drive Encryption** Control Pane **Note**   Microsoft BitLocker Administration and Monitoring (MBAM) creates an additional, custom Control Panel item, called **BitLocker Encryption Options**, which enables end users to manage their PIN and password, turn on BitLocker for a drive, and check encryption. -  + See [Understanding the BitLocker Encryption Options and BitLocker Drive Encryption Items in Control Panel](understanding-the-bitlocker-encryption-options-and-bitlocker-drive-encryption-items-in-control-panel.md) to read about: @@ -33,7 +33,7 @@ See [Understanding the BitLocker Encryption Options and BitLocker Drive Encrypti **Important**   Do not change the Group Policy settings in the **BitLocker Drive Encryption** node. If you do, MBAM will not work correctly. When you configure the Group Policy settings in the **MDOP MBAM (BitLocker Management)** node, MBAM automatically configures the **BitLocker Drive Encryption** settings for you. -  + **To hide the default BitLocker Drive Encryption item in Control Panel** 
@@ -52,7 +52,7 @@ Do not change the Group Policy settings in the **BitLocker Drive Encryption** no [Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md index 175d4ccc4c..3f47fccbd0 100644 --- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md +++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md @@ -23,7 +23,7 @@ For a list of the supported versions of the software mentioned in this topic, se **Important**   Windows To Go is not supported for the Configuration Manager Integration topology installation when you are using Configuration Manager 2007. -  + ## Recommended number of servers and supported number of clients @@ -54,7 +54,7 @@ The recommended number of servers and supported number of clients in a productio -  + ## Differences between Configuration Manager Integration and stand-alone topologies @@ -130,7 +130,7 @@ The **monitoring web services** are used by the MBAM Client and the websites to **Important**
            The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM websites communicate directly with the Recovery Database. -  + ### Management workstation @@ -142,7 +142,7 @@ The **monitoring web services** are used by the MBAM Client and the websites to **NOTE**
            The workstation does not have to be a dedicated computer. -   + ### MBAM Client and Configuration Manager Client computer @@ -160,7 +160,7 @@ The **MBAM Client**: The **Configuration Manager Client** enables Configuration Manager to collect hardware compatibility data about the client computers and report compliance information. -  + ## Differences in MBAM deployment for supported Configuration Manager versions @@ -193,7 +193,7 @@ When you deploy MBAM with the Configuration Manager Integration topology, you ca -  + ## How MBAM works with Configuration Manager @@ -273,7 +273,7 @@ The integration of MBAM with Configuration Manager is based on a configuration p -  + ## Related topics @@ -285,9 +285,9 @@ The integration of MBAM with Configuration Manager is based on a configuration p [Illustrated Features of an MBAM 2.5 Deployment](illustrated-features-of-an-mbam-25-deployment.md) -  + -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md index f60664557b..48a70ddaaa 100644 --- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md +++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md @@ -24,7 +24,7 @@ For a list of the supported versions of the software mentioned in this topic, se **Note**   We recommend you use a single-server architecture in test environments only. -  + ## Recommended number of servers and supported number of clients @@ -55,7 +55,7 @@ The recommended number of servers and supported number of clients in a productio -  + ## Recommended MBAM high-level architecture with the Stand-alone topology 
@@ -114,7 +114,7 @@ The **monitoring web services** are used by the MBAM Client and the websites to **Important**   The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM websites communicate directly with the Recovery Database. -  + Management workstation @@ -149,7 +149,7 @@ The MBAM Client: [Illustrated Features of an MBAM 2.5 Deployment](illustrated-features-of-an-mbam-25-deployment.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/how-to-configure-the-mbam-25-databases.md b/mdop/mbam-v25/how-to-configure-the-mbam-25-databases.md index a6201dae45..1c818b89dc 100644 --- a/mdop/mbam-v25/how-to-configure-the-mbam-25-databases.md +++ b/mdop/mbam-v25/how-to-configure-the-mbam-25-databases.md @@ -41,38 +41,37 @@ The instructions are based on the recommended architecture in [High-Level Archit

            Review the recommended architecture for MBAM.

            -

            [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)

            +

            High-Level Architecture for MBAM 2.5

            Review the supported configurations for MBAM.

            -

            [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)

            +

            MBAM 2.5 Supported Configurations

            Complete the required prerequisites on each server.

            Install the MBAM Server software on each server where you plan to configure an MBAM Server feature.

            -Note   -

            You can install the databases to a remote SQL Server computer by using Windows PowerShell or an exported data-tier application (DAC) package. For more information about DAC packages, see [Data-tier Applications](https://technet.microsoft.com/library/ee210546.aspx).

            +Note

            You can install the databases to a remote SQL Server computer by using Windows PowerShell or an exported data-tier application (DAC) package. For more information about DAC packages, see Data-tier Applications.

            -  +
            -

            [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md)

            +

            Installing the MBAM 2.5 Server Software

            Review the prerequisites for using Windows PowerShell if you plan to use Windows PowerShell cmdlets to configure MBAM Server features.

            -

            [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)

            +

            Configuring MBAM 2.5 Server Features by Using Windows PowerShell

            -  + **To configure the databases by using Windows PowerShell** @@ -82,138 +81,134 @@ The instructions are based on the recommended architecture in [High-Level Archit **To configure the Compliance and Audit Database by using the wizard** -1. On the server where you want to configure the databases, start the **MBAM Server Configuration** wizard. You can select **MBAM Server Configuration** from the **Start** menu to open the wizard. +1. On the server where you want to configure the databases, start the **MBAM Server Configuration** wizard. You can select **MBAM Server Configuration** from the **Start** menu to open the wizard. -2. Click **Add New Features**, select **Compliance and Audit Database** and **Recovery Database**, and then click **Next**. The wizard checks that all prerequisites for the databases have been met. +2. Click **Add New Features**, select **Compliance and Audit Database** and **Recovery Database**, and then click **Next**. The wizard checks that all prerequisites for the databases have been met. -3. If the prerequisite check is successful, click **Next** to continue. Otherwise, resolve any missing prerequisites, and then click **Check prerequisites again**. +3. If the prerequisite check is successful, click **Next** to continue. Otherwise, resolve any missing prerequisites, and then click **Check prerequisites again**. -4. Using the following descriptions, enter the field values in the wizard: +4. Using the following descriptions, enter the field values in the wizard: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            FieldDescription

            SQL Server name

            Name of the server where you are configuring the Compliance and Audit Database.

            -
            - Note   -

            You must add an exception on the Compliance and Audit Database computer to enable inbound traffic on the Microsoft SQL Server port. The default port number is 1433.

            -
            -
            -   -

            SQL Server database instance

            Name of the database instance where the compliance and audit data will be stored. You must also specify where the database information will be located.

            Database name

            Name of the database that will store the compliance data.

            -
            - Note   -

            If you are upgrading from a previous version of MBAM, you must use the same database name as the name that was used in your previous deployment.

            -
            -
            -   -

            Read/write access domain user or group

            Domain user or group that has read/write permission to this database to enable the web applications to access the data and reports in this database.

            -

            If you enter a user in this field, it must be the same value as the value in the Web service application pool domain account field on the Configure Web Applications page.

            -

            If you enter a group in this field, the value in the Web service application pool domain account field on the Configure Web Applications page must be a member of the group you enter in this field.

            Read-only access domain user or group

            Name of the user or group that will have read-only permission to this database to enable the reports to access the compliance data in this database.

            -

            If you enter a user in this field, it must be the same user as the one you specify in the Compliance and Audit Database domain account field on the Configure Reports page.

            -

            If you enter a group in this field, the value that you specify in the Compliance and Audit Database domain account field on the Configure Reports page must be a member of the group that you specify in this field.

            + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            FieldDescription

            SQL Server name

            Name of the server where you are configuring the Compliance and Audit Database.

            +
            + Note

            You must add an exception on the Compliance and Audit Database computer to enable inbound traffic on the Microsoft SQL Server port. The default port number is 1433.

            +
            +
            -   +

            SQL Server database instance

            Name of the database instance where the compliance and audit data will be stored. You must also specify where the database information will be located.

            Database name

            Name of the database that will store the compliance data.

            +
            + Note

            If you are upgrading from a previous version of MBAM, you must use the same database name as the name that was used in your previous deployment.

            +
            +
            -5. Continue to the next section to configure the Recovery Database. +

            Read/write access domain user or group

            Domain user or group that has read/write permission to this database to enable the web applications to access the data and reports in this database.

            +

            If you enter a user in this field, it must be the same value as the value in the Web service application pool domain account field on the Configure Web Applications page.

            +

            If you enter a group in this field, the value in the Web service application pool domain account field on the Configure Web Applications page must be a member of the group you enter in this field.

            Read-only access domain user or group

            Name of the user or group that will have read-only permission to this database to enable the reports to access the compliance data in this database.

            +

            If you enter a user in this field, it must be the same user as the one you specify in the Compliance and Audit Database domain account field on the Configure Reports page.

            +

            If you enter a group in this field, the value that you specify in the Compliance and Audit Database domain account field on the Configure Reports page must be a member of the group that you specify in this field.

            + + + +5. Continue to the next section to configure the Recovery Database. **To configure the Recovery Database by using the wizard** -1. Using the following descriptions, enter the field values in the wizard: +1. Using the following descriptions, enter the field values in the wizard: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            FieldDescription

            SQL Server name

            Name of the server where you are configuring the Recovery Database.

            -
            - Note   -

            You must add an exception on the Recovery Database computer to enable inbound traffic on the Microsoft SQL Server port. The default port number is 1433.

            -
            -
            -   -

            SQL Server database instance

            Name of the database instance where the recovery data will be stored. You must also specify where the database information will be located.

            Database name

            Name of the database that will store the recovery data.

            -
            - Note   -

            If you are upgrading from a previous version of MBAM, you must use the same database name as the name that was used in your previous deployment.

            -
            -
            -   -

            Read/write access domain user or group

            Domain user or group that has read/write permission to this database to enable the web applications to access the data and reports in this database.

            -

            If you enter a user in this field, it must be the same value as the value in the Web service application pool domain account field on the Configure Web Applications page.

            -

            If you enter a group in this field, the value in the Web service application pool domain account field on the Configure Web Applications page must be a member of the group you enter in this field.

            + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            FieldDescription

            SQL Server name

            Name of the server where you are configuring the Recovery Database.

            +
            + Note

            You must add an exception on the Recovery Database computer to enable inbound traffic on the Microsoft SQL Server port. The default port number is 1433.

            +
            +
            -   +

            SQL Server database instance

            Name of the database instance where the recovery data will be stored. You must also specify where the database information will be located.

            Database name

            Name of the database that will store the recovery data.

            +
            + Note

            If you are upgrading from a previous version of MBAM, you must use the same database name as the name that was used in your previous deployment.

            +
            +
            -2. When you finish your entries, click **Next**. +

            Read/write access domain user or group

            Domain user or group that has read/write permission to this database to enable the web applications to access the data and reports in this database.

            +

            If you enter a user in this field, it must be the same value as the value in the Web service application pool domain account field on the Configure Web Applications page.

            +

            If you enter a group in this field, the value in the Web service application pool domain account field on the Configure Web Applications page must be a member of the group you enter in this field.

            - The wizard checks that all prerequisites for the databases have been met. -3. If the prerequisite check is successful, click **Next** to continue. Otherwise, resolve any missing prerequisites, and then click **Next** again. -4. On the **Summary** page, review the features that will be added. +2. When you finish your entries, click **Next**. - **Note**   - To create a Windows PowerShell script of the entries that you just made, click **Export PowerShell Script**, and then save the script. + The wizard checks that all prerequisites for the databases have been met. -   +3. If the prerequisite check is successful, click **Next** to continue. Otherwise, resolve any missing prerequisites, and then click **Next** again. -5. Click **Add** to add the MBAM databases on the server, and then click **Close**. +4. On the **Summary** page, review the features that will be added. + + **Note** + To create a Windows PowerShell script of the entries that you just made, click **Export PowerShell Script**, and then save the script. + + + +5. Click **Add** to add the MBAM databases on the server, and then click **Close**. @@ -230,11 +225,11 @@ The instructions are based on the recommended architecture in [High-Level Archit [Validating the MBAM 2.5 Server Feature Configuration](validating-the-mbam-25-server-feature-configuration.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).  +- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/how-to-configure-the-mbam-25-reports.md b/mdop/mbam-v25/how-to-configure-the-mbam-25-reports.md index fb5bff9f6b..b76b25843c 100644 --- a/mdop/mbam-v25/how-to-configure-the-mbam-25-reports.md 
+++ b/mdop/mbam-v25/how-to-configure-the-mbam-25-reports.md @@ -41,31 +41,31 @@ The instructions are based on the recommended architecture in [High-Level Archit

            Review the recommended architecture for MBAM.

            -

            [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)

            +

            High-Level Architecture for MBAM 2.5

            Review the supported configurations for MBAM.

            -

            [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)

            +

            MBAM 2.5 Supported Configurations

            Complete the required prerequisites on each server.

            Install the MBAM Server software on each server where you plan to configure an MBAM Server feature.

            -

            [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md)

            +

            Installing the MBAM 2.5 Server Software

            Review the prerequisites for using Windows PowerShell if you plan to use Windows PowerShell cmdlets to configure MBAM Server features.

            -

            [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)

            +

            Configuring MBAM 2.5 Server Features by Using Windows PowerShell

            -  + **To configure the Reports by using Windows PowerShell** @@ -75,86 +75,84 @@ The instructions are based on the recommended architecture in [High-Level Archit **To configure the Reports by using the wizard** -1. On the server where you want to configure the Reports, start the **MBAM Server Configuration** wizard. You can select **MBAM Server Configuration** from the **Start** menu to open the wizard. +1. On the server where you want to configure the Reports, start the **MBAM Server Configuration** wizard. You can select **MBAM Server Configuration** from the **Start** menu to open the wizard. -2. Click **Add New Features**, select **Reports**, and then click **Next**. The wizard checks that all prerequisites for the Reports have been met. +2. Click **Add New Features**, select **Reports**, and then click **Next**. The wizard checks that all prerequisites for the Reports have been met. -3. Click **Next** to continue. +3. Click **Next** to continue. -4. Using the following descriptions, enter the field values in the wizard: +4. Using the following descriptions, enter the field values in the wizard: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            FieldDescription

            SQL Server Reporting Services instance

            Instance of SQL Server Reporting Services where the Reports will be configured.

            Reporting role domain group

            Name of the domain Users group whose members have rights to access the reports on the Administration and Monitoring Server.

            SQL Server name

            Name of the server where the Compliance and Audit Database is configured.

            SQL Server database instance

            Name of the instance of SQL Server (for example, MSSQLSERVER) where the Compliance and Audit Database is configured.

            -
            - Note   -

            You must add an exception on the Reports computer to enable inbound traffic on the port of the Reporting Server (the default port is 80).

            -
            -
            -   -

            Database name

            Name of the Compliance and Audit Database. By default, the database name is MBAM Compliance Status, although you can change the name when you configure the Compliance and Audit Database.

            -
            - Note   -

            If you are upgrading from a previous version of MBAM, you must use the same database name as the name used in your previous deployment.

            -
            -
            -   -

            Compliance and Audit Database domain account

            Domain user account and password to access the Compliance and Audit Database.

            -

            If the value you enter in the Read-only access domain user or group field on the Configure Databases page is a user, you must enter that same value in this field.

            -

            If the value that you enter in the Read-only access domain user or group field on the Configure Databases page is a group, the value that you enter in this field must be a member of that group.

            -

            Configure the password for this account to never expire. The user account should be able to access all data that is available to the MBAM Reports Users group.

            + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            FieldDescription

            SQL Server Reporting Services instance

            Instance of SQL Server Reporting Services where the Reports will be configured.

            Reporting role domain group

            Name of the domain Users group whose members have rights to access the reports on the Administration and Monitoring Server.

            SQL Server name

            Name of the server where the Compliance and Audit Database is configured.

            SQL Server database instance

            Name of the instance of SQL Server (for example, MSSQLSERVER) where the Compliance and Audit Database is configured.

            +
            + Note

            You must add an exception on the Reports computer to enable inbound traffic on the port of the Reporting Server (the default port is 80).

            +
            +
            -   +

            Database name

            Name of the Compliance and Audit Database. By default, the database name is MBAM Compliance Status, although you can change the name when you configure the Compliance and Audit Database.

            +
            + Note

            If you are upgrading from a previous version of MBAM, you must use the same database name as the name used in your previous deployment.

            +
            +
            -5. When you finish your entries, click **Next**. +

            Compliance and Audit Database domain account

            Domain user account and password to access the Compliance and Audit Database.

            +

            If the value you enter in the Read-only access domain user or group field on the Configure Databases page is a user, you must enter that same value in this field.

            +

            If the value that you enter in the Read-only access domain user or group field on the Configure Databases page is a group, the value that you enter in this field must be a member of that group.

            +

            Configure the password for this account to never expire. The user account should be able to access all data that is available to the MBAM Reports Users group.

            - The wizard checks that all prerequisites for the Reports feature have been met. -6. Click **Next** to continue. -7. On the **Summary** page, review the features that will be added. +5. When you finish your entries, click **Next**. - **Note**   - To create a Windows PowerShell script of the entries that you just made, click **Export PowerShell Script**, and then save the script. + The wizard checks that all prerequisites for the Reports feature have been met. -   +6. Click **Next** to continue. -8. Click **Add** to add the Reports on the server, and then click **Close**. +7. On the **Summary** page, review the features that will be added. + + **Note** + To create a Windows PowerShell script of the entries that you just made, click **Export PowerShell Script**, and then save the script. + + + +8. Click **Add** to add the Reports on the server, and then click **Close**. @@ -169,11 +167,11 @@ The instructions are based on the recommended architecture in [High-Level Archit [Validating the MBAM 2.5 Server Feature Configuration](validating-the-mbam-25-server-feature-configuration.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/how-to-configure-the-mbam-25-system-center-configuration-manager-integration.md b/mdop/mbam-v25/how-to-configure-the-mbam-25-system-center-configuration-manager-integration.md index b6785d8f0d..38766dc323 100644 --- a/mdop/mbam-v25/how-to-configure-the-mbam-25-system-center-configuration-manager-integration.md +++ b/mdop/mbam-v25/how-to-configure-the-mbam-25-system-center-configuration-manager-integration.md @@ -43,38 +43,37 @@ The instructions are based on the recommended architecture in [High-Level Archit
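Review bot: Stripping the trailing whitespace after `**Note**` in the Reports wizard steps (the lines `+ **Note**` / `+ To create a Windows PowerShell script of the entries that you just made, click **Export PowerShell Script**, and then save the script.`) removes the only hard line break between the label and the sentence, so in Markdown the two now render as a single paragraph reading "Note To create a Windows PowerShell script ...". Keep a blank line after `**Note**` (or two trailing spaces) so the label stays on its own line; the same pattern recurs in the later hunks of this patch (Configuration Manager Integration step 5, web applications step 5 and the CDN note), so the fix should be applied consistently rather than per file.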

            Review the recommended architecture for MBAM.

            -

            [High-Level Architecture of MBAM 2.5 with Configuration Manager Integration Topology](high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md)

            +

            High-Level Architecture of MBAM 2.5 with Configuration Manager Integration Topology

            Review the supported configurations for MBAM.

            -

            [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)

            +

            MBAM 2.5 Supported Configurations

            Complete the required prerequisites on each server.

            Install the MBAM Server software on each server where you will configure an MBAM Server feature.

            -Note   -

            For this topology, you must install the Configuration Manager console on the computer where you are installing the MBAM Server software.

            +Note

            For this topology, you must install the Configuration Manager console on the computer where you are installing the MBAM Server software.

            -  +
            -

            [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md)

            +

            Installing the MBAM 2.5 Server Software

            Review Windows PowerShell prerequisites (applicable only if you are going to use Windows PowerShell cmdlets to configure MBAM).

            -

            [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)

            +

            Configuring MBAM 2.5 Server Features by Using Windows PowerShell

            -  + **To configure Configuration Manager Integration by using Windows PowerShell** @@ -119,14 +118,14 @@ The instructions are based on the recommended architecture in [High-Level Archit -   + 5. On the **Summary** page, review the features that will be added. - **Note**   + **Note** To create a Windows PowerShell script of the entries you just made, click **Export PowerShell Script** and save the script. -   + 6. Click **Add** to add the Configuration Manager Integration feature to the server, and then click **Close**. @@ -139,11 +138,11 @@ The instructions are based on the recommended architecture in [High-Level Archit [Validating the MBAM 2.5 Server Feature Configuration](validating-the-mbam-25-server-feature-configuration.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/how-to-configure-the-mbam-25-web-applications.md b/mdop/mbam-v25/how-to-configure-the-mbam-25-web-applications.md index b9681dcec1..dba8888b3b 100644 --- a/mdop/mbam-v25/how-to-configure-the-mbam-25-web-applications.md +++ b/mdop/mbam-v25/how-to-configure-the-mbam-25-web-applications.md @@ -48,7 +48,7 @@ The web applications comprise the following websites and their corresponding web -  + **Before you start the configuration:** @@ -66,49 +66,47 @@ The web applications comprise the following websites and their corresponding web

            Review the recommended architecture for MBAM.

            -

            [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)

            +

            High-Level Architecture for MBAM 2.5

            Review the supported configurations for MBAM.

            -

            [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)

            +

            MBAM 2.5 Supported Configurations

            Complete the required prerequisites on each server.

            -Note   -

            Ensure that you configure SQL ServerReporting Services (SSRS) to use the Secure Sockets Layer (SSL) before you configure the Administration and Monitoring Website. Otherwise, the Reports feature will use HTTP instead of HTTPS.

            +Note

            Ensure that you configure SQL ServerReporting Services (SSRS) to use the Secure Sockets Layer (SSL) before you configure the Administration and Monitoring Website. Otherwise, the Reports feature will use HTTP instead of HTTPS.

            -  +

            Register service principal names (SPNs) for the application pool account for the websites. You need to do this step only if you do not have administrative domain rights in Active Directory Domain Services (AD DS). If you do have these rights in AD DS, MBAM will create the SPNs for you.

            -

            [Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md#bkmk-regvirtualspn)

            +

            Planning How to Secure the MBAM Websites

            Install the MBAM Server software on each server where you will configure an MBAM Server feature.

            -Note   -

            If you plan to install the websites on one server and the web services on another, you will be able to configure them only by using the Enable-MbamWebApplication Windows PowerShell cmdlet. The MBAM Server Configuration wizard does not support configuring these items on separate servers.

            +Note

            If you plan to install the websites on one server and the web services on another, you will be able to configure them only by using the Enable-MbamWebApplication Windows PowerShell cmdlet. The MBAM Server Configuration wizard does not support configuring these items on separate servers.

            -  +
            -

            [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md)

            +

            Installing the MBAM 2.5 Server Software

            Review the prerequisites for using Windows PowerShell if you plan to use cmdlets to configure MBAM Server features.

            -

            [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)

            +

            Configuring MBAM 2.5 Server Features by Using Windows PowerShell

            -  + **To configure the web applications by using Windows PowerShell** @@ -118,71 +116,69 @@ The web applications comprise the following websites and their corresponding web **To configure the settings for all web applications using the wizard** -1. On the server where you want to configure the web applications, start the MBAM Server Configuration wizard. You can select **MBAM Server Configuration** from the **Start** menu to open the wizard. +1. On the server where you want to configure the web applications, start the MBAM Server Configuration wizard. You can select **MBAM Server Configuration** from the **Start** menu to open the wizard. -2. Click **Add New Features**, select **Administration and Monitoring Website** and **Self-Service Portal**, and then click **Next**. The wizard checks that all prerequisites for the web applications have been met. +2. Click **Add New Features**, select **Administration and Monitoring Website** and **Self-Service Portal**, and then click **Next**. The wizard checks that all prerequisites for the web applications have been met. -3. If the prerequisite check is successful, click **Next** to continue. Otherwise, resolve any missing prerequisites, and then click **Check prerequisites again**. +3. If the prerequisite check is successful, click **Next** to continue. Otherwise, resolve any missing prerequisites, and then click **Check prerequisites again**. -4. Use the following descriptions to enter the field values in the wizard. +4. Use the following descriptions to enter the field values in the wizard. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            FieldDescription

            Security certificate

            Select a previously created certificate to optionally encrypt the communication between the web services and the server on which you are configuring the websites. If you choose Do not use a certificate, your web communication may not be secure.

            Host name

            Name of the host computer where you are configuring the websites.

            Installation path

            Path where you are installing the websites.

            Port

            Port number to use for website and service communication.

            -
            - Note   -

            You must set a firewall exception to enable communication through the specified port.

            -
            -
            -   -

            Web service application pool domain account and password

            Domain user account and password for the web service application pool.

            -

            If you enter a user name in the Read/write access domain user or group field on the Configure Databases page, you must enter that same value in this field.

            -

            If you enter a group name in the Read/write access domain user or group field on the Configure Databases page, the value you enter in this field must be a member of that group.

            -

            If you do not specify credentials, the credentials that were specified for any previously enabled web application will be used. All web applications must use the same application pool credentials. If you specify different credentials for different web applications, the most recently specified value will be used.

            -
            - Important   -

            For improved security, set the account that is specified in the credentials to have limited user rights. Also, set the password of the account to never expire.

            -
            -
            -   -
            + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            FieldDescription

            Security certificate

            Select a previously created certificate to optionally encrypt the communication between the web services and the server on which you are configuring the websites. If you choose Do not use a certificate, your web communication may not be secure.

            Host name

            Name of the host computer where you are configuring the websites.

            Installation path

            Path where you are installing the websites.

            Port

            Port number to use for website and service communication.

            +
            + Note

            You must set a firewall exception to enable communication through the specified port.

            +
            +
            -   +

            Web service application pool domain account and password

            Domain user account and password for the web service application pool.

            +

            If you enter a user name in the Read/write access domain user or group field on the Configure Databases page, you must enter that same value in this field.

            +

            If you enter a group name in the Read/write access domain user or group field on the Configure Databases page, the value you enter in this field must be a member of that group.

            +

            If you do not specify credentials, the credentials that were specified for any previously enabled web application will be used. All web applications must use the same application pool credentials. If you specify different credentials for different web applications, the most recently specified value will be used.

            +
            + Important

            For improved security, set the account that is specified in the credentials to have limited user rights. Also, set the password of the account to never expire.

            +
            +
            -5. Verify that the built-in IIS\_IUSRS account or the application pool account has been added to the **Impersonate a client after authentication** and the **Log on as a batch job** local security settings. +
            - To check whether it has been added to the local security settings, open the **Local Security Policy editor**, expand the **Local Policies** node, click the **User Rights Assignment** node, and double-click **Impersonate a client after authentication** and **Log on as a batch job** policies in the right pane. + + +5. Verify that the built-in IIS\_IUSRS account or the application pool account has been added to the **Impersonate a client after authentication** and the **Log on as a batch job** local security settings. + + To check whether it has been added to the local security settings, open the **Local Security Policy editor**, expand the **Local Policies** node, click the **User Rights Assignment** node, and double-click **Impersonate a client after authentication** and **Log on as a batch job** policies in the right pane. **To configure connection information for the databases by using the wizard** @@ -215,7 +211,7 @@ The web applications comprise the following websites and their corresponding web -   + 2. Use the following field descriptions to configure the connection information in the wizard for the Recovery Database. @@ -246,157 +242,157 @@ The web applications comprise the following websites and their corresponding web -   + **To configure the web applications by using the wizard** -1. Use the following descriptions to enter the field values in the wizard to configure the Administration and Monitoring Website. +1. Use the following descriptions to enter the field values in the wizard to configure the Administration and Monitoring Website. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            FieldDescription

            Advanced Helpdesk role domain group

            Domain user group whose members have access to all areas of the Administration and Monitoring Website except the Reports area.

            Helpdesk role domain group

            Domain user group whose members have access to the Manage TPM and Drive Recovery areas of the Administration and Monitoring Website.

            Use System Center Configuration Manager Integration

            Select this check box if you are configuring MBAM with the Configuration Manager Integration topology. Selecting this check box makes all reports, except the Recovery Audit report, appear in Configuration Manager instead of in the Administration and Monitoring Website.

            Reporting role domain group

            Domain user group whose members have read-only access to the Reports area of the Administration and Monitoring Website.

            SQL Server Reporting Services URL

            URL for the SSRS server where the MBAM Reports are configured.

            -

            Examples of report URLs:

            - - - - - - - - - - - - - - - - - - - - - -
            Type of host nameExample

            Example with a fully qualified domain name

            https://MyReportServer.Contoso.com/ReportServer

            Example with a custom host name

            https://MyReportServer/ReportServer

            -

             

            Virtual directory

            Virtual directory of the Administration and Monitoring Website. This name corresponds to the website’s physical directory on the server and is appended to the website’s host name, for example:

            -

            http(s)://<hostname>:<port>/HelpDesk/

            -

            If you do not specify a virtual directory, the value HelpDesk will be used.

            Data Migration role domain group (optional)

            Domain user group whose members have access to use the Write-Mbam*Information Cmdlets to write recovery information via this endpoint.

            + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            FieldDescription

            Advanced Helpdesk role domain group

            Domain user group whose members have access to all areas of the Administration and Monitoring Website except the Reports area.

            Helpdesk role domain group

            Domain user group whose members have access to the Manage TPM and Drive Recovery areas of the Administration and Monitoring Website.

            Use System Center Configuration Manager Integration

            Select this check box if you are configuring MBAM with the Configuration Manager Integration topology. Selecting this check box makes all reports, except the Recovery Audit report, appear in Configuration Manager instead of in the Administration and Monitoring Website.

            Reporting role domain group

            Domain user group whose members have read-only access to the Reports area of the Administration and Monitoring Website.

            SQL Server Reporting Services URL

            URL for the SSRS server where the MBAM Reports are configured.

            +

            Examples of report URLs:

            + + + + + + + + + + + + + + + + + + + + + +
            Type of host nameExample

            Example with a fully qualified domain name

            https://MyReportServer.Contoso.com/ReportServer

            Example with a custom host name

            https://MyReportServer/ReportServer

            +

            Virtual directory

            Virtual directory of the Administration and Monitoring Website. This name corresponds to the website’s physical directory on the server and is appended to the website’s host name, for example:

            +

            http(s)://<hostname>:<port>/HelpDesk/

            +

            If you do not specify a virtual directory, the value HelpDesk will be used.

            Data Migration role domain group (optional)

            Domain user group whose members have access to use the Write-Mbam*Information Cmdlets to write recovery information via this endpoint.

            -   -2. Use the following description to enter the field values in the wizard to configure the Self-Service Portal. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            FieldDescription

            Virtual directory

            Virtual directory of the web application. This name corresponds to the website’s physical directory on the server, and is appended to the website’s host name, for example:

            -

            http(s)://<hostname>:<port>/SelfService/

            -

            If you do not specify a virtual directory, the value SelfService will be used.

            Company name

            Specify a company name for the Self-Service Portal, for example:

            -

            Contoso IT

            -

            This company name is viewed by all Self-Service Portal users.

            Helpdesk URL text

            Specify a text statement that directs users to your organization's Helpdesk website, for example:

            -

            Contact Helpdesk or IT department

            Helpdesk URL

            Specify the URL for your organization's Helpdesk website, for example:

            -

            http(s)://<companyHelpdeskURL>/

            Notice text file

            Select a file that contains the notice you want displayed to users on the Self-Service Portal landing page.

            Do not display notice text to users

            Select this check box to specify that the notice text is not displayed to users.

            +2. Use the following description to enter the field values in the wizard to configure the Self-Service Portal. -   + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            FieldDescription

            Virtual directory

            Virtual directory of the web application. This name corresponds to the website’s physical directory on the server, and is appended to the website’s host name, for example:

            +

            http(s)://<hostname>:<port>/SelfService/

            +

            If you do not specify a virtual directory, the value SelfService will be used.

            Company name

            Specify a company name for the Self-Service Portal, for example:

            +

            Contoso IT

            +

            This company name is viewed by all Self-Service Portal users.

            Helpdesk URL text

            Specify a text statement that directs users to your organization's Helpdesk website, for example:

            +

            Contact Helpdesk or IT department

            Helpdesk URL

            Specify the URL for your organization's Helpdesk website, for example:

            +

            http(s)://<companyHelpdeskURL>/

            Notice text file

            Select a file that contains the notice you want displayed to users on the Self-Service Portal landing page.

            Do not display notice text to users

            Select this check box to specify that the notice text is not displayed to users.

            -3. When you finish your entries, click **Next**. - The wizard checks that all prerequisites for the web applications have been met. -4. Click **Next** to continue. +3. When you finish your entries, click **Next**. -5. On the **Summary** page, review the features that will be added. + The wizard checks that all prerequisites for the web applications have been met. - **Note**   - To create a Windows PowerShell script for the entries you made, click **Export PowerShell Script** and save the script. +4. Click **Next** to continue. -   +5. On the **Summary** page, review the features that will be added. -6. Click **Add** to add the web applications to the server, and then click **Close**. + **Note** + To create a Windows PowerShell script for the entries you made, click **Export PowerShell Script** and save the script. - To customize the Self-Service Portal by adding custom notice text, your company name, pointers to more information, and so on, see [Customizing the Self-Service Portal for Your Organization](customizing-the-self-service-portal-for-your-organization.md). + + +6. Click **Add** to add the web applications to the server, and then click **Close**. + + To customize the Self-Service Portal by adding custom notice text, your company name, pointers to more information, and so on, see [Customizing the Self-Service Portal for Your Organization](customizing-the-self-service-portal-for-your-organization.md). **To configure the Self-Service Portal if client computers cannot access the CDN** 1. Determine whether you are running Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1. If so, do nothing. Your Self-Service Portal configuration is complete. - **Note**   + **Note** Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 installs the JavaScript files in setup, and so does not need to be connected to the Microsoft Ajax Content Delivery Network in order to configure the Self-Service Portal. 
The following steps are necessary only if you are using a version of Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 previous to SP1. -   + 2. Determine if your client computers have access to the Microsoft Ajax Content Delivery Network (CDN). @@ -422,11 +418,11 @@ The web applications comprise the following websites and their corresponding web [Validating the MBAM 2.5 Server Feature Configuration](validating-the-mbam-25-server-feature-configuration.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).  +- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/how-to-configure-the-self-service-portal-when-client-computers-cannot-access-the-microsoft-content-delivery-network.md b/mdop/mbam-v25/how-to-configure-the-self-service-portal-when-client-computers-cannot-access-the-microsoft-content-delivery-network.md index e12f8ba900..c187bc1e3c 100644 --- a/mdop/mbam-v25/how-to-configure-the-self-service-portal-when-client-computers-cannot-access-the-microsoft-content-delivery-network.md +++ b/mdop/mbam-v25/how-to-configure-the-self-service-portal-when-client-computers-cannot-access-the-microsoft-content-delivery-network.md 
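Review bot: The moved Note line in the web applications prerequisites hunk (`@@ -66,49 +66,47 @@`) carries the typo `SQL ServerReporting Services (SSRS)` onto the + side unchanged; since the line is being rewritten anyway, correct it to `SQL Server Reporting Services (SSRS)`. The rest of that note should stay exactly as worded: it is the one place that tells the reader SSRS must be configured for SSL before the Administration and Monitoring Website is set up, and that otherwise the Reports feature will use HTTP instead of HTTPS.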
@@ -26,38 +26,38 @@ Your client computers need access to the CDN, which gives the Self-Service Porta **Note**   In MBAM 2.5 SP1, the JavaScript files are included in the product, and you do not need to follow the instructions in this section to configure the SSP to support clients that cannot access the internet. -  + **How to configure the Self-Service Portal when client computers cannot access the CDN** -1. Download the following JavaScript files from the CDN: +1. Download the following JavaScript files from the CDN: - - [jQuery-1.10.2.min.js](https://go.microsoft.com/fwlink/?LinkID=390515) + - [jQuery-1.10.2.min.js](https://go.microsoft.com/fwlink/?LinkID=390515) - - [jQuery.validate.min.js](https://go.microsoft.com/fwlink/?LinkID=390516) + - [jQuery.validate.min.js](https://go.microsoft.com/fwlink/?LinkID=390516) - - [jQuery.validate.unobtrusive.min.js](https://go.microsoft.com/fwlink/?LinkID=390517) + - [jQuery.validate.unobtrusive.min.js](https://go.microsoft.com/fwlink/?LinkID=390517) -2. Copy the JavaScript files to the **Scripts** directory of the Self-Service Portal. This directory is located in *<MBAM Self-Service Install Directory>\\*Self Service Website\\Scripts. +2. Copy the JavaScript files to the **Scripts** directory of the Self-Service Portal. This directory is located in <MBAM Self-Service Install Directory>\\Self Service Website\\Scripts. -3. Open Internet Information Services (IIS) Manager. +3. Open Internet Information Services (IIS) Manager. -4. Expand **Sites** > **Microsoft BitLocker Administration and Monitoring**, and highlight **SelfService**. +4. Expand **Sites** > **Microsoft BitLocker Administration and Monitoring**, and highlight **SelfService**. - **Note**   - *SelfService* is the default virtual directory name. If you chose a different name for this directory during the configuration, remember to replace *SelfService* in these instructions with the name you chose. + **Note** + *SelfService* is the default virtual directory name. 
If you chose a different name for this directory during the configuration, remember to replace *SelfService* in these instructions with the name you chose. -   + -5. In the middle pane, double-click **Application Settings**. +5. In the middle pane, double-click **Application Settings**. -6. For each item in the following list, edit the application settings to reference the new location by replacing /<*virtual directory*>/ with /SelfService/ (or whatever name you chose during configuration). For example, the virtual directory path will be similar to /selfservice/Scripts/ jQuery-1.10.2.min.js. +6. For each item in the following list, edit the application settings to reference the new location by replacing /<*virtual directory*>/ with /SelfService/ (or whatever name you chose during configuration). For example, the virtual directory path will be similar to /selfservice/Scripts/ jQuery-1.10.2.min.js. - - jQueryPath: /<*virtual directory*>/Scripts/jQuery-1.10.2.min.js + - jQueryPath: /<*virtual directory*>/Scripts/jQuery-1.10.2.min.js - - jQueryValidatePath: /<*virtual directory*>/Scripts/jQuery.validate.min.js + - jQueryValidatePath: /<*virtual directory*>/Scripts/jQuery.validate.min.js - - jQueryValidateUnobtrusivePath: /<*virtual directory*>/Scripts/jQuery.validate.unobtrusive.min.js + - jQueryValidateUnobtrusivePath: /<*virtual directory*>/Scripts/jQuery.validate.unobtrusive.min.js @@ -66,7 +66,7 @@ In MBAM 2.5 SP1, the JavaScript files are included in the product, and you do no [How to Configure the MBAM 2.5 Web Applications](how-to-configure-the-mbam-25-web-applications.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/how-to-deploy-the-mbam-client-by-using-a-command-line.md b/mdop/mbam-v25/how-to-deploy-the-mbam-client-by-using-a-command-line.md index e475c8d4a8..27bfffcf2d 100644 
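Review bot: Step 6 of the CDN hunk (`@@ -26,38 +26,38 @@`) is rewritten but keeps the stray space in the example path `/selfservice/Scripts/ jQuery-1.10.2.min.js`; copied as written that is not the path the three `jQueryPath` entries beneath it describe, so drop the space. In the same hunk, step 2 removes the italics from the placeholder, leaving a bare `<MBAM Self-Service Install Directory>\\Self Service Website\\Scripts`: unescaped angle brackets in Markdown are liable to be parsed as an HTML tag and vanish from the rendered page, and the rest of the step still uses the `/<*virtual directory*>/` form, so keep the placeholder styled consistently (italic or in backticks) rather than dropping the markup.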
--- a/mdop/mbam-v25/how-to-deploy-the-mbam-client-by-using-a-command-line.md +++ b/mdop/mbam-v25/how-to-deploy-the-mbam-client-by-using-a-command-line.md @@ -29,7 +29,7 @@ Type the following command at the command prompt to automatically accept the end **Note**   The **/ju** and **/jm** command-line options are not supported and cannot be used to install the MBAM Client software. -  + Type the following command at the command prompt to extract and install the MSP: @@ -42,7 +42,7 @@ Then, install the MSI silently by running the following command: **Note**   Beginning in MBAM 2.5 SP1, a separate MSI is no longer included with the MBAM product. However, you can extract the MSI from the executable file (.exe) that is included with the product, after accepting the EULA. -  + ## OPTIN\_FOR\_MICROSOFT\_UPDATES=1 command-line option @@ -74,7 +74,7 @@ You can use this command-line option with either of the following installation m -  + ## Related topics @@ -82,9 +82,9 @@ You can use this command-line option with either of the following installation m [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md) -  + -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-25.md b/mdop/mbam-v25/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-25.md index 006771ac78..04cb113b89 100644 --- a/mdop/mbam-v25/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-25.md +++ b/mdop/mbam-v25/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-25.md 
@@ -36,7 +36,7 @@ Before you start the MBAM Client deployment, review the [MBAM 2.5 Supported Conf **Important**   The MBAM Client does not start BitLocker Drive Encryption actions if a remote desktop protocol connection is active. All remote console connections must be closed and a user must be logged on to a physical console session before BitLocker Drive Encryption begins. -   + ## Related topics @@ -44,7 +44,7 @@ Before you start the MBAM Client deployment, review the [MBAM 2.5 Supported Conf [Planning for MBAM 2.5 Client Deployment](planning-for-mbam-25-client-deployment.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-25.md b/mdop/mbam-v25/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-25.md index 48fd677e6f..58fc45a61e 100644 --- a/mdop/mbam-v25/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-25.md +++ b/mdop/mbam-v25/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-25.md @@ -28,7 +28,7 @@ To complete this task, you need access to the **Reports** area of the Administra **Note**   Device compliance is determined by the BitLocker policies that your enterprise has deployed. You may want to verify your deployed policies before you try to determine the BitLocker encryption state of a device. -  + **To determine the last known BitLocker encryption state of lost computers** 
@@ -49,11 +49,11 @@ Device compliance is determined by the BitLocker policies that your enterprise h [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md index cc63ce3d45..9ad697322f 100644 --- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md +++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md 
@@ -33,34 +33,34 @@ This topic explains how to enable BitLocker on an end user's computer by using M **To enable BitLocker using MBAM 2.5 SP1 as part of a Windows deployment** -1. In MBAM 2.5 SP1, the recommended approach to enable BitLocker during a Windows Deployment is by using the `Invoke-MbamClientDeployment.ps1` PowerShell script. +1. In MBAM 2.5 SP1, the recommended approach to enable BitLocker during a Windows Deployment is by using the `Invoke-MbamClientDeployment.ps1` PowerShell script. - - The `Invoke-MbamClientDeployment.ps1` script enacts BitLocker during the imaging process. When required by BitLocker policy, the MBAM agent immediately prompts the domain user to create a PIN or password when the domain user first logs on after imaging. + - The `Invoke-MbamClientDeployment.ps1` script enacts BitLocker during the imaging process. When required by BitLocker policy, the MBAM agent immediately prompts the domain user to create a PIN or password when the domain user first logs on after imaging. - - Easy to use with MDT, System Center Configuration Manager, or standalone imaging processes + - Easy to use with MDT, System Center Configuration Manager, or standalone imaging processes - - Compatible with PowerShell 2.0 or higher + - Compatible with PowerShell 2.0 or higher - - Encrypt OS volume with TPM key protector + - Encrypt OS volume with TPM key protector - - Fully support BitLocker pre-provisioning + - Fully support BitLocker pre-provisioning - - Optionally encrypt FDDs + - Optionally encrypt FDDs - - Escrow TPM OwnerAuth - For Windows 7, MBAM must own the TPM for escrow to occur. - For Windows 8.1, Windows 10 RTM and Windows 10 version 1511, escrow of TPM OwnerAuth is supported. - For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. 
See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. + - Escrow TPM OwnerAuth + For Windows 7, MBAM must own the TPM for escrow to occur. + For Windows 8.1, Windows 10 RTM and Windows 10 version 1511, escrow of TPM OwnerAuth is supported. + For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. - - Escrow recovery keys and recovery key packages + - Escrow recovery keys and recovery key packages - - Report encryption status immediately + - Report encryption status immediately - - New WMI providers + - New WMI providers - - Detailed logging + - Detailed logging - - Robust error handling + - Robust error handling You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=54439). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server. @@ -131,127 +131,127 @@ Here are a list of common error messages: | **WS_E_ENDPOINT_UNREACHABLE**
            2151481360 (0x803D0010) | The remote endpoint was not reachable. | | **WS_E_ENDPOINT_FAULT_RECEIVED**
            2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. | | **WS_E_INVALID_ENDPOINT_URL**
            2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. | -   + -2. **Deploy MBAM by using Microsoft Deployment Toolkit (MDT) and PowerShell** +2. **Deploy MBAM by using Microsoft Deployment Toolkit (MDT) and PowerShell** - 1. In MDT, create a new deployment share or open an existing deployment share. + 1. In MDT, create a new deployment share or open an existing deployment share. - **Note**   - The `Invoke-MbamClientDeployment.ps1` PowerShell script can be used with any imaging process or tool. This section shows how to integrate it by using MDT, but the steps are similar to integrating it with any other process or tool. + **Note** + The `Invoke-MbamClientDeployment.ps1` PowerShell script can be used with any imaging process or tool. This section shows how to integrate it by using MDT, but the steps are similar to integrating it with any other process or tool. - **Caution**   - If you are using BitLocker pre-provisioning (WinPE) and want to maintain the TPM owner authorization value, you must add the `SaveWinPETpmOwnerAuth.wsf` script in WinPE immediately before the installation reboots into the full operating system. **If you do not use this script, you will lose the TPM owner authorization value on reboot.** + **Caution** + If you are using BitLocker pre-provisioning (WinPE) and want to maintain the TPM owner authorization value, you must add the `SaveWinPETpmOwnerAuth.wsf` script in WinPE immediately before the installation reboots into the full operating system. **If you do not use this script, you will lose the TPM owner authorization value on reboot.** - 2. Copy `Invoke-MbamClientDeployment.ps1` to **<DeploymentShare>\\Scripts**. If you are using pre-provisioning, copy the `SaveWinPETpmOwnerAuth.wsf` file into **<DeploymentShare>\\Scripts**. + 2. Copy `Invoke-MbamClientDeployment.ps1` to **<DeploymentShare>\\Scripts**. 
If you are using pre-provisioning, copy the `SaveWinPETpmOwnerAuth.wsf` file into **<DeploymentShare>\\Scripts**. - 3. Add the MBAM 2.5 SP1 client application to the Applications node in the deployment share. + 3. Add the MBAM 2.5 SP1 client application to the Applications node in the deployment share. - 1. Under the **Applications** node, click **New Application**. + 1. Under the **Applications** node, click **New Application**. - 2. Select **Application with Source Files**. Click **Next**. + 2. Select **Application with Source Files**. Click **Next**. - 3. In **Application Name**, type “MBAM 2.5 SP1 Client”. Click **Next**. + 3. In **Application Name**, type “MBAM 2.5 SP1 Client”. Click **Next**. - 4. Browse to the directory containing `MBAMClientSetup-.msi`. Click **Next**. + 4. Browse to the directory containing `MBAMClientSetup-.msi`. Click **Next**. - 5. Type “MBAM 2.5 SP1 Client” as the directory to create. Click **Next**. + 5. Type “MBAM 2.5 SP1 Client” as the directory to create. Click **Next**. - 6. Enter `msiexec /i MBAMClientSetup-.msi /quiet` at the command line. Click **Next**. + 6. Enter `msiexec /i MBAMClientSetup-.msi /quiet` at the command line. Click **Next**. - 7. Accept the remaining defaults to complete the New Application wizard. + 7. Accept the remaining defaults to complete the New Application wizard. - 4. In MDT, right-click the name of the deployment share and click **Properties**. Click the **Rules** tab. Add the following lines: + 4. In MDT, right-click the name of the deployment share and click **Properties**. Click the **Rules** tab. Add the following lines: - `SkipBitLocker=YES``BDEInstall=TPM``BDEInstallSuppress=NO``BDEWaitForEncryption=YES` + `SkipBitLocker=YES``BDEInstall=TPM``BDEInstallSuppress=NO``BDEWaitForEncryption=YES` - Click OK to close the window. + Click OK to close the window. - 5. Under the Task Sequences node, edit an existing task sequence used for Windows Deployment. 
If you want, you can create a new task sequence by right-clicking the **Task Sequences** node, selecting **New Task Sequence**, and completing the wizard. + 5. Under the Task Sequences node, edit an existing task sequence used for Windows Deployment. If you want, you can create a new task sequence by right-clicking the **Task Sequences** node, selecting **New Task Sequence**, and completing the wizard. - On the **Task Sequence** tab of the selected task sequence, perform these steps: + On the **Task Sequence** tab of the selected task sequence, perform these steps: - 1. Under the **Preinstall** folder, enable the optional task **Enable BitLocker (Offline)** if you want BitLocker enabled in WinPE, which encrypts used space only. + 1. Under the **Preinstall** folder, enable the optional task **Enable BitLocker (Offline)** if you want BitLocker enabled in WinPE, which encrypts used space only. - 2. To persist TPM OwnerAuth when using pre-provisioning, allowing MBAM to escrow it later, do the following: + 2. To persist TPM OwnerAuth when using pre-provisioning, allowing MBAM to escrow it later, do the following: - 1. Find the **Install Operating System** step + 1. Find the **Install Operating System** step - 2. Add a new **Run Command Line** step after it + 2. Add a new **Run Command Line** step after it - 3. Name the step **Persist TPM OwnerAuth** + 3. Name the step **Persist TPM OwnerAuth** - 4. Set the command line to `cscript.exe "%SCRIPTROOT%/SaveWinPETpmOwnerAuth.wsf"` - **Note:** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. + 4. 
Set the command line to `cscript.exe "%SCRIPTROOT%/SaveWinPETpmOwnerAuth.wsf"` + **Note:** For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM. See [TPM owner password](https://docs.microsoft.com/en-us/windows/security/hardware-protection/tpm/change-the-tpm-owner-password) for further details. - 3. In the **State Restore** folder, delete the **Enable BitLocker** task. + 3. In the **State Restore** folder, delete the **Enable BitLocker** task. - 4. In the **State Restore** folder under **Custom Tasks**, create a new **Install Application** task and name it **Install MBAM Agent**. Click the **Install Single Application** radio button and browse to the MBAM 2.5 SP1 client application created earlier. + 4. In the **State Restore** folder under **Custom Tasks**, create a new **Install Application** task and name it **Install MBAM Agent**. Click the **Install Single Application** radio button and browse to the MBAM 2.5 SP1 client application created earlier. - 5. In the **State Restore** folder under **Custom Tasks**, create a new **Run PowerShell Script** task (after the MBAM 2.5 SP1 Client application step) with the following settings (update the parameters as appropriate for your environment): + 5. In the **State Restore** folder under **Custom Tasks**, create a new **Run PowerShell Script** task (after the MBAM 2.5 SP1 Client application step) with the following settings (update the parameters as appropriate for your environment): - - Name: Configure BitLocker for MBAM + - Name: Configure BitLocker for MBAM - - PowerShell script: `Invoke-MbamClientDeployment.ps1` + - PowerShell script: `Invoke-MbamClientDeployment.ps1` - - Parameters: + - Parameters: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

            -RecoveryServiceEndpoint

            Required

            MBAM recovery service endpoint

            -StatusReportingServiceEndpoint

            Optional

            MBAM status reporting service endpoint

            -EncryptionMethod

            Optional

            Encryption method (default: AES 128)

            -EncryptAndEscrowDataVolume

            Switch

            Specify to encrypt data volume(s) and escrow data volume recovery key(s)

            -WaitForEncryptionToComplete

            Switch

            Specify to wait for the encryption to complete

            -DoNotResumeSuspendedEncryption

            Switch

            Specify that the deployment script will not resume suspended encryption

            -IgnoreEscrowOwnerAuthFailure

            Switch

            Specify to ignore TPM owner-auth escrow failure. It should be used in the scenarios where MBAM is not able to read the TPM owner-auth, e.g. if TPM auto provisioning is enabled

            -IgnoreEscrowRecoveryKeyFailure

            Switch

            Specify to ignore volume recovery key escrow failure

            -IgnoreReportStatusFailure

            Switch

            Specify to ignore status reporting failure

            + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

            -RecoveryServiceEndpoint

            Required

            MBAM recovery service endpoint

            -StatusReportingServiceEndpoint

            Optional

            MBAM status reporting service endpoint

            -EncryptionMethod

            Optional

            Encryption method (default: AES 128)

            -EncryptAndEscrowDataVolume

            Switch

            Specify to encrypt data volume(s) and escrow data volume recovery key(s)

            -WaitForEncryptionToComplete

            Switch

            Specify to wait for the encryption to complete

            -DoNotResumeSuspendedEncryption

            Switch

            Specify that the deployment script will not resume suspended encryption

            -IgnoreEscrowOwnerAuthFailure

            Switch

            Specify to ignore TPM owner-auth escrow failure. It should be used in the scenarios where MBAM is not able to read the TPM owner-auth, e.g. if TPM auto provisioning is enabled

            -IgnoreEscrowRecoveryKeyFailure

            Switch

            Specify to ignore volume recovery key escrow failure

            -IgnoreReportStatusFailure

            Switch

            Specify to ignore status reporting failure

            -   + **To enable BitLocker using MBAM 2.5 or earlier as part of a Windows deployment** diff --git a/mdop/mbam-v25/how-to-localize-the-helpdesktext-statement-that-points-users-to-more-self-service-portal-information.md b/mdop/mbam-v25/how-to-localize-the-helpdesktext-statement-that-points-users-to-more-self-service-portal-information.md index 96ffe5ab95..ff06699bd3 100644 --- a/mdop/mbam-v25/how-to-localize-the-helpdesktext-statement-that-points-users-to-more-self-service-portal-information.md +++ b/mdop/mbam-v25/how-to-localize-the-helpdesktext-statement-that-points-users-to-more-self-service-portal-information.md @@ -22,7 +22,7 @@ You can configure a localized version of the Self-Service Portal "HelpdeskText" **Note**   In the following instructions, *SelfService* is the default virtual directory name for the Self-Service Portal. You might have used a different name when you configured the Self-Service Portal. -  + **To display a localized version of the HelpdeskText statement** @@ -47,9 +47,9 @@ In the following instructions, *SelfService* is the default virtual directory na [Customizing the Self-Service Portal for Your Organization](customizing-the-self-service-portal-for-your-organization.md) -  + -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/how-to-localize-the-self-service-portal-helpdeskurl.md b/mdop/mbam-v25/how-to-localize-the-self-service-portal-helpdeskurl.md index 0132d75505..39f6b21718 100644 --- a/mdop/mbam-v25/how-to-localize-the-self-service-portal-helpdeskurl.md +++ b/mdop/mbam-v25/how-to-localize-the-self-service-portal-helpdeskurl.md 
@@ -24,7 +24,7 @@ If you create a localized version, as described in the following instructions, M **Note**   In the following instructions, *SelfService* is the default virtual directory name for the Self-Service Portal. You might have used a different name when you configured the Self-Service Portal. -  + **To localize the Self-Service Portal URL** @@ -49,9 +49,9 @@ In the following instructions, *SelfService* is the default virtual directory na [Customizing the Self-Service Portal for Your Organization](customizing-the-self-service-portal-for-your-organization.md) -  + -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/how-to-localize-the-self-service-portal-notice-text.md b/mdop/mbam-v25/how-to-localize-the-self-service-portal-notice-text.md index 86e5bd0ada..65d97745b3 100644 --- a/mdop/mbam-v25/how-to-localize-the-self-service-portal-notice-text.md +++ b/mdop/mbam-v25/how-to-localize-the-self-service-portal-notice-text.md @@ -28,7 +28,7 @@ To display localized notice text, you create a localized Notice.txt file, and th **Note**   You can configure the path by using the **NoticeTextPath** item in **Application Settings**. -  + MBAM displays the notice text, based on the following rules: @@ -43,7 +43,7 @@ If an end user’s browser is set to a language that does not have a correspondi <*MBAM Self-Service Install Directory*>\\Self Service Website\\ -  + **To create a localized Notice.txt file** 
@@ -54,7 +54,7 @@ If an end user’s browser is set to a language that does not have a correspondi **Note**   Some language folders already exist, so you might not have to create a folder. If you do have to create a language folder, see [National Language Support (NLS) API Reference](https://go.microsoft.com/fwlink/?LinkId=317947) for a list of the valid names that you can use for the <*Language*> folder. -   + 2. Create a Notice.txt file that contains the localized notice text. @@ -71,7 +71,7 @@ If an end user’s browser is set to a language that does not have a correspondi [Customizing the Self-Service Portal for Your Organization](customizing-the-self-service-portal-for-your-organization.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/how-to-manage-user-bitlocker-encryption-exemptions-mbam-25.md b/mdop/mbam-v25/how-to-manage-user-bitlocker-encryption-exemptions-mbam-25.md index a8b191f42a..5cb63887d0 100644 --- a/mdop/mbam-v25/how-to-manage-user-bitlocker-encryption-exemptions-mbam-25.md +++ b/mdop/mbam-v25/how-to-manage-user-bitlocker-encryption-exemptions-mbam-25.md @@ -41,26 +41,25 @@ To exempt users from BitLocker protection, you have to:

            Add the exempted user to a security group for a Group Policy Object that is configured specifically for exempted users.

            When members of this security group sign in to a computer, the user’s Group Policy setting exempts the user from BitLocker protection. The user’s Group Policy setting overwrites the computer policy, and the computer will remain exempt from BitLocker encryption.

            -Note   -

            MBAM does not enact the encryption policy if the computer is already BitLocker-protected and the user is exempted. However, if another user who is not exempt from the encryption policy signs in to the computer, encryption will take place.

            +Note

            MBAM does not enact the encryption policy if the computer is already BitLocker-protected and the user is exempted. However, if another user who is not exempt from the encryption policy signs in to the computer, encryption will take place.

            -  +
            -  + The following steps describe what occurs when end users request an exemption from the BitLocker Drive Encryption exemption process through the MBAM Client or through whatever process your organization uses. You must configure MBAM Group Policy settings to allow end users to request an exemption from BitLocker Drive Encryption. 1. When end users sign in to a computer that is required to be encrypted, they receive a notification that their computer is going to be encrypted. They can select **Request Exemption** and postpone the encryption by selecting **Postpone**, or they can select **Start Encryption** to accept the BitLocker encryption. - **Note**   + **Note** Selecting **Request Exemption** postpones the BitLocker protection until the maximum time that is set in the User Exemption Policy. -   + 2. If end users select **Request Exemption**, they receive a notification telling them to contact the organization’s BitLocker administration group. Depending on how the **Configure User Exemption Policy** is configured, users are provided with one or more of the following contact methods: @@ -98,26 +97,25 @@ To exempt users from BitLocker protection, you have to:

            Add the exempted user to a security group for a Group Policy Object that is configured specifically for exempted users.

            When members of this security group sign in to a computer, the user’s Group Policy setting exempts the user from BitLocker protection. The user’s Group Policy setting overwrites the computer policy, and the computer will remain exempt from BitLocker encryption.

            -Note   -

            If the computer is already BitLocker-protected, the User Exemption Policy has no effect. In addition, if another user signs in to a computer that is not exempt from the encryption policy, encryption will take place.

            +Note

            If the computer is already BitLocker-protected, the User Exemption Policy has no effect. In addition, if another user signs in to a computer that is not exempt from the encryption policy, encryption will take place.

            -  +
            -  + The following steps describe what occurs when end users request an exemption from the BitLocker Drive Encryption exemption process through the MBAM Client or through whatever process your organization uses. You must configure MBAM Group Policy settings to allow end users to request an exemption from BitLocker Drive Encryption. 1. When end users sign in to a computer that is required to be encrypted, they receive a notification that their computer is going to be encrypted. They can select **Request Exemption** and postpone the encryption by selecting **Postpone**, or they can select **Start Encryption** to accept the BitLocker encryption. - **Note**   + **Note** Selecting **Request Exemption** postpones the BitLocker protection until the maximum time that is set in the User Exemption Policy. -   + 2. If end users select **Request Exemption**, they receive a notification telling them to contact the organization’s BitLocker administration group. Depending on how the **Configure User Exemption Policy** is configured, users are provided with one or more of the following contact methods: @@ -143,10 +141,10 @@ The following steps describe what occurs when end users request an exemption fro When a user signs in to a computer controlled by BitLocker, the MBAM Client checks the User Exemption Policy setting. If the computer is already encrypted, BitLocker protection is not suspended. If the computer is not encrypted, MBAM does not prompt the user to encrypt. - **Important**   + **Important** Shared computer scenarios require special consideration when you are using BitLocker user exemptions. If a non-exempt user signs in to a computer that is shared with an exempt user, the computer may be encrypted. -   + ## Related topics 
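Review bot: In the @@ -41,26 hunk of how-to-manage-user-bitlocker-encryption-exemptions-mbam-25.md, the passage being reindented (the exempted-user security group step, its Note, and the numbered "what occurs when end users request an exemption" steps) appears a second time, almost verbatim, in the @@ -98,26 hunk of the same file, with only the Note text differing ("MBAM does not enact the encryption policy if the computer is already BitLocker-protected and the user is exempted" versus "If the computer is already BitLocker-protected, the User Exemption Policy has no effect"). Worth confirming whether the topic really needs the procedure twice; if not, keeping one copy with the clearer Note would remove the drift between the two.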
@@ -156,9 +154,9 @@ The following steps describe what occurs when end users request an exemption fro [Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md) -  -  + + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md index f37d3856b7..590fce21ac 100644 --- a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md +++ b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md @@ -69,7 +69,6 @@ To automate this procedure, you can use Windows PowerShell to enter a command th ```powershell Stop-Website "Microsoft BitLocker Administration and Monitoring" - ``` >[!NOTE] @@ -156,7 +155,6 @@ Copy-Item "Z:\SQLServerInstanceCertificateFile" Copy-Item "Z:\SQLServerInstanceCertificateFilePrivateKey" \\$SERVERNAME$\$DESTINATIONSHARE$ - ``` Use the information in the following table to replace the values in the code example with values that match your environment. 
@@ -231,48 +229,48 @@ Use the information in the following table to replace the values in the code exa ### Configure access to the Database on Server B and update connection data -1. Verify that the Microsoft SQL Server user login that enables Recovery Database access on the restored database is mapped to the access account that you provided during the configuration process. +1. Verify that the Microsoft SQL Server user login that enables Recovery Database access on the restored database is mapped to the access account that you provided during the configuration process. - >[!NOTE] - >If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user. + >[!NOTE] + >If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user. -2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the MBAM websites. +2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the MBAM websites. -3. Edit the following registry key: +3. Edit the following registry key: - **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\RecoveryDBConnectionString** + **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\RecoveryDBConnectionString** -4. Update the **Data Source** value with the name of the server and instance (for example, \$SERVERNAME\$\\\$SQLINSTANCENAME) to which the Recovery Database was moved. +4. Update the **Data Source** value with the name of the server and instance (for example, \$SERVERNAME\$\\\$SQLINSTANCENAME) to which the Recovery Database was moved. -5. Update the **Initial Catalog** value with the recovered database name. +5. Update the **Initial Catalog** value with the recovered database name. -6. 
To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: +6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: - ```powershell - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v - RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial - Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f + ```powershell + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web" /v + RecoveryDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial + Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f - Set-WebConfigurationProperty - 'connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath - "IIS:\sites\Microsoft Bitlocker Administration and - Monitoring\MBAMAdministrationService" -Name "connectionString" -Value "Data - Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and - Hardware;Integrated Security=SSPI;" + Set-WebConfigurationProperty + 'connectionStrings/add[@name="KeyRecoveryConnectionString"]' -PSPath + "IIS:\sites\Microsoft Bitlocker Administration and + Monitoring\MBAMAdministrationService" -Name "connectionString" -Value "Data + Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery and + Hardware;Integrated Security=SSPI;" - Set-WebConfigurationProperty - 'connectionStrings/add[\@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' - -PSPath "IIS:\sites\Microsoft Bitlocker Administration and - Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value - "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery - and Hardware;Integrated Security=SSPI;" - ``` + Set-WebConfigurationProperty + 
'connectionStrings/add[\@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]' + -PSPath "IIS:\sites\Microsoft Bitlocker Administration and + Monitoring\MBAMRecoveryAndHardwareService" -Name "connectionString" -Value + "Data Source=$SERVERNAME$\$SQLINSTANCENAME$;Initial Catalog=MBAM Recovery + and Hardware;Integrated Security=SSPI;" + ``` - >[!Note] - >This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. + >[!Note] + >This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. -7. Use the following table to replace the values in the code example with values that match your environment. +7. Use the following table to replace the values in the code example with values that match your environment. |Parameter|Description| |---------|-----------| @@ -330,7 +328,6 @@ To automate this procedure, you can use Windows PowerShell to enter a command th ```powershell Stop-Website "Microsoft BitLocker Administration and Monitoring" - ``` >[!NOTE] 
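Review bot: in the `@@ -231,48 +229,48 @@` hunk the re-indented PowerShell block keeps two defects that should be fixed in the same change, since every one of these lines is already being touched. The filter in the second `Set-WebConfigurationProperty` call is `'connectionStrings/add[\@name="Microsoft.Mbam.RecoveryAndHardwareDataStore.ConnectionString"]'`; inside a single-quoted PowerShell string the backslash is literal, so the XPath contains `\@` and will not match the element, whereas the first call correctly uses `[@name="KeyRecoveryConnectionString"]`. The `reg add` key path also mixes escapes (`"HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\MBAM Server\\Web"`) while the equivalent ComplianceDBConnectionString hunk later in this file uses plain single backslashes; make the two consistent. The commands are also wrapped across lines with no backtick continuation, so the block cannot be pasted as shown. In the `@@ -330,7 +328,6 @@` hunk on the same line, the removed line is the closing ``` fence directly after `Stop-Website "Microsoft BitLocker Administration and Monitoring"`; the visible context shows no other closing fence before the `>[!NOTE]`, so confirm the code block is still terminated after this change.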
@@ -443,34 +440,33 @@ Stop-Website "Microsoft BitLocker Administration and Monitoring" ### Configure access to the Database on Server B and update connection data -1. Verify that the Microsoft SQL Server user login that enables Compliance and Audit Database access on the restored database is mapped to the access account that you provided during the configuration process. +1. Verify that the Microsoft SQL Server user login that enables Compliance and Audit Database access on the restored database is mapped to the access account that you provided during the configuration process. - >[!NOTE] - >If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user. + >[!NOTE] + >If the login is not the same, create a login by using SQL Server Management Studio, and map it to the existing database user. -2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the Website. +2. On the server that is running the Administration and Monitoring Website, use the Internet Information Services (IIS) Manager console to update the connection string information for the Website. -3. Edit the following registry key: +3. Edit the following registry key: - **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\ComplianceDBConnectionString** + **HKLM\\Software\\Microsoft\\MBAM Server\\Web\\ComplianceDBConnectionString** -4. Update the **Data Source** value with the name of the server and instance (for example, \$SERVERNAME\$\\\$SQLINSTANCENAME) to which the Recovery Database was moved. +4. Update the **Data Source** value with the name of the server and instance (for example, \$SERVERNAME\$\\\$SQLINSTANCENAME) to which the Recovery Database was moved. -5. Update the **Initial Catalog** value with the recovered database name. +5. Update the **Initial Catalog** value with the recovered database name. -6. 
To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: +6. To automate this process, you can use the Windows PowerShell command prompt to enter a command line on the Administration and Monitoring Server that is similar to the following: - ```powershell - reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v - ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial - Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f - - ``` - >[!NOTE] - >This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. + ```powershell + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MBAM Server\Web" /v + ComplianceDBConnectionString /t REG_SZ /d "Integrated Security=SSPI;Initial + Catalog=$DATABASE$;Data Source=$SERVERNAME$\$SQLINSTANCENAME$" /f + ``` + >[!NOTE] + >This connection string is shared by all local MBAM web applications. Therefore, it needs to be updated only once per server. -7. Using the following table, replace the values in the code example with values that match your environment. +7. Using the following table, replace the values in the code example with values that match your environment. |Parameter | Description | |---------|------------| @@ -495,7 +491,6 @@ To automate this procedure, you can use Windows PowerShell to run a command that ```powershell Start-Website "Microsoft BitLocker Administration and Monitoring" - ``` >[!NOTE] diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-reports.md b/mdop/mbam-v25/how-to-move-the-mbam-25-reports.md index b3e9f30678..c77b29982c 100644 --- a/mdop/mbam-v25/how-to-move-the-mbam-25-reports.md +++ b/mdop/mbam-v25/how-to-move-the-mbam-25-reports.md 
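Review bot: step 4 in the `@@ -443,34 +440,33 @@` hunk still reads "to which the Recovery Database was moved", but this procedure is "Configure access to the Database on Server B" for the Compliance and Audit Database and the connection string being edited is `ComplianceDBConnectionString`; since the hunk re-indents this exact line, correct it to "to which the Compliance and Audit Database was moved" rather than carrying the copy-paste error forward. The `@@ -495,7 +491,6 @@` hunk removes the closing ``` fence directly after `Start-Website "Microsoft BitLocker Administration and Monitoring"` and the visible context shows no other closing fence before `>[!NOTE]`, so check that the block is still terminated.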
@@ -32,7 +32,7 @@ The high-level steps for moving the Reports feature are: **Note**   To run the example Windows PowerShell scripts in this topic, you must update the Windows PowerShell execution policy to enable scripts to be run. See [Running Windows PowerShell Scripts](https://technet.microsoft.com/library/ee176949.aspx) for instructions. -  + **Stop the MBAM Administration and Monitoring Website** @@ -103,7 +103,7 @@ To run the example Windows PowerShell scripts in this topic, you must update the -   + **Resume the instance of the Administration and Monitoring Website** @@ -118,7 +118,7 @@ To run the example Windows PowerShell scripts in this topic, you must update the **Note**   To run this command, you must add the IIS module for Windows PowerShell to the current instance of Windows PowerShell. -   + @@ -131,11 +131,11 @@ To run the example Windows PowerShell scripts in this topic, you must update the [Moving MBAM 2.5 Features to Another Server](moving-mbam-25-features-to-another-server.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-websites.md b/mdop/mbam-v25/how-to-move-the-mbam-25-websites.md index 8646e2da3c..6b57070737 100644 --- a/mdop/mbam-v25/how-to-move-the-mbam-25-websites.md +++ b/mdop/mbam-v25/how-to-move-the-mbam-25-websites.md 
@@ -26,7 +26,7 @@ Use these procedures to move the following MBAM websites from one computer to an **Important**   During the configuration of both websites, you must provide the same connection string, Reports URL, group accounts, and web service application pool domain account as the ones that you are currently using. If you don’t use the same values, you cannot access some of the servers. To get the current values, use the **Get-MbamWebApplication** Windows PowerShell cmdlet. -  + **To move the Administration and Monitoring Website to another server** @@ -63,7 +63,7 @@ During the configuration of both websites, you must provide the same connection [Moving MBAM 2.5 Features to Another Server](moving-mbam-25-features-to-another-server.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/how-to-recover-a-corrupted-drive-mbam-25.md b/mdop/mbam-v25/how-to-recover-a-corrupted-drive-mbam-25.md index c3fce52876..5ee41f6f49 100644 --- a/mdop/mbam-v25/how-to-recover-a-corrupted-drive-mbam-25.md +++ b/mdop/mbam-v25/how-to-recover-a-corrupted-drive-mbam-25.md @@ -33,7 +33,7 @@ You can use this procedure with the Administration and Monitoring Website (also

            Create a recovery key package file by accessing the Drive Recovery area of the Administration and Monitoring Website.

            -

            To access the Drive Recovery area, you must be assigned the MBAM Helpdesk Users role or the MBAM Advanced Helpdesk Users role. You may have given these roles different names when you created them. For more information, see [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md#bkmk-helpdesk-roles).

            +

            To access the Drive Recovery area, you must be assigned the MBAM Helpdesk Users role or the MBAM Advanced Helpdesk Users role. You may have given these roles different names when you created them. For more information, see Planning for MBAM 2.5 Groups and Accounts.

            Copy the package file to the computer that contains the corrupted drive.

            @@ -41,12 +41,12 @@ You can use this procedure with the Administration and Monitoring Website (also

            Use the repair-bde command to complete the recovery process.

            -

            To avoid a potential loss of data, it is strongly recommended that you review the [Manage-bde](https://go.microsoft.com/fwlink/?LinkId=393567) command before using it.

            +

            To avoid a potential loss of data, it is strongly recommended that you review the Manage-bde command before using it.

            -  + **To recover a corrupted drive** @@ -59,7 +59,7 @@ You can use this procedure with the Administration and Monitoring Website (also **Note**   If you are a member of the Advanced Helpdesk Users access group, you do not have to enter the user’s domain name or user name. -   + 4. Click **Submit**. The recovery key will be displayed. @@ -76,7 +76,7 @@ You can use this procedure with the Administration and Monitoring Website (also **Note**   Replace <*fixed drive*> with an available hard disk drive that has free space equal to or larger than the data on the corrupted drive. Data on the corrupted drive is recovered and moved to the specified hard disk drive. -   + ## Related topics @@ -84,11 +84,11 @@ You can use this procedure with the Administration and Monitoring Website (also [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/how-to-recover-a-drive-in-recovery-mode-mbam-25.md b/mdop/mbam-v25/how-to-recover-a-drive-in-recovery-mode-mbam-25.md index f4554d2b9d..9dec2442fb 100644 --- a/mdop/mbam-v25/how-to-recover-a-drive-in-recovery-mode-mbam-25.md +++ b/mdop/mbam-v25/how-to-recover-a-drive-in-recovery-mode-mbam-25.md 
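Review bot: the `@@ -33,7` and `@@ -41,12` hunks in how-to-recover-a-corrupted-drive-mbam-25.md replace two links with bare text, so "For more information, see Planning for MBAM 2.5 Groups and Accounts." no longer resolves to `planning-for-mbam-25-groups-and-accounts.md#bkmk-helpdesk-roles` and the Manage-bde reference loses `https://go.microsoft.com/fwlink/?LinkId=393567`. Both targets are still present in the removed lines; restore the markdown links instead of flattening them. While this paragraph is being edited, note that the step says "Use the repair-bde command to complete the recovery process" but the data-loss warning tells the reader to review Manage-bde; the command whose documentation matters before a destructive recovery is repair-bde, so the warning should name it.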
@@ -21,15 +21,15 @@ This topic explains how to use the Administration and Monitoring Website (also r To get a recovery password, use the **Drive Recovery** area of the Administration and Monitoring Website. You must be assigned the MBAM Helpdesk Users role or the MBAM Advanced Helpdesk Users role to access this area of the website. -**Note**   +**Note** You may have given these roles different names when you created them. For more information, see [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md#bkmk-helpdesk-roles). -  -**Important**   + +**Important** Recovery passwords expire after a single use. On operating system drives and fixed data drives, the single-use rule is applied automatically. On removable drives, it is applied when the drive is removed and then reinserted and unlocked on a computer that has Group Policy settings activated to manage removable drives. -  + **To recover a drive in recovery mode** @@ -39,10 +39,10 @@ Recovery passwords expire after a single use. On operating system drives and fix 3. Enter the end user’s Windows log-on domain and user name to view recovery information. - **Note**   + **Note** If you are in the MBAM Advanced Helpdesk Users group, the user domain and user ID fields are not required. -   + 4. Enter the first eight digits of the recovery key ID to see a list of possible matching recovery keys, or enter the entire recovery key ID to get the exact recovery key. 
@@ -56,16 +56,18 @@ Recovery passwords expire after a single use. On operating system drives and fix - The recovery password and recovery package for the submitted user - **Note**   + **Note** If you are recovering a damaged drive, the recovery package option provides BitLocker with critical information that it needs to recover the drive. -   - After the recovery password and recovery package are retrieved, the recovery password is displayed. -6. To copy the password, click **Copy Key**, and then paste the recovery password into an email message. Alternatively, click **Save** to save the recovery password to a file. +~~~ +After the recovery password and recovery package are retrieved, the recovery password is displayed. +~~~ - When the user types the recovery password into the system or uses the recovery package, the drive is unlocked. +6. To copy the password, click **Copy Key**, and then paste the recovery password into an email message. Alternatively, click **Save** to save the recovery password to a file. + + When the user types the recovery password into the system or uses the recovery package, the drive is unlocked. @@ -74,11 +76,11 @@ Recovery passwords expire after a single use. On operating system drives and fix [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).  +- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md b/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md index 1521bbef0a..59ee1c423d 100644 --- a/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md 
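Review bot: the `@@ -56,16 +56,18 @@` hunk wraps the sentence "After the recovery password and recovery package are retrieved, the recovery password is displayed." in `~~~` fences, which turns a prose continuation of step 5 into a code block and breaks the numbered list before step 6. Keep it as an indented paragraph under step 5 (matching the indentation used for "When the user types the recovery password into the system or uses the recovery package, the drive is unlocked." under step 6) rather than fencing it.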
+++ b/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md @@ -27,7 +27,7 @@ To recover a moved drive, you must use the **Drive Recovery** area of the Admini **Note**   In some cases, you may be able to click **I forgot the PIN** during the startup process, and then enter the recovery mode to display the recovery key ID. -   + 3. Use the recovery key ID to retrieve the recovery password and unlock the drive from the Administration and Monitoring Website. For instructions, see [How to Recover a Drive in Recovery Mode](how-to-recover-a-drive-in-recovery-mode-mbam-25.md). @@ -44,7 +44,7 @@ To recover a moved drive, you must use the **Drive Recovery** area of the Admini [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/how-to-reset-a-tpm-lockout-mbam-25.md b/mdop/mbam-v25/how-to-reset-a-tpm-lockout-mbam-25.md index 3854e00a86..fc80c4324c 100644 --- a/mdop/mbam-v25/how-to-reset-a-tpm-lockout-mbam-25.md +++ b/mdop/mbam-v25/how-to-reset-a-tpm-lockout-mbam-25.md @@ -38,7 +38,7 @@ For information about MBAM and TPM ownership, see [MBAM 2.5 Security Considerati **Note**   If you are in the MBAM Advanced Helpdesk Users group, the user domain and user ID fields are not required. -   + 5. From the **Reason for requesting TPM owner password file** list, select a reason for the request, and click **Submit**. @@ -59,7 +59,7 @@ For information about MBAM and TPM ownership, see [MBAM 2.5 Security Considerati **Important**   Do not give the TPM hash value or TPM owner password file to end users. Because the TPM information does not change, giving the file to end users creates a security risk. -   + 
@@ -68,7 +68,7 @@ For information about MBAM and TPM ownership, see [MBAM 2.5 Security Considerati [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/how-to-set-the-self-service-portal-branding-and-session-time-out.md b/mdop/mbam-v25/how-to-set-the-self-service-portal-branding-and-session-time-out.md index 0fa092b0e6..67f433c862 100644 --- a/mdop/mbam-v25/how-to-set-the-self-service-portal-branding-and-session-time-out.md +++ b/mdop/mbam-v25/how-to-set-the-self-service-portal-branding-and-session-time-out.md @@ -19,15 +19,15 @@ ms.date: 06/16/2016 After you configure the Self-Service Portal, you can brand it with your company name, Help Desk URL, and "notice" text. You can also change the Session Time-out setting to make the end user’s session expire after a specified period of inactivity. -**Note**   +**Note** You can also brand the Self-Service Portal by using the **Enable-MbamWebApplication** Windows PowerShell cmdlet or the MBAM Server Configuration wizard. For instructions on using the wizard, see [How to Configure the MBAM 2.5 Web Applications](how-to-configure-the-mbam-25-web-applications.md). -  -**Note**   + +**Note** In the following instructions, *SelfService* is the default virtual directory name for the Self-Service Portal. You might have used a different name when you configured the Self-Service Portal. -  + **To set the session time-out and branding for the Self-Service Portal** 
@@ -41,102 +41,104 @@ In the following instructions, *SelfService* is the default virtual directory na 5. In the **Name** column, select the item that you want to change, and change the default value to reflect the name that you want to use. The following table lists the values that you can set. - **Caution**   + **Caution** Do not change the value in the Name column (CompanyName\*), as it will cause Self-Service Portal to stop working. -   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            NameDefault value

            ClientValidationEnabled

            true

            CompanyName

            Contoso IT

            DisplayNotice

            true

            HelpdeskText

            Contact Helpdesk or IT Department

            HelpdeskUrl

            #

            -
            - Note   -

            In MBAM 2.5 SP1, the HelpdeskUrl default value is empty.

            -
            -
            -   -

            jQueryPath

            [//go.microsoft.com/fwlink/?LinkID=390515](//go.microsoft.com/fwlink/?LinkID=390515)

            -
            - Note   -

            In MBAM 2.5 SP1, this has been changed to a local JavaScript file shipped with the product, located at ~/Scripts/jquery-1.10.2.min.js

            -
            -
            -   -

            jQueryValidatePath

            [//go.microsoft.com/fwlink/?LinkID=390516](//go.microsoft.com/fwlink/?LinkID=390516)

            -
            - Note   -

            In MBAM 2.5 SP1, this has been changed to a local JavaScript file shipped with the product, located at ~/Scripts/jquery.validate.min.js

            -
            -
            -   -

            jQueryValidateUnobtrusivePath

            [//go.microsoft.com/fwlink/?LinkID=390517](//go.microsoft.com/fwlink/?LinkID=390517)

            -
            - Note   -

            In MBAM 2.5 SP1, this has been changed to a local JavaScript file shipped with the product, located at ~/Scripts/jquery.validate.unobtrusive.min.js

            -
            -
            -   -

            NoticeTextPath

            Notice.txt

            -
            - Note   -

            You can edit the notice text either by using the Internet Information Services (IIS) Manager or by opening and changing the Notice.txt file in the installation directory.

            -
            -
            -   -

            UnobtrusiveJavaScriptEnabled

            true

            -   +~~~ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
            NameDefault value

            ClientValidationEnabled

            true

            CompanyName

            Contoso IT

            DisplayNotice

            true

            HelpdeskText

            Contact Helpdesk or IT Department

            HelpdeskUrl

            #

            +
            +Note +

            In MBAM 2.5 SP1, the HelpdeskUrl default value is empty.

            +
            +
            + +

            jQueryPath

            [//go.microsoft.com/fwlink/?LinkID=390515](//go.microsoft.com/fwlink/?LinkID=390515)

            +
            +Note +

            In MBAM 2.5 SP1, this has been changed to a local JavaScript file shipped with the product, located at ~/Scripts/jquery-1.10.2.min.js

            +
            +
            + +

            jQueryValidatePath

            [//go.microsoft.com/fwlink/?LinkID=390516](//go.microsoft.com/fwlink/?LinkID=390516)

            +
            +Note +

            In MBAM 2.5 SP1, this has been changed to a local JavaScript file shipped with the product, located at ~/Scripts/jquery.validate.min.js

            +
            +
            + +

            jQueryValidateUnobtrusivePath

            [//go.microsoft.com/fwlink/?LinkID=390517](//go.microsoft.com/fwlink/?LinkID=390517)

            +
            +Note +

            In MBAM 2.5 SP1, this has been changed to a local JavaScript file shipped with the product, located at ~/Scripts/jquery.validate.unobtrusive.min.js

            +
            +
            + +

            NoticeTextPath

            Notice.txt

            +
            +Note +

            You can edit the notice text either by using the Internet Information Services (IIS) Manager or by opening and changing the Notice.txt file in the installation directory.

            +
            +
            + +

            UnobtrusiveJavaScriptEnabled

            true

            +~~~ + + @@ -145,11 +147,11 @@ In the following instructions, *SelfService* is the default virtual directory na [Customizing the Self-Service Portal for Your Organization](customizing-the-self-service-portal-for-your-organization.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).  +- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/how-to-turn-the-self-service-portal-notice-text-on-or-off.md b/mdop/mbam-v25/how-to-turn-the-self-service-portal-notice-text-on-or-off.md index 0dbad3834d..015d00c47f 100644 --- a/mdop/mbam-v25/how-to-turn-the-self-service-portal-notice-text-on-or-off.md +++ b/mdop/mbam-v25/how-to-turn-the-self-service-portal-notice-text-on-or-off.md @@ -22,7 +22,7 @@ You can turn the Self-Service Portal notice text on or off. By default, the noti **Note**   In the following instructions, *SelfService* is the default virtual directory name for the Self-Service Portal. You might have used a different name when you configured the Self-Service Portal. -  + **To turn off the notice text** @@ -37,9 +37,9 @@ In the following instructions, *SelfService* is the default virtual directory na [Customizing the Self-Service Portal for Your Organization](customizing-the-self-service-portal-for-your-organization.md) -  + -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/how-to-use-the-administration-and-monitoring-website.md b/mdop/mbam-v25/how-to-use-the-administration-and-monitoring-website.md index 20c757f3dd..6999def5bb 100644 --- a/mdop/mbam-v25/how-to-use-the-administration-and-monitoring-website.md 
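Review bot: the `@@ -41,102 +41,104 @@` hunk in how-to-set-the-self-service-portal-branding-and-session-time-out.md deletes the Name / Default value HTML table and re-adds the same content between `+~~~` fences, so the table will render as literal tag source instead of a table. If the goal is to clean up the indented Note blocks, keep the table outside the fence, or convert it to a pipe table as the other files in this change do (for example the illustrated-features table), rather than fencing it.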
+++ b/mdop/mbam-v25/how-to-use-the-administration-and-monitoring-website.md @@ -22,7 +22,7 @@ The Administration and Monitoring Website, also referred to as the Help Desk, is **Note**   If you are using MBAM in the Stand-alone topology, you view all reports from the Administration and Monitoring Website. If you are using the Configuration Manager Integration topology, you view all reports in Configuration Manager, except the Recovery Audit report, which you continue to view from the Administration and Monitoring Website. For more information about reports, see [Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md). -  + ## Required roles for using the Administration and Monitoring Website @@ -58,7 +58,7 @@ To access specific areas of the Administration and Monitoring Website, you must -  + ## Tasks you can perform on the Administration and Monitoring Website @@ -85,13 +85,13 @@ The following table summarizes the tasks you can perform on the Administration a

            View reports

            Reports

            Enables you to run reports to monitor BitLocker usage, compliance, and key recovery activity. Reports provide data about enterprise compliance, individual computers, and who requested recovery keys or the TPM OwnerAuth package for a specific computer.

            -

            [Viewing MBAM 2.5 Reports for the Stand-alone Topology](viewing-mbam-25-reports-for-the-stand-alone-topology.md)

            +

            Viewing MBAM 2.5 Reports for the Stand-alone Topology

            Determine the BitLocker encryption status of lost or stolen computers

            Reports

            Determine if a volume was encrypted if the computer is lost or stolen.

            -

            [How to Determine BitLocker Encryption State of Lost Computers](how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-25.md)

            +

            How to Determine BitLocker Encryption State of Lost Computers

            Recover lost drives

            @@ -103,21 +103,21 @@ The following table summarizes the tasks you can perform on the Administration a
          • Are corrupted

          Reset a TPM lockout

          Manage TPM

          Provides access to TPM data that has been collected by the MBAM Client. In a TPM lockout, use the Administration and Monitoring Website to retrieve the necessary password file to unlock the TPM.

          -

          [How to Reset a TPM Lockout](how-to-reset-a-tpm-lockout-mbam-25.md)

          +

          How to Reset a TPM Lockout

          -  + ## Related topics @@ -125,7 +125,7 @@ The following table summarizes the tasks you can perform on the Administration a [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25.md b/mdop/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25.md index 30f55c3323..3be2d5cf4a 100644 --- a/mdop/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25.md +++ b/mdop/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25.md @@ -24,7 +24,7 @@ The following instructions are written from the perspective of end users, but th **Important**   An end user must have physically logged on to the computer (not remotely) at least one time successfully to be able to recover their key using the Self-Service Portal. Otherwise, they must use the Helpdesk Portal for key recovery. -  + End users may experience lockouts if they: @@ -35,7 +35,7 @@ End users may experience lockouts if they: **Note**   If the IT administrator configured an IIS Session State time-out, a message is displayed in the Self-Service Portal 60 seconds prior to the time-out. -  + **To use the Self-Service Portal to regain access to a computer** @@ -54,11 +54,11 @@ If the IT administrator configured an IIS Session State time-out, a message is d [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + 
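Review bot: the `@@ -85,13 +85,13 @@` and `@@ -103,21 +103,21 @@` hunks in how-to-use-the-administration-and-monitoring-website.md drop three links from the task table, leaving bare titles: `[Viewing MBAM 2.5 Reports for the Stand-alone Topology](viewing-mbam-25-reports-for-the-stand-alone-topology.md)`, `[How to Determine BitLocker Encryption State of Lost Computers](how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-25.md)` and `[How to Reset a TPM Lockout](how-to-reset-a-tpm-lockout-mbam-25.md)`. Those cells exist to point the help desk operator at the procedure, so restore the links; if markdown links are not rendering inside this HTML table, use `<a href>` rather than removing the target.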
diff --git a/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md b/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md index 769e90d047..7d2a8d5f0e 100644 --- a/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md +++ b/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md @@ -23,10 +23,10 @@ This topic describes the individual features that make up a Microsoft BitLocker - System Center Configuration Manager Integration -**Important**   +**Important** These features do not represent the recommended architecture for deploying MBAM. Use this information only as a guide to understand the individual features that make up an MBAM deployment. See [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md) for the recommended architecture for MBAM. -  + For a list of the supported versions of the software mentioned in this topic, see [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md). @@ -51,12 +51,12 @@ The following image and table explain the features in an MBAM Stand-alone topolo |Administration and Monitoring Server||| |Administration and Monitoring Web Service|The Monitoring Web Service is used by the MBAM Client and the websites to communicate to the databases.|This feature is installed on a computer running Windows Server.| -**Important**   +**Important** The Self-Service Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1, in which the MBAM Client, the Administration and Monitoring Website, and the Self-Service Portal communicate directly with the Recovery Database. -**Important**   +**Important** The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database. -  + ## System Center Configuration Manager Integration topology 
@@ -64,27 +64,28 @@ The following image and table explain the features in the System Center Configur ![mbam2\-5](images/mbam2-5-cmcomponents.png) -**Important**   +**Important** The Self-Service Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1, in which the MBAM Client, the Administration and Monitoring Website, and the Self-Service Portal communicate directly with the Recovery Database. -**Warning**   +**Warning** The Monitoring Web Service is no longer available in Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 SP1 since the MBAM Client and the websites communicate directly with the Recovery Database. -|Feature type|Description| -|-|-| -|Self-Service Server||| -|Self-Service Web Service|This web service is used by the MBAM Client and the Self-Service Portal to communicate to the Recovery Database.|This feature is installed on a computer running Windows Server.| -|Self-Service Website|This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password.|This feature is configured on a computer running Windows Server.| -|Administration and Monitoring Server/Recovery Audit Report||| -|Administration and Monitoring Web Service|This web service enables communication between the Administration and Monitoring Website and the SQL Server databases where reporting data is stored.|This feature is installed on a server running Windows Server.| -|Administration and Monitoring Website|The Recovery Audit report is viewed from the Administration and Monitoring Website. 
Use the Configuration Manager console to view all other reports, or view reports directly from SQL Server Reporting Services.|This feature is configured on a server running Windows Server.| -|Databases||| -|Recovery Database|This database stores recovery data that is collected from MBAM client computers.|This feature is configured on a server running Windows Server and a supported SQL Server instance.| -|Audit Database|This database stores audit information about recovery attempts and activity.|This feature is configured on a server running Windows Server and a supported SQL Server instance.| -|Configuration Manager Features||| -|Configuration Manager Management console|This console is built into Configuration Manager and is used to view reports.|For viewing reports only, this feature can be installed on any server or client computer.| -|Configuration Manager Reports|Reports show compliance and recovery audit data for client computers in your enterprise.|The Reports feature is installed on a server running Windows Server and SSRS, and Reports run on a supported SQL Server instance. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.| -|SQL Server Reporting Services|SSRS enables the MBAM Reports. Reports can be viewed directly from SSRS or from the Configuration Manager console.|SSRS is installed on a server running Windows Server. A reporting services point must be defined in Configuration Manager on the server that is running SSRS.| + +| Feature type | Description | +|------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Self-Service Server | | +| Self-Service Web Service | This web service is used by the MBAM Client and the Self-Service Portal to communicate to the Recovery Database. 
| +| Self-Service Website | This website enables end users on client computers to independently sign in to a website to get a recovery key if they lose or forget their BitLocker password. | +| Administration and Monitoring Server/Recovery Audit Report | | +| Administration and Monitoring Web Service | This web service enables communication between the Administration and Monitoring Website and the SQL Server databases where reporting data is stored. | +| Administration and Monitoring Website | The Recovery Audit report is viewed from the Administration and Monitoring Website. Use the Configuration Manager console to view all other reports, or view reports directly from SQL Server Reporting Services. | +| Databases | | +| Recovery Database | This database stores recovery data that is collected from MBAM client computers. | +| Audit Database | This database stores audit information about recovery attempts and activity. | +| Configuration Manager Features | | +| Configuration Manager Management console | This console is built into Configuration Manager and is used to view reports. | +| Configuration Manager Reports | Reports show compliance and recovery audit data for client computers in your enterprise. | +| SQL Server Reporting Services | SSRS enables the MBAM Reports. Reports can be viewed directly from SSRS or from the Configuration Manager console. | ## Related topics diff --git a/mdop/mbam-v25/installing-the-mbam-25-server-software.md b/mdop/mbam-v25/installing-the-mbam-25-server-software.md index 742bb3517f..d238b982fe 100644 --- a/mdop/mbam-v25/installing-the-mbam-25-server-software.md +++ b/mdop/mbam-v25/installing-the-mbam-25-server-software.md @@ -34,9 +34,9 @@ This topic describes how to install the Microsoft BitLocker Administration and M

          Review the MBAM 2.5 planning information

          @@ -47,7 +47,7 @@ This topic describes how to install the Microsoft BitLocker Administration and M -  + ## Installing the MBAM 2.5 Server software by using the Microsoft BitLocker Administration and Monitoring Setup wizard @@ -127,7 +127,7 @@ The following table describes the command-line parameters for installing the MBA -  + @@ -138,7 +138,7 @@ The following table describes the command-line parameters for installing the MBA [Configuring the MBAM 2.5 Server Features](configuring-the-mbam-25-server-features.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/mbam-25-deployment-checklist.md b/mdop/mbam-v25/mbam-25-deployment-checklist.md index 2bf0ac83dd..660b1ebf79 100644 --- a/mdop/mbam-v25/mbam-25-deployment-checklist.md +++ b/mdop/mbam-v25/mbam-25-deployment-checklist.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 You can use this checklist to help you during Microsoft BitLocker Administration and Monitoring (MBAM) deployment with a Stand-alone topology. -**Note**   +**Note** This checklist outlines the recommended steps and a high-level list of items to consider when you deploy Microsoft BitLocker Administration and Monitoring features. We recommend that you copy this checklist into a spreadsheet program and customize it for your use. -  + @@ -43,19 +43,19 @@ This checklist outlines the recommended steps and a high-level list of items to - + - + - + @@ -68,37 +68,36 @@ This checklist outlines the recommended steps and a high-level list of items to
        • Configuration Manager Integration topology (needed only if you are running MBAM with this topology)

        • -Note   -

          Note the names of the servers on which you configure each feature. You will use this information throughout the configuration process.

          +Note

          Note the names of the servers on which you configure each feature. You will use this information throughout the configuration process.

          -  +
          - + - + - + - +
          Checklist box

          Review and complete all planning steps to prepare your environment for MBAM deployment.

          [MBAM 2.5 Planning Checklist](mbam-25-planning-checklist.md)

          MBAM 2.5 Planning Checklist

          Checklist box

          Review the supported configurations information to ensure that MBAM supports the selected client and server computers.

          [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)

          MBAM 2.5 Supported Configurations

          Checklist box

          Install the MBAM Server software.

          [Installing the MBAM 2.5 Server Software](installing-the-mbam-25-server-software.md)

          Installing the MBAM 2.5 Server Software

          [Configuring the MBAM 2.5 Server Features](configuring-the-mbam-25-server-features.md)

          Configuring the MBAM 2.5 Server Features

          Checklist box

          Validate the MBAM configuration.

          [Validating the MBAM 2.5 Server Feature Configuration](validating-the-mbam-25-server-feature-configuration.md)

          Validating the MBAM 2.5 Server Feature Configuration

          Checklist box

          Copy the MBAM Group Policy Template and edit the Group Policy settings.

          [Copying the MBAM 2.5 Group Policy Templates](copying-the-mbam-25-group-policy-templates.md) and [Editing the MBAM 2.5 Group Policy Settings](editing-the-mbam-25-group-policy-settings.md)

          Copying the MBAM 2.5 Group Policy Templates and Editing the MBAM 2.5 Group Policy Settings

          Checklist box

          Deploy the MBAM Client software.

          [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md)

          Deploying the MBAM 2.5 Client

          -  + ## Related topics @@ -106,9 +105,9 @@ This checklist outlines the recommended steps and a high-level list of items to [Deploying MBAM 2.5](deploying-mbam-25.md) -  -  + + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/mbam-25-planning-checklist.md b/mdop/mbam-v25/mbam-25-planning-checklist.md index ff91d81f2b..015403224b 100644 --- a/mdop/mbam-v25/mbam-25-planning-checklist.md +++ b/mdop/mbam-v25/mbam-25-planning-checklist.md @@ -40,92 +40,92 @@ You can use the following checklists to help you prepare your computing environm Checklist box

          Review the "Getting started" information to understand the product before you start deployment planning.

          -

          [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md)

          +

          Getting Started with MBAM 2.5

          Checklist box

          Review the recommended high-level architecture for an MBAM deployment. You might also want to review an illustration and description of the individual parts (databases, websites, Reports) of an MBAM deployment.

          -

          [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)

          -

          [Illustrated Features of an MBAM 2.5 Deployment](illustrated-features-of-an-mbam-25-deployment.md)

          +

          High-Level Architecture for MBAM 2.5

          +

          Illustrated Features of an MBAM 2.5 Deployment

          Checklist box

          Review and complete the prerequisites for the MBAM Stand-alone and Configuration Manager Integration topologies.

          -

          [MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies](mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md)

          +

          MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies

          Checklist box

          If you plan to use the Configuration Manager Integration topology, complete the additional prerequisites that apply only to this topology.

          -

          [MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology](mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology.md)

          +

          MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology

          Checklist box

          Review and meet the MBAM 2.5 prerequisites for the MBAM Client.

          -

          [Prerequisites for MBAM 2.5 Clients](prerequisites-for-mbam-25-clients.md)

          +

          Prerequisites for MBAM 2.5 Clients

          Checklist box

          Plan for and configure MBAM Group Policy requirements.

          -

          [Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md)

          +

          Planning for MBAM 2.5 Group Policy Requirements

          Checklist box

          Plan for and create the necessary Active Directory Domain Services security groups.

          -

          [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md)

          +

          Planning for MBAM 2.5 Groups and Accounts

          Checklist box

          Plan how you will secure the MBAM websites.

          -

          [Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md)

          +

          Planning How to Secure the MBAM Websites

          Checklist box

          Review the MBAM Supported Configurations to ensure that your hardware meets the installation system requirements.

          -

          [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)

          +

          MBAM 2.5 Supported Configurations

          Checklist box

          Review the considerations for deploying the MBAM Server features.

          -

          [Planning for MBAM 2.5 Server Deployment](planning-for-mbam-25-server-deployment.md)

          +

          Planning for MBAM 2.5 Server Deployment

          Checklist box

          Review the considerations for deploying the MBAM Client.

          -

          [Planning for MBAM 2.5 Client Deployment](planning-for-mbam-25-client-deployment.md)

          +

          Planning for MBAM 2.5 Client Deployment

          Checklist box

          Review the requirements and steps to deploy MBAM in a highly available configuration.

          -

          [Planning for MBAM 2.5 High Availability](planning-for-mbam-25-high-availability.md)

          +

          Planning for MBAM 2.5 High Availability

          Checklist box

          Review the MBAM security considerations that pertain to the Trusted Platform Module, log files, and transparent data encryption.

          -

          [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md)

          +

          MBAM 2.5 Security Considerations

          Checklist box

          Optionally, review the steps to evaluate MBAM in a test environment.

          -

          [Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md)

          +

          Evaluating MBAM 2.5 in a Test Environment

          -  + ## Related topics @@ -133,9 +133,9 @@ You can use the following checklists to help you prepare your computing environm [Planning for MBAM 2.5](planning-for-mbam-25.md) -  + -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/mbam-25-security-considerations.md b/mdop/mbam-v25/mbam-25-security-considerations.md index bab666d38b..f87672362a 100644 --- a/mdop/mbam-v25/mbam-25-security-considerations.md +++ b/mdop/mbam-v25/mbam-25-security-considerations.md @@ -72,14 +72,14 @@ To enable MBAM to escrow and then store TPM OwnerAuth passwords, you must config -  + The location of these Group Policy settings is **Computer Configuration** > **Administrative Templates** > **System** > **Trusted Platform Module Services**. **Note**   Windows removes the OwnerAuth locally after MBAM successfully escrows it with these settings. -  + ### Escrowing TPM OwnerAuth in Windows 7 @@ -120,7 +120,7 @@ To create user-to-computer associations after you have installed the MBAM server **Note**   The MBAM agent will override user-to-computer associations when that computer begins reporting up to the server. -  + **Prerequisites:** The Read-AD\* cmdlets can retrieve information from AD only if they are either run as a highly privileged user account, such as a Domain Administrator, or run as an account in a custom security group granted read access to the information (recommended). @@ -171,7 +171,7 @@ The Read-AD\* cmdlets do not have the ability to discover the user accounts that - Users who are not in the MBAM Advanced Helpdesk Users security group as defined during installation, recovering on behalf of other users -  + ## Configure MBAM to automatically unlock the TPM after a lockout 
@@ -181,7 +181,7 @@ You can configure MBAM 2.5 SP1 to automatically unlock the TPM in case of a lock **Important**   To enable TPM lockout auto reset, you must configure this feature on both the server side and in Group Policy on the client side. -  + - To enable TPM lockout auto reset on the client side, configure the Group Policy setting "Configure TPM lockout auto reset" located at **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDOP MBAM** > **Client Management**. @@ -196,7 +196,7 @@ TPM lockout auto reset is disabled by default. **Note**   TPM lockout auto reset is only supported on computers running TPM version 1.2. TPM 2.0 provides built-in lockout auto reset functionality. -  + **The Recovery Audit Report** includes events related to TPM lockout auto reset. If a request is made from the MBAM client to retrieve a TPM OwnerAuth password, an event is logged to indicate recovery. Audit entries will include the following events: @@ -227,7 +227,7 @@ TPM lockout auto reset is only supported on computers running TPM version 1.2. T -  + ## Secure connections to SQL Server @@ -305,11 +305,11 @@ For an example of how to enable TDE for MBAM database instances, see [Understand [Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md index 58250c385a..e6b0faca0c 100644 --- a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md 
+++ b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md @@ -23,10 +23,10 @@ If you are deploying MBAM with System Center Configuration Manager, you must com For a list of the supported hardware and operating systems for MBAM, see [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md). -**Important**   +**Important** If BitLocker was used without MBAM, you must decrypt the drive and then clear TPM using tpm.msc. MBAM cannot take ownership of TPM if the client PC is already encrypted and the TPM owner password created. -  + ## Required MBAM roles and accounts @@ -45,12 +45,12 @@ If BitLocker was used without MBAM, you must decrypt the drive and then clear TP

          Groups created in Active Directory Domain Services (AD DS)

          -

          See [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md) for a description of these groups and accounts.

          +

          See Planning for MBAM 2.5 Groups and Accounts for a description of these groups and accounts.

          -  + ## Prerequisites for the Recovery Database @@ -70,7 +70,7 @@ If BitLocker was used without MBAM, you must decrypt the drive and then clear TP

          Supported version of SQL Server

          Install Microsoft SQL Server with SQL_Latin1_General_CP1_CI_AS collation.

          -

          See [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md) for supported versions.

          +

          See MBAM 2.5 Supported Configurations for supported versions.

          Required SQL Server permissions

          @@ -90,13 +90,12 @@ If BitLocker was used without MBAM, you must decrypt the drive and then clear TP

          Optional - Install the Transparent Data Encryption (TDE) feature available in SQL Server

          -

          The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with laws, regulations, and guidelines that apply to various industries.

          +

          The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with laws, regulations, and guidelines that apply to various industries.

          -Note   -

          TDE performs real-time decryption of database information. This means that, if you are viewing recovery key information in the SQL Server database and you are logged on under an account that has permissions to the database, the recovery key information is visible. To read more about TDE, see [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md).

          +Note

          TDE performs real-time decryption of database information. This means that, if you are viewing recovery key information in the SQL Server database and you are logged on under an account that has permissions to the database, the recovery key information is visible. To read more about TDE, see MBAM 2.5 Security Considerations.

          -  +
          @@ -110,7 +109,7 @@ If BitLocker was used without MBAM, you must decrypt the drive and then clear TP -  + ## Prerequisites for the Compliance and Audit Database @@ -130,7 +129,7 @@ If BitLocker was used without MBAM, you must decrypt the drive and then clear TP

          Supported version of SQL Server

          Install SQL Server with SQL_Latin1_General_CP1_CI_AS collation.

          -

          See [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md) for supported versions.

          +

          See MBAM 2.5 Supported Configurations for supported versions.

          Required SQL Server permissions

          @@ -150,8 +149,8 @@ If BitLocker was used without MBAM, you must decrypt the drive and then clear TP

          Optional - Install the Transparent Data Encryption (TDE) feature in SQL Server

          -

          The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with laws, regulations, and guidelines that apply to various industries.

          -

          TDE performs real-time decryption of database information. This means that, if you are viewing recovery key information in the SQL Server database and you are logged on under an account that has permissions to the database, the recovery key information is visible. To read more about TDE, see [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md).

          +

          The TDE SQL Server feature performs real-time I/O encryption and decryption of the data and log files, which can help you to comply with laws, regulations, and guidelines that apply to various industries.

          +

          TDE performs real-time decryption of database information. This means that, if you are viewing recovery key information in the SQL Server database and you are logged on under an account that has permissions to the database, the recovery key information is visible. To read more about TDE, see MBAM 2.5 Security Considerations.

          SQL Server Database Engine Services

          @@ -164,7 +163,7 @@ If BitLocker was used without MBAM, you must decrypt the drive and then clear TP -  + ## Prerequisites for the Reports @@ -184,7 +183,7 @@ If BitLocker was used without MBAM, you must decrypt the drive and then clear TP

          Supported version of SQL Server

          Install SQL Server with SQL_Latin1_General_CP1_CI_AS collation.

          -

          See [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md) for supported versions.

          +

          See MBAM 2.5 Supported Configurations for supported versions.

          SQL Server Reporting Services (SSRS)

          @@ -206,7 +205,7 @@ If BitLocker was used without MBAM, you must decrypt the drive and then clear TP -  + ## Prerequisites for the Administration and Monitoring Server @@ -264,13 +263,12 @@ The following table lists the installation prerequisites for the MBAM Administra
        • .NET Framework 4.5

          • Windows Server 2012 or Windows Server 2012 R2 - .NET Framework 4.5 is already installed for these versions of Windows Server, but you must enable it.

          • -
          • Windows Server 2008 R2 - .NET Framework 4.5 is not included with Windows Server 2008 R2, so you must [download Microsoft .NET Framework 4.5](https://go.microsoft.com/fwlink/?LinkId=392318) and install it separately.

            +
          • Windows Server 2008 R2 - .NET Framework 4.5 is not included with Windows Server 2008 R2, so you must download Microsoft .NET Framework 4.5 and install it separately.

            -Note   -

            If you are upgrading from MBAM 2.0 or MBAM 2.0 SP1 and need to install .NET Framework 4.5, see [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md) for an additional required step to make the websites work.

            +Note

            If you are upgrading from MBAM 2.0 or MBAM 2.0 SP1 and need to install .NET Framework 4.5, see Release Notes for MBAM 2.5 for an additional required step to make the websites work.

            -  +
        • WCF Activation

          @@ -289,30 +287,29 @@ The following table lists the installation prerequisites for the MBAM Administra
        -

        ASP.NET MVC 4.0

        -

        [ASP.NET MVC 4 download](https://go.microsoft.com/fwlink/?LinkId=392271)

        +

        ASP.NET MVC 4.0

        +

        ASP.NET MVC 4 download

        Service Principal Name (SPN)

        The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools.

        -

        If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See [Setspn](https://technet.microsoft.com/library/cc731241.aspx) for information about the rights required to create SPNs.

        +

        If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See Setspn for information about the rights required to create SPNs.

        If you do not have administrative rights to create SPNs, you must ask the Active Directory administrators in your organization to create the SPN for you by using the following command.

        Setspn -s http/mbamvirtual contoso\mbamapppooluser
         Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

        In the code example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pools is contoso\mbamapppooluser.

        -Note   -

        If you are setting up Load Balancing, use the same application pool account on all servers.

        +Note

        If you are setting up Load Balancing, use the same application pool account on all servers.

        -  +
        -

        For more information about registering SPNs for fully qualified, NetBIOS, and custom host names, see [Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md).

        +

        For more information about registering SPNs for fully qualified, NetBIOS, and custom host names, see Planning How to Secure the MBAM Websites.

        -  + ## Prerequisites for the Self-Service Portal @@ -331,11 +328,11 @@ Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

    Supported version of Windows Server

    -

    See [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md) for supported versions.

    +

    See MBAM 2.5 Supported Configurations for supported versions.

    -

    ASP.NET MVC 4.0

    -

    [ASP.NET MVC 4 download](https://go.microsoft.com/fwlink/?LinkId=392271)

    +

    ASP.NET MVC 4.0

    +

    ASP.NET MVC 4 download

    Web Service IIS Management Tools

    @@ -344,24 +341,23 @@ Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

    Service Principal Name (SPN)

    The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools.

    -

    If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See [Setspn](https://technet.microsoft.com/library/cc731241.aspx) for information about the rights required to create SPNs.

    +

    If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See Setspn for information about the rights required to create SPNs.

    If you do not have administrative rights to create SPNs, you must ask the Active Directory administrators in your organization administrators in your organization to create the SPN for you by using the following command.

    Setspn -s http/mbamvirtual contoso\mbamapppooluser
     Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

    In the code example, the virtual host name is mbamvirtual.contoso.com, and the domain account used for the web application pools is contoso\mbamapppooluser.

    -Note   -

    If you are setting up Load Balancing, use the same application pool account on all servers.

    +Note

    If you are setting up Load Balancing, use the same application pool account on all servers.

    -  +
    -

    For more information about registering SPNs for fully qualified, NetBIOS, and custom host names, see [Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md).

    +

    For more information about registering SPNs for fully qualified, NetBIOS, and custom host names, see Planning How to Secure the MBAM Websites.

    -  + ## Prerequisites for the Management Workstation @@ -379,7 +375,7 @@ Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser
    -

    Before installing the MBAM Client, download the MBAM Group Policy Templates from [How to Get MDOP Group Policy (.admx) Templates](https://go.microsoft.com/fwlink/p/?LinkId=393941) and configure them with the settings that you want to implement in your enterprise for BitLocker Drive Encryption.

    +

    Before installing the MBAM Client, download the MBAM Group Policy Templates from How to Get MDOP Group Policy (.admx) Templates and configure them with the settings that you want to implement in your enterprise for BitLocker Drive Encryption.

    Before installing the MBAM Client, do the following:

    @@ -395,20 +391,20 @@ Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser - + - +

    Copy the MBAM Group Policy Templates

    [Copying the MBAM 2.5 Group Policy Templates](copying-the-mbam-25-group-policy-templates.md)

    Copying the MBAM 2.5 Group Policy Templates

    Edit the Group Policy settings

    [Editing the MBAM 2.5 Group Policy Settings](editing-the-mbam-25-group-policy-settings.md)

    Editing the MBAM 2.5 Group Policy Settings

    -

     

    +

    -  + @@ -421,9 +417,9 @@ Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser
    [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md) -  -  + + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md index 107559edc8..970711d8a8 100644 --- a/mdop/mbam-v25/mbam-25-supported-configurations.md +++ b/mdop/mbam-v25/mbam-25-supported-configurations.md @@ -21,10 +21,10 @@ You can run Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 in a St For additional configurations that are specific to the Configuration Manager Integration topology, see [Versions of Configuration Manager that MBAM supports](#bkmk-cm-ramreqs). -**Note**   +**Note** Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + ## MBAM Supported Languages @@ -87,7 +87,7 @@ The following tables show the languages that are supported for the MBAM Client ( -  + **Supported Languages in MBAM 2.5:** 
@@ -134,14 +134,14 @@ The following tables show the languages that are supported for the MBAM Client ( -  + ## MBAM Server system requirements ### MBAM Server operating system requirements -We strongly recommend that you run the MBAM Client and MBAM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on. +We strongly recommend that you run the MBAM Client and MBAM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on. The following table lists the operating systems that are supported for the MBAM Server installation. @@ -162,7 +162,7 @@ The following table lists the operating systems that are supported for the MBAM -

    Windows Server 2016

    +

    Windows Server 2016

    Standard or Datacenter

    64-bit

    @@ -180,7 +180,7 @@ The following table lists the operating systems that are supported for the MBAM

    64-bit

    -

    Windows Server 2008 R2

    +

    Windows Server 2008 R2

    Standard, Enterprise, or Datacenter

    SP1

    64-bit

    @@ -188,7 +188,7 @@ The following table lists the operating systems that are supported for the MBAM -  + The enterprise domain must contain at least one Windows Server 2008 (or later) domain controller. @@ -228,7 +228,7 @@ These requirements are for the MBAM Stand-alone topology. For the requirements f -  + ### MBAM Server processor, RAM, and disk space requirements - Configuration Manager Integration topology @@ -266,7 +266,7 @@ The following table lists the server processor, RAM, and disk space requirements -  + ### Versions of Configuration Manager that MBAM supports @@ -303,7 +303,7 @@ MBAM supports the following versions of Configuration Manager.

    64-bit

    -

    Microsoft System Center 2012 Configuration Manager

    +

    Microsoft System Center 2012 Configuration Manager

    SP1

    64-bit

    @@ -312,21 +312,21 @@ MBAM supports the following versions of Configuration Manager.

    64-bit

    ->**Note** Although Configuration Manager 2007 R2 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software. +>Note Although Configuration Manager 2007 R2 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software. -  + For a list of supported configurations for the Configuration Manager Server, see the appropriate TechNet documentation for the version of Configuration Manager that you are using. MBAM has no additional system requirements for the Configuration Manager Server. -### SQL Server database requirements +### SQL Server database requirements The following table lists the Microsoft SQL Server versions that are supported for the MBAM Server features, which include the Recovery Database, Compliance and Audit Database, and the Reports feature. The required versions apply to the Stand-alone or the Configuration Manager Integration topologies. -You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** collation. +You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** collation. @@ -348,24 +348,23 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll - - +
    -https://www.microsoft.com/en-us/download/details.aspx?id=54967 +https://www.microsoft.com/en-us/download/details.aspx?id=54967 - + - + @@ -375,7 +374,7 @@ https://www.microsoft.com/en-us/download/details.aspx?id=54967

    Microsoft SQL Server 2017

    Standard, Enterprise, or Datacenter

    64-bit

    64-bit

    Microsoft SQL Server 2016

    Standard, Enterprise, or Datacenter

    SP1

    64-bit

    64-bit

    Microsoft SQL Server 2014

    Standard, Enterprise, or Datacenter

    SP1, SP2

    64-bit

    Microsoft SQL Server 2012

    Microsoft SQL Server 2012

    Standard, Enterprise, or Datacenter

    SP3

    64-bit

    Microsoft SQL Server 2008 R2

    Microsoft SQL Server 2008 R2

    Standard or Enterprise

    SP3

    64-bit

    < **Note** In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967 and to support SQL 2017 you must install the July 2018 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=57157. In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features. -  + ### SQL Server processor, RAM, and disk space requirements – Stand-alone topology @@ -413,7 +412,7 @@ The following table lists the recommended server processor, RAM, and disk space
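Review bot: in the `@@ -375,7 +374,7 @@` hunk the context line `< **Note** In order to support SQL 2016 you must install the March 2017 Servicing Release ...` opens with `<` rather than the `>` blockquote marker the other callouts in this file use; since this commit already touches the whitespace around it, correcting the marker here would keep the note rendering consistently with the rest of the page.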
    -  + ### SQL Server processor, RAM, and disk space requirements - Configuration Manager Integration topology @@ -451,14 +450,14 @@ The following table lists the server processor, RAM, and disk space requirements -  + ## MBAM Client system requirements ### Client operating system requirements -We strongly recommend that you run the MBAM Client and MBAM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on. +We strongly recommend that you run the MBAM Client and MBAM Server on the same line of operating systems. For example, Windows 10 with Windows Server 2016, Windows 8.1 with Windows Server 2012 R2, and so on. The following table lists the operating systems that are supported for MBAM Client installation. The same requirements apply to the Stand-alone and the Configuration Manager Integration topologies. @@ -483,8 +482,7 @@ The following table lists the operating systems that are supported for MBAM Clie

    Enterprise

    32-bit or 64-bit

    - - +

    Windows 10

    Enterprise

    @@ -497,7 +495,7 @@ The following table lists the operating systems that are supported for MBAM Clie

    32-bit or 64-bit

    -

    Windows 7

    +

    Windows 7

    Enterprise or Ultimate

    SP1

    32-bit or 64-bit

    @@ -511,7 +509,7 @@ The following table lists the operating systems that are supported for MBAM Clie -  + ### Client RAM requirements @@ -557,7 +555,7 @@ The following table lists the operating systems that are supported for MBAM Grou

    32-bit or 64-bit

    -

    Windows 7

    +

    Windows 7

    Enterprise, or Ultimate

    SP1

    32-bit or 64-bit

    @@ -575,7 +573,7 @@ The following table lists the operating systems that are supported for MBAM Grou

    64-bit

    -

    Windows Server 2008 R2

    +

    Windows Server 2008 R2

    Standard, Enterprise, or Datacenter

    SP1

    64-bit

    @@ -608,9 +606,9 @@ The MBAM client is not supported on virtual machines and is also not supported o [Preparing your Environment for MBAM 2.5](preparing-your-environment-for-mbam-25.md) -  -  + + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/planning-for-mbam-25-client-deployment.md b/mdop/mbam-v25/planning-for-mbam-25-client-deployment.md index 663b146718..6fce394daa 100644 --- a/mdop/mbam-v25/planning-for-mbam-25-client-deployment.md +++ b/mdop/mbam-v25/planning-for-mbam-25-client-deployment.md @@ -26,7 +26,7 @@ If you deploy MBAM with the Configuration Manager Integration topology, you can **Note**   Windows To Go is not supported for the Configuration Manager Integration topology installation when you are using Configuration Manager 2007. -  + ## Deploying the MBAM Client to enable BitLocker Drive Encryption after computer distribution to end users @@ -36,14 +36,14 @@ After you configure Group Policy, you can use an enterprise software deployment **Note**   Beginning in MBAM 2.5 SP1, a separate MSI is no longer included with the MBAM product. However, you can extract the MSI from the executable file (.exe) that is included with the product. -  + When you deploy the MBAM Client after you distribute computers to client computers, end users are prompted to encrypt their computer. This action enables MBAM to collect the data, which includes the PIN and password (if required by policy), and then to begin the encryption process. **Note**   In this approach, end users who have computers with a TPM chip are prompted to activate and initialize the TPM chip if the chip has not been previously activated. -  + ## Using the MBAM Client to enable BitLocker Drive Encryption before computer distribution to end users 
@@ -55,7 +55,7 @@ If your organization wants to use the TPM chip to encrypt computers, the adminis **Note**   The TPM protector option requires the administrator to accept the BIOS prompt to activate and initialize the TPM before the computer is delivered to the end user. -  + ## MBAM Client support for Encrypted Hard Drives @@ -70,9 +70,9 @@ MBAM supports BitLocker on Encrypted Hard Drives that meet TCG specification req [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md) -  + -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/planning-for-mbam-25-group-policy-requirements.md b/mdop/mbam-v25/planning-for-mbam-25-group-policy-requirements.md index 82a51d17cb..9003490cee 100644 --- a/mdop/mbam-v25/planning-for-mbam-25-group-policy-requirements.md +++ b/mdop/mbam-v25/planning-for-mbam-25-group-policy-requirements.md @@ -44,7 +44,7 @@ MBAM supports the following types of BitLocker protectors.
  • TPM + USB key – supported only when the operating system volume is encrypted before MBAM is installed

  • TPM + PIN + USB key - supported only when the operating system volume is encrypted before MBAM is installed

  • Password - supported only for Windows To Go devices, fixed data drives, and Windows 8, Windows 8.1, and Windows 10 devices that do not have a TPM

  • -
  • Numerical password - applied automatically as part of volume encryption and does not need to be configured except in FIPS mode on Windows 7

  • +
  • Numerical password - applied automatically as part of volume encryption and does not need to be configured except in FIPS mode on Windows 7

  • Data recovery agent (DRA)

  • @@ -53,7 +53,7 @@ MBAM supports the following types of BitLocker protectors.
    • Password

    • Auto-unlock

    • -
    • Numerical password - applied automatically as part of volume encryption and does not need to be configured except in FIPS mode on Windows 7

    • +
    • Numerical password - applied automatically as part of volume encryption and does not need to be configured except in FIPS mode on Windows 7

    • Data recovery agent (DRA)

    @@ -69,7 +69,7 @@ MBAM supports the following types of BitLocker protectors. -  + ### Support for the Used Space Encryption BitLocker policy @@ -95,27 +95,27 @@ When you are ready to configure the MBAM Group Policy settings you want, do the -

    Copy the MBAM Group Policy Templates from [How to Get MDOP Group Policy (.admx) Templates](https://go.microsoft.com/fwlink/p/?LinkId=393941) and install them on a computer that is capable of running the Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM).

    -

    [Copying the MBAM 2.5 Group Policy Templates](copying-the-mbam-25-group-policy-templates.md)

    +

    Copy the MBAM Group Policy Templates from How to Get MDOP Group Policy (.admx) Templates and install them on a computer that is capable of running the Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM).

    +

    Copying the MBAM 2.5 Group Policy Templates

    Configure the Group Policy settings that you want to use in your enterprise.

    -

    [Editing the MBAM 2.5 Group Policy Settings](editing-the-mbam-25-group-policy-settings.md)

    +

    Editing the MBAM 2.5 Group Policy Settings

    -  + ## Descriptions of the MBAM Group Policy settings The **MDOP MBAM (BitLocker Management)** GPO node contains four global policy settings and four child GPO nodes: **Client Management**, **Fixed Drive**, **Operating System Drive**, and **Removable Drive**. The following sections describe and suggest settings for the MBAM Group Policy settings. -**Important**   +**Important** Do not change the Group Policy settings in the **BitLocker Drive Encryption** node, or MBAM will not work correctly. MBAM automatically configures the settings in this node for you when you configure the settings in the **MDOP MBAM (BitLocker Management)** node. -  + ### Global Group Policy definitions @@ -139,14 +139,13 @@ This section describes MBAM Global Group Policy definitions at the following GPO
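Review bot: the `+` lines of the `@@ -95,27 +95,27 @@` hunk lose their link targets: `[How to Get MDOP Group Policy (.admx) Templates](https://go.microsoft.com/fwlink/p/?LinkId=393941)`, `[Copying the MBAM 2.5 Group Policy Templates](copying-the-mbam-25-group-policy-templates.md)` and `[Editing the MBAM 2.5 Group Policy Settings](editing-the-mbam-25-group-policy-settings.md)` come back as plain text. For a change described as whitespace cleanup the links should be preserved, otherwise readers of the procedure table have no way to reach the two sub-topics it points to.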

    Configure this policy to use a specific encryption method and cipher strength.

    When this policy is not configured, BitLocker uses the default encryption method: AES 128-bit with Diffuser.

    -Note   -

    An issue with the BitLocker Computer Compliance report causes it to display "unknown" for the cipher strength, even if you are using the default value. To work around this issue, make sure you enable this setting and set a value for cipher strength.

    +Note

    An issue with the BitLocker Computer Compliance report causes it to display "unknown" for the cipher strength, even if you are using the default value. To work around this issue, make sure you enable this setting and set a value for cipher strength.

    -  +
      -
    • AES 128-bit with Diffuser – for Windows 7 only

    • +
    • AES 128-bit with Diffuser – for Windows 7 only

    • AES 128 for Windows 8, Windows 8.1, and Windows 10

    @@ -172,7 +171,7 @@ This section describes MBAM Global Group Policy definitions at the following GPO -  + ### Client Management Group Policy definitions @@ -212,14 +211,13 @@ You can set the same Group Policy settings for the Stand-alone and System Center

    Configure user exemption policy

    Suggested configuration: Not Configured

    This policy setting lets you configure a website address, email address, or phone number that instructs a user to request an exemption from BitLocker encryption.

    -

    If you enable this policy setting and provide a website address, email address, or phone number, users see a dialog box with instructions on how to apply for an exemption from BitLocker protection. For more information about enabling BitLocker encryption exemptions for users, see [How to Manage User BitLocker Encryption Exemptions](how-to-manage-user-bitlocker-encryption-exemptions-mbam-25.md).

    +

    If you enable this policy setting and provide a website address, email address, or phone number, users see a dialog box with instructions on how to apply for an exemption from BitLocker protection. For more information about enabling BitLocker encryption exemptions for users, see How to Manage User BitLocker Encryption Exemptions.

    If you either disable or do not configure this policy setting, the exemption request instructions are not displayed to users.

    -Note   -

    User exemption is managed per user, not per computer. If multiple users log on to the same computer and any one user is not exempt, the computer is encrypted.

    +Note

    User exemption is managed per user, not per computer. If multiple users log on to the same computer and any one user is not exempt, the computer is encrypted.

    -  +
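Review bot: in the `@@ -212,14 +211,13 @@` hunk the replacement line `For more information about enabling BitLocker encryption exemptions for users, see How to Manage User BitLocker Encryption Exemptions.` drops the link to `how-to-manage-user-bitlocker-encryption-exemptions-mbam-25.md` that the removed line carried; keep the link so the exemption procedure remains reachable from this policy description.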
    @@ -240,7 +238,7 @@ You can set the same Group Policy settings for the Stand-alone and System Center -  + ### Fixed Drive Group Policy definitions @@ -278,9 +276,9 @@ This section describes Fixed Drive policy definitions for Microsoft BitLocker Ad

    Allow access to BitLocker-protected fixed drives from earlier versions of Windows

    Suggested configuration: Not Configured

    -

    Enable this policy so that fixed drives with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

    -

    When the policy is enabled or not configured, fixed drives that are formatted with the FAT file system can be unlocked and their content can be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2. These operating systems have read-only permission to BitLocker-protected drives.

    -

    When the policy is disabled, fixed drives that are formatted with the FAT file system cannot be unlocked and their content cannot be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

    +

    Enable this policy so that fixed drives with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

    +

    When the policy is enabled or not configured, fixed drives that are formatted with the FAT file system can be unlocked and their content can be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2. These operating systems have read-only permission to BitLocker-protected drives.

    +

    When the policy is disabled, fixed drives that are formatted with the FAT file system cannot be unlocked and their content cannot be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

    Configure use of password for fixed drives

    @@ -312,7 +310,7 @@ This section describes Fixed Drive policy definitions for Microsoft BitLocker Ad -  + ### Operating System Drive Group Policy definitions @@ -339,7 +337,7 @@ This section describes Operating System Drive policy definitions for Microsoft B
  • Allow Standby States (S1-S3) When Sleeping (Plugged In)

  • Allow Standby States (S1-S3) When Sleeping (On Battery)

  • -

    If you are running Microsoft Windows 8 or later, and you want to use BitLocker on a computer without a TPM, select the Allow BitLocker without a compatible TPM check box. In this mode, a password is required for startup. If you forget the password, you have to use one of the BitLocker recovery options to access the drive.

    +

    If you are running Microsoft Windows 8 or later, and you want to use BitLocker on a computer without a TPM, select the Allow BitLocker without a compatible TPM check box. In this mode, a password is required for startup. If you forget the password, you have to use one of the BitLocker recovery options to access the drive.

    On a computer with a compatible TPM, two types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require the entry of a personal identification number (PIN).

    If you enable this policy setting, users have to put the operating system drive under BitLocker protection, and the drive is then encrypted.

    If you disable this policy, users cannot put the operating system drive under BitLocker protection. If you apply this policy after the operating system drive is encrypted, the drive is then decrypted.

    @@ -365,24 +363,22 @@ This section describes Operating System Drive policy definitions for Microsoft B

    Suggested configuration: Not Configured

    Use this policy setting to set the constraints for passwords that are used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, you must also enable the Group Policy setting "Password must meet complexity requirements" located in Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

    -Note   -

    These settings are enforced when you turn on BitLocker, not when you unlock a volume. BitLocker lets you unlock a drive with any of the protectors that are available on the drive.

    +Note

    These settings are enforced when you turn on BitLocker, not when you unlock a volume. BitLocker lets you unlock a drive with any of the protectors that are available on the drive.

    -  +

    If you enable this policy setting, users can configure a password that meets the requirements that you define. To enforce complexity requirements on the password, click Require password complexity.

    Configure TPM platform validation profile for BIOS-based firmware configurations

    Suggested configuration: Not Configured

    -

    This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

    +

    This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

    -Important   -

    This Group Policy setting applies only to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Service Module (CSM) enabled. Computers that use a native UEFI firmware configuration store different values into the Platform Configuration Registers (PCRs). Use the "Configure TPM platform validation profile for native UEFI firmware configurations" Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.

    +Important

    This Group Policy setting applies only to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Service Module (CSM) enabled. Computers that use a native UEFI firmware configuration store different values into the Platform Configuration Registers (PCRs). Use the "Configure TPM platform validation profile for native UEFI firmware configurations" Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.

    -  +

    If you enable this policy setting before you turn on BitLocker, you can configure the boot components that the TPM validates before you unlock access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive and the computer instead displays the BitLocker Recovery console and requires that you provide either the recovery password or recovery key to unlock the drive.

    If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile that is specified by the Setup script.

    @@ -390,20 +386,19 @@ This section describes Operating System Drive policy definitions for Microsoft B

    Configure TPM platform validation profile

    Suggested configuration: Not Configured

    -

    This policy setting enables you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

    +

    This policy setting enables you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

    If you enable this policy setting before you turn on BitLocker, you can configure the boot components that the TPM validates before you unlock access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive and the computer instead displays the BitLocker Recovery console and requires that you provide either the recovery password or recovery key to unlock the drive.

    If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.

    Configure TPM platform validation profile for native UEFI firmware configurations

    Suggested configuration: Not Configured

    -

    This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

    +

    This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

    -Important   -

    This Group Policy setting applies only to computers with a native UEFI firmware configuration.

    +Important

    This Group Policy setting applies only to computers with a native UEFI firmware configuration.

    -  +

    If you enable this policy setting before you turn on BitLocker, you can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive and the computer instead displays the BitLocker Recovery console and requires that you provide either the recovery password or recovery key to unlock the drive.

    If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.

    @@ -418,13 +413,12 @@ This section describes Operating System Drive policy definitions for Microsoft B

    Use enhanced Boot Configuration Data validation profile

    Suggested configuration: Not Configured

    This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation.

    -

    If you enable this policy setting, you can add additional settings, remove the default settings, or both. If you disable this policy setting, the computer reverts to a BCD profile similar to the default BCD profile that is used by Windows 7. If you do not configure this policy setting, the computer verifies the default Windows BCD settings.

    +

    If you enable this policy setting, you can add additional settings, remove the default settings, or both. If you disable this policy setting, the computer reverts to a BCD profile similar to the default BCD profile that is used by Windows 7. If you do not configure this policy setting, the computer verifies the default Windows BCD settings.

    -Note   -

    When BitLocker uses Secure Boot for platform and Boot Configuration Data (BCD) integrity validation, as defined by the "Allow Secure Boot for integrity validation" policy, the "Use enhanced Boot Configuration Data validation profile" policy is ignored.

    +Note

    When BitLocker uses Secure Boot for platform and Boot Configuration Data (BCD) integrity validation, as defined by the "Allow Secure Boot for integrity validation" policy, the "Use enhanced Boot Configuration Data validation profile" policy is ignored.

    -  +

    The setting that controls boot debugging (0x16000010) is always validated and has no effect if it is included in the provided fields.

    @@ -447,17 +441,16 @@ This section describes Operating System Drive policy definitions for Microsoft B
  • Use default recovery message and URL: Select this option to display the default BitLocker recovery message and URL in the pre-boot BitLocker recovery screen. If you previously configured a custom recovery message or URL and want to revert to the default message, you must enable this policy and select the Use default recovery message and URL option.

  • -Note   -

    Not all characters and languages are supported in pre-boot. We recommend that you test that the characters you use for the custom message or URL appear correctly on the pre-boot BitLocker recovery screen.

    +Note

    Not all characters and languages are supported in pre-boot. We recommend that you test that the characters you use for the custom message or URL appear correctly on the pre-boot BitLocker recovery screen.

    -  +
    -  + ### Removable Drive Group Policy definitions @@ -492,9 +485,9 @@ This section describes Removable Drive Group Policy definitions for Microsoft Bi

    Allow access to BitLocker-protected removable drives from earlier versions of Windows

    Suggested configuration: Not Configured

    -

    Enable this policy to allow fixed drives with the FAT file system to be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

    -

    When this policy is not configured, removable drives that are formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only permission to BitLocker-protected drives.

    -

    When the policy is disabled, removable drives formatted with the FAT file system cannot be unlocked and their content cannot be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

    +

    Enable this policy to allow fixed drives with the FAT file system to be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

    +

    When this policy is not configured, removable drives that are formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only permission to BitLocker-protected drives.

    +

    When the policy is disabled, removable drives formatted with the FAT file system cannot be unlocked and their content cannot be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

    Configure use of password for removable data drives

    @@ -513,7 +506,7 @@ This section describes Removable Drive Group Policy definitions for Microsoft Bi -  + ## Related topics @@ -523,11 +516,11 @@ This section describes Removable Drive Group Policy definitions for Microsoft Bi [MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md b/mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md index 0f01cc6965..7f91892a01 100644 --- a/mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md +++ b/mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md 
@@ -17,12 +17,12 @@ ms.date: 11/02/2016 # Planning for MBAM 2.5 Groups and Accounts -This topic lists the roles and accounts that you must create in Active Directory Domain Services (AD DS) to provide security and access rights for the Microsoft BitLocker Administration and Monitoring (MBAM) databases, reports, and web applications. For each role and account, the corresponding field in the MBAM Server Configuration wizard is provided. For a list of Windows PowerShell cmdlets and parameters that correspond to these accounts, see [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md#bkmk-reqd-posh-accts). +This topic lists the roles and accounts that you must create in Active Directory Domain Services (AD DS) to provide security and access rights for the Microsoft BitLocker Administration and Monitoring (MBAM) databases, reports, and web applications. For each role and account, the corresponding field in the MBAM Server Configuration wizard is provided. For a list of Windows PowerShell cmdlets and parameters that correspond to these accounts, see [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md#bkmk-reqd-posh-accts). -**Note**   +**Note** MBAM does not support the use of managed service accounts. -  + ## Database accounts @@ -64,7 +64,7 @@ Create the following accounts for the Compliance and Audit Database and the Reco -  + ## Reporting accounts @@ -105,7 +105,7 @@ Create the following accounts for the Reports feature. -  + ## Administration and Monitoring Website (Help Desk) accounts @@ -137,11 +137,10 @@ Create the following accounts for the Administration and Monitoring Website.

    If you enter a group name in the Read/write access domain user or group field on the Configure Databases page, the value you enter in this field must be a member of that group.

    If you do not specify credentials, the credentials that were specified for any previously enabled web application will be used. All web applications must use the same application pool credentials. If you specify different credentials for different web applications, the most recently specified value will be used.

    -Important   -

    For improved security, set the account that is specified in the credentials to have limited user rights.

    +Important

    For improved security, set the account that is specified in the credentials to have limited user rights.

    -  +
    @@ -168,12 +167,12 @@ Create the following accounts for the Administration and Monitoring Website.

    Group

    MBAM Data Migration Users

    Optional domain user group whose members have permissions to write data to MBAM by using the MBAM Recovery and Hardware Service running on the MBAM server. This account is generally used with the Write-Mbam* cmdlets to write recovery and TPM data from Active Directory into the MBAM database.

    -

    For more information, see [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md).

    +

    For more information, see MBAM 2.5 Security Considerations.
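Review bot: the `+` line "For more information, see MBAM 2.5 Security Considerations." drops the link target `mbam-25-security-considerations.md` that the removed line carried, so the MBAM Data Migration Users row no longer points readers to the security guidance it cites. If this commit is meant to be a trailing-whitespace cleanup only, keep the cross-reference as a link: `For more information, see [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md).`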

    -  + ## Related topics @@ -183,11 +182,11 @@ Create the following accounts for the Administration and Monitoring Website. [MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).  +- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/planning-for-mbam-25-server-deployment.md b/mdop/mbam-v25/planning-for-mbam-25-server-deployment.md index 0d0bdeae03..41ccde26df 100644 --- a/mdop/mbam-v25/planning-for-mbam-25-server-deployment.md +++ b/mdop/mbam-v25/planning-for-mbam-25-server-deployment.md @@ -37,8 +37,8 @@ This topic lists the features that you deploy for the MBAM Stand-alone and Confi

    Review the following before you start the deployment:

    Each MBAM feature has specific prerequisites that must be met before you start the MBAM installation.

    @@ -48,7 +48,7 @@ This topic lists the features that you deploy for the MBAM Stand-alone and Confi

    Keep track of the names of the computers on which you configure each feature. You will use this information throughout the configuration process.

    -

    You may want to use the [MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md) for this purpose.

    +

    You may want to use the MBAM 2.5 Deployment Checklist for this purpose.

    Configure only the Group Policy settings in the MDOP MBAM (BitLocker Management) node. Do not change the Group Policy settings in the BitLocker Drive Encryption node.
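Review bot: the `+` line "You may want to use the MBAM 2.5 Deployment Checklist for this purpose." loses the link to `mbam-25-deployment-checklist.md` that the removed line had; the sentence only makes sense as a pointer to that checklist, so restore it as `[MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md)` rather than plain text.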

    @@ -57,7 +57,7 @@ This topic lists the features that you deploy for the MBAM Stand-alone and Confi -  + ## Planning for MBAM Server deployment – Stand-alone topology @@ -108,7 +108,7 @@ For a description of these features, see [High-Level Architecture of MBAM 2.5 wi [Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md b/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md index 72487aa0e1..56e258088e 100644 --- a/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md +++ b/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md @@ -42,7 +42,7 @@ This topic describes the following methods for securing the Microsoft BitLocker -  + For more information about how to secure your MBAM deployment, see [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md). @@ -57,10 +57,10 @@ We recommend that you use a certificate to secure the communication between the: For information about requesting and installing a certificate, see [Configuring Internet Server Certificates](https://technet.microsoft.com/library/cc731977.aspx). -**Note**   +**Note** You can configure the websites and web services on different servers only if you are using Windows PowerShell. If you use the MBAM Server Configuration wizard to configure the websites, you must configure the websites and the web services on the same server. -  + To secure the communication between the web services and the databases, we also recommend that you force encryption in SQL Server. For information about securing all connections to SQL Server, including communication between the web services and SQL Server, see [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md#bkmk-secure-databases). 
@@ -94,14 +94,13 @@ Review the information in the following table before you start creating SPNs. -

    Create a service account in Active Directory Domain Services (AD DS).

    +

    Create a service account in Active Directory Domain Services (AD DS).

    The service account is a user account that you create in AD DS to provide security for the MBAM websites. The MBAM websites run under an application pool, whose identity is the name of the service account. The SPNs are then registered in the application pool account.

    -Note   -

    You must use the same application pool account for all web servers.

    +Note

    You must use the same application pool account for all web servers.

    -  +
    @@ -119,7 +118,7 @@ Review the information in the following table before you start creating SPNs. -  + ### Registering SPNs when you use a fully qualified domain host name @@ -144,13 +143,13 @@ If you use a fully qualified domain host name when you configure MBAM, you have

    Configure constrained delegation for the SPN that you are registering for the application pool account.

    -

    [Configuring Constrained Delegation](https://go.microsoft.com/fwlink/?LinkId=394335)

    +

    Configuring Constrained Delegation

    This requirement only applies to MBAM 2.5; it is not necessary in MBAM 2.5 SP1.
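Review bot: the `+` line "Configuring Constrained Delegation" replaces the removed `[Configuring Constrained Delegation](https://go.microsoft.com/fwlink/?LinkId=394335)`, so the fully-qualified-host-name SPN step now names a procedure without linking to it. Since the row is a "see this procedure" cell, keep the fwlink target; a bare title gives the reader nothing to follow.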

    -  + ### Registering SPNs when you use a NetBIOS host name @@ -180,13 +179,13 @@ If you use a NetBIOS host name when you configure MBAM, register one SPN for the

    Configure constrained delegation for the SPNs that you are registering for the application pool account.

    -

    [Configuring Constrained Delegation](https://go.microsoft.com/fwlink/?LinkId=394335)

    +

    Configuring Constrained Delegation

    This requirement only applies to MBAM 2.5; it is not necessary in MBAM 2.5 SP1.
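Review bot: same issue as the fully-qualified-host-name section: the `+` line "Configuring Constrained Delegation" drops the `https://go.microsoft.com/fwlink/?LinkId=394335` link from the NetBIOS host name SPN step. Restore the link so the constrained-delegation procedure stays reachable from this table.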

    -  + ### Registering SPNs when you use a virtual host name @@ -221,18 +220,18 @@ If you configure MBAM with a virtual host name that is a fully qualified domain

    On the Domain Name Server (DNS) server, create an “A record” for the custom host name and point it to a web server or a load balancer.

    -

    See the “To configure DNS Host A Records” section in [Configure DNS Host Records](https://go.microsoft.com/fwlink/?LinkId=394337).

    +

    See the “To configure DNS Host A Records” section in Configure DNS Host Records.

    We recommend that you use A records instead of CNAMES. If you use CNAMES to point to the domain address, you must also register SPNs for the web server name in the application pool account.

    Configure constrained delegation for the SPNs that you are registering for the application pool account.

    -

    [Configuring Constrained Delegation](https://go.microsoft.com/fwlink/?LinkId=394335)

    +

    Configuring Constrained Delegation

    This requirement only applies to MBAM 2.5; it is not necessary in MBAM 2.5 SP1.
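Review bot: two links are lost in the virtual host name steps: the `+` line "See the “To configure DNS Host A Records” section in Configure DNS Host Records." no longer carries `https://go.microsoft.com/fwlink/?LinkId=394337`, and "Configuring Constrained Delegation" no longer carries `https://go.microsoft.com/fwlink/?LinkId=394335`. Both rows are references to external procedures, so keep them as links; the DNS A-record guidance in particular is the step that prevents the CNAME/SPN mismatch the next context line warns about.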

    -  + ### Registering an SPN when you upgrade from previous versions of MBAM @@ -240,7 +239,7 @@ Complete the steps in this section only if you want to: - Upgrade from a previous version of MBAM. -- Run the websites in MBAM 2.5 in a load-balanced or distributed configuration, and you are currently running in a configuration that is not load balanced. +- Run the websites in MBAM 2.5 in a load-balanced or distributed configuration, and you are currently running in a configuration that is not load balanced. If you already registered SPNs on the machine account rather than in an application pool account, MBAM uses the existing SPNs, and you cannot configure the websites in a load-balanced or distributed configuration. @@ -257,12 +256,12 @@ If you already registered SPNs on the machine account rather than in an applicat -

    Create an application pool account in Active Directory Domain Services (AD DS).

    +

    Create an application pool account in Active Directory Domain Services (AD DS).

    Remove the currently installed websites and web services.

    -

    [Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md)

    +

    Removing MBAM Server Features or Software

    Remove SPNs from the machine account.
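Review bot: the `+` line "Removing MBAM Server Features or Software" drops the link to `removing-mbam-server-features-or-software.md` that the removed line had for the step "Remove the currently installed websites and web services." In an upgrade procedure each step's reference cell is the only pointer to the detailed instructions, so restore the link rather than leaving a plain title.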

    @@ -271,11 +270,11 @@ If you already registered SPNs on the machine account rather than in an applicat

    Register SPNs in the application pool account.

    -

    Follow the steps for [Registering SPNs when you use a virtual host name](#bkmk-regvirtualspn).

    +

    Follow the steps for Registering SPNs when you use a virtual host name.

    Reconfigure the web applications and web services.

    -

    [How to Configure the MBAM 2.5 Web Applications](how-to-configure-the-mbam-25-web-applications.md)

    +

    How to Configure the MBAM 2.5 Web Applications

    Do one of the following, depending on the method you use for the configuration:
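Review bot: the `+` lines in this hunk drop two links: the in-page bookmark `#bkmk-regvirtualspn` behind "Follow the steps for Registering SPNs when you use a virtual host name." and the `how-to-configure-the-mbam-25-web-applications.md` target behind "How to Configure the MBAM 2.5 Web Applications". The bookmark is the more important of the two, because that section is in the same file and readers of the upgrade steps need to jump to it; keep `[Registering SPNs when you use a virtual host name](#bkmk-regvirtualspn)` and the how-to link.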

    @@ -301,13 +300,12 @@ If you already registered SPNs on the machine account rather than in an applicat -

     

    +

    -Important   -

    The host name that you enter must be the same name as the virtual host name for which you are creating the SPNs. Also, in your web farm, the host names and the application pool credentials must be the same on every server that you are configuring.

    +Important

    The host name that you enter must be the same name as the virtual host name for which you are creating the SPNs. Also, in your web farm, the host names and the application pool credentials must be the same on every server that you are configuring.

    -  +

    When MBAM configures the web applications, it will try to register the SPNs for you, but it can do so only if you have Domain Admin rights on the server on which you are installing MBAM. If you do not have these rights, you can complete the configuration, but you will have to set the SPNs before or after you configure MBAM.

    @@ -315,7 +313,7 @@ If you already registered SPNs on the machine account rather than in an applicat ## Required Request Filtering Settings - + 'Allow unlisted file name extensions' is required for the application to operate as expected. This can be found by navigating to the 'Microsoft BitLocker Administration and Monitoring' -> Request Filtering -> Edit Feature Settings. @@ -326,9 +324,9 @@ If you already registered SPNs on the machine account rather than in an applicat [MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md) -  -  + + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/planning-to-deploy-mbam-25.md b/mdop/mbam-v25/planning-to-deploy-mbam-25.md index 6a58576de0..e0e73d9033 100644 --- a/mdop/mbam-v25/planning-to-deploy-mbam-25.md +++ b/mdop/mbam-v25/planning-to-deploy-mbam-25.md @@ -34,7 +34,7 @@ The MBAM Server infrastructure depends on a set of server features that can be c **Note**   An MBAM installation on a single server is recommended only for lab environments. -  + The MBAM Client enables administrators to enforce and monitor BitLocker drive encryption on computers in the enterprise. The BitLocker client can be integrated into an organization by deploying the client through an enterprise software delivery system or by installing the Client on client computers as part of the initial imaging process. @@ -53,9 +53,9 @@ With MBAM, you can encrypt a computer in your organization either before the end - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + -  + 
diff --git a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md index 73cc4413af..2329a20a37 100644 --- a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md +++ b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md @@ -40,19 +40,19 @@ Before you install the MBAM Client software on end users' computers, ensure that

    -

    For Windows 7 client computers only: Each client must have Trusted Platform Module (TPM) capability (TPM 1.2 or later).

    +

    For Windows 7 client computers only: Each client must have Trusted Platform Module (TPM) capability (TPM 1.2 or later).

    For Windows 8.1, Windows 10 RTM or Windows 10 version 1511 client computers only: If you want MBAM to be able to store and manage the TPM recovery keys, TPM auto-provisioning must be turned off, and MBAM must be set as the owner of the TPM before you deploy MBAM.

    In MBAM 2.5 SP1 only, you no longer need to turn off TPM auto-provisioning, but you must make sure that the TPM Group Policy Objects are set to not escrow TPM OwnerAuth to Active Directory.

    -

    [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md#bkmk-tpm)

    +

    MBAM 2.5 Security Considerations

    For Windows 10, version 1607 or later, only Windows can take ownership of the TPM. In addiiton, Windows will not retain the TPM owner password when provisioning the TPM.

    In MBAM 2.5 SP1, you must turn on auto-provisioning.

    -

    See [TPM owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) for further details. +

    See TPM owner password for further details.
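Review bot: the `+` lines "MBAM 2.5 Security Considerations" and "See TPM owner password for further details." lose their targets (`mbam-25-security-considerations.md#bkmk-tpm` and `https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password`); the TPM ownership and OwnerAuth-escrow guidance these rows refer to is exactly what an administrator needs to follow before deploying the client, so keep both links. While touching this table, the context line "In addiiton, Windows will not retain the TPM owner password" has a typo ("addiiton" should be "addition").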

    @@ -66,11 +66,10 @@ Before you install the MBAM Client software on end users' computers, ensure that

    The computer’s hard disk must have a BIOS that is compatible with TPM and that supports USB devices during computer startup.

    -Note   -

    Ensure that the keyboard, video, or mouse are directly connected and not managed through a keyboard, video, or mouse (KVM) switch. A KVM switch can interfere with the ability of the computer to detect the physical presence of hardware.

    +Note

    Ensure that the keyboard, video, or mouse are directly connected and not managed through a keyboard, video, or mouse (KVM) switch. A KVM switch can interfere with the ability of the computer to detect the physical presence of hardware.

    -  +
    @@ -80,11 +79,11 @@ Before you install the MBAM Client software on end users' computers, ensure that -  -**Important**   + +**Important** If BitLocker was used without MBAM, MBAM can be installed and utilize the existing TPM information. -  + @@ -95,11 +94,11 @@ If BitLocker was used without MBAM, MBAM can be installed and utilize the existi [Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/prerequisites-for-the-configuration-manager-integration-feature.md b/mdop/mbam-v25/prerequisites-for-the-configuration-manager-integration-feature.md index f51b855674..f7ff13527a 100644 --- a/mdop/mbam-v25/prerequisites-for-the-configuration-manager-integration-feature.md +++ b/mdop/mbam-v25/prerequisites-for-the-configuration-manager-integration-feature.md @@ -19,10 +19,10 @@ ms.date: 08/30/2016 If you deploy MBAM with the System Center Configuration Manager Integration topology, we recommend a three-server architecture, as described in [High-Level Architecture of MBAM 2.5 with Configuration Manager Integration Topology](high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md). This architecture can support 500,000 client computers. -**Important**   +**Important** Windows To Go is not supported for the Configuration Manager Integration topology installation when you are using Configuration Manager 2007. -  + ## General prerequisites for the Configuration Manager Integration feature @@ -47,38 +47,37 @@ When you install MBAM with Configuration Manager, the following additional prere

    The Hardware Inventory Client Agent is on the Configuration Manager Server.

    -

    For System Center 2012 Configuration Manager, see [How to Configure Hardware Inventory in Configuration Manager](https://go.microsoft.com/fwlink/?LinkId=301685).

    -

    For Configuration Manager 2007, see [How to Configure Hardware Inventory for a Site](https://go.microsoft.com/fwlink/?LinkId=301656).

    +

    For System Center 2012 Configuration Manager, see How to Configure Hardware Inventory in Configuration Manager.

    +

    For Configuration Manager 2007, see How to Configure Hardware Inventory for a Site.

    One of the following is enabled, depending on the version of Configuration Manager that you are using:

      -
    • Compliance Settings - (System Center 2012 Configuration Manager)

    • +
    • Compliance Settings - (System Center 2012 Configuration Manager)

    • Desired Configuration Management (DCM) Client Agent – (Configuration Manager 2007)

    -

    For System Center 2012 Configuration Manager, see [Configuring Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/?LinkId=301687).

    -

    For Configuration Manager 2007, see [Desired Configuration Management Client Agent Properties](https://go.microsoft.com/fwlink/?LinkId=301686).

    +

    For System Center 2012 Configuration Manager, see Configuring Compliance Settings in Configuration Manager.

    +

    For Configuration Manager 2007, see Desired Configuration Management Client Agent Properties.

    A reporting services point is defined in Configuration Manager. Required for SQL Server Reporting Services (SSRS).

    -

    For System Center 2012 Configuration Manager, see [Prerequisites for Reporting in Configuration Manager](https://go.microsoft.com/fwlink/?LinkId=301689).

    -

    For Configuration Manager 2007, see [How to Create a Reporting Services Point for SQL Reporting Services](https://go.microsoft.com/fwlink/?LinkId=301688).

    +

    For System Center 2012 Configuration Manager, see Prerequisites for Reporting in Configuration Manager.

    +

    For Configuration Manager 2007, see How to Create a Reporting Services Point for SQL Reporting Services.

    Configuration Manager 2007 requires Microsoft .NET Framework 2.0

    The Desired Configuration Management (DCM) Client Agent in Configuration Manager 2007 requires .NET Framework 2.0 to report compliance.

    -Note   -

    Installing .NET Framework 3.5 automatically installs .NET Framework 2.0.

    +Note

    Installing .NET Framework 3.5 automatically installs .NET Framework 2.0.
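Review bot: every "For System Center 2012 Configuration Manager, see ..." and "For Configuration Manager 2007, see ..." `+` line in this hunk drops the fwlink that the removed line carried (LinkId=301685, 301656, 301687, 301686, 301689 and 301688), leaving bare document titles in the prerequisite table. Also, the bullet lines around "Compliance Settings - (System Center 2012 Configuration Manager)" show `-` and `+` markers inside the bullets themselves, so it is not clear what changed there; please re-check that the list renders as two bullets after this change. Suggest restoring the links, for example `For System Center 2012 Configuration Manager, see [How to Configure Hardware Inventory in Configuration Manager](https://go.microsoft.com/fwlink/?LinkId=301685).`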

    -  +
    -  + ## Required permissions to install MBAM with Configuration Manager @@ -110,9 +109,9 @@ To install MBAM with Configuration Manager, you must have an administrative user -  -**System Center 2012 Configuration Manager** + +**System Center 2012 Configuration Manager** @@ -141,7 +140,7 @@ To install MBAM with Configuration Manager, you must have an administrative user
    -  + **Configuration Manager 2007** @@ -172,12 +171,12 @@ To install MBAM with Configuration Manager, you must have an administrative user -  + ## Required changes for the .mof files -To enable the client computers to report BitLocker compliance details through the MBAM Configuration Manager reports, you have to edit the Configuration.mof file and Sms\_def.mof file for System Center 2012 Configuration Manager and Microsoft System Center Configuration Manager 2007. For instructions, see [MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology](mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology.md). +To enable the client computers to report BitLocker compliance details through the MBAM Configuration Manager reports, you have to edit the Configuration.mof file and Sms\_def.mof file for System Center 2012 Configuration Manager and Microsoft System Center Configuration Manager 2007. For instructions, see [MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology](mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology.md). @@ -188,11 +187,11 @@ To enable the client computers to report BitLocker compliance details through th [MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology](mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).  +- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
diff --git a/mdop/mbam-v25/release-notes-for-mbam-25.md b/mdop/mbam-v25/release-notes-for-mbam-25.md index d15c01a5e2..ca65e45a7a 100644 --- a/mdop/mbam-v25/release-notes-for-mbam-25.md +++ b/mdop/mbam-v25/release-notes-for-mbam-25.md @@ -35,7 +35,7 @@ Help links in the MBAM Server Configuration tool can cause browser windows to op **Note**   This is fixed in MBAM 2.5 SP1. -  + ### MBAM reports as noncompliant a client encrypted with AES 256-bit encryption keys and Diffuser @@ -131,42 +131,42 @@ This table lists the hotfixes and KB articles for MBAM 2.5.

    2975636

    Hotfix Package 1 for Microsoft BitLocker Administration and Monitoring 2.5

    -

    [support.microsoft.com/kb/2975636/EN-US](https://support.microsoft.com/kb/2975636/EN-US)

    +

    support.microsoft.com/kb/2975636/EN-US

    3015477

    Hotfix Package 2 for BitLocker Administration and Monitoring 2.5

    -

    [support.microsoft.com/kb/3015477](https://support.microsoft.com/kb/3015477)

    +

    support.microsoft.com/kb/3015477

    3011022

    MBAM 2.5 installation or Configuration Manager reporting fails if the name of SSRS instance contains an underscore

    -

    [support.microsoft.com/kb/3011022/EN-US](https://support.microsoft.com/kb/3011022/EN-US)

    +

    support.microsoft.com/kb/3011022/EN-US

    2756402

    MBAM client would fail with Event ID 4 and error code 0x8004100E in the Event description

    -

    [support.microsoft.com/kb/2756402/EN-US](https://support.microsoft.com/kb/2756402/EN-US)

    +

    support.microsoft.com/kb/2756402/EN-US

    2639518

    Error opening Enterprise or Computer Compliance Reports in MBAM

    -

    [support.microsoft.com/kb/2639518/EN-US](https://support.microsoft.com/kb/2639518/EN-US)

    +

    support.microsoft.com/kb/2639518/EN-US

    2870842

    MBAM 2.0 Setup fails during Configuration Manager Integration Scenario with SQL Server 2008

    -

    [support.microsoft.com/kb/2870842/EN-US](https://support.microsoft.com/kb/2870842/EN-US)

    +

    support.microsoft.com/kb/2870842/EN-US

    2975472

    SQL deadlocks when many MBAM clients connect to the MBAM recovery database

    -

    [support.microsoft.com/kb/2975472/EN-US](https://support.microsoft.com/kb/2975472/EN-US)

    +

    support.microsoft.com/kb/2975472/EN-US
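Review bot: the `+` lines in the hotfix table replace each `[support.microsoft.com/kb/...](https://support.microsoft.com/kb/...)` link with the bare address (for KB 2975636, 3015477, 3011022, 2756402, 2639518, 2870842 and 2975472). The visible text is still the URL, but it is no longer a link, which defeats the purpose of a hotfix lookup table; keep the `https://` targets on these rows.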

    -  + ## Related topics @@ -174,7 +174,7 @@ This table lists the hotfixes and KB articles for MBAM 2.5. [About MBAM 2.5](about-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/removing-mbam-server-features-or-software.md b/mdop/mbam-v25/removing-mbam-server-features-or-software.md index 18aca40519..640588cc30 100644 --- a/mdop/mbam-v25/removing-mbam-server-features-or-software.md +++ b/mdop/mbam-v25/removing-mbam-server-features-or-software.md @@ -22,7 +22,7 @@ These instructions explain how to remove software and features from Microsoft Bi **Note**   To prevent the accidental removal of data, MBAM provides no mechanism for removing the databases; you must do that manually. -  + ## Removing MBAM Server features @@ -81,9 +81,9 @@ Use the following steps to remove the MBAM Server software and any MBAM Server f [Deploying MBAM 2.5](deploying-mbam-25.md) -  + -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/server-event-logs.md b/mdop/mbam-v25/server-event-logs.md index e3d3595c22..b02ad84d6d 100644 --- a/mdop/mbam-v25/server-event-logs.md +++ b/mdop/mbam-v25/server-event-logs.md @@ -304,10 +304,10 @@ The following table contains messages and troubleshooting information for event

    ReportProviderUnexpectedError

    Report provider unexpected error.

    Report provider unexpected error. {Description} {exceptionDetails} These are some of the possible exception details:

    -

    An error occurred while getting the name of directory '{directoryName}'

    -

    An exception occurred while getting files for directory '{directoryName}'

    -

    An exception occurred while enumerating directories in directory '{directoryName}'

    -

    An exception occurred while reading all bytes for file '{fileName}'

    +

    An error occurred while getting the name of directory '{directoryName}'

    +

    An exception occurred while getting files for directory '{directoryName}'

    +

    An exception occurred while enumerating directories in directory '{directoryName}'

    +

    An exception occurred while reading all bytes for file '{fileName}'

    During MBAM installation, MBAM setup unzips all the report files to the specified installation path. As a part of report installation, install module tries to access the unzipped report files at installation path and communicates with SQL Reporting services to publish the report files. The above errors occur when MBAM cannot access the files/folders at unzipped Installation path. These are some tips to troubleshoot this issue:

    • Verify that MBAM is installed.

    • @@ -323,7 +323,7 @@ The following table contains messages and troubleshooting information for event
    • Using SSRS console verify that SSRS is enabled and running.

    • Verify that user running the setup is authorized to access SSRS.

    -

    Failed to remove the MBAM Reports using Reporting Services instance URL '{SSRSInstanceUrl}'.Make sure the SSRS instance required for MBAM Reports is running and configured correctly.

    +

    Failed to remove the MBAM Reports using Reporting Services instance URL '{SSRSInstanceUrl}'.Make sure the SSRS instance required for MBAM Reports is running and configured correctly.

    When MBAM installation fails or When user disables MBAM Reporting features, setup module removes SSRS reports. The above message indicates that MBAM failed to remove SSRS reports. These are some tips to troubleshoot this issue:

    • Verify that SSRS is installed on the specified machine.
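Review bot: the changed line "Failed to remove the MBAM Reports using Reporting Services instance URL '{SSRSInstanceUrl}'.Make sure the SSRS instance ..." is missing the space after the period before "Make sure" in both the `-` and `+` versions. Since this line is already being rewritten for whitespace, fix it here: `'{SSRSInstanceUrl}'. Make sure the SSRS instance required for MBAM Reports is running and configured correctly.`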

    • @@ -336,8 +336,8 @@ The following table contains messages and troubleshooting information for event
    • Using SSRS console verify that SSRS is enabled and running.

    • Verify that the user running the setup is authorized to access/publish reports to SSRS.

    -

    A policy for group user name '{userName}' already exists. In case this is not correct, manually revise the Reporting Service for duplicate or invalid policies.

    -

    After Publishing MBAM reports, MBAM setup tries to create a MBAM Report Users roles (if it does not exist already) and sets corresponding user policy. The above error indicates that SSRS web service threw an exception while setting up report user role policy. Follow the instructions in the event message and refer to "https://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=SQL+Server+Reporting+Services&ProdVer=8.00&EvtID=rsInvalidPolicyDefinition&EvtSrc=Microsoft.ReportingServices.Diagnostics.ErrorStrings.resources.Strings&LCID=1033" for more help.

    +

    A policy for group user name '{userName}' already exists. In case this is not correct, manually revise the Reporting Service for duplicate or invalid policies.

    +

    After Publishing MBAM reports, MBAM setup tries to create a MBAM Report Users roles (if it does not exist already) and sets corresponding user policy. The above error indicates that SSRS web service threw an exception while setting up report user role policy. Follow the instructions in the event message and refer to "https://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=SQL+Server+Reporting+Services&ProdVer=8.00&EvtID=rsInvalidPolicyDefinition&EvtSrc=Microsoft.ReportingServices.Diagnostics.ErrorStrings.resources.Strings&LCID=1033"; for more help.

    An error occurred while validating access to SSRS {exceptionDetails}.

    As part of prerequisite check, MBAM setup verifies if the user has necessary permissions to access/create folder under SSRS. The error message indicates that an exception has occurred while verifying access to SSRS. Refer to the exception details for debugging tips.

    A SOAP error occurred while checking the SSRS URL.{exceptionDetails}
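Review bot: the `+` line for the rsInvalidPolicyDefinition guidance introduces a stray semicolon that the removed line did not have: the text now reads `&LCID=1033"; for more help.` whereas the `-` line reads `&LCID=1033" for more help.` This is a content change, not whitespace cleanup, and it leaves a mis-punctuated sentence in the troubleshooting table; drop the `;` so the line matches the original wording.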

    @@ -357,12 +357,12 @@ The following table contains messages and troubleshooting information for event
  • Using SSRS console verify that SSRS is enabled and running.

  • Verify that the user executing the setup is authorized to query SSRS class under WMI namespace.

  • -

    The current user is not authorized to access the WMI namespace '{ssrsWMINamespace}'.

    -

    An error occurred while enumerating the namespace '{ssrsWMINamespace}'. RPC server for SSRS WMI provider on the local host is not found.

    -

    An error occurred while enumerating the namespace '{ssrsNamespace}'. Unable to find an instance of SSRS on the local host.

    -

    An error occurred while accessing WMI. RPC server for instance '{ssrsInstance}' was not found.

    -

    An error occurred while accessing WMI. Instance name '{ssrsInstanceName}' is not correct.

    -

    An error occurred while accessing WMI. Unable to find instance '{ssrsInstanceName}' on the local host.

    +

    The current user is not authorized to access the WMI namespace '{ssrsWMINamespace}'.

    +

    An error occurred while enumerating the namespace '{ssrsWMINamespace}'. RPC server for SSRS WMI provider on the local host is not found.

    +

    An error occurred while enumerating the namespace '{ssrsNamespace}'. Unable to find an instance of SSRS on the local host.

    +

    An error occurred while accessing WMI. RPC server for instance '{ssrsInstance}' was not found.

    +

    An error occurred while accessing WMI. Instance name '{ssrsInstanceName}' is not correct.

    +

    An error occurred while accessing WMI. Unable to find instance '{ssrsInstanceName}' on the local host.

    As part of prerequisite check, MBAM setup queries WMI to retrieve WMI namespace associated to given instance. The above error message indicates that and exception was occurred while querying WMI. Refer to exceptionDetails for more information. These are some checks you can perform:

    • Verify that SSRS with given instance name is installed on the specified machine.
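Review bot: The six `-`/`+` pairs in this hunk read identically (from `The current user is not authorized to access the WMI namespace '{ssrsWMINamespace}'.` through `Unable to find instance '{ssrsInstanceName}' on the local host.`), so the change is whitespace only and the commit message should say so; since the block is being touched anyway, the unchanged context line `The above error message indicates that and exception was occurred while querying WMI` should read `indicates that an exception occurred while querying WMI`.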

    • @@ -446,7 +446,7 @@ The following table contains messages and troubleshooting information for event -  + ## Operation @@ -475,9 +475,9 @@ The following table contains messages and troubleshooting information for event

      1

      Microsoft-Windows-MBAM-Web/Admin

      WebAppSpnError

      -

      Application: {SiteName}\{VirtualDirectory} is missing the following Service Principal Names (SPNs):{ListOfSpns} Register the required SPNs on the account: {ExecutionAccount}.

      +

      Application: {SiteName}{VirtualDirectory} is missing the following Service Principal Names (SPNs):{ListOfSpns} Register the required SPNs on the account: {ExecutionAccount}.

      For Integrated Windows Authentication to succeed, necessary SPNs needs to be in place. This message indicates that the SPN required for MBAM application has not been correctly configured. Details contained in this event should provide more information.

      -

      See “Service Principal Name (SPN)” in [MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies](mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md#bkmk-prereqsams) for more information.

      +

      See “Service Principal Name (SPN)” in MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies for more information.

      4
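Review bot: The `+` line changes the logged application path from `{SiteName}\{VirtualDirectory}` to `{SiteName}{VirtualDirectory}`, dropping the backslash between site and virtual directory; if the intent was to escape the backslash for markdown, write it as `\\` rather than removing it, otherwise the documented message no longer matches what the Microsoft-Windows-MBAM-Web/Admin event actually shows. The same hunk also replaces `[MBAM 2.5 Server Prerequisites for Stand-alone and Configuration Manager Integration Topologies](mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md#bkmk-prereqsams)` with plain text, so the reader loses the jump to the SPN section that explains how to register the missing SPNs; keep the link unless the drop is deliberate and stated in the commit message.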

      @@ -513,7 +513,7 @@ The following table contains messages and troubleshooting information for event

      QueryRecoveryKeyIdsForUser: An error occurred while getting recovery key Ids from the database. Message:{message} -or-

      QueryVolumeUsers: An error occurred while getting user information from the database.

      This message is logged whenever there is an exception while communicating with the MBAM recovery database. Read through the information contained in the trace to get specific details about the exception.

      -

      For detailed troubleshooting steps, see the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx).

      +

      For detailed troubleshooting steps, see the TechNet article How to Troubleshoot Connecting to the SQL Server Database Engine.

      101
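Review bot: The `+` line keeps the title `How to Troubleshoot Connecting to the SQL Server Database Engine` but drops its target `https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx`, so the troubleshooting steps this row relies on are no longer reachable from the page; the same link is removed in the `@@ -525`, `@@ -533`, `@@ -558`, `@@ -601`, `@@ -612` and `@@ -625` hunks below. If the link is being dropped on purpose (for example because the article has moved), say so in the commit message and point at a replacement; otherwise retain the markdown link on each of those `+` lines.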

      @@ -525,7 +525,7 @@ The following table contains messages and troubleshooting information for event

      QueryRecoveryKeyIdsForUser: An error occurred while logging an audit event to the compliance database. Message:{message} -or-

      QueryDriveRecoveryData: An error occurred while logging an audit event to the compliance database. Message:{message}

      This message is logged whenever there is an exception while communicating the MBAM compliance database. Read through the information contained in the trace to get specific details about the exception.

      -

      For detailed troubleshooting steps, see the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx).

      +

      For detailed troubleshooting steps, see the TechNet article How to Troubleshoot Connecting to the SQL Server Database Engine.

      102

      @@ -533,7 +533,7 @@ The following table contains messages and troubleshooting information for event

      AgentServiceRecoveryDbError

      This message indicates an exception when MBAM Agent service tries to communicate with the recovery database. Read through the message contained in the event to get specific information about the exception.

      -

      See the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify whether the MBAM app pool account has required permissions in place to connect or execute on MBAM recovery database.

      +

      See the TechNet article How to Troubleshoot Connecting to the SQL Server Database Engine to verify whether the MBAM app pool account has required permissions in place to connect or execute on MBAM recovery database.

      103

      @@ -558,7 +558,7 @@ The following table contains messages and troubleshooting information for event

      StatusServiceComplianceDbError

      This error indicates that MBAM websites/web services were unable to connect to the MBAMCompliance database.

      -

      See the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify that the IIS app pool account could connect to the MBAM compliance database.

      +

      See the TechNet article How to Troubleshoot Connecting to the SQL Server Database Engine to verify that the IIS app pool account could connect to the MBAM compliance database.

      106

      @@ -601,7 +601,7 @@ The following table contains messages and troubleshooting information for event

      QueryRecoveryKeyIdsForUser: an error occurred while getting recovery key Ids for a user. Message:{message} -or-

      An error occurred while getting TPM password hash from the Recovery database. EventDetails:{ExceptionMessage}

      This message indicates that recovery database connection string information at "HKLM\Software\Microsoft\MBAM Server\Web\RecoveryDBConnectionString" is invalid. Verify the given registry key value. –or-

      -

      If any of the remaining messages are logged, refer to the troubleshooting steps listed at the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify whether a connection could be made to the MBAM Recovery database from IIS server using app pool credentials.

      +

      If any of the remaining messages are logged, refer to the troubleshooting steps listed at the TechNet article How to Troubleshoot Connecting to the SQL Server Database Engine to verify whether a connection could be made to the MBAM Recovery database from IIS server using app pool credentials.

      110

      @@ -612,7 +612,7 @@ The following table contains messages and troubleshooting information for event

      QueryRecoveryKeyIdsForUser: an error occurred while logging an audit event to the Compliance database. Message:{message} -or-

      QueryRecoveryKeyIdsForUser: an error occurred while logging an audit event to the compliance database. Message:{message}

      This message indicates that compliance db connection string information at "HKLM\Software\Microsoft\MBAM Server\Web\ComplianceDBConnectionString" is invalid. Verify the value corresponding to above registry key. –or-

      -

      If any of the remaining messages are logged, refer to the troubleshooting steps listed at the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify whether a connection could be made to the MBAM Compliance database from IIS server using app pool credentials.

      +

      If any of the remaining messages are logged, refer to the troubleshooting steps listed at the TechNet article How to Troubleshoot Connecting to the SQL Server Database Engine to verify whether a connection could be made to the MBAM Compliance database from IIS server using app pool credentials.

      111

      @@ -625,7 +625,7 @@ The following table contains messages and troubleshooting information for event
    • MBAM websites/webservices execution account(app pool account) could not run the GetVersion stored procedure on MBAMCompliance OR MBAMRecovery database

    The message contained in the event will provide more details about the exception.

    -

    Refer to the troubleshooting steps listed at the TechNet article [How to Troubleshoot Connecting to the SQL Server Database Engine](https://social.technet.microsoft.com/wiki/contents/articles/2102.how-to-troubleshoot-connecting-to-the-sql-server-database-engine.aspx) to verify that the MBAM execution account (app pool account) could connect to MBAM compliance/recovery database and it has permissions in place to execute GetVersion stored procedure.

    +

    Refer to the troubleshooting steps listed at the TechNet article How to Troubleshoot Connecting to the SQL Server Database Engine to verify that the MBAM execution account (app pool account) could connect to MBAM compliance/recovery database and it has permissions in place to execute GetVersion stored procedure.

    112

    @@ -661,7 +661,7 @@ The following table contains messages and troubleshooting information for event -  + ## Related topics @@ -671,11 +671,11 @@ The following table contains messages and troubleshooting information for event [Client Event Logs](client-event-logs.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/understanding-mbam-25-stand-alone-reports.md b/mdop/mbam-v25/understanding-mbam-25-stand-alone-reports.md index 0e3f042e39..5f546b0f97 100644 --- a/mdop/mbam-v25/understanding-mbam-25-stand-alone-reports.md +++ b/mdop/mbam-v25/understanding-mbam-25-stand-alone-reports.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 This topic describes the reports that are available when you are running Microsoft BitLocker Administration and Monitoring (MBAM) in the Stand-alone topology. -**Note**   +**Note** If you are running MBAM with the Configuration Manager Integration topology, you generate reports from Configuration Manager rather than from MBAM. See [Viewing MBAM 2.5 Reports for the Configuration Manager Integration Topology](viewing-mbam-25-reports-for-the-configuration-manager-integration-topology.md) for more information about these reports. -  + ## Understanding the MBAM Stand-alone topology reports @@ -94,7 +94,7 @@ Use this report type to collect information about overall BitLocker compliance i -  + **Enterprise Compliance Computer Details** @@ -137,7 +137,7 @@ Use this report type to collect information about overall BitLocker compliance i -  + ### Computer Compliance Report 
@@ -145,10 +145,10 @@ Use this report type to collect information that is specific to a computer or us View this report by clicking the computer name in the Enterprise Compliance Report, or by typing the computer name in the Computer Compliance Report. This report shows detailed encryption information about each drive (operating system and fixed data drives) on a computer. It also indicates the policy that is applied to each drive type on the computer. To view the details of each drive, expand the Computer Name entry. -**Note**   +**Note** Removable Data Volume encryption status is not shown in this report. -  + **Computer Compliance Report Fields** @@ -228,7 +228,7 @@ Removable Data Volume encryption status is not shown in this report. -  + **Computer Compliance Report Drive Fields** @@ -279,7 +279,7 @@ Removable Data Volume encryption status is not shown in this report. -  + ### Recovery Audit Report @@ -315,12 +315,11 @@ Use this report type to audit users who have requested access to BitLocker recov

    Helpdesk User

    Help Desk user who initiated the request for key retrieval.

    -Note   -

    If an Advanced Helpdesk User recovers the key without specifying the end user, the End User field will be blank. A standard Helpdesk User must specify the end user, and that user will appear in this field.

    +Note

    If an Advanced Helpdesk User recovers the key without specifying the end user, the End User field will be blank. A standard Helpdesk User must specify the end user, and that user will appear in this field.

    A recovery via the Self-Service Portal will list the requesting end user both in this field and in the End User field.

    -  +
    @@ -362,12 +361,12 @@ Use this report type to audit users who have requested access to BitLocker recov -  -**Note**   + +**Note** Report results can be saved to a file by clicking the **Export** button on the **Reports** menu bar. -  + ## Related topics @@ -377,11 +376,11 @@ Report results can be saved to a file by clicking the **Export** button on the * [Generating MBAM 2.5 Stand-alone Reports](generating-mbam-25-stand-alone-reports.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).  +- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/understanding-the-bitlocker-encryption-options-and-bitlocker-drive-encryption-items-in-control-panel.md b/mdop/mbam-v25/understanding-the-bitlocker-encryption-options-and-bitlocker-drive-encryption-items-in-control-panel.md index 7eed6c4298..39cd813d57 100644 --- a/mdop/mbam-v25/understanding-the-bitlocker-encryption-options-and-bitlocker-drive-encryption-items-in-control-panel.md +++ b/mdop/mbam-v25/understanding-the-bitlocker-encryption-options-and-bitlocker-drive-encryption-items-in-control-panel.md @@ -66,19 +66,18 @@ The following table lists the tasks you can perform from each Control Panel item

    How the Control Panel item is created

    Created in Control Panel when you install the MBAM Client. This item cannot be hidden.

    -Note   -

    This item appears in addition to, but does not replace, the default BitLocker Drive Encryption Control Panel item.

    +Note

    This item appears in addition to, but does not replace, the default BitLocker Drive Encryption Control Panel item.

    -  +

    Appears by default in Control Panel as part of the Windows operating system, but you can hide it.

    -

    To hide it, see [Hiding the Default BitLocker Drive Encryption Item in Control Panel](hiding-the-default-bitlocker-drive-encryption-item-in-control-panel-mbam-25.md).

    +

    To hide it, see Hiding the Default BitLocker Drive Encryption Item in Control Panel.

    -  + ## “Manage BitLocker” shortcut menu @@ -114,7 +113,7 @@ The following table describes how the **Manage BitLocker** shortcut menu differs -  + ## Related topics @@ -122,11 +121,11 @@ The following table describes how the **Manage BitLocker** shortcut menu differs [Administering MBAM 2.5 Features](administering-mbam-25-features.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).  +- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). diff --git a/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md b/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md index d754c329b9..eb867b9ba1 100644 --- a/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md +++ b/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md @@ -22,7 +22,7 @@ This topic describes the process for upgrading the Microsoft BitLocker Administr **Note**   You can upgrade directly to MBAM 2.5 or MBAM 2.5 SP1 from any previous version of MBAM. -  + ## Before you start the upgrade @@ -52,7 +52,7 @@ Review the following information before you start the upgrade.

    To resolve this issue:

    Run aspnet_regiis –i from the following location:

    C:\windows\microsoft.net\Framework\v4.0.30319

    -

    For more information, see: [ASP.NET IIS Registration Tool](https://go.microsoft.com/fwlink/?LinkId=393272).

    +

    For more information, see: ASP.NET IIS Registration Tool.

    Register an SPN on the application pool account if all of the following are true:
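Review bot: The `+` line replaces `[ASP.NET IIS Registration Tool](https://go.microsoft.com/fwlink/?LinkId=393272)` with plain text, so the reference loses its target, and the `@@ -60,7 +60,7 @@` hunk below does the same to `[Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md#bkmk-registerspn)`, which is the only pointer to the SPN registration instructions the load-balanced upgrade depends on; keep both links unless the removal is deliberate. Separately, the unchanged context line `Run aspnet_regiis –i from the following location:` uses an en dash before `i`, which is not a valid switch when pasted into a command prompt; it should read `aspnet_regiis -i`.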

    @@ -60,7 +60,7 @@ Review the following information before you start the upgrade.
  • You are upgrading from a previous version of MBAM.

  • Currently, you are not running the MBAM websites in a load-balanced or distributed configuration, but you would like to do so when you upgrade to MBAM 2.5 or 2.5 SP1.

  • -

    For instructions, see [Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md#bkmk-registerspn).

    +

    For instructions, see Planning How to Secure the MBAM Websites.

    @@ -86,7 +86,7 @@ Review the following information before you start the upgrade.
    -  + ## Steps to upgrade the MBAM Server infrastructure @@ -104,7 +104,7 @@ Use the steps in the following sections to upgrade MBAM for the Stand-alone topo **Note**   The databases will not be removed, and all compliance and recovery data is maintained in the database. -   + 4. Install and configure the MBAM 2.5 or 2.5 SP1 databases, reports, and web applications, in that order. The databases are upgraded in place. @@ -127,7 +127,7 @@ Use the steps in the following sections to upgrade MBAM for the Stand-alone topo **Note**   The databases and the Configuration Manager objects (baseline, MBAM supported computers collection, and Reports) will not be removed, and all compliance and recovery data is maintained in the database. -   + 5. Update the .mof files. @@ -161,7 +161,7 @@ MBAM supports upgrades to the MBAM 2.5 Client from any earlier version of the M [Configuring the MBAM 2.5 Server Features](configuring-the-mbam-25-server-features.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md index f4159c1f1f..d71c2b2b2a 100644 --- a/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md +++ b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md 
@@ -26,15 +26,15 @@ Verify you have a current documentation of your MBAM environment, including all ### Upgrade steps #### Steps to upgrade the MBAM Database (SQL Server) 1. Using the MBAM Configurator; remove the Reports role from the SQL server, or wherever the SSRS database is hosted. Depending on your environment, this can be the same server or a separate one. -Note: You will not see an option to remove the Databases; this is expected.   + Note: You will not see an option to remove the Databases; this is expected. 2. Install 2.5 SP1 (Located with MDOP - Microsoft Desktop Optimization Pack 2015 from the Volume Licensing Service Center site: 3. Do not configure it at this time  4. Install the July 2018 Rollup: https://www.microsoft.com/download/details.aspx?id=57157 5. Using the MBAM Configurator; re-add the Reports role 6. This will configure the SSRS connection using the latest MBAM code from the rollup  7. Using the MBAM Configurator; re-add the SQL Database role on the SQL Server. -- At the end, you will be warned that the DBs already exist and weren’t created, but this is expected. -- This process updates the existing databases to the current version being installed       +8. At the end, you will be warned that the DBs already exist and weren’t created, but this is expected. +9. This process updates the existing databases to the current version being installed #### Steps to upgrade the MBAM Server (Running MBAM and IIS) 1. Using the MBAM Configurator; remove the Admin and Self Service Portals from the IIS server 
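Review bot: Renumbering `-- At the end, you will be warned that the DBs already exist and weren’t created, but this is expected.` and `-- This process updates the existing databases to the current version being installed` as steps `8.` and `9.` turns two outcomes of step 7 into procedure steps the reader is expected to perform; indent them under step 7 as sub-bullets or a Note instead (the existing step 6, `This will configure the SSRS connection using the latest MBAM code from the rollup`, has the same problem). By contrast, the `@@ -43,7 +43,7 @@` hunk in this file promotes `Open an elevated command prompt, Type: IISRESET and Hit Enter.` to step 7, which is a real action and is correctly numbered. While touching this list, the unchanged step 2 `Install 2.5 SP1 (Located with MDOP - Microsoft Desktop Optimization Pack 2015 from the Volume Licensing Service Center site:` never closes its parenthesis.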
@@ -43,7 +43,7 @@ Note: You will not see an option to remove the Databases; this is expected.   4. Install the July 2018 Rollup on the IIS server(https://www.microsoft.com/download/details.aspx?id=57157) 5. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server  6. This will configure the sites using the latest MBAM code from the July 2018 Rollup -- Open an elevated command prompt, Type: **IISRESET** and Hit Enter. +7. Open an elevated command prompt, Type: **IISRESET** and Hit Enter. #### Steps to upgrade the MBAM Clients/Endpoints 1. Uninstall the 2.5 Agent from client endpoints diff --git a/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md b/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md index 5db48f8690..33509cf80e 100644 --- a/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md +++ b/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md @@ -49,7 +49,7 @@ Use the following Windows PowerShell cmdlets to recover computers or drives that -  + ## MBAM cmdlet Help @@ -70,24 +70,24 @@ Windows PowerShell Help for MBAM cmdlets is available in the following formats:

    At a Windows PowerShell command prompt, type Get-Help <cmdlet>

    -

    To upload the latest Windows PowerShell cmdlets, follow the instructions in [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)

    +

    To upload the latest Windows PowerShell cmdlets, follow the instructions in Configuring MBAM 2.5 Server Features by Using Windows PowerShell

    On TechNet as webpages

    -

    https://go.microsoft.com/fwlink/?LinkId=393498

    +

    https://go.microsoft.com/fwlink/?LinkId=393498

    On the Download Center as a Word .docx file

    -

    https://go.microsoft.com/fwlink/?LinkId=393497

    +

    https://go.microsoft.com/fwlink/?LinkId=393497

    On the Download Center as a .pdf file

    -

    https://go.microsoft.com/fwlink/?LinkId=393499

    +

    https://go.microsoft.com/fwlink/?LinkId=393499

    -  + @@ -98,7 +98,7 @@ Windows PowerShell Help for MBAM cmdlets is available in the following formats: [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md b/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md index 3e6a07d7c5..4c7082ea57 100644 --- a/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md +++ b/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md @@ -28,10 +28,10 @@ Use the following steps to validate your MBAM Server deployment with the Stand-a 1. On each server where an MBAM feature is deployed, click **Control Panel** > **Programs** > **Programs and Features**. Verify that **Microsoft BitLocker Administration and Monitoring** appears in the **Programs and Features** list. - **Note**   + **Note** To do the validation, you must use a domain account that has local computer administrative credentials on each server. -   + 2. On the server where the Recovery Database is configured, open SQL Server Management Studio and verify that the **MBAM Recovery and Hardware** database is configured. 
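Review bot: In the `@@ -70,24 +70,24 @@` hunk of using-windows-powershell-to-administer-mbam-25.md the `+` line drops the link `[Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)`, leaving `follow the instructions in Configuring MBAM 2.5 Server Features by Using Windows PowerShell` with no way to reach those instructions, while the three bare `https://go.microsoft.com/fwlink/...` rows are identical on their `-` and `+` lines; keep the link. That sentence also lacks a terminating period on both sides of the hunk.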
@@ -47,72 +47,74 @@ Use the following steps to validate your MBAM Server deployment with the Stand-a 5. Confirm that a reports folder named **Microsoft BitLocker Administration and Monitoring** contains a data source called **MaltaDataSource** as well as the language folders. The data source contains folders with names that represent languages (for example, en-us). The reports are in the language folders. - **Note**   + **Note** If SQL Server Reporting Services (SSRS) was configured as a named instance, the URL should resemble the following: http(s)://< *MBAMReportsServerName*>:<*port*>/Reports\_<*SSRSInstanceName*> -   - **Note**   - If SSRS was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to HTTP instead of HTTPS when you install the MBAM Server. If you then go to the Administration and Monitoring Website (also known as Help Desk) and select a report, the following message appears: "Only Secure Content is Displayed." To show the report, click **Show All Content**. -   +~~~ +**Note** +If SSRS was not configured to use Secure Socket Layer (SSL), the URL for the reports will be set to HTTP instead of HTTPS when you install the MBAM Server. If you then go to the Administration and Monitoring Website (also known as Help Desk) and select a report, the following message appears: "Only Secure Content is Displayed." To show the report, click **Show All Content**. +~~~ -6. On the server where the Administration and Monitoring Website feature is configured, run **Server Manager**, browse to **Roles**, and then select **Web Server (IIS)** > **Internet Information Services (IIS) Manager**. -7. In **Connections**, browse to *<computer name>* and select **Sites** > **Microsoft BitLocker Administration and Monitoring**. Verify that the following are listed: - - **MBAMAdministrationService** +6. 
On the server where the Administration and Monitoring Website feature is configured, run **Server Manager**, browse to **Roles**, and then select **Web Server (IIS)** > **Internet Information Services (IIS) Manager**. - - **MBAMComplianceStatusService** +7. In **Connections**, browse to *<computer name>* and select **Sites** > **Microsoft BitLocker Administration and Monitoring**. Verify that the following are listed: - - **MBAMRecoveryAndHardwareService** + - **MBAMAdministrationService** -8. On the server where the Administration and Monitoring Website and Self-Service Portal are configured, open a web browser with administrative credentials. + - **MBAMComplianceStatusService** -9. Browse to the following websites to verify that they load successfully: + - **MBAMRecoveryAndHardwareService** - - https(s)://<*MBAMAdministrationServerName*>:<*port*>/HelpDesk/ - confirm each of the links for navigation and reports +8. On the server where the Administration and Monitoring Website and Self-Service Portal are configured, open a web browser with administrative credentials. - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/SelfService/ +9. Browse to the following websites to verify that they load successfully: - **Note**   - It is assumed that you configured the server features on the default port without network encryption. If you configured the server features on a different port or virtual directory, change the URLs to include the appropriate port, for example: + - https(s)://<*MBAMAdministrationServerName*>:<*port*>/HelpDesk/ - confirm each of the links for navigation and reports - http(s)://< *host name*>:<*port*>/HelpDesk/ + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/SelfService/ - http(s)://< *host name*>:<*port*>/<*virtualdirectory*>/ + **Note** + It is assumed that you configured the server features on the default port without network encryption. 
If you configured the server features on a different port or virtual directory, change the URLs to include the appropriate port, for example: + + http(s)://< *host name*>:<*port*>/HelpDesk/ + + http(s)://< *host name*>:<*port*>/<*virtualdirectory*>/ + + If the server features were configured with network encryption, change http:// to https://. - If the server features were configured with network encryption, change http:// to https://. -   10. Browse to the following web services to verify that they load successfully. A page opens to indicate that the service is running, but the page does not display any metadata. - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMAdministrationService/AdministrationService.svc + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMAdministrationService/AdministrationService.svc - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMUserSupportService/UserSupportService.svc + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMUserSupportService/UserSupportService.svc - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMComplianceStatusService/StatusReportingService.svc + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMComplianceStatusService/StatusReportingService.svc - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMRecoveryAndHardwareService/CoreService.svc + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMRecoveryAndHardwareService/CoreService.svc ## Validating the MBAM Server deployment with the Configuration Manager Integration topology Use the following steps to validate your MBAM deployment with the Configuration Manager Integration topology. Complete the validation steps that match the version of Configuration Manager that you are using. 
-### Validating the MBAM Server deployment with System Center 2012 Configuration Manager +### Validating the MBAM Server deployment with System Center 2012 Configuration Manager -Use these steps to validate your MBAM Server deployment when you are using MBAM with System Center 2012 Configuration Manager. +Use these steps to validate your MBAM Server deployment when you are using MBAM with System Center 2012 Configuration Manager. -**To validate a Configuration Manager Integration MBAM Server deployment – System Center 2012 Configuration Manager** +**To validate a Configuration Manager Integration MBAM Server deployment – System Center 2012 Configuration Manager** -1. On the server where System Center 2012 Configuration Manager is deployed, open **Programs and Features** in **Control Panel**, and verify that **Microsoft BitLocker Administration and Monitoring** appears. +1. On the server where System Center 2012 Configuration Manager is deployed, open **Programs and Features** in **Control Panel**, and verify that **Microsoft BitLocker Administration and Monitoring** appears. - **Note**   + **Note** To validate the configuration, you must use a domain account that has local computer administrative credentials on each server. -   + 2. In the Configuration Manager console, click the **Assets and Compliance** workspace > **Device Collections**, and confirm that a new collection called **MBAM Supported Computers** is displayed. 
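Review bot: The `+~~~` … `+~~~` lines in the `@@ -47,72 +47,74 @@` hunk wrap the SSL note in a fenced code block, so it will render as literal monospace text with `**Note**` shown verbatim instead of as the styled Note callout used everywhere else in this file (compare the preceding `**Note**` on the SSRS named-instance URL, which is plain indented text); replace the fences with the same indented `**Note**` block. The same hunk carries the typo `https(s)://<*MBAMAdministrationServerName*>:<*port*>/HelpDesk/` into its `+` line; the neighbouring URLs use `http(s)://`, and the later instruction `If the server features were configured with network encryption, change http:// to https://` only makes sense if the Help Desk URL is written the same way, so it should be `http(s)://` here too.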
@@ -144,10 +146,10 @@ Use these steps to validate your MBAM Server deployment when you are using MBAM 1. On the server where Configuration Manager 2007 is deployed, open **Programs and Features** on **Control Panel** , and verify that **Microsoft BitLocker Administration and Monitoring** appears. - **Note**   + **Note** To validate the configuration, you must use a domain account that has local computer administrative credentials on each server. -   + 2. In the Configuration Manager console, click **Site Database <SiteCode> - <ServerName>, <SiteName>), Computer Management**, and confirm that a new collection called **MBAM Supported Computers** is displayed. @@ -178,11 +180,11 @@ Use these steps to validate your MBAM Server deployment when you are using MBAM [Configuring the MBAM 2.5 Server Features](configuring-the-mbam-25-server-features.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). -  + diff --git a/mdop/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology.md b/mdop/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology.md index 4b1fa3c79f..66de3b12f9 100644 --- a/mdop/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology.md +++ b/mdop/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology.md @@ -58,7 +58,7 @@ To access the Reports feature in Configuration Manager: -  + ## Description of reports in Configuration Manager @@ -186,7 +186,7 @@ This report shows information about the overall BitLocker compliance across your -  + **BitLocker Enterprise Compliance Details States** 
@@ -217,7 +217,7 @@ This report shows information about the overall BitLocker compliance across your -  + ### BitLocker Enterprise Compliance Summary @@ -284,7 +284,7 @@ Use this report type to show information about the overall BitLocker compliance -  + **BitLocker Enterprise Compliance Summary Computer Details** @@ -331,7 +331,7 @@ Use this report type to show information about the overall BitLocker compliance -  + ### BitLocker Computer Compliance Report @@ -340,7 +340,7 @@ Use this report type to collect information that is specific to a computer. The **Note**   The Removable Data Volume encryption status is not shown in this report. -  + **BitLocker Computer Compliance Report: Computer Details Fields** @@ -431,7 +431,7 @@ The Removable Data Volume encryption status is not shown in this report. -  + **BitLocker Computer Compliance Report: Computer Volume Fields** @@ -474,14 +474,14 @@ The Removable Data Volume encryption status is not shown in this report. -  + ## Related topics [Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md) -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/mbam-v25/viewing-mbam-25-reports-for-the-stand-alone-topology.md b/mdop/mbam-v25/viewing-mbam-25-reports-for-the-stand-alone-topology.md index cf92142b88..9de3997194 100644 --- a/mdop/mbam-v25/viewing-mbam-25-reports-for-the-stand-alone-topology.md +++ b/mdop/mbam-v25/viewing-mbam-25-reports-for-the-stand-alone-topology.md @@ -35,21 +35,21 @@ See the following topics for information about Stand-alone reports:

    Report descriptions - MBAM Stand-alone topology

    -

    [Understanding MBAM 2.5 Stand-alone Reports](understanding-mbam-25-stand-alone-reports.md)

    +

    Understanding MBAM 2.5 Stand-alone Reports

    Instructions for generating reports - MBAM Stand-alone topology

    -

    [Generating MBAM 2.5 Stand-alone Reports](generating-mbam-25-stand-alone-reports.md)

    +

    Generating MBAM 2.5 Stand-alone Reports

    -  + **Note**   If you are using the Configuration Manager Integration topology, most reports are generated from Configuration Manager rather than from MBAM. See [Viewing MBAM 2.5 Reports for the Configuration Manager Integration Topology](viewing-mbam-25-reports-for-the-configuration-manager-integration-topology.md). -  + ## Related topics @@ -57,9 +57,9 @@ If you are using the Configuration Manager Integration topology, most reports ar [Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md) -  + -  + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). diff --git a/mdop/medv-v1/client-installation-command-line-reference.md b/mdop/medv-v1/client-installation-command-line-reference.md index ef0c80aec9..2556d5ec09 100644 --- a/mdop/medv-v1/client-installation-command-line-reference.md +++ b/mdop/medv-v1/client-installation-command-line-reference.md @@ -93,11 +93,10 @@ ms.date: 06/16/2016

    Default: 1

    Starts MED-V at the completion of the MED-V installation.

    -Note   -

    It is recommended to set START_MEDV=0 in case MED-V is installed by the system.

    +Note

    It is recommended to set START_MEDV=0 in case MED-V is installed by the system.

    -  +
    @@ -119,11 +118,11 @@ ms.date: 06/16/2016 -  - -  - -  + + + + + diff --git a/mdop/medv-v1/configuring-med-v-for-remote-networks.md b/mdop/medv-v1/configuring-med-v-for-remote-networks.md index 175aa86669..a7a19283f2 100644 --- a/mdop/medv-v1/configuring-med-v-for-remote-networks.md +++ b/mdop/medv-v1/configuring-med-v-for-remote-networks.md @@ -49,7 +49,7 @@ You can configure MED-V to work from inside a network, remotely, or both from in **Note**   When applying new settings, the service must be restarted. -  + - You can change the IIS authentication scheme to one of the following: BASIC, DIGEST, NTLM, or NEGOTIATE. The default is NEGOTIATE and uses the following entry: @@ -72,9 +72,9 @@ When applying new settings, the service must be restarted. [MED-V Infrastructure Planning and Design](med-v-infrastructure-planning-and-design.md) -  + -  + diff --git a/mdop/medv-v1/configuring-med-v-server-for-cluster-mode.md b/mdop/medv-v1/configuring-med-v-server-for-cluster-mode.md index c89487daee..711eae625b 100644 --- a/mdop/medv-v1/configuring-med-v-server-for-cluster-mode.md +++ b/mdop/medv-v1/configuring-med-v-server-for-cluster-mode.md @@ -45,16 +45,16 @@ You can configure the MED-V server in cluster mode. In cluster mode, two servers **Note**   If all servers have the same local settings (such as listening ports, IIS server, management permissions, report database, and so on), the *<InstallDir>/Servers/ServerSettings.xml* can be shared by all servers as well. -  + ## Related topics [MED-V Infrastructure Planning and Design](med-v-infrastructure-planning-and-design.md) -  + -  + diff --git a/mdop/medv-v1/configuring-med-v-workspace-policies.md b/mdop/medv-v1/configuring-med-v-workspace-policies.md index e15f07c802..d870b70e1c 100644 --- a/mdop/medv-v1/configuring-med-v-workspace-policies.md +++ b/mdop/medv-v1/configuring-med-v-workspace-policies.md 
@@ -30,7 +30,7 @@ It is important to decide on the type of MED-V workspace you are creating before **Note**   When configuring a policy, a warning symbol appears next to mandatory fields that are not filled in. If a mandatory field is not filled in, the symbol appears on the tab as well. -  + ## In This Section @@ -62,9 +62,9 @@ Describes the performance settings of a MED-V workspace, and how to apply them t [How to Import and Export a Policy](how-to-import-and-export-a-policy.md) Describes how to import and export a policy. -  + -  + diff --git a/mdop/medv-v1/creating-a-med-v-image.md b/mdop/medv-v1/creating-a-med-v-image.md index fe9a642941..c784d59836 100644 --- a/mdop/medv-v1/creating-a-med-v-image.md +++ b/mdop/medv-v1/creating-a-med-v-image.md @@ -43,11 +43,11 @@ Describes how to delete a MED-V image. **Note**   After the MED-V image is configured, the computer should not be part of a domain because the join domain procedure should be performed on the client after the deployment, as part of the MED-V workspace setup. -  + -  + -  + diff --git a/mdop/medv-v1/creating-a-virtual-pc-image-for-med-v.md b/mdop/medv-v1/creating-a-virtual-pc-image-for-med-v.md index ea099b5c0c..d04425394e 100644 --- a/mdop/medv-v1/creating-a-virtual-pc-image-for-med-v.md +++ b/mdop/medv-v1/creating-a-virtual-pc-image-for-med-v.md 
@@ -57,98 +57,102 @@ After the Virtual PC image is created, install the MED-V workspace .msi package 2. Double-click the MED-V workspace .msi package, and follow the installation wizard instructions. - **Note**   + **Note** When a new MED-V version is released, and an existing Virtual PC image is updated, uninstall the existing MED-V workspace .msi package, reboot the computer, and install the new MED-V workspace .msi package. -   - **Note**   - After the MED-V workspace .msi package is installed, other products that replace GINA cannot be installed. -   +~~~ +**Note** +After the MED-V workspace .msi package is installed, other products that replace GINA cannot be installed. +~~~ + + ## How to Run the Virtual Machine Prerequisites Tool The virtual machine (VM) prerequisites tool is a wizard that automates several of the prerequisites. -**Note**   +**Note** Although many parameters are configurable in the wizard, the properties required for the proper functioning of MED-V are not configurable. -  + **To run the virtual machine prerequisites tool** 1. After the MED-V workspace .msi package is installed, on the Windows **Start** menu, select **All Programs > MED-V > VM Prerequisites Tool**. - **Note**   + **Note** The user running the virtual machine prerequisites tool must have local administrator rights and must be the only user logged in. -   - The **MED-V VM Prerequisite Wizard Welcome** page appears. -2. Click **Next**. +~~~ +The **MED-V VM Prerequisite Wizard Welcome** page appears. +~~~ -3. On the **Windows Settings** page, from the following configurable properties, select the ones to be configured: +2. Click **Next**. - - **Clear users’ personal history information** +3. 
On the **Windows Settings** page, from the following configurable properties, select the ones to be configured: - - **Clear local profiles temp directory** + - **Clear users’ personal history information** - - **Disable sounds on following Windows events: start, logon, logoff** + - **Clear local profiles temp directory** - **Note**   - Do not enable Windows page saver in a group policy. + - **Disable sounds on following Windows events: start, logon, logoff** -   + **Note** + Do not enable Windows page saver in a group policy. -4. Click **Next**. -5. On the **Internet Explorer Settings** page, from the following configurable properties, select the ones to be configured: - - **Don't use auto complete features** +4. Click **Next**. - - **Disable reuse of windows for launching shortcuts** +5. On the **Internet Explorer Settings** page, from the following configurable properties, select the ones to be configured: - - **Clear browsing history** + - **Don't use auto complete features** - - **Enable tabbed browsing in Internet Explorer 7** + - **Disable reuse of windows for launching shortcuts** -6. Click **Next**. + - **Clear browsing history** -7. On the **Windows Services** page, from the following configurable properties, select the ones to be configured: + - **Enable tabbed browsing in Internet Explorer 7** - - **Security center service** +6. Click **Next**. - - **Task scheduler service** +7. On the **Windows Services** page, from the following configurable properties, select the ones to be configured: - - **Automatic updates service** + - **Security center service** - - **System restore service** + - **Task scheduler service** - - **Indexing service** + - **Automatic updates service** - - **Wireless Zero Configuration** + - **System restore service** - - **Fast User Switching Compatibility** + - **Indexing service** -8. Click **Next**. + - **Wireless Zero Configuration** -9. 
On the **Windows Auto Logon** page, do the following: + - **Fast User Switching Compatibility** - 1. Select the **Enable Windows Auto Logon** check box. +8. Click **Next**. - 2. Assign a **User name** and **Password**. +9. On the **Windows Auto Logon** page, do the following: + + 1. Select the **Enable Windows Auto Logon** check box. + + 2. Assign a **User name** and **Password**. 10. Click **Apply**, and in the confirmation box that appears, click **Yes**. 11. On the **Summary** page, click **Finish** to quit the wizard -**Note**   +**Note** Verify that group policies do not overwrite the mandatory settings set in the prerequisites tool. -  + ## How to Configure MED-V Virtual Machine Manual Installation Prerequisites @@ -196,10 +200,10 @@ Several of the configurations cannot be configured through the virtual machine p In a MED-V workspace, Sysprep can be configured in order to assign unique security ID (SID), particularly when multiple MED-V workspaces are run on a single computer. It is not recommended to use Sysprep to join a domain; instead, use the MED-V join domain script action as described in [How to Set Up Script Actions](how-to-set-up-script-actions.md). -**Note**   +**Note** Sysprep is Microsoft's system preparation utility for the Windows operating system. -  + **To configure Sysprep in a MED-V workspace** 
@@ -207,9 +211,9 @@ Sysprep is Microsoft's system preparation utility for the Windows operating syst 2. From the Windows installation CD, extract *deploy.cab* to the root of the system drive, or download the latest Deployment Tools update from the Microsoft Web site. - - For Windows 2000, see [Deployment Tools update for Windows 2000](https://go.microsoft.com/fwlink/?LinkId=143001). + - For Windows 2000, see [Deployment Tools update for Windows 2000](https://go.microsoft.com/fwlink/?LinkId=143001). - - For Windows XP, see [Deployment Tools update for Windows XP](https://go.microsoft.com/fwlink/?LinkId=143000). + - For Windows XP, see [Deployment Tools update for Windows XP](https://go.microsoft.com/fwlink/?LinkId=143000). 3. Run **Setup Manager** (setupmgr.exe). @@ -242,9 +246,9 @@ After all the components are installed and configured, close Microsoft Virtual P Creating a MED-V Image [How to Set Up Script Actions](how-to-set-up-script-actions.md) -  - -  + + + diff --git a/mdop/medv-v1/deploying-a-med-v-workspace-using-a-deployment-package.md b/mdop/medv-v1/deploying-a-med-v-workspace-using-a-deployment-package.md index ddf064612e..2002a545dc 100644 --- a/mdop/medv-v1/deploying-a-med-v-workspace-using-a-deployment-package.md +++ b/mdop/medv-v1/deploying-a-med-v-workspace-using-a-deployment-package.md 
@@ -40,15 +40,15 @@ If the image will be included in the package, no other configurations are necess **Note**   If you are using image pre-staging, it is important to configure the image pre-stage folder prior to creating the deployment package. The folder path needs to be included in the deployment package. -  + Finally, create the deployment package. For more information on creating a deployment package, see [How to Configure a Deployment Package](how-to-configure-a-deployment-package.md). After the package is complete, distribute it for deployment. After the deployment package is distributed, MED-V client can be installed and the image deployed. For more information on installing MED-V client, see [How to Install MED-V Client](how-to-install-med-v-clientdeployment-package.md). For more information on deploying the image, see [How to Deploy a Workspace Image](how-to-deploy-a-workspace-imagedeployment-package.md). -  + -  + diff --git a/mdop/medv-v1/deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md b/mdop/medv-v1/deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md index 9c53f57a14..e30f9def62 100644 --- a/mdop/medv-v1/deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md +++ b/mdop/medv-v1/deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md @@ -22,7 +22,7 @@ MED-V client can be distributed using an enterprise software distribution system **Note**   If MED-V is installed by using Microsoft System Center Configuration Manager, when creating a package for MED-V, set the run mode to administrative rights. -  + Before deploying MED-V using an enterprise software distribution system, ensure that you have created a MED-V image ready for deployment. For more information on creating a MED-V image, see [Creating a MED-V Image](creating-a-med-v-image.md). 
@@ -45,13 +45,13 @@ If you are deploying the image via image pre-staging, configure the pre-stage fo **Note**   If you are using image pre-staging, it is important to configure the image pre-stage folder prior to pushing the client .msi package. The folder path needs to be included in the client .msi package. -  + Finally, push the client .msi package using your enterprise software distribution center. MED-V can then be installed and the image deployed. For more information on installing MED-V client, see [How to Install MED-V Client](how-to-install-med-v-clientesds.md). For more information on deploying the image, see [How to Deploy a Workspace Image](how-to-deploy-a-workspace-imageesds.md). -  + -  + diff --git a/mdop/medv-v1/examples-of-virtual-machine-configurationsv2.md b/mdop/medv-v1/examples-of-virtual-machine-configurationsv2.md index 845f5f500d..07a5fcee07 100644 --- a/mdop/medv-v1/examples-of-virtual-machine-configurationsv2.md +++ b/mdop/medv-v1/examples-of-virtual-machine-configurationsv2.md @@ -22,7 +22,7 @@ The following are examples of typical virtual machine configurations: one in a p **Note**   These examples are not intended for use in all environments. Adjust the configuration according to your environment. -  + **To configure a typical domain setup in a persistent MED-V workspace** @@ -65,9 +65,9 @@ These examples are not intended for use in all environments. Adjust the configur [How to Set Up Script Actions](how-to-set-up-script-actions.md) -  + -  + diff --git a/mdop/medv-v1/how-to-apply-general-settings-to-a-med-v-workspace.md b/mdop/medv-v1/how-to-apply-general-settings-to-a-med-v-workspace.md index 1cac2cf350..5940eccaee 100644 --- a/mdop/medv-v1/how-to-apply-general-settings-to-a-med-v-workspace.md +++ b/mdop/medv-v1/how-to-apply-general-settings-to-a-med-v-workspace.md @@ -42,7 +42,7 @@ The name of the MED-V workspace. **Warning**   Do not rename an existing MED-V workspace while it is running on a client computer. -  + Description 
@@ -51,7 +51,7 @@ Description of the MED-V workspace, which can include the content or status of t **Note**   The description is for administrator use and has no impact on the policy. -  + Support contact info @@ -81,7 +81,7 @@ Do not start the Workspace if the verification fails (exit code is not '0') Select this check box if you are using a command line and want to start the MED-V workspace only if the script is completed successfully. -  + A command line can be run on the host prior to starting the MED-V workspace. @@ -98,9 +98,9 @@ A command line can be run on the host prior to starting the MED-V workspace. [Creating a MED-V Workspace](creating-a-med-v-workspacemedv-10-sp1.md) -  + -  + diff --git a/mdop/medv-v1/how-to-apply-virtual-machine-settings-to-a-med-v-workspace.md b/mdop/medv-v1/how-to-apply-virtual-machine-settings-to-a-med-v-workspace.md index d9db530718..966dd20f1e 100644 --- a/mdop/medv-v1/how-to-apply-virtual-machine-settings-to-a-med-v-workspace.md +++ b/mdop/medv-v1/how-to-apply-virtual-machine-settings-to-a-med-v-workspace.md @@ -50,7 +50,7 @@ The actual Microsoft Virtual PC image assigned to the MED-V workspace. The menu **Note**   Each MED-V workspace image can only be used by one Windows user. -   + Workspace is persistent @@ -61,7 +61,7 @@ For a Domain MED-V workspace, this option must be selected. **Note**   This setting should not be changed after a MED-V workspace is deployed to users. -  + Shut down the VM when stopping the Workspace @@ -70,7 +70,7 @@ Select this check box to shut down the virtual machine when stopping the MED-V w **Note**   This property is enabled only if **Workspace is persistent** is selected. -  + Logon to Windows in VM using MED-V credentials (SSO) @@ -79,7 +79,7 @@ Select this check box to log in to Windows on the virtual machine by using the M **Note**   This property is enabled only when **Workspace is persistent** is selected. -  + Workspace is revertible 
@@ -88,7 +88,7 @@ Select this check box to configure the MED-V workspace as revertible. In a rever **Note**   This setting should not be changed after a MED-V workspace is deployed to users. -  + Synchronize Workspace time zone with host @@ -113,7 +113,7 @@ Select this check box to lock the MED-V workspace when the MED-V workspace is id **Note**   The idle time refers to the MED-V workspace applications (not the host applications). -  + *Image Update Settings* @@ -134,9 +134,9 @@ Select this check box to enable Trim Transfer (for more information, see [MED-V **Note**   Trim Transfer requires indexing the hard drive, which might take a considerable amount of time. It is recommended to use Trim Transfer when indexing the hard drive is more efficient than downloading the new image version, such as when downloading an image version that is similar to the existing version. -  + -  + ## Related topics @@ -147,9 +147,9 @@ Trim Transfer requires indexing the hard drive, which might take a considerable [Creating a MED-V Workspace](creating-a-med-v-workspacemedv-10-sp1.md) -  + -  + diff --git a/mdop/medv-v1/how-to-back-up-and-restore-a-med-v-server.md b/mdop/medv-v1/how-to-back-up-and-restore-a-med-v-server.md index 184504870e..0e617603d1 100644 --- a/mdop/medv-v1/how-to-back-up-and-restore-a-med-v-server.md +++ b/mdop/medv-v1/how-to-back-up-and-restore-a-med-v-server.md @@ -26,7 +26,7 @@ XML files located on the server can be backed up and then restored in case of lo **Note**   If the configuration has been changed from the default, the files might be stored in a different location. -   + - ClientPolicy.xml 
@@ -41,7 +41,7 @@ XML files located on the server can be backed up and then restored in case of lo **Note**   The ServerSettings.xml file can be backed up as well. However, if a specific configuration has been changed (for example, on the original server, the MED-V VMS directory is located in "*C:\\Vms*" and such a directory does not exist on the new server), it can cause an error. -   + **To restore a MED-V server** @@ -53,9 +53,9 @@ XML files located on the server can be backed up and then restored in case of lo 3. Restart the MED-V service. -  + -  + diff --git a/mdop/medv-v1/how-to-configure-a-deployment-package.md b/mdop/medv-v1/how-to-configure-a-deployment-package.md index fcb4e7012a..191960b228 100644 --- a/mdop/medv-v1/how-to-configure-a-deployment-package.md +++ b/mdop/medv-v1/how-to-configure-a-deployment-package.md 
@@ -19,49 +19,49 @@ ms.date: 06/16/2016 The Packaging wizard walks you through the creation of a package by creating a folder on your local computer and transferring all the required installation files to the single folder. The contents of the folder can then be moved to multiple removable media drives for distribution. -**Note**   +**Note** A single package cannot contain installation files for both x86 and x64 systems. -  + ## How to Create a Deployment Package **To create a deployment package** -1. Verify in the **Images** module that you have created at least one local packed image. +1. Verify in the **Images** module that you have created at least one local packed image. -2. On the **Tools** menu, select **Packaging wizard**. +2. On the **Tools** menu, select **Packaging wizard**. -3. On the **Packaging wizard** welcome page, click **Next**. +3. On the **Packaging wizard** welcome page, click **Next**. -4. On the **Workspace Image** page, select the **Include image in the package** check box to include an image in the package. +4. On the **Workspace Image** page, select the **Include image in the package** check box to include an image in the package. - The **Image** field is enabled. + The **Image** field is enabled. - **Note**   - An image is not required in a MED-V package; the package can be created without an image. In such a case, the image should be uploaded to the server so that it can later be downloaded over the network to the client, or pushed to an image pre-stage folder. + **Note** + An image is not required in a MED-V package; the package can be created without an image. In such a case, the image should be uploaded to the server so that it can later be downloaded over the network to the client, or pushed to an image pre-stage folder. -   -5. Click the **Image** list to view all available images. Select the image to be copied to the package. Click **Refresh** to refresh the list of available images. -6. Click **Next**. +5. 
Click the **Image** list to view all available images. Select the image to be copied to the package. Click **Refresh** to refresh the list of available images. -7. On the **MED-V Installation Settings** page, select the MED-V installation file by doing one of the following: +6. Click **Next**. - - In the **MED-V installation file** field, type the full path to the directory where the installation file is located. +7. On the **MED-V Installation Settings** page, select the MED-V installation file by doing one of the following: - - Click **...** to browse to the directory where the installation file is located. + - In the **MED-V installation file** field, type the full path to the directory where the installation file is located. - **Note**   - This field is mandatory, and the wizard will not continue without a valid file name. + - Click **...** to browse to the directory where the installation file is located. -   + **Note** + This field is mandatory, and the wizard will not continue without a valid file name. -8. In the **Server address** field, type the server name or IP address. -9. In the **Server port** field, type the server port. + +8. In the **Server address** field, type the server name or IP address. + +9. In the **Server port** field, type the server port. 10. Select the **Server is accessed using https** check box to require an https connection to connect to the server. 
@@ -73,29 +73,31 @@ A single package cannot contain installation files for both x86 and x64 systems. 1. On the **MED-V Installation Custom Settings** page, in the **Installation folder** field, type the path of the folder where the MED-V files will be installed on the host computer. - **Note**   + **Note** It is recommended to use variables in the path rather than constants, which might vary from computer to computer. For example, use *%ProgramFiles%\\MED-V* instead of *c:\\MED-V*. -   - 2. In the **Virtual machines images folder** field, type the path of the folder where the virtual images files will be installed on the host computer. - **Note**   - If you are using image pre-staging, this is the image pre-stage folder where the image is located. + ~~~ + 2. In the **Virtual machines images folder** field, type the path of the folder where the virtual images files will be installed on the host computer. -   + **Note** + If you are using image pre-staging, this is the image pre-stage folder where the image is located. - 3. In the **Minimal required RAM** field, enter the RAM required to install a MED-V package. If the user installing the MED-V package does not have the minimal required RAM, the installation will fail. - 4. Select the **Install the MED-V management application** check box to include the MED-V management console application in the installation. - 5. Select the **Create a shortcut to MED-V on the desktop** check box to create a shortcut to MED-V on the host's desktop. + 3. In the **Minimal required RAM** field, enter the RAM required to install a MED-V package. If the user installing the MED-V package does not have the minimal required RAM, the installation will fail. - 6. Select the **Start automatically on computer startup** check box to start MED-V automatically on startup. + 4. Select the **Install the MED-V management application** check box to include the MED-V management console application in the installation. - 7. Click **Next**. + 5. 
Select the **Create a shortcut to MED-V on the desktop** check box to create a shortcut to MED-V on the host's desktop. + + 6. Select the **Start automatically on computer startup** check box to start MED-V automatically on startup. + + 7. Click **Next**. + ~~~ 12. On the **Additional Installations** page, select the **Include installation of virtualization software** check box to include the Virtual PC installation in the package. @@ -105,9 +107,9 @@ A single package cannot contain installation files for both x86 and x64 systems. The **Installation file** field is enabled. Type the full path of the Virtual PC update installation file, or click **...** to browse to the directory. -14. Select the **Include installation of Microsoft .NET Framework 2.0** check box to include the Microsoft .NET Framework 2.0 installation in the package. +14. Select the **Include installation of Microsoft .NET Framework 2.0** check box to include the Microsoft .NET Framework 2.0 installation in the package. - The **Installation file** field is enabled. Type the full path of the Microsoft .NET Framework 2.0 installation file, or click **...** to browse to the directory. + The **Installation file** field is enabled. Type the full path of the Microsoft .NET Framework 2.0 installation file, or click **...** to browse to the directory. 15. Click **Next**. @@ -117,10 +119,10 @@ A single package cannot contain installation files for both x86 and x64 systems. - Click **...** to browse to the directory where the installation files should be saved. - **Note**   + **Note** Building the package might consume more space than the actual package size. It is therefore recommended to build the package on the hard drive. After the package is created, it can then be copied to the USB. -   + 17. In the **Package name** field, enter a name for the package. 
@@ -130,29 +132,29 @@ A single package cannot contain installation files for both x86 and x64 systems. After the package is created, a message appears notifying you that it has been completed successfully. -**Note**   +**Note** If you saved all the files locally, and not directly on the removable media, ensure that you copy only the contents of the folder and not the folder itself to the removable media. -  -**Note**   + +**Note** The removable media must be large enough so that the package contents consume a maximum of only three-quarters of the removable media's memory. -  -**Note**   + +**Note** When creating the package, up to double the size of the actual package size might be required when the build is complete. -  + ## Related topics [Creating a MED-V Image](creating-a-med-v-image.md) -  - -  + + + diff --git a/mdop/medv-v1/how-to-configure-a-domain-user-or-groupmedvv2.md b/mdop/medv-v1/how-to-configure-a-domain-user-or-groupmedvv2.md index 0ac177cc39..ce0b36eae2 100644 --- a/mdop/medv-v1/how-to-configure-a-domain-user-or-groupmedvv2.md +++ b/mdop/medv-v1/how-to-configure-a-domain-user-or-groupmedvv2.md @@ -40,15 +40,17 @@ To allow users to utilize the MED-V workspace, you must first add domain users o The domain users or groups are added. - **Note**   + **Note** Users from trusted domains should be added manually. -   - **Warning**   - Do not run the management application from a computer that is part of a domain that is not trusted by the domain the server is installed on. -   +~~~ +**Warning** +Do not run the management application from a computer that is part of a domain that is not trusted by the domain the server is installed on. +~~~ + + ## How to Remove a Domain User or Group 
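Review bot: In the `@@ -40,15 +40,17 @@` hunk of how-to-configure-a-domain-user-or-groupmedvv2.md, the **Warning** about not running the management application from an untrusted domain is pulled out of the step indentation and wrapped in `~~~` fences, so it will render as a literal code block (asterisks shown verbatim) rather than as the warning callout it was, and it is no longer visually attached to the step it qualifies. This is the one security caveat in that section, so keep it as indented prose directly under the `**Note**` it follows and drop the fences, i.e.:
    **Warning**
    Do not run the management application from a computer that is part of a domain that is not trusted by the domain the server is installed on.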
@@ -112,17 +114,17 @@ Select this check box to enable transferring files between the host and MED-V wo - **Workspace to Host**—Enable transferring files from the MED-V workspace to the host. -**Note**   +**Note** If a user without permissions attempts to transfer files, a window will appear prompting him to enter the credentials of a user with permissions to perform the file transfer. -  -**Important**   -To support file transfer in Windows XP SP3, you must disable offline file synchronization by editing the registry as follows: + +**Important** +To support file transfer in Windows XP SP3, you must disable offline file synchronization by editing the registry as follows: `REG ADD HKLM\software\microsoft\windows\currentversion\netcache /V Enabled /T REG_DWORD /F /D 0` -  + Advanced @@ -134,16 +136,16 @@ Enable printing to printers connected to the host Select this check box to enable users to print from the MED-V workspace using the host printer. -**Note**   +**Note** The printing is performed by the printers defined on the host. -  + Enable access to CD / DVD Select this check box to allow access to a CD or DVD drive from this MED-V workspace. -  + **Multiple Memberships** @@ -162,9 +164,9 @@ Select this check box to allow access to a CD or DVD drive from this MED-V works [How to Set Advanced File Transfer Options](how-to-set-advanced-file-transfer-options.md) -  - -  + + + diff --git a/mdop/medv-v1/how-to-configure-image-pre-staging.md b/mdop/medv-v1/how-to-configure-image-pre-staging.md index 05b5ddb581..5d736b92b9 100644 --- a/mdop/medv-v1/how-to-configure-image-pre-staging.md +++ b/mdop/medv-v1/how-to-configure-image-pre-staging.md @@ -20,7 +20,7 @@ ms.date: 06/16/2016 **Note**   Image pre-staging is useful only for the initial image download. It is not supported for image update. -  + ## How to Configure Image Pre-staging 
@@ -32,32 +32,32 @@ Image pre-staging is useful only for the initial image download. It is not suppo **Note**   This folder must be called *MED-V Images*. -   + 2. Inside the MED-V Images folder, create a subfolder and name it *PrestagedImages*. **Note**   This folder must be called *PrestagedImages*. -   + 3. To apply Access Control Lists (ACL) security to the *MED-V Images* folder, set the following ACL: **NT AUTHORITY\\Authenticated Users:(OI)(CI)(special access:)** -                                          **READ\_CONTROL** + **READ\_CONTROL** -                                 **SYNCHRONIZE** + **SYNCHRONIZE** -                                 **FILE\_GENERIC\_READ** + **FILE\_GENERIC\_READ** -                                 **FILE\_READ\_DATA** + **FILE\_READ\_DATA** **                                 FILE\_APPEND\_DATA** -                                 **FILE\_READ\_EA** + **FILE\_READ\_EA** -                                 **FILE\_READ\_ATTRIBUTES** + **FILE\_READ\_ATTRIBUTES** **NT AUTHORITY\\SYSTEM:(OI)(CI)F** @@ -66,7 +66,7 @@ Image pre-staging is useful only for the initial image download. It is not suppo **Note**   It is recommended to apply ACL security to the *MED-V Images* folder. -   + 4. To apply ACL security to the *PrestagedImages* folder, set the following ACL: @@ -91,14 +91,14 @@ Image pre-staging is useful only for the initial image download. It is not suppo **Note**   It is recommended to apply ACL security to the *PrestagedImages* folder. -   + 5. Push the image files (CKM and INDEX files) to the *PrestagedImages* folder. **Note**   After the image files have been pushed to the pre-stage folder, it is recommended to run a data integrity check and to mark the files as read-only. -   + 6. Include the following parameter in the MED-V client installation: *Client.MSI VMSFOLDER=”C:\\MED-V Images”*. 
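Review bot: in the @@ -32,32 +32,32 @@ hunk the padded ACL entries are normalised except `**                                 FILE\_APPEND\_DATA**`, which is left as unchanged context with the padding inside the bold markers, so it will still render differently from the entries around it; include that line in the cleanup. While this list is being touched, FILE_APPEND_DATA is a write right, and granting it to NT AUTHORITY\Authenticated Users on the MED-V Images folder sits oddly next to step 5 in the @@ -91,14 +91,14 @@ hunk, which recommends an integrity check and marking the pushed CKM and INDEX files read-only; confirm the right is intended or remove it from the documented ACL.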
@@ -115,9 +115,9 @@ Image pre-staging is useful only for the initial image download. It is not suppo 2. If the image is in a different location, change the path. -  + -  + diff --git a/mdop/medv-v1/how-to-configure-published-applicationsmedvv2.md b/mdop/medv-v1/how-to-configure-published-applicationsmedvv2.md index 110ea7ab26..91f9055689 100644 --- a/mdop/medv-v1/how-to-configure-published-applicationsmedvv2.md +++ b/mdop/medv-v1/how-to-configure-published-applicationsmedvv2.md @@ -38,10 +38,10 @@ An application can be published in one of the following ways: 4. On the **Policy** menu, select **Commit**. - **Note**   + **Note** If you are setting Internet Explorer as a published application to ensure that Web redirection works properly, make certain that any parameters are not in parentheses. -   + **Published Application Properties** @@ -63,30 +63,28 @@ An application can be published in one of the following ways:

    Display name

    -

    The name of the shortcut in the user's Windows Start menu.

    +

    The name of the shortcut in the user's Windows Start menu.

    -Note   -

    The display name is not case sensitive.

    +Note

    The display name is not case sensitive.

    -  +

    Description

    -

    A description of the published application, which appears as a tooltip when the user's mouse hovers over the shortcut.

    +

    A description of the published application, which appears as a tooltip when the user's mouse hovers over the shortcut.

    Command line

    The command used to run the application from within the MED-V workspace. The full path is required, and the parameters can be passed to the application in a similar fashion as in any other Windows command.

    -

    In a revertible MED-V workspace, you can map a network drive with MapNetworkDrive syntax: "MapNetworkDrive <drive> <path>"—for example, "MapNetworkDrive t: \\tux\date".

    -

    For example, to publish Windows Explorer, use the following syntax: "c:\" or "c:\windows."

    +

    In a revertible MED-V workspace, you can map a network drive with MapNetworkDrive syntax: "MapNetworkDrive <drive> <path>"—for example, "MapNetworkDrive t: \tux\date".

    +

    For example, to publish Windows Explorer, use the following syntax: "c:</em>" or "c:\windows."

    -Note   -

    To have a name resolution, you need to perform one of the following:

    +Note

    To have a name resolution, you need to perform one of the following:

    -  +
    • Configure the DNS in the base MED-V workspace image.
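Review bot: two + lines in this hunk lose a backslash. The UNC example changes from "MapNetworkDrive t: \\tux\date" to "MapNetworkDrive t: \tux\date", which is no longer a UNC path, and the Windows Explorer example changes from "c:\" to "c:</em>", so the trailing backslash is gone and a stray closing italic tag leaks into the rendered cell. Restore the escaped double backslash for \\tux\date and escape the trailing backslash in "c:\" so the table shows the same text it did before the hunk.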

    • @@ -94,28 +92,26 @@ An application can be published in one of the following ways:
    • Use the IP for defining the network drive.

    -Note   -

    If the path includes spaces, the entire path must be inside quotation marks.

    +Note

    If the path includes spaces, the entire path must be inside quotation marks.

    -  +
    -Note   -

    The path should not end with a backslash ().

    +Note

    The path should not end with a backslash ().

    -  +

    Start menu

    -

    Select this check box to create a shortcut for the application in the user's Windows Start menu.

    +

    Select this check box to create a shortcut for the application in the user's Windows Start menu.

    -  + All published applications appear as shortcuts in the Windows **Start** menu (**Start >All Programs> MED-V Applications**). @@ -167,35 +163,34 @@ All published applications appear as shortcuts in the Windows **Start** menu (**

    Display name

    -

    The name of the shortcut in the user's Windows Start menu.

    +

    The name of the shortcut in the user's Windows Start menu.

    Description

    -

    The description, which appears as a tooltip when the user's mouse hovers over the shortcut.

    +

    The description, which appears as a tooltip when the user's mouse hovers over the shortcut.

    Folder in workspace

    Select the folder to publish as a menu containing all the applications within the folder.

    The text displayed is a relative path from the Programs folder.

    -Note   -

    If left blank, all programs on the host will be published as a menu.

    +Note

    If left blank, all programs on the host will be published as a menu.

    -  +
    -  + All published menus appear as shortcuts in the Windows **Start** menu (**Start >All Programs> MED-V Applications**). You can change the name of the shortcut in the **Start-menu shortcuts folder** field. -**Note**   +**Note** When configuring two MED-V workspaces, it is recommended to configure a different name for the Start menu shortcuts folder. -  + ## How to Remove a Published Menu from a MED-V Workspace @@ -221,10 +216,10 @@ The administrator can run published applications from any location, such as a de "\Manager\KidaroCommands.exe" /run "" "" ``` -**Note**   +**Note** The MED-V workspace in which the published application is defined must be running. -  + ## Related topics @@ -235,9 +230,9 @@ The MED-V workspace in which the published application is defined must be runnin [Creating a MED-V Workspace](creating-a-med-v-workspacemedv-10-sp1.md) -  - -  + + + diff --git a/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspacemedvv2.md b/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspacemedvv2.md index 3108c58d7c..938c998f17 100644 --- a/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspacemedvv2.md +++ b/mdop/medv-v1/how-to-configure-the-virtual-machine-setup-for-a-med-v-workspacemedvv2.md @@ -28,10 +28,10 @@ All virtual machine setup configuration settings are configured in the **Policy* 2. In the **Persistent VM Setup** section, configure the properties as described in the following table. - **Note**   + **Note** The persistent VM setup properties are enabled only for a persistent MED-V workspace. -   + 3. On the **Policy** menu, select **Commit**. @@ -55,30 +55,28 @@ All virtual machine setup configuration settings are configured in the **Policy*

    Script Editor

    -

    Click to configure the setup script. For more information, see [How to Set Up Script Actions](how-to-set-up-script-actions.md).

    +

    Click to configure the setup script. For more information, see How to Set Up Script Actions.

    -Note   -

    This button is enabled only when Run VM Setup script is selected.

    +Note

    This button is enabled only when Run VM Setup script is selected.

    -  +

    Message displayed when script is running

    A message to be displayed while the script is running. If left blank, the default message is displayed.

    -Note   -

    This field is enabled only when Run VM Setup script is checked.

    +Note

    This field is enabled only when Run VM Setup script is checked.

    -  +
    -  + ## How to Configure the Virtual Machine Setup for a Revertible MED-V Workspace @@ -89,10 +87,10 @@ All virtual machine setup configuration settings are configured in the **Policy* 2. In the **Revertible VM Setup** section, configure the properties as described in the following table. - **Note**   + **Note** The revertible VM setup properties are enabled only for a revertible MED-V workspace. -   + 3. On the **Policy** menu, select **Commit**. @@ -113,12 +111,12 @@ All virtual machine setup configuration settings are configured in the **Policy*

    Rename the VM based on the computer name pattern

    Select this check box to assign a unique name to each computer using the MED-V workspace so that you can differentiate between multiple computers using the same MED-V workspace.

    -

    For more information on configuring computer image names, see [How to Configure VM Computer Name Pattern Properties](how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md).

    +

    For more information on configuring computer image names, see How to Configure VM Computer Name Pattern Properties.

    -  + ## Related topics @@ -129,9 +127,9 @@ All virtual machine setup configuration settings are configured in the **Policy* [Examples of Virtual Machine Configurations](examples-of-virtual-machine-configurationsv2.md) -  - -  + + + diff --git a/mdop/medv-v1/how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md b/mdop/medv-v1/how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md index a946709bc0..d37e201c72 100644 --- a/mdop/medv-v1/how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md +++ b/mdop/medv-v1/how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md @@ -52,22 +52,24 @@ A virtual machine computer name pattern can be assigned both for revertible and - **Random characters**—Enter “\#” for each random character to include in the pattern. Each computer using the MED-V workspace will have a suffix of the length specified, which is generated randomly. - **Note**   + **Note** The computer name has a limit of 15 characters. If the pattern exceeds the limit, it will be truncated. -   + 4. On the **Policy** menu, select **Commit**. - **Note**   + **Note** A revertible VM computer name pattern can be assigned only when **Rename the VM based on the computer name patterns** (in the **Revertible VM Setup** section) is checked. -   - **Note**   - A unique computer name can be assigned only if it is configured prior to MED-V workspace setup. Changing the name will not affect MED-V workspaces that were already set up. -   +~~~ +**Note** +A unique computer name can be assigned only if it is configured prior to MED-V workspace setup. Changing the name will not affect MED-V workspaces that were already set up. +~~~ + + ## How to Assign a Virtual Machine Computer Name Pattern to a Persistent MED-V Workspace 
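Review bot: in the @@ -52,22 +52,24 @@ hunk of how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md, the second **Note** (a unique computer name must be configured before MED-V workspace setup) is moved inside `~~~` fences and dedented, so it renders as a code block instead of a note like the one directly above it; remove the fences and keep it at the same list indentation as the preceding **Note**.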
@@ -102,17 +104,17 @@ A virtual machine computer name pattern can be assigned both for revertible and - **Random characters**— Enter “\#” for each random character to include in the pattern. The computer will have a suffix of the length specified, which is generated randomly. - **Note**   + **Note** The computer name has a limit of 15 characters. If the pattern exceeds the limit, it will be truncated. -   + 6. On the **Policy** menu, select **Commit**. - **Note**   + **Note** The computer will be renamed only if it is set as an action in the **Script Actions** dialog box. For detailed information, see [How to Set Up Script Actions](how-to-set-up-script-actions.md). -   + ## Related topics @@ -125,9 +127,9 @@ A virtual machine computer name pattern can be assigned both for revertible and [Examples of Virtual Machine Configurations](examples-of-virtual-machine-configurationsv2.md) -  - -  + + + diff --git a/mdop/medv-v1/how-to-configure-web-settings-for-a-med-v-workspace.md b/mdop/medv-v1/how-to-configure-web-settings-for-a-med-v-workspace.md index d1dfc15034..258a58f9b0 100644 --- a/mdop/medv-v1/how-to-configure-web-settings-for-a-med-v-workspace.md +++ b/mdop/medv-v1/how-to-configure-web-settings-for-a-med-v-workspace.md @@ -21,10 +21,10 @@ Web sites that can only be displayed in older versions of Internet Explorer and The following procedures describe how you can set a list of Web browsing rules for a MED-V workspace. All sites included in the rules can be browsed either in the MED-V workspace or on the host, as defined by the administrator. All sites not defined within the rules are browsed from the environment in which they were requested. However, you can configure them as a group as well, to be browsed in the MED-V workspace or the host. -**Note**   +**Note** Web settings are applied only to Internet Explorer and to no other browsers. -  + All Web settings are configured in the **Policy** module, on the **Web** tab. 
@@ -87,7 +87,7 @@ All Web settings are configured in the **Policy** module, on the **Web** tab.
    • Domain suffix—Access to any host address ending with the suffix specified in the Value property and is set according to the option set in Web Browsing.

    • IP Prefix—Access to any full or partial IP address in the range of the prefix specified in the Value property and is set according to the option set in Web Browsing.

    • -
    • All Local Addresses—Access to all addresses without a '.' and is set according to the option set in Web Browsing.

    • +
    • All Local Addresses—Access to all addresses without a '.' and is set according to the option set in Web Browsing.

    @@ -95,14 +95,13 @@ All Web settings are configured in the **Policy** module, on the **Web** tab.
    • If Domain suffix is selected in the Type property, enter a domain suffix.

      -Note   -
        +Note
        • Do not enter "*" before the suffix.

        • Domain suffixes support aliases as well.

      -  +
    • If IP Prefix is selected in the Type property, enter a full or partial IP address.

    @@ -110,7 +109,7 @@ All Web settings are configured in the **Policy** module, on the **Web** tab. -  + ## How to Delete a Web Rule @@ -130,9 +129,9 @@ All Web settings are configured in the **Policy** module, on the **Web** tab. [Creating a MED-V Workspace](creating-a-med-v-workspacemedv-10-sp1.md) -  - -  + + + diff --git a/mdop/medv-v1/how-to-create-and-test-a-med-v-image.md b/mdop/medv-v1/how-to-create-and-test-a-med-v-image.md index 7f2cd80715..81edc52790 100644 --- a/mdop/medv-v1/how-to-create-and-test-a-med-v-image.md +++ b/mdop/medv-v1/how-to-create-and-test-a-med-v-image.md @@ -59,7 +59,7 @@ When creating a MED-V image, it goes through the following stages: **Note**   The following characters cannot be included in the image name: space " < > | \\ / : \* ? -   + 5. Click **OK**. @@ -96,7 +96,7 @@ When creating a MED-V image, it goes through the following stages: -  + ## How to Test a MED-V Image from the MED-V Client @@ -128,12 +128,12 @@ After a MED-V test image is created, use the following procedure to test the ima **Note**   While testing an image, do not open VPC and make changes to the image. -  + **Note**   When testing an image, no changes are saved to the image between sessions; instead, they are saved in a separate, temporary file. This is to ensure that when the image is packed and run on the production environment, it is the original, clean image. -  + ## Related topics @@ -146,9 +146,9 @@ When testing an image, no changes are saved to the image between sessions; inste [MED-V Client Operations](med-v-client-operations.md) -  + -  + diff --git a/mdop/medv-v1/how-to-edit-a-published-application-with-advanced-settings.md b/mdop/medv-v1/how-to-edit-a-published-application-with-advanced-settings.md index 237737477b..269980cf59 100644 --- a/mdop/medv-v1/how-to-edit-a-published-application-with-advanced-settings.md +++ b/mdop/medv-v1/how-to-edit-a-published-application-with-advanced-settings.md 
@@ -49,13 +49,12 @@ After a published application has been added and configured, the published appli

    Display name

    -

    The name of the shortcut in the user's Windows Start menu.

    +

    The name of the shortcut in the user's Windows Start menu.

    -Note   -

    The display name is not case sensitive.

    +Note

    The display name is not case sensitive.

    -  +
    @@ -66,11 +65,10 @@ After a published application has been added and configured, the published appli

    Start in

    The directory from which to start the application.

    -Note   -

    The path does not need to include quotation marks.

    +Note

    The path does not need to include quotation marks.

    -  +
    @@ -78,14 +76,13 @@ After a published application has been added and configured, the published appli

    The command with which to run the application from within the MED-V workspace.

    The full path is required, and the parameters can be passed to the application in a similar fashion as in any other Windows command.

    In a domain configuration, a shared drive usually exists on the server where all domain computers map to. The directory should be mapped here, and if it is a folder that requires user authentication, the Use MED-V credentials to run this application check box must be selected.

    -

    In a revertible MED-V workspace, you can map a network drive with MapNetworkDrive syntax: "MapNetworkDrive <drive> <path>"—for example, "MapNetworkDrive t: \\tux\data".

    -

    For example, to publish Windows Explorer, use the following syntax: "c:\" or "c:\windows".

    +

    In a revertible MED-V workspace, you can map a network drive with MapNetworkDrive syntax: "MapNetworkDrive <drive> <path>"—for example, "MapNetworkDrive t: \tux\data".

    +

    For example, to publish Windows Explorer, use the following syntax: "c:&quot; or "c:\windows".

    -Note   -

    To have a name resolution, you need to perform one of the following:

    +Note

    To have a name resolution, you need to perform one of the following:

    -  +
    • Configure the DNS in the base MED-V workspace image.
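Review bot: the same backslash loss as in the published-applications table appears in this hunk: the + lines read "MapNetworkDrive t: \tux\data" (a single leading backslash, no longer a UNC path) and "c:&quot;" (the backslash is gone and the closing quote is now HTML-escaped). Restore \\tux\data and escape the trailing backslash in "c:\" so the Explorer example still names a drive root.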

    • @@ -93,23 +90,21 @@ After a published application has been added and configured, the published appli
    • Use the IP for defining the network drive.

    -Note   -

    If the path includes spaces, the entire path must be inside quotation marks.

    +Note

    If the path includes spaces, the entire path must be inside quotation marks.

    -  +
    -Note   -

    The path should not end with a backslash ().

    +Note

    The path should not end with a backslash ().

    -  +

    Add a shortcut in the host Windows Start menu

    -

    Select this check box to create a shortcut for the application in the user's Windows Start menu.

    +

    Select this check box to create a shortcut for the application in the user's Windows Start menu.

    Launch this application when the Workspace is started
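Review bot: the + line "The path should not end with a backslash ()." still has empty parentheses; the backslash character is missing from both the - and + versions, most likely consumed as an escape. Since the hunk rewrites this Note anyway, put the escaped character back so the sentence reads "a backslash (\)".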

    @@ -119,26 +114,25 @@ After a published application has been added and configured, the published appli

    Use MED-V credentials to run this application

    Select this check box to authenticate applications that request a user name and password using the MED-V credentials instead of the credentials set for the application.

    -Note   -

    When using SSO, the command line should be C:\Windows\Explorer.exe "folder path". When not using SSO, the command line should be "folder path".

    +Note

    When using SSO, the command line should be C:\Windows\Explorer.exe "folder path". When not using SSO, the command line should be "folder path".

    -  +
    -  + ## Related topics [How to Configure Published Applications](how-to-configure-published-applicationsmedvv2.md) -  - -  + + + diff --git a/mdop/medv-v1/how-to-generate-reports-medvv2.md b/mdop/medv-v1/how-to-generate-reports-medvv2.md index 60eee274ea..082e4a4e13 100644 --- a/mdop/medv-v1/how-to-generate-reports-medvv2.md +++ b/mdop/medv-v1/how-to-generate-reports-medvv2.md @@ -62,22 +62,20 @@ The report results can be grouped by dragging a column header to the top of the

    Time

    The date and time the event occurred.

    -Note   -

    By default, the events are displayed in descending date order. However, it can be changed by clicking the Time Received column.

    +Note

    By default, the events are displayed in descending date order. However, it can be changed by clicking the Time Received column.

    -  +

    User Name

    The user who initiated the event.

    -Note   -

    If the event occurred before a user logged on, the user name is SYSTEM.

    +Note

    If the event occurred before a user logged on, the user name is SYSTEM.

    -  +
    @@ -116,17 +114,16 @@ The report results can be grouped by dragging a column header to the top of the

    Image Version

    The image version that the MED-V workspace is currently using.

    -Note   -

    MED-V workspace version can be Unknown if it has not yet been downloaded onto a computer.

    +Note

    MED-V workspace version can be Unknown if it has not yet been downloaded onto a computer.

    -  +
    -  + ## How to Generate an Activity Log Report @@ -185,18 +182,16 @@ The report results can be grouped by dragging a column header to the top of the

    Time Received

    The date and time the event was received on the server.

    -Note   -

    If the client is working offline, the server receives the reports when the client is online.

    +Note

    If the client is working offline, the server receives the reports when the client is online.

    -  +
    -Note   -

    By default, the events are displayed in descending date order. However, it can be changed by clicking the Time Received column.

    +Note

    By default, the events are displayed in descending date order. However, it can be changed by clicking the Time Received column.

    -  +
    @@ -222,7 +217,7 @@ The report results can be grouped by dragging a column header to the top of the -  + ## How to Generate an Error Log Report @@ -275,18 +270,16 @@ The report results can be grouped by dragging a column header to the top of the

    Time Received

    The date and time the event was received on the server.

    -Note   -

    If the client is working offline, the server receives the reports when the client is online.

    +Note

    If the client is working offline, the server receives the reports when the client is online.

    -  +
    -Note   -

    By default, the events are displayed in descending date order. However, it can be changed by clicking the Time Received column.

    +Note

    By default, the events are displayed in descending date order. However, it can be changed by clicking the Time Received column.

    -  +
    @@ -308,11 +301,11 @@ The report results can be grouped by dragging a column header to the top of the -  - -  - -  + + + + + diff --git a/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md b/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md index c554dd0360..e21097b997 100644 --- a/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md +++ b/mdop/medv-v1/how-to-install-and-configure-the-med-v-server-component.md @@ -48,10 +48,10 @@ This section explains how to [install](#bkmk-howtoinstallthemedvserver) and [con 6. When the **InstallShield Wizard Completed** screen appears, click **Finish** to complete the wizard. -**Note**   +**Note** If you are installing the MED-V server via Microsoft Remote Desktop, use the following syntax: **mstsc/admin**. Ensure that your RDP session is directed to the console. -  + ## How to Configure the MED-V Server 
@@ -72,32 +72,34 @@ The following server settings can be configured: 1. On the Windows Start menu, select **All Programs > MED-V > MED-V Server Configuration Manager**. - **Note**   + **Note** Note: If you selected the **Launch MED-V Server Configuration Manager** check box during the server installation, the MED-V server configuration manager starts automatically after the server installation is complete. -   - The MED-V Server Configuration Manager appears. -2. On the **Connections** tab, configure the following client connections settings: +~~~ +The MED-V Server Configuration Manager appears. +~~~ - - **Enable unencrypted connections (http), using port**—Select this check box to enable unencrypted connections using a specified port. In the port box, enter the server port on which to accept unencrypted connections (http). +2. On the **Connections** tab, configure the following client connections settings: - - **Enable encrypted connections (https), using port**—Select this check box to enable encrypted connections using a specified port. In the port box, enter the server port on which to accept encrypted connections (https). + - **Enable unencrypted connections (http), using port**—Select this check box to enable unencrypted connections using a specified port. In the port box, enter the server port on which to accept unencrypted connections (http). - Https is an optional configuration which can be set to ensure secure transactions between the MED-V server and MED-V clients. To configure https, you must perform the following procedures: + - **Enable encrypted connections (https), using port**—Select this check box to enable encrypted connections using a specified port. In the port box, enter the server port on which to accept encrypted connections (https). - - Configure a certificate on the server. + Https is an optional configuration which can be set to ensure secure transactions between the MED-V server and MED-V clients. 
To configure https, you must perform the following procedures: - - Associate the server certificate with the port specified using netsh. For information, see the following: + - Configure a certificate on the server. - - [Netsh Commands for Hypertext Transfer Protocol (HTTP)](https://go.microsoft.com/fwlink/?LinkId=183314) + - Associate the server certificate with the port specified using netsh. For information, see the following: - - [How to: Configure a Port with an SSL Certificate](https://go.microsoft.com/fwlink/?LinkID=183315) + - [Netsh Commands for Hypertext Transfer Protocol (HTTP)](https://go.microsoft.com/fwlink/?LinkId=183314) - - [How to: Configure a Port with an SSL Certificate](https://msdn.microsoft.com/library/ms733791.aspx) + - [How to: Configure a Port with an SSL Certificate](https://go.microsoft.com/fwlink/?LinkID=183315) -3. Click **OK**. + - [How to: Configure a Port with an SSL Certificate](https://msdn.microsoft.com/library/ms733791.aspx) + +3. Click **OK**. ### Configuring Images @@ -151,10 +153,10 @@ The following server settings can be configured: `Data Source=;Initial Catalog=;uid=sa;pwd=;` - **Note**   + **Note** Note: To connect to SQL Express, use: `Data Source=\sqlexpress.` -   + 4. To create the database, click **Create Database**. @@ -185,9 +187,9 @@ The following server settings can be configured: [Design the MED-V Server Infrastructure](design-the-med-v-server-infrastructure.md) -  - -  + + + diff --git a/mdop/medv-v1/how-to-install-med-v-client-and-med-v-management-console.md b/mdop/medv-v1/how-to-install-med-v-client-and-med-v-management-console.md index 23bdf51823..e84a2751f0 100644 --- a/mdop/medv-v1/how-to-install-med-v-client-and-med-v-management-console.md +++ b/mdop/medv-v1/how-to-install-med-v-client-and-med-v-management-console.md 
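Review bot: in the @@ -72,32 +72,34 @@ hunk, "The MED-V Server Configuration Manager appears." is moved out of step 1 and into `~~~` fences, so a one-line status sentence renders as a code block between steps 1 and 2; drop the fences and keep it indented under step 1. The same hunk keeps `**Note**` immediately followed by a line beginning "Note: If you selected the **Launch MED-V Server Configuration Manager** check box", so the label appears twice; remove the inline "Note:". Under the Connections settings the text presents https as optional; a sentence recommending the encrypted connection for the client-to-server channel, pointing at the certificate and netsh steps the hunk already lists, would help administrators choose the safer setting.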
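Review bot: the @@ -151,10 +153,10 @@ hunk again leaves `**Note**` followed by "Note: To connect to SQL Express", duplicating the label. More important, the connection string just above it, `Data Source=;Initial Catalog=;uid=sa;pwd=;`, steers the reader to the SQL `sa` account with its password typed into the string in clear; the text should recommend a dedicated, least-privileged SQL login for the MED-V database instead of `sa`, and say so next to the example.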
@@ -25,15 +25,15 @@ The following MED-V components are included in the client .msi package: The MED-V management console and the MED-V client are both installed from the MED-V client .msi package. The MED-V client, however, can be installed independently without the MED-V management console by clearing the **Install the MED-V Management application** check box during installation. -**Note**   -The MED-V client and MED-V management console can only be installed on Windows 7-, Windows Vista-, and Windows XP-based computers. They cannot be installed on server products. +**Note** +The MED-V client and MED-V management console can only be installed on Windows 7-, Windows Vista-, and Windows XP-based computers. They cannot be installed on server products. -  -**Note**   + +**Note** Do not install the MED-V client using the Windows **runas** command. -  + **To install the MED-V client** 
@@ -61,32 +61,34 @@ Do not install the MED-V client using the Windows **runas** command. - Select the **Install the MED-V management application** check box to include the management component in the installation. - **Note**   + **Note** Enterprise Desktop Virtualization administrators should install the MED-V management application. This application is required for configuring desktop images and MED-V workspaces. -   - - Select the **Load MED-V when Windows starts** check box to start MED-V automatically on startup. - - Select the **Add a MED-V shortcut to my desktop** check box to create a MED-V shortcut on your desktop. +~~~ +- Select the **Load MED-V when Windows starts** check box to start MED-V automatically on startup. - - In the **Server address** field, type the server address. +- Select the **Add a MED-V shortcut to my desktop** check box to create a MED-V shortcut on your desktop. - - In the **Server port** field, type the server's port. +- In the **Server address** field, type the server address. - - Select the **Server requires encrypted connections (https)** check box to work with https. +- In the **Server port** field, type the server's port. - - The default virtual machine images folder is displayed. The default installation folder is *%systemdrive%\\MED-V Images\\*. To change the folder where MED-V should be installed, click **Change**, and browse to an existing folder. +- Select the **Server requires encrypted connections (https)** check box to work with https. -7. Click **Next**. +- The default virtual machine images folder is displayed. The default installation folder is *%systemdrive%\\MED-V Images\\*. To change the folder where MED-V should be installed, click **Change**, and browse to an existing folder. +~~~ -8. On the **Ready to Install the Program** screen, click **Install**. +7. Click **Next**. - The MED-V client installation starts. This can take several minutes, and the screen might not display text. 
During installation, several progress screens appear. If a message appears, follow the instructions provided. +8. On the **Ready to Install the Program** screen, click **Install**. - Upon successful installation, the **InstallShield Wizard Completed** screen appears. + The MED-V client installation starts. This can take several minutes, and the screen might not display text. During installation, several progress screens appear. If a message appears, follow the instructions provided. -9. Click **Finish** to close the wizard. + Upon successful installation, the **InstallShield Wizard Completed** screen appears. + +9. Click **Finish** to close the wizard. ## Related topics @@ -95,9 +97,9 @@ Do not install the MED-V client using the Windows **runas** command. [Installation and Upgrade Checklists](installation-and-upgrade-checklists.md) -  - -  + + + diff --git a/mdop/medv-v1/how-to-install-med-v-clientdeployment-package.md b/mdop/medv-v1/how-to-install-med-v-clientdeployment-package.md index bbdb89fcdd..90bf368d23 100644 --- a/mdop/medv-v1/how-to-install-med-v-clientdeployment-package.md +++ b/mdop/medv-v1/how-to-install-med-v-clientdeployment-package.md @@ -19,10 +19,10 @@ ms.date: 06/16/2016 In a deployment package-based scenario, the MED-V client installation is included in the deployment package and installed directly from the package. -**Important**   +**Important** When using a deployment package that does not include an image, ensure that the image is uploaded to the Web or pushed to the pre-stage folder prior to installing the deployment package. -  + **To install a deployment package** 
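Review bot: in the @@ -61,32 +61,34 @@ hunk of how-to-install-med-v-client-and-med-v-management-console.md the six installer options that follow the **Note** (Load MED-V when Windows starts, Add a MED-V shortcut to my desktop, Server address, Server port, Server requires encrypted connections (https), and the virtual machine images folder) are moved inside `~~~` fences and dedented, so they render as a code block and drop out of the step-6 sub-list; remove the fences and restore the list indentation. The `Server requires encrypted connections (https)` option is the client side of the server's https setting, so it should stay a visible bullet rather than preformatted text.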
@@ -36,27 +36,29 @@ When using a deployment package that does not include an image, ensure that the A dialog box appears listing the components that are already installed and those that are currently being installed. - **Note**   + **Note** If a version of the Microsoft Virtual PC that is not supported exists on the host computer, a message will appear telling you to uninstall the existing version and run the installer again. -   - **Note**   - If an older version of the MED-V client exists, it will prompt you asking whether you want to upgrade. -   +~~~ +**Note** +If an older version of the MED-V client exists, it will prompt you asking whether you want to upgrade. - Depending on the components that have been installed, you might need to reboot. If rebooting is necessary, a message appears notifying you that you must reboot. -3. If necessary, reboot the computer. - When the installation is complete, MED-V starts and a message appears notifying you that the installation is complete. +Depending on the components that have been installed, you might need to reboot. If rebooting is necessary, a message appears notifying you that you must reboot. +~~~ -4. Log in to MED-V using the following user name and password: +3. If necessary, reboot the computer. - - Type in the domain name and user name followed by the password of the domain user who is permitted to work with MED-V. + When the installation is complete, MED-V starts and a message appears notifying you that the installation is complete. - Example: "domain\_name\\user\_name", "password" +4. Log in to MED-V using the following user name and password: + + - Type in the domain name and user name followed by the password of the domain user who is permitted to work with MED-V. + + Example: "domain\_name\\user\_name", "password" ## Related topics 
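Review bot: in the `@@ -36,27 +36,29 @@` hunk of how-to-install-med-v-clientdeployment-package.md the added `+~~~` pair wraps the second `**Note**` (older MED-V client prompts to upgrade) and the `Depending on the components that have been installed, you might need to reboot.` paragraph in a fenced code block, so the note will render as preformatted text with literal asterisks instead of bold, and both lose the indentation that kept them under the preceding numbered step (the removed lines were indented, the added ones start at column 0). Suggest removing the two `~~~` lines and restoring the indented `    **Note**` / `    If an older version of the MED-V client exists, …` form.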
@@ -67,9 +69,9 @@ When using a deployment package that does not include an image, ensure that the [Client Installation Command Line Reference](client-installation-command-line-reference.md) -  - -  + + + diff --git a/mdop/medv-v1/how-to-localize-a-med-v-image.md b/mdop/medv-v1/how-to-localize-a-med-v-image.md index 452c21687b..e118ce3dc9 100644 --- a/mdop/medv-v1/how-to-localize-a-med-v-image.md +++ b/mdop/medv-v1/how-to-localize-a-med-v-image.md @@ -46,7 +46,7 @@ A packed image can be unpacked to the local repository by extracting it. It then **Note**   The downloaded image will not appear in the **Local Images** pane until you refresh the page. Click Refresh to see the downloaded image in the **Local Images** pane. -   + ## Related topics @@ -57,9 +57,9 @@ A packed image can be unpacked to the local repository by extracting it. It then [How to Upload a MED-V Image to the Server](how-to-upload-a-med-v-image-to-the-server.md) -  + -  + diff --git a/mdop/medv-v1/how-to-pack-a-med-v-image.md b/mdop/medv-v1/how-to-pack-a-med-v-image.md index e446fa6ccb..613b801c36 100644 --- a/mdop/medv-v1/how-to-pack-a-med-v-image.md +++ b/mdop/medv-v1/how-to-pack-a-med-v-image.md 
@@ -35,25 +35,27 @@ A MED-V image must be packed before it can be added to a deployment package or u - In the **Image name** field, type the desired name. - **Note**   + **Note** The following characters cannot be included in the image name: space " < > | \\ / : \* ? -   - A new packed image will be created. - - From the drop-down list, select an existing name. +~~~ + A new packed image will be created. - A new version of the existing image will be created. +- From the drop-down list, select an existing name. -5. Click **OK**. + A new version of the existing image will be created. +~~~ - A new MED-V packed image is created on your host computer with the properties defined in the following table. +5. Click **OK**. -**Note**   + A new MED-V packed image is created on your host computer with the properties defined in the following table. + +**Note** In the **Local Packed Images** and **Packed Images on Server** panes, the most recent version of each image is displayed as the parent node. Click the parent node to view all other existing versions of the image. -  + **Local Packed Images Properties** @@ -77,11 +79,10 @@ In the **Local Packed Images** and **Packed Images on Server** panes, the most r

    Version

    The version of the displayed image.

    -Note   -

    All previous versions are kept unless deleted.

    +Note

    All previous versions are kept unless deleted.

    -  +
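Review bot: in the `@@ -35,25 +35,27 @@` hunk of how-to-pack-a-med-v-image.md the added `+~~~` lines turn `A new packed image will be created.`, the `- From the drop-down list, select an existing name.` bullet and `A new version of the existing image will be created.` into a code block, so the second option is no longer rendered as a bullet parallel to `- In the **Image name** field, type the desired name.` and the description text appears as preformatted output. Suggest dropping both `~~~` lines and keeping the bullet and its explanatory lines indented under the same list item as the removed `-` lines were.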
    @@ -95,7 +96,7 @@ In the **Local Packed Images** and **Packed Images on Server** panes, the most r -  + ## Related topics @@ -106,9 +107,9 @@ In the **Local Packed Images** and **Packed Images on Server** panes, the most r [Creating a Virtual PC Image for MED-V](creating-a-virtual-pc-image-for-med-v.md) -  - -  + + + diff --git a/mdop/medv-v1/how-to-set-up-script-actions.md b/mdop/medv-v1/how-to-set-up-script-actions.md index db8d6d9518..674cc2b942 100644 --- a/mdop/medv-v1/how-to-set-up-script-actions.md +++ b/mdop/medv-v1/how-to-set-up-script-actions.md @@ -47,26 +47,28 @@ The following is a list of actions that can be added to the domain setup script: **Note**   **Rename Computer** is configured in the **VM Settings** tab. For more information, see [How to Configure VM Computer Name Pattern Properties](how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md). -   + - **Note**   - To rename a computer, Windows must be restarted. It is recommended to add a Restart Windows action following a Rename Computer action. +~~~ +**Note** +To rename a computer, Windows must be restarted. It is recommended to add a Restart Windows action following a Rename Computer action. +~~~ -   -4. Set the order of the actions by selecting an action and clicking **Up** or **Down**. -5. Click **OK**. +4. Set the order of the actions by selecting an action and clicking **Up** or **Down**. -**Note**   +5. Click **OK**. + +**Note** When running the Join Domain script, for the script to work, the user logged into the MED-V workspace virtual machine must have local administrator rights. -  -**Note**   + +**Note** When running the Disable Auto-Logon script, it is recommended to disable the local guest account used for the auto-logon once the initial setup is complete. -  + ### @@ -92,11 +94,10 @@ When running the Disable Auto-Logon script, it is recommended to disable the loc
  • Use the following credentials—The credentials specified; enter a user name and password in the corresponding fields.

  • -Note   -

    The credentials you enter are visible to all MED-V workspace users. It is not recommended to provide domain administrator credentials.

    +Note

    The credentials you enter are visible to all MED-V workspace users. It is not recommended to provide domain administrator credentials.

    -  +
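Review bot: in the `@@ -47,26 +47,28 @@ The following is a list of actions that can be added to the domain setup script:` hunk of how-to-set-up-script-actions.md the `+~~~` pair around `**Note** / To rename a computer, Windows must be restarted. It is recommended to add a Restart Windows action following a Rename Computer action.` renders that guidance as a code block with literal `**`, and the note is moved from its indented position under the action list to column 0, so the ordering advice is detached from the Rename Computer entry it qualifies. Suggest removing the fences and keeping the note indented under the list item, as in the removed lines.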
    @@ -112,17 +113,16 @@ When running the Disable Auto-Logon script, it is recommended to disable the loc

    Organization Unit

    An organization unit (OU) may be specified to join the computer to a specific OU. The format must follow an OU distinguished name: OU=<Organization Unit>,<Domain Controller> (for example, OU=QATest, DC=il, DC=MED-V, DC=com).

    -Warning   -

    Only a single level OU is supported as is shown in the example above.

    +Warning

    Only a single level OU is supported as is shown in the example above.

    -  +
    -  + ### @@ -155,7 +155,7 @@ When running the Disable Auto-Logon script, it is recommended to disable the loc -  + ### @@ -214,7 +214,7 @@ When running the Disable Auto-Logon script, it is recommended to disable the loc -  + When configuring the command-line action, several variables can be used as defined in the following table. @@ -255,7 +255,7 @@ When configuring the command-line action, several variables can be used as defin -  + ## Related topics @@ -264,9 +264,9 @@ When configuring the command-line action, several variables can be used as defin [How to Configure VM Computer Name Pattern Properties](how-to-configure-vm-computer-name-pattern-propertiesmedvv2.md) -  + -  + diff --git a/mdop/medv-v1/how-to-share-folders-between-the-host-and-the-med-v-workspace.md b/mdop/medv-v1/how-to-share-folders-between-the-host-and-the-med-v-workspace.md index 0ea8170a94..d1d0b3b653 100644 --- a/mdop/medv-v1/how-to-share-folders-between-the-host-and-the-med-v-workspace.md +++ b/mdop/medv-v1/how-to-share-folders-between-the-host-and-the-med-v-workspace.md @@ -42,7 +42,7 @@ The following procedures demonstrate how to share folders between the host and t **Note**   Ensure that the same drive letter is not in use on both computers. -   + 4. Click **Browse**. @@ -63,11 +63,11 @@ The following procedures demonstrate how to share folders between the host and t **Note**   Ensure that both the host and MED-V workspace computers are in the same domain or workgroup. -  + -  + -  + diff --git a/mdop/medv-v1/how-to-start-and-exit-the-med-v-client.md b/mdop/medv-v1/how-to-start-and-exit-the-med-v-client.md index 1b394ef39a..bd490a205c 100644 --- a/mdop/medv-v1/how-to-start-and-exit-the-med-v-client.md +++ b/mdop/medv-v1/how-to-start-and-exit-the-med-v-client.md @@ -27,7 +27,7 @@ ms.date: 06/16/2016 **Note**   MED-V cannot be started from an elevated command prompt. -  + **To exit the MED-V client** 
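Review bot: while the `@@ -112,17 +113,16 @@` hunk of how-to-set-up-script-actions.md only trims whitespace around the `Warning`, the unchanged `Organization Unit` cell it touches mislabels the distinguished-name format: in `OU=<Organization Unit>,<Domain Controller>` the trailing `DC=il, DC=MED-V, DC=com` components are domain components spelling the DNS domain name, not a domain controller. Suggest changing the placeholder to `OU=<Organization Unit>,<Domain Components>` (or spelling out `DC=<label>,DC=<label>,...`) so the example and the format line agree.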
@@ -37,9 +37,9 @@ MED-V cannot be started from an elevated command prompt. The MED-V client exits. -  + -  + diff --git a/mdop/medv-v1/how-to-start-stop-and-restart-a-med-v-workspace.md b/mdop/medv-v1/how-to-start-stop-and-restart-a-med-v-workspace.md index aaa0dc074a..20febc9c9a 100644 --- a/mdop/medv-v1/how-to-start-stop-and-restart-a-med-v-workspace.md +++ b/mdop/medv-v1/how-to-start-stop-and-restart-a-med-v-workspace.md @@ -44,14 +44,14 @@ ms.date: 06/16/2016 **Note**   The first time a MED-V workspace is started, the user name should be in the following format: <domain name>\\<user name>. -   + 4. Select **Save my password** to save your password between sessions. **Note**   To enable the save password feature, the EnableSavePassword attribute must be set to True in the ClientSettings.xml file. The file can be found in the *Servers\\Configuration Server\\* folder. -   + 5. Clear the **Start last used workspace** check box to choose a different MED-V workspace. @@ -86,9 +86,9 @@ ms.date: 06/16/2016 [How to Start and Exit the MED-V Client](how-to-start-and-exit-the-med-v-client.md) -  + -  + diff --git a/mdop/medv-v1/how-to-update-a-med-v-image.md b/mdop/medv-v1/how-to-update-a-med-v-image.md index 6492dc3a41..bee3310208 100644 --- a/mdop/medv-v1/how-to-update-a-med-v-image.md +++ b/mdop/medv-v1/how-to-update-a-med-v-image.md @@ -25,7 +25,7 @@ An existing MED-V image can be updated, thereby creating a new version of the im **Note**   When a new version is deployed on the client, it overwrites the existing image. When updating an image, ensure that no data on the client needs to be saved. -  + **To update a MED-V image** @@ -42,7 +42,7 @@ When a new version is deployed on the client, it overwrites the existing image. **Note**   If you name the image a different name than the existing version, a new image will be created rather than a new version of the existing image. -   + 6. Upload the new version to the server or distribute it via a deployment package. 
@@ -59,9 +59,9 @@ When a new version is deployed on the client, it overwrites the existing image. [Updating a MED-V Workspace Image](updating-a-med-v-workspace-image.md) -  + -  + diff --git a/mdop/medv-v1/how-to-upload-a-med-v-image-to-the-server.md b/mdop/medv-v1/how-to-upload-a-med-v-image-to-the-server.md index 37eed69b48..b0f1a3f4b5 100644 --- a/mdop/medv-v1/how-to-upload-a-med-v-image-to-the-server.md +++ b/mdop/medv-v1/how-to-upload-a-med-v-image-to-the-server.md @@ -21,10 +21,10 @@ After a MED-V image has been tested, it can be packed and then uploaded to the s Once a MED-V image is packed and uploaded to the server, it can be distributed to users by using an enterprise software distribution center, or it can be downloaded by users using a deployment package. For information on deployment using an enterprise software distribution center, see [Deploying a MED-V Workspace Using an Enterprise Software Distribution System](deploying-a-med-v-workspace-using-an-enterprise-software-distribution-system.md). For information on deployment using a package, see [Deploying a MED-V Workspace Using a Deployment Package](deploying-a-med-v-workspace-using-a-deployment-package.md). -**Note**   +**Note** Before uploading an image, verify that a Web proxy is not defined in your browser settings and that Windows Update is not currently running. -  + **To upload a MED-V image to the server** @@ -58,11 +58,10 @@ Before uploading an image, verify that a Web proxy is not defined in your browse

    Version

    The version of the displayed image.

    -Note   -

    All previous versions are kept unless deleted.

    +Note

    All previous versions are kept unless deleted.

    -  +
    @@ -76,7 +75,7 @@ Before uploading an image, verify that a Web proxy is not defined in your browse -  + ## Related topics @@ -89,9 +88,9 @@ Before uploading an image, verify that a Web proxy is not defined in your browse [How to Pack a MED-V Image](how-to-pack-a-med-v-image.md) -  - -  + + + diff --git a/mdop/medv-v1/med-v-10-installation-checklist.md b/mdop/medv-v1/med-v-10-installation-checklist.md index 3796421602..8e68457769 100644 --- a/mdop/medv-v1/med-v-10-installation-checklist.md +++ b/mdop/medv-v1/med-v-10-installation-checklist.md @@ -33,36 +33,36 @@ The following checklist is intended to provide a high-level list of items to con

    Ensure your computing environment meets the supported configurations required for installing MED-V 1.0.

    -

    [MED-V 1.0 Supported Configurations](med-v-10-supported-configurationsmedv-10.md)

    +

    MED-V 1.0 Supported Configurations

    Plan and design the MED-V server infrastructure.

    -

    [MED-V Infrastructure Planning and Design](med-v-infrastructure-planning-and-design.md)

    +

    MED-V Infrastructure Planning and Design

    Verify the required prerequisites are configured.

    -

    [MED-V Installation Prerequisites](med-v-installation-prerequisites.md)

    +

    MED-V Installation Prerequisites

    Install and configure the MED-V server.

    -

    [How to Install and Configure the MED-V Server Component](how-to-install-and-configure-the-med-v-server-component.md)

    +

    How to Install and Configure the MED-V Server Component

    If using an image repository, configure the image Web distribution server.

    -

    [How to Configure the Image Web Distribution Server](how-to-configure-the-image-web-distribution-server.md)

    +

    How to Configure the Image Web Distribution Server

    Install the MED-V client and management console.

    -

    [How to Install MED-V Client and MED-V Management Console](how-to-install-med-v-client-and-med-v-management-console.md)

    +

    How to Install MED-V Client and MED-V Management Console

    -  + -  + -  + diff --git a/mdop/medv-v1/med-v-10-sp1-and-sp2-release-notesmedv-10-sp1.md b/mdop/medv-v1/med-v-10-sp1-and-sp2-release-notesmedv-10-sp1.md index ac47f58122..a439dfd41e 100644 --- a/mdop/medv-v1/med-v-10-sp1-and-sp2-release-notesmedv-10-sp1.md +++ b/mdop/medv-v1/med-v-10-sp1-and-sp2-release-notesmedv-10-sp1.md @@ -22,7 +22,7 @@ To search these Release Notes, press CTRL+F. **Note**   Read these Release Notes thoroughly before you install the Microsoft Enterprise Desktop Virtualization (MED-V) platform. These Release Notes contain information that you must have to successfully install the MED-V platform. This document contains information that is not available in the product documentation. If there is a discrepancy between these Release Notes and other MED-V platform documentation, the latest change should be considered authoritative. These Release Notes supersede the content included with this product. -  + ## About the Product Documentation @@ -71,9 +71,9 @@ Microsoft, Microsoft Enterprise Desktop Virtualization, MS-DOS, Windows, Windows The names of actual companies and products mentioned herein may be the trademarks of their respective owners. -  + -  + diff --git a/mdop/medv-v1/med-v-10-sp1-supported-configurationsmedv-10-sp1.md b/mdop/medv-v1/med-v-10-sp1-supported-configurationsmedv-10-sp1.md index 940e6fded9..60cd668d0c 100644 --- a/mdop/medv-v1/med-v-10-sp1-supported-configurationsmedv-10-sp1.md +++ b/mdop/medv-v1/med-v-10-sp1-supported-configurationsmedv-10-sp1.md 
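Review bot: the `@@ -33,36 +33,36 @@ The following checklist is intended to provide a high-level list of items to con` hunk of med-v-10-installation-checklist.md replaces every reference cell's link with plain text, for example `[MED-V 1.0 Supported Configurations](med-v-10-supported-configurationsmedv-10.md)` becomes `MED-V 1.0 Supported Configurations`, and likewise for the planning, prerequisites, server, image Web distribution server and client/console topics. A checklist whose reference column exists to send the reader to those topics loses its purpose without the links; if the Markdown links do not render inside the HTML table cells, suggest keeping them as `<a href="med-v-10-supported-configurationsmedv-10.md">MED-V 1.0 Supported Configurations</a>` rather than dropping them, and otherwise restoring the original `[...](...)` form.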
@@ -17,19 +17,19 @@ ms.date: 08/30/2016 # MED-V 1.0 SP1 Supported Configurations -This topic specifies the requirements necessary to install and run Microsoft Enterprise Desktop Virtualization (MED-V) 1.0 Service Pack 1 (SP1) in your environment. +This topic specifies the requirements necessary to install and run Microsoft Enterprise Desktop Virtualization (MED-V) 1.0 Service Pack 1 (SP1) in your environment. -## MED-V 1.0 SP1 Client System Requirements +## MED-V 1.0 SP1 Client System Requirements ### MED-V Client Operating System Requirements -The following table lists the operating systems that are supported for MED-V 1.0 SP1 client installation. +The following table lists the operating systems that are supported for MED-V 1.0 SP1 client installation. -**Note**   +**Note** Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/?LinkId=31975) (https://go.microsoft.com/fwlink/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/?LinkId=31976) (https://go.microsoft.com/fwlink/?LinkId=31976). -  + @@ -48,19 +48,19 @@ Microsoft provides support for the current service pack and, in some cases, the - + - + - + @@ -68,14 +68,14 @@ Microsoft provides support for the current service pack and, in some cases, the

    Windows XP

    Windows XP

    Professional Edition

    SP2 or SP3

    x86

    Windows Vista

    Windows Vista

    Business, Enterprise, or Ultimate

    SP1 or SP2

    x86

    Windows 7

    Windows 7

    Professional, Enterprise, or Ultimate

    None

    x86 or x64

    -  -**Note**   + +**Note** MED-V client does not run in native x64 mode. Instead, MED-V runs in Windows on Windows 64-bit (WOW64) mode on 64-bit computers. -  -The following table lists the minimal RAM required for each operating system supported in MED-V 1.0 SP1. + +The following table lists the minimal RAM required for each operating system supported in MED-V 1.0 SP1. @@ -90,41 +90,41 @@ The following table lists the minimal RAM required for each operating system sup - + - + - + - +

    Windows XP Professional

    Windows XP Professional

    1 GB

    Windows Vista

    Windows Vista

    2 GB

    Windows 7 x86

    Windows 7 x86

    2 GB

    Windows 7 x64

    Windows 7 x64

    3 GB

    -  -### MED-V 1.0 SP1 Client Configuration + +### MED-V 1.0 SP1 Client Configuration **.NET Framework Version** -The following versions of the Microsoft .NET Framework are supported for MED-V 1.0 SP1 client installation: +The following versions of the Microsoft .NET Framework are supported for MED-V 1.0 SP1 client installation: -- .NET Framework 2.0 or .NET Framework 2.0 SP1 +- .NET Framework 2.0 or .NET Framework 2.0 SP1 -- .NET Framework 3.0 or .NET Framework 3.0 SP1 +- .NET Framework 3.0 or .NET Framework 3.0 SP1 -- .NET Framework 3.5 or .NET Framework 3.5 SP1 +- .NET Framework 3.5 or .NET Framework 3.5 SP1 **Virtualization Engine** -Microsoft Virtual PC 2007 SP1 with the hotfix that is described in Microsoft Knowledge Base article 974918 is supported for MED-V 1.0 SP1 client installation in the following configurations: +Microsoft Virtual PC 2007 SP1 with the hotfix that is described in Microsoft Knowledge Base article 974918 is supported for MED-V 1.0 SP1 client installation in the following configurations: - Static Virtual Hard Disk (VHD) file 
@@ -134,25 +134,25 @@ Microsoft Virtual PC 2007 SP1 with the hotfix that is described in Microsoft Kn **Internet Browser** -Windows Internet Explorer 7 and Windows Internet Explorer 8 are supported for MED-V 1.0 SP1 client installation. +Windows Internet Explorer 7 and Windows Internet Explorer 8 are supported for MED-V 1.0 SP1 client installation. **Microsoft Hyper-V Server** The MED-V client is not supported in a Microsoft Hyper-V Server environment. -## MED-V 1.0 SP1 Workspace System Requirements +## MED-V 1.0 SP1 Workspace System Requirements -MED-V 1.0 SP1 introduces changes to system requirements from those for MED-V 1.0. +MED-V 1.0 SP1 introduces changes to system requirements from those for MED-V 1.0. ### MED-V Workspace Operating System Requirements -The following table lists the operating systems supported for MED-V 1.0 SP1 workspaces. +The following table lists the operating systems supported for MED-V 1.0 SP1 workspaces. -**Note**   +**Note** Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/?LinkId=31975) (https://go.microsoft.com/fwlink/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/?LinkId=31976) (https://go.microsoft.com/fwlink/?LinkId=31976). -  + @@ -171,67 +171,66 @@ Microsoft provides support for the current service pack and, in some cases, the - + - +

    Windows 2000

    Windows 2000

    Professional

    SP4

    X86

    Windows XP

    Windows XP

    Professional Edition

    SP2 or SP3

    -Note   -

    SP3 is recommended to ensure that the MED-V workspace will be compatible with future versions of MED-V.

    +Note

    SP3 is recommended to ensure that the MED-V workspace will be compatible with future versions of MED-V.

    -  +

    x86

    -  -### MED-V 1.0 SP1 Workspace Configuration + +### MED-V 1.0 SP1 Workspace Configuration **.NET Framework Version** -MED-V requires one of the following supported versions of the Microsoft .NET Framework for MED-V 1.0 SP1 workspace installation: +MED-V requires one of the following supported versions of the Microsoft .NET Framework for MED-V 1.0 SP1 workspace installation: -- .NET Framework 2.0 SP1 +- .NET Framework 2.0 SP1 -- .NET Framework 3.0 SP1 +- .NET Framework 3.0 SP1 -- .NET Framework 3.5 or .NET Framework 3.5 SP1 +- .NET Framework 3.5 or .NET Framework 3.5 SP1 + +**Note** +We recommend the .NET Framework 3.5 SP1 to ensure that the MED-V workspace is compatible with future versions of MED-V. -**Note**   -We recommend the .NET Framework 3.5 SP1 to ensure that the MED-V workspace is compatible with future versions of MED-V. -  **Internet Browser** -Windows Internet Explorer 6 SP2 and Windows Internet Explorer 7 are supported for the MED-V 1.0 SP1 workspace installation. +Windows Internet Explorer 6 SP2 and Windows Internet Explorer 7 are supported for the MED-V 1.0 SP1 workspace installation. ### MED-V Workspace Images -MED-V workspace images must be created by using Virtual PC 2007 SP1. +MED-V workspace images must be created by using Virtual PC 2007 SP1. -## MED-V 1.0 SP1 Server System Requirements +## MED-V 1.0 SP1 Server System Requirements -MED-V 1.0 SP1 introduces changes to system requirements from those for MED-V 1.0. +MED-V 1.0 SP1 introduces changes to system requirements from those for MED-V 1.0. -### MED-V 1.0 Server Operating System Requirements +### MED-V 1.0 Server Operating System Requirements -The following table lists the operating systems supported for MED-V 1.0 SP1 server installations. +The following table lists the operating systems supported for MED-V 1.0 SP1 server installations. -**Note**   +**Note** Microsoft provides support for the current service pack and, in some cases, the immediately preceding service pack. 
To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/?LinkId=31975) (https://go.microsoft.com/fwlink/?LinkId=31975). For additional information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/?LinkId=31976) (https://go.microsoft.com/fwlink/?LinkId=31976). -  + @@ -250,13 +249,13 @@ Microsoft provides support for the current service pack and, in some cases, the - + - + @@ -264,23 +263,23 @@ Microsoft provides support for the current service pack and, in some cases, the

    Windows Server 2008

    Windows Server 2008

    Standard or Enterprise

    SP1 or SP2

    X86 or x64

    Windows Server 2008 R2

    Windows Server 2008 R2

    Standard or Enterprise

    None

    x64

    -  -### MED-V 1.0 SP1 Server Configuration + +### MED-V 1.0 SP1 Server Configuration **.NET Framework Version** -MED-V requires one of the following supported versions of the Microsoft .NET Framework for MED-V 1.0 SP1 workspace installation: +MED-V requires one of the following supported versions of the Microsoft .NET Framework for MED-V 1.0 SP1 workspace installation: -- .NET Framework 2.0 or .NET Framework 2.0 SP1 +- .NET Framework 2.0 or .NET Framework 2.0 SP1 -- .NET Framework 3.0 or .NET Framework 3.0 SP1 +- .NET Framework 3.0 or .NET Framework 3.0 SP1 -- .NET Framework 3.5 or .NET Framework 3.5 SP1 +- .NET Framework 3.5 or .NET Framework 3.5 SP1 **Microsoft SQL Server Version** -The following versions of Microsoft SQL Server are supported for MED-V 1.0 SP1 when SQL Server is installed locally or remotely from the MED-V 1.0 SP1 Server: +The following versions of Microsoft SQL Server are supported for MED-V 1.0 SP1 when SQL Server is installed locally or remotely from the MED-V 1.0 SP1 Server: @@ -299,13 +298,13 @@ The following versions of Microsoft SQL Server are supported for MED-V 1.0 SP1 w - + - + @@ -313,16 +312,16 @@ The following versions of Microsoft SQL Server are supported for MED-V 1.0 SP1 w

    SQL Server 2005

    SQL Server 2005

    Express, Standard, or Enterprise Edition

    SP2

    X86 or x64

    SQL Server 2008

    SQL Server 2008

    Express, Standard, or Enterprise

    None

    X86 or x64

    -  + **Microsoft Hyper-V Server** The MED-V server is supported in a Microsoft Hyper-V server environment. -## MED-V 1.0 SP1 Globalization Information +## MED-V 1.0 SP1 Globalization Information -Although MED-V is not released in languages other than English, the following Windows operating system language versions are supported for the MED-V 1.0 SP1 client, workspace, and server installations: +Although MED-V is not released in languages other than English, the following Windows operating system language versions are supported for the MED-V 1.0 SP1 client, workspace, and server installations: - English @@ -340,9 +339,9 @@ Although MED-V is not released in languages other than English, the following Wi - Japanese -  - -  + + + diff --git a/mdop/medv-v1/med-v-10-sp1-upgrade-checklistmedv-10-sp1.md b/mdop/medv-v1/med-v-10-sp1-upgrade-checklistmedv-10-sp1.md index fb5c563f8e..631070c928 100644 --- a/mdop/medv-v1/med-v-10-sp1-upgrade-checklistmedv-10-sp1.md +++ b/mdop/medv-v1/med-v-10-sp1-upgrade-checklistmedv-10-sp1.md @@ -45,16 +45,16 @@ To upgrade Microsoft Enterprise Desktop Virtualization (MED-V) 1.0 to MED-V 1. **Note**   If the server configuration has been changed from the default, the files might be stored in a different location. -  + ## Client Upgrade To upgrade the MED-V 1.0 client to MED-V 1.0 SP1, install the .msp file on a MED-V 1.0 client. The client and MED-V are automatically upgraded. -  + -  + diff --git a/mdop/medv-v1/med-v-10-supported-configurationsmedv-10.md b/mdop/medv-v1/med-v-10-supported-configurationsmedv-10.md index bc19759fa7..3d45628fd0 100644 --- a/mdop/medv-v1/med-v-10-supported-configurationsmedv-10.md +++ b/mdop/medv-v1/med-v-10-supported-configurationsmedv-10.md 
@@ -17,14 +17,14 @@ ms.date: 06/16/2016 # MED-V 1.0 Supported Configurations -This topic specifies the requirements necessary to install and run Microsoft Enterprise Desktop Virtualization (MED-V) 1.0 in your environment. +This topic specifies the requirements necessary to install and run Microsoft Enterprise Desktop Virtualization (MED-V) 1.0 in your environment. -## MED-V 1.0 Client System Requirements +## MED-V 1.0 Client System Requirements ### MED-V Client Operating System Requirements -The following table lists the operating systems that are supported for MED-V 1.0 client installation. +The following table lists the operating systems that are supported for MED-V 1.0 client installation. @@ -43,13 +43,13 @@ The following table lists the operating systems that are supported for MED-V 1. - + - + @@ -57,28 +57,28 @@ The following table lists the operating systems that are supported for MED-V 1.

    Windows XP

    Windows XP

    Professional Edition

    SP2 or SP3

    x86

    Windows Vista

    Windows Vista

    Business, Enterprise, or Ultimate Edition

    SP1 or SP2

    x86

    -  -**Note**   + +**Note** MED-V client does not run in native x64 mode. Instead, MED-V runs in Windows on Windows 64-bit (WOW64) mode on 64-bit computers. -  -### MED-V 1.0 Client Configuration + +### MED-V 1.0 Client Configuration **.NET Framework Version** -The following versions of the Microsoft .NET Framework are supported for MED-V 1.0 client installation: +The following versions of the Microsoft .NET Framework are supported for MED-V 1.0 client installation: -- .NET Framework 2.0 or .NET Framework 2.0 SP1 +- .NET Framework 2.0 or .NET Framework 2.0 SP1 -- .NET Framework 3.0 or .NET Framework 3.0 SP1 +- .NET Framework 3.0 or .NET Framework 3.0 SP1 -- .NET Framework 3.5 or .NET Framework 3.5 SP1 +- .NET Framework 3.5 or .NET Framework 3.5 SP1 **Virtualization Engine** -Microsoft Virtual PC 2007 SP1 with the hotfix that is described in Microsoft Knowledge Base article 974918 is supported for MED-V 1.0 client installation in the following configurations: +Microsoft Virtual PC 2007 SP1 with the hotfix that is described in Microsoft Knowledge Base article 974918 is supported for MED-V 1.0 client installation in the following configurations: - Static Virtual Hard Disk (VHD) file @@ -88,18 +88,18 @@ Microsoft Virtual PC 2007 SP1 with the hotfix that is described in Microsoft Kn **Internet Browser** -Windows Internet Explorer 7 and Windows Internet Explorer 8 are supported for MED-V 1.0 client installation. +Windows Internet Explorer 7 and Windows Internet Explorer 8 are supported for MED-V 1.0 client installation. **Microsoft Hyper-V Server** The MED-V client is not supported in a Microsoft Hyper-V server environment. -## MED-V 1.0 Workspace System Requirements +## MED-V 1.0 Workspace System Requirements ### MED-V Workspace Operating System Requirements -The following table lists the operating systems supported for MED-V 1.0 workspaces. +The following table lists the operating systems supported for MED-V 1.0 workspaces. 
@@ -118,60 +118,59 @@ The following table lists the operating systems supported for MED-V 1.0 workspa - + - +

    Windows 2000

    Windows 2000

    Professional

    SP4

    X86

    Windows XP

    Windows XP

    Professional Edition

    SP2 or SP3

    -Note   -

    SP3 is recommended to ensure that the MED-V workspace will be compatible with future versions of MED-V.

    +Note

    SP3 is recommended to ensure that the MED-V workspace will be compatible with future versions of MED-V.

    -  +

    x86

    -  -### MED-V 1.0 Workspace Configuration + +### MED-V 1.0 Workspace Configuration **.NET Framework Version** -MED-V requires one of the following supported versions of the Microsoft .NET Framework for MED-V 1.0 workspace installation: +MED-V requires one of the following supported versions of the Microsoft .NET Framework for MED-V 1.0 workspace installation: -- .NET Framework 2.0 SP1 +- .NET Framework 2.0 SP1 -- .NET Framework 3.0 SP1 +- .NET Framework 3.0 SP1 -- .NET Framework 3.5 or .NET Framework 3.5 SP1 +- .NET Framework 3.5 or .NET Framework 3.5 SP1 + +**Note** +.NET Framework 3.5 SP1 is recommended to ensure that the MED-V workspace will be compatible with future versions of MED-V. -**Note**   -.NET Framework 3.5 SP1 is recommended to ensure that the MED-V workspace will be compatible with future versions of MED-V. -  **Internet Browser** -Windows Internet Explorer 6 SP2 and Windows Internet Explorer 7 are supported for the MED-V 1.0 workspace installation. +Windows Internet Explorer 6 SP2 and Windows Internet Explorer 7 are supported for the MED-V 1.0 workspace installation. ### MED-V Workspace Images -MED-V workspace images must be created by using Virtual PC 2007 SP1. +MED-V workspace images must be created by using Virtual PC 2007 SP1. -## MED-V 1.0 Server System Requirements +## MED-V 1.0 Server System Requirements -### MED-V 1.0 Server Operating System Requirements +### MED-V 1.0 Server Operating System Requirements -The following table lists the operating systems supported for MED-V 1.0 server installations. +The following table lists the operating systems supported for MED-V 1.0 server installations. @@ -190,7 +189,7 @@ The following table lists the operating systems supported for MED-V 1.0 server - + @@ -198,23 +197,23 @@ The following table lists the operating systems supported for MED-V 1.0 server

    Windows Server 2008

    Windows Server 2008

    Standard or Enterprise

    None

    X86 or x64

    -  -### MED-V 1.0 Server Configuration + +### MED-V 1.0 Server Configuration **.NET Framework Version** -MED-V requires one of the following supported versions of the Microsoft .NET Framework for MED-V 1.0 workspace installation: +MED-V requires one of the following supported versions of the Microsoft .NET Framework for MED-V 1.0 workspace installation: -- .NET Framework 2.0 or .NET Framework 2.0 SP1 +- .NET Framework 2.0 or .NET Framework 2.0 SP1 -- .NET Framework 3.0 or .NET Framework 3.0 SP1 +- .NET Framework 3.0 or .NET Framework 3.0 SP1 -- .NET Framework 3.5 or .NET Framework 3.5 SP1 +- .NET Framework 3.5 or .NET Framework 3.5 SP1 **Microsoft SQL Server Version** -The following versions of Microsoft SQL Server are supported for MED-V 1.0 when SQL Server is installed locally or remotely from the MED-V 1.0 Server: +The following versions of Microsoft SQL Server are supported for MED-V 1.0 when SQL Server is installed locally or remotely from the MED-V 1.0 Server: @@ -233,13 +232,13 @@ The following versions of Microsoft SQL Server are supported for MED-V 1.0 when - + - + @@ -247,16 +246,16 @@ The following versions of Microsoft SQL Server are supported for MED-V 1.0 when

    SQL Server 2005

    SQL Server 2005

    Express, Standard, or Enterprise Edition

    SP2

    X86 or x64

    SQL Server 2008

    SQL Server 2008

    Express, Standard, or Enterprise

    None

    X86 or x64

    -  + **Microsoft Hyper-V Server** The MED-V server is supported in a Microsoft Hyper-V server environment. -## MED-V 1.0 Globalization Information +## MED-V 1.0 Globalization Information -Although MED-V is not released in languages other than English, the following Windows operating system language versions are supported for the MED-V 1.0 client, workspace, and server installations: +Although MED-V is not released in languages other than English, the following Windows operating system language versions are supported for the MED-V 1.0 client, workspace, and server installations: - English @@ -270,9 +269,9 @@ Although MED-V is not released in languages other than English, the following Wi - Portuguese (Brazil) -  - -  + + + diff --git a/mdop/medv-v1/med-v-client-toolsv2.md b/mdop/medv-v1/med-v-client-toolsv2.md index 51c162b3a6..8d763f41b6 100644 --- a/mdop/medv-v1/med-v-client-toolsv2.md +++ b/mdop/medv-v1/med-v-client-toolsv2.md @@ -33,7 +33,7 @@ The File Transfer Tool can be used to copy files or folders from the MED-V works **Note**   The File Transfer Tool is enabled only when the MED-V workspace is running. -  + **To copy files or folders from a MED-V workspace that is currently running** @@ -101,9 +101,9 @@ The following functions can be performed using the diagnostic tool: - Browse image store—View all available MED-V workspace images. -  + -  + diff --git a/mdop/medv-v1/med-v-installation-prerequisites.md b/mdop/medv-v1/med-v-installation-prerequisites.md index 45d5a37090..ef53525088 100644 --- a/mdop/medv-v1/med-v-installation-prerequisites.md +++ b/mdop/medv-v1/med-v-installation-prerequisites.md @@ -94,7 +94,7 @@ To prevent antivirus activity from affecting the performance of the virtual desk **Important**   If Virtual PC for Windows exists on the host computer, uninstall it before installing Virtual PC 2007 SP1. -  + **To install Microsoft Virtual PC 2007 SP1** 
@@ -109,16 +109,16 @@ If Virtual PC for Windows exists on the host computer, uninstall it before insta **Note**   The Virtual PC 2007 SP1 update is required for running Virtual PC 2007 SP1. -   + ## Related topics [Supported Configurations](supported-configurationsmedv-orientation.md) -  + -  + diff --git a/mdop/medv-v1/updating-a-med-v-workspace-image.md b/mdop/medv-v1/updating-a-med-v-workspace-image.md index 074c82d135..f5095643c7 100644 --- a/mdop/medv-v1/updating-a-med-v-workspace-image.md +++ b/mdop/medv-v1/updating-a-med-v-workspace-image.md @@ -67,7 +67,7 @@ An image can be updated in one of the following ways: **Note**   If you name the image a different name than the existing version, a new image will be created rather than a new version of the existing image. -   + 6. Upload the new version to the server, push it to the image pre-stage folder, or distribute it via a deployment package. @@ -82,9 +82,9 @@ An image can be updated in one of the following ways: [How to Configure the Image Web Distribution Server](how-to-configure-the-image-web-distribution-server.md) -  + -  + diff --git a/mdop/medv-v1/using-the-med-v-management-console-user-interface.md b/mdop/medv-v1/using-the-med-v-management-console-user-interface.md index cbb1601115..9fc4f72eb1 100644 --- a/mdop/medv-v1/using-the-med-v-management-console-user-interface.md +++ b/mdop/medv-v1/using-the-med-v-management-console-user-interface.md @@ -45,7 +45,7 @@ The console user interface is divided into the following sections: **Note**   For security reasons, the first user to log in to the MED-V management console will become the only user on that computer allowed to access the management console. -  + **To log in** 
@@ -56,7 +56,7 @@ For security reasons, the first user to log in to the MED-V management console w **Note**   When configuring the server, users with full access as well as users with read-only access are defined. All users must be domain users. The domain user name and password is used for MED-V management login. -   + 2. Click **OK**. @@ -67,9 +67,9 @@ For security reasons, the first user to log in to the MED-V management console w [How to Install MED-V Client and MED-V Management Console](how-to-install-med-v-client-and-med-v-management-console.md) -  + -  + diff --git a/mdop/medv-v2/authentication-of-med-v-end-users.md b/mdop/medv-v2/authentication-of-med-v-end-users.md index c2791dd704..b9265d581c 100644 --- a/mdop/medv-v2/authentication-of-med-v-end-users.md +++ b/mdop/medv-v2/authentication-of-med-v-end-users.md @@ -52,10 +52,10 @@ Following is the policy path for the Terminal Services policy named DisablePassw HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Virtual Machine\\Policies\\DisablePasswordSaving -**Note**   +**Note** The changes that you make to DisablePasswordSaving only affect the RDP prompt to a virtual machine. -  + The following table lists the different ways you can configure your settings for credential storing and the effects of the different configurations: @@ -84,35 +84,33 @@ The following table lists the different ways you can configure your settings for

    If the end user does not select the check box, the Remote Desktop Connection (RDC) Client prompt is presented instead of the MED-V prompt, and the check box to accept is cleared. If the end user selects the check box, the RDC Client credential is stored for later use.

    -Important   -

    RDC does not validate credentials when the end user enters them. If the end user caches the credentials through the RDC prompt, there is a risk that incorrect credentials might be stored. In this case, the incorrect credentials must be deleted in the Windows Credential Manager.

    +Important

    RDC does not validate credentials when the end user enters them. If the end user caches the credentials through the RDC prompt, there is a risk that incorrect credentials might be stored. In this case, the incorrect credentials must be deleted in the Windows Credential Manager.

    -  +

    DisablePasswordSaving

    Enabled

    -Note   -

    This configuration is more secure because it does not allow end user credentials to be cached.

    +Note

    This configuration is more secure because it does not allow end user credentials to be cached.

    -  +
    -  + By default, the MED-V installation sets a registry key in the guest to suppress the "password about to expire" prompt. The end user is only prompted for a password change on the host. Credentials that are updated on the host are passed to the guest. -**Caution**   +**Caution** If you use Group Policy in your environment, know that it can override the registry key causing the password prompts from the guest to reappear. -  + ### Security Concerns with Authentication @@ -127,9 +125,9 @@ This same concern exists when MED-V authentication is disabled but the Terminal [Security Best Practices for MED-V Operations](security-best-practices-for-med-v-operations.md) -  - -  + + + diff --git a/mdop/medv-v2/compacting-the-med-v-virtual-hard-disk.md b/mdop/medv-v2/compacting-the-med-v-virtual-hard-disk.md index 1af4acc751..42d933514a 100644 --- a/mdop/medv-v2/compacting-the-med-v-virtual-hard-disk.md +++ b/mdop/medv-v2/compacting-the-med-v-virtual-hard-disk.md @@ -22,7 +22,7 @@ Although it is optional, you can compact the virtual hard disk (VHD) to reclaim **Important**   Before you proceed, create a backup copy of your Windows XP image. -  + **Preparing the Virtual Hard Disk** @@ -113,9 +113,9 @@ Create a backup copy of your compacted virtual hard disk. [Technical Reference for MED-V](technical-reference-for-med-v.md) -  + -  + diff --git a/mdop/medv-v2/configure-environment-prerequisites.md b/mdop/medv-v2/configure-environment-prerequisites.md index da1b3c6237..23fec1d335 100644 --- a/mdop/medv-v2/configure-environment-prerequisites.md +++ b/mdop/medv-v2/configure-environment-prerequisites.md 
@@ -34,12 +34,12 @@ The MED-V Host and Guest agents and the MED-V Workspace Packager require the Mic **Important**   You must also install the update [KB959209](https://go.microsoft.com/fwlink/?LinkId=204950) (https://go.microsoft.com/fwlink/?LinkId=204950), which addresses several known application compatibility issues. -  + **Note**   You must manually install the .NET Framework 3.5 SP1 and the update KB959209 into the Windows Virtual PC image that you prepare for use with MED-V. However, by default, the Microsoft .NET Framework 3.5 SP1 and the update are included when you install Windows 7 on the host computer. -  + **An Active Directory Infrastructure** @@ -54,9 +54,9 @@ Group Policy provides the centralized management and configuration of operating [MED-V 2.0 Supported Configurations](med-v-20-supported-configurations.md) -  + -  + diff --git a/mdop/medv-v2/configure-installation-prerequisites.md b/mdop/medv-v2/configure-installation-prerequisites.md index 454be313ea..04885dd2fb 100644 --- a/mdop/medv-v2/configure-installation-prerequisites.md +++ b/mdop/medv-v2/configure-installation-prerequisites.md @@ -31,7 +31,7 @@ The following instructions are prerequisites for installing and using Microsoft **Important**   If a version of Virtual PC for Windows already exists on the host computer, you must uninstall it before you install Windows Virtual PC. -  + **To install Windows Virtual PC** @@ -42,7 +42,7 @@ If a version of Virtual PC for Windows already exists on the host computer, you **Important**   Windows Virtual PC includes the Integration Components package, which provides features that improve the interaction between the virtual environment and the physical computer. For example, it lets your mouse move between the host and the guest computers. MED-V requires the installation of the Integration Components package. -  + ## How to Install and Configure the Windows Virtual PC Update 
@@ -52,12 +52,12 @@ The Microsoft update associated with article KB977206 enables Windows XP Mode fo **Important**   You do not have to install this update when you are installing MED-V on host computers that are running Windows 7 with Service Pack 1. -  + **Tip**   In addition to the update listed here, we recommend that you review all available Windows Virtual PC updates and apply those updates that are appropriate or necessary for your environment. -  + **To install the Windows Virtual PC Update** @@ -93,9 +93,9 @@ To prevent antivirus activity from affecting the performance of the virtual desk [MED-V 2.0 Supported Configurations](med-v-20-supported-configurations.md) -  + -  + diff --git a/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md b/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md index 54637e0a48..2bae530b8d 100644 --- a/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md +++ b/mdop/medv-v2/configuring-a-windows-virtual-pc-image-for-med-v.md 
@@ -23,35 +23,35 @@ First time setup prepares the MED-V workspace for an end user. The process creat Follow these steps to configure your MED-V image for running first time setup: -1. As an option, you can compact the virtual hard disk (VHD) to reclaim empty disk space and reduce the size of the VHD before you continue with configuring the Windows Virtual PC image. For more information, see [Compacting the MED-V Virtual Hard Disk](compacting-the-med-v-virtual-hard-disk.md). +1. As an option, you can compact the virtual hard disk (VHD) to reclaim empty disk space and reduce the size of the VHD before you continue with configuring the Windows Virtual PC image. For more information, see [Compacting the MED-V Virtual Hard Disk](compacting-the-med-v-virtual-hard-disk.md). -2. Customize the virtual machine setup process. +2. Customize the virtual machine setup process. -3. Seal the MED-V image by using Sysprep. +3. Seal the MED-V image by using Sysprep. - **Customizing the Virtual Machine Setup Process** + **Customizing the Virtual Machine Setup Process** -1. As part of preparing your image for use with MED-V, you can configure various settings on the virtual machine, such as specifying the settings for running Windows Update. Specify all the necessary virtual machine settings before you create the MED-V workspace package. +4. As part of preparing your image for use with MED-V, you can configure various settings on the virtual machine, such as specifying the settings for running Windows Update. Specify all the necessary virtual machine settings before you create the MED-V workspace package. -2. Before you create the MED-V workspace package, we recommend that you disable restore points on the virtual machine to prevent the differencing disk from growing unbounded. For more information, see [How to turn off and turn on System Restore in Windows XP](https://go.microsoft.com/fwlink/?LinkId=195927) (https://go.microsoft.com/fwlink/?LinkId=195927). +5. 
Before you create the MED-V workspace package, we recommend that you disable restore points on the virtual machine to prevent the differencing disk from growing unbounded. For more information, see [How to turn off and turn on System Restore in Windows XP](https://go.microsoft.com/fwlink/?LinkId=195927) (https://go.microsoft.com/fwlink/?LinkId=195927). - **Note**   - You can set up your Sysprep.inf file to disable restore points when first time setup is run. For an example of setting this GuiRunOnce key, see the sample Sysprep.inf file later in this section. + **Note** + You can set up your Sysprep.inf file to disable restore points when first time setup is run. For an example of setting this GuiRunOnce key, see the sample Sysprep.inf file later in this section. -   -3. Configure the setup process to run Mini-Setup instead of the default Windows Welcome. You must either run the Sysprep tool by using the **-mini** switch, or select the **MiniSetup** check box in the graphical user interface. For more information, see [How to Seal the Image with Sysprep](#bkmk-seal). - **Calling the First time setup Completion File** +6. Configure the setup process to run Mini-Setup instead of the default Windows Welcome. You must either run the Sysprep tool by using the **-mini** switch, or select the **MiniSetup** check box in the graphical user interface. For more information, see [How to Seal the Image with Sysprep](#bkmk-seal). - 1. An executable called FtsCompletion.exe is included as part of the installation of the MED-V Guest Agent. By default, it is located in the system drive of your MED-V image under **Program Files – Microsoft Enterprise Desktop Virtualization**. + **Calling the First time setup Completion File** - **Important**   - As the final step in the first time setup process, you must run this executable program. The user for whom the executable program is being called must be a member of the guest’s local administrator group. + 1. 
An executable called FtsCompletion.exe is included as part of the installation of the MED-V Guest Agent. By default, it is located in the system drive of your MED-V image under **Program Files – Microsoft Enterprise Desktop Virtualization**. -   + **Important** + As the final step in the first time setup process, you must run this executable program. The user for whom the executable program is being called must be a member of the guest’s local administrator group. - 2. You can decide how you want to call this executable program, for example, through a script that is deployed with the MED-V workspace. You can call this executable as the last line of your Sysprep.inf file. For an example of how to call this executable program in your Sysprep.inf file, see the sample file later in this section. + + + 2. You can decide how you want to call this executable program, for example, through a script that is deployed with the MED-V workspace. You can call this executable as the last line of your Sysprep.inf file. For an example of how to call this executable program in your Sysprep.inf file, see the sample file later in this section. After you have completed customization of your MED-V image, you are ready to seal the image by using Sysprep. 
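Review bot: renumbering the sub-procedure under **Customizing the Virtual Machine Setup Process** from `1.`/`2.`/`3.` to `4.`/`5.`/`6.` in the @@ -23,35 hunk of configuring-a-windows-virtual-pc-image-for-med-v.md changes the meaning of the list rather than just its whitespace: the page now reads as one flat procedure where step 3 ("Seal the MED-V image by using Sysprep") comes before steps 4 to 6, which are the customization tasks that must happen before sealing, and the nested "Calling the First time setup Completion File" steps 1 and 2 now hang under step 6 instead of under the customization sub-procedure. Either keep the sub-list restarting at `1.` and indent it (together with its bold lead-in) under top-level step 2 so it renders as a nested list, or leave the original numbering in place; if the rendering was the concern, say so in the commit message.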
@@ -61,88 +61,90 @@ After you have completed customization of your MED-V image, you are ready to sea 2. In a MED-V environment, you can use Sysprep to assign unique security IDs (SID) and other settings to each MED-V workspace the first time that they are started. - **Note**   + **Note** For more information about how to use Sysprep, see [Sysprep Technical Reference](https://go.microsoft.com/fwlink/?LinkId=195930) (https://go.microsoft.com/fwlink/?LinkId=195930). -   - **Caution**   - When you use non-ASCII characters in the Sysprep.inf file, you must save the file by using the encoding appropriate for the characters entered. Windows XP expects the Sysprep.inf file to be encoded by using the code page for the language that you are targeting. - You must also make sure that the System Locale of the computers to which the MED-V workspace is deployed is set to handle the language specific characters that might be present in the Sysprep.inf file. To change the settings for the System Locale, follow these steps: +~~~ +**Caution** +When you use non-ASCII characters in the Sysprep.inf file, you must save the file by using the encoding appropriate for the characters entered. Windows XP expects the Sysprep.inf file to be encoded by using the code page for the language that you are targeting. - 1. To open Region and Language, click **Start**, click **Control Panel**, and then click **Region and Language**. +You must also make sure that the System Locale of the computers to which the MED-V workspace is deployed is set to handle the language specific characters that might be present in the Sysprep.inf file. To change the settings for the System Locale, follow these steps: - 2. Click the **Administrative** tab, and then click **Change System Locale** under **Language for non-Unicode programs**. +1. To open Region and Language, click **Start**, click **Control Panel**, and then click **Region and Language**. 
- If you are prompted for an administrator password or confirmation, type the administrator password or provide confirmation. +2. Click the **Administrative** tab, and then click **Change System Locale** under **Language for non-Unicode programs**. - 3. Select your preferred language and then click **OK**. + If you are prompted for an administrator password or confirmation, type the administrator password or provide confirmation. -   +3. Select your preferred language and then click **OK**. - **To configure Sysprep on the MED-V Guest Computer** - 1. Create a folder named *Sysprep* in the root of the MED-V image system drive. - 2. Download the deploy.cab file. For more information, see [Windows XP Service Pack 3 Deployment Tools](https://go.microsoft.com/fwlink/?LinkId=195928) From the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=195928). +**To configure Sysprep on the MED-V Guest Computer** - 3. From the deploy.cab file, copy or extract the Setupmgr.exe, Sysprep.exe, and Setupcl.exe files to the Sysprep folder. +1. Create a folder named *Sysprep* in the root of the MED-V image system drive. - 4. In the Sysprep folder, run **Setup Manager** (Setupmgr.exe) to create a Sysprep.inf answer file. +2. Download the deploy.cab file. For more information, see [Windows XP Service Pack 3 Deployment Tools](https://go.microsoft.com/fwlink/?LinkId=195928) From the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=195928). - Or, you can create this file manually or use your company’s existing file. For more information, see [How to use the Sysprep tool to automate successful deployment of Windows XP](https://go.microsoft.com/fwlink/?LinkId=195929) (https://go.microsoft.com/fwlink/?LinkId=195929). +3. From the deploy.cab file, copy or extract the Setupmgr.exe, Sysprep.exe, and Setupcl.exe files to the Sysprep folder. - 5. Follow the **Setup Manager** wizard. +4. 
In the Sysprep folder, run **Setup Manager** (Setupmgr.exe) to create a Sysprep.inf answer file. - **Important**   - You must configure the MED-V guest to join a domain that lets users log on by using the credentials that they use to log on to the MED-V host. + Or, you can create this file manually or use your company’s existing file. For more information, see [How to use the Sysprep tool to automate successful deployment of Windows XP](https://go.microsoft.com/fwlink/?LinkId=195929) (https://go.microsoft.com/fwlink/?LinkId=195929). -   +5. Follow the **Setup Manager** wizard. - **Caution**   - When you configure a proxy account for joining virtual machines to the domain, know that it is possible for an end user to obtain the proxy account credentials. Take all the necessary security precautions to minimize risk, such as limiting account user rights. For more information about security concerns when you configure a Windows Virtual PC image for MED-V, see [Security Best Practices for MED-V Operations](security-best-practices-for-med-v-operations.md). + **Important** + You must configure the MED-V guest to join a domain that lets users log on by using the credentials that they use to log on to the MED-V host. -   - If end users must provide information during the first time setup process based on the parameters specified in the Sysprep.inf file, you must also specify that first time setup is run in **Attended** mode when you are creating your MED-V workspace package. If no information will be required from the end user, you can specify that first time setup is run in **Unattended** mode when you are creating your MED-V workspace package. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md). - Although you can specify any settings that you prefer, a MED-V best practice is that you create the Sysprep.inf file so that first time setup can be run in **Unattended** mode. 
This requires that you provide all of the required settings information as you continue through the **Setup Manager** wizard. + **Caution** + When you configure a proxy account for joining virtual machines to the domain, know that it is possible for an end user to obtain the proxy account credentials. Take all the necessary security precautions to minimize risk, such as limiting account user rights. For more information about security concerns when you configure a Windows Virtual PC image for MED-V, see [Security Best Practices for MED-V Operations](security-best-practices-for-med-v-operations.md). - **Caution**   - If you have set a local policy or registry entry to include a service level agreement (SLA) in your image (VHD), you must specify that first time setup is run in **Attended** mode or first time setup will fail. Or, a MED-V best practice is to enforce the SLA through Group Policy later so that the SLA is displayed to the end user after first time setup is finished. -   - **Note**   - You can configure the MED-V workspace to set certain Sysprep.inf settings based on the configuration of the host and the identity of the end user. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md). + If end users must provide information during the first time setup process based on the parameters specified in the Sysprep.inf file, you must also specify that first time setup is run in **Attended** mode when you are creating your MED-V workspace package. If no information will be required from the end user, you can specify that first time setup is run in **Unattended** mode when you are creating your MED-V workspace package. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md). -   + Although you can specify any settings that you prefer, a MED-V best practice is that you create the Sysprep.inf file so that first time setup can be run in **Unattended** mode. 
This requires that you provide all of the required settings information as you continue through the **Setup Manager** wizard. - 6. Seal the MED-V image. + **Caution** + If you have set a local policy or registry entry to include a service level agreement (SLA) in your image (VHD), you must specify that first time setup is run in **Attended** mode or first time setup will fail. Or, a MED-V best practice is to enforce the SLA through Group Policy later so that the SLA is displayed to the end user after first time setup is finished. - **Important**   - We recommend that you make a backup copy of the MED-V image before sealing it. -   - After you have completed all the steps in the **Setup Manager** wizard, you are ready to run Sysprep to seal the MED-V image. + **Note** + You can configure the MED-V workspace to set certain Sysprep.inf settings based on the configuration of the host and the identity of the end user. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md). - **To run Sysprep** - 1. Run the System Preparation Tool (Sysprep.exe) from the *Sysprep* folder that you created when you configured Sysprep in the MED-V virtual machine. - 2. In the warning message box that appears, click **OK**. +6. Seal the MED-V image. - 3. In the **Options** dialog box, select the **Don't reset grace period for activation** and **Use Mini-Setup** check boxes. Also, make sure that the **Shutdown mode** box is set to **Shut down**. + **Important** + We recommend that you make a backup copy of the MED-V image before sealing it. - 4. Click **Reseal**. This removes identity information and clears event logs to prepare for first time setup. - 5. If you are not satisfied with the information listed in the confirmation message box that appears, click **Cancel** and then change the selections. - 6. Click **OK** to complete the system preparation process. 
+ After you have completed all the steps in the **Setup Manager** wizard, you are ready to run Sysprep to seal the MED-V image. - After you have run Sysprep on your MED-V image, the virtual machine shuts down and is ready for use in creating a MED-V workspace. +**To run Sysprep** + +1. Run the System Preparation Tool (Sysprep.exe) from the *Sysprep* folder that you created when you configured Sysprep in the MED-V virtual machine. + +2. In the warning message box that appears, click **OK**. + +3. In the **Options** dialog box, select the **Don't reset grace period for activation** and **Use Mini-Setup** check boxes. Also, make sure that the **Shutdown mode** box is set to **Shut down**. + +4. Click **Reseal**. This removes identity information and clears event logs to prepare for first time setup. + +5. If you are not satisfied with the information listed in the confirmation message box that appears, click **Cancel** and then change the selections. + +6. Click **OK** to complete the system preparation process. + +After you have run Sysprep on your MED-V image, the virtual machine shuts down and is ready for use in creating a MED-V workspace. +~~~ ## Example @@ -193,8 +195,8 @@ Here is an example of a Sysprep.inf file. Language=00000409 [GuiRunOnce] -    Command0="wmic /namespace:\\root\default path SystemRestore call Disable %SystemDrive%\" -    Command1="c:\Program Files\Microsoft Enterprise Desktop Virtualization\FtsCompletion.exe" + Command0="wmic /namespace:\\root\default path SystemRestore call Disable %SystemDrive%\" + Command1="c:\Program Files\Microsoft Enterprise Desktop Virtualization\FtsCompletion.exe" [sysprepcleanup] ``` @@ -206,9 +208,9 @@ Here is an example of a Sysprep.inf file. [Prepare a MED-V Image](prepare-a-med-v-image.md) -  - -  + + + diff --git a/mdop/medv-v2/configuring-advanced-settings-by-using-windows-powershell.md b/mdop/medv-v2/configuring-advanced-settings-by-using-windows-powershell.md index 9bd4461552..2cd2f9a102 100644 
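Review bot: the `~~~` fence opened after the Sysprep Technical Reference note in the @@ -61,88 hunk of configuring-a-windows-virtual-pc-image-for-med-v.md, and closed only after "After you have run Sysprep on your MED-V image, the virtual machine shuts down ...", turns some sixty lines of prose into a literal code block, so the `**Caution**`, `**Important**` and `**Note**` markers, the two numbered procedures and every link inside the fence, including `[Security Best Practices for MED-V Operations](security-best-practices-for-med-v-operations.md)` beside the proxy-account credential warning and the two `[Create a MED-V Workspace Package](create-a-med-v-workspace-package.md)` references, will render as raw markdown instead of formatted text and working links. Remove both `~~~` lines; if the intent was to de-indent the nested Caution and the **To configure Sysprep** / **To run Sysprep** procedures, keep them as ordinary paragraphs and lists at column 0 without a fence.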
--- a/mdop/medv-v2/configuring-advanced-settings-by-using-windows-powershell.md +++ b/mdop/medv-v2/configuring-advanced-settings-by-using-windows-powershell.md @@ -82,7 +82,7 @@ Run Windows PowerShell with administrative credentials, and ensure that the Wind This command runs the Windows PowerShell script and runs the **New-MedvWorkspace** cmdlet to generate a new MED-V workspace package. The new packager files are saved in the folder that you originally specified for storing your MED-V Workspace Packager files. For additional help about this cmdlet, see the Windows PowerShell Help. -  + ## Exporting a MED-V Configuration to a Registry File @@ -102,9 +102,9 @@ You can import the resultant registry file from the host computer to a MED-V wor [Test And Deploy the MED-V Workspace Package](test-and-deploy-the-med-v-workspace-package.md) -  + -  + diff --git a/mdop/medv-v2/create-a-med-v-workspace-package.md b/mdop/medv-v2/create-a-med-v-workspace-package.md index e43d9b4394..7dac2edf43 100644 --- a/mdop/medv-v2/create-a-med-v-workspace-package.md +++ b/mdop/medv-v2/create-a-med-v-workspace-package.md @@ -27,7 +27,7 @@ Use the **MED-V Workspace Packager** to create MED-V workspaces. The **MED-V Wor - A **Help Center** on the right-hand side of the window that provides information and guidance to help you create, test, and manage your MED-V workspaces. -**Important**   +**Important** Before you can use the **MED-V Workspace Packager**, you must first make sure that the Windows PowerShell execution policy is set to Unrestricted. `Set-ExecutionPolicy Unrestricted` 
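Review bot: `Set-ExecutionPolicy Unrestricted`, kept as context under the **Important** note whose trailing non-breaking space the @@ -27,7 hunk of create-a-med-v-workspace-package.md strips, sets the policy for the default LocalMachine scope and nothing on the page tells the reader to put it back, so the documented baseline after packaging is a permanent, machine-wide Unrestricted policy. Since the note is already being edited, add `-Scope CurrentUser` to the command (or state which scope the packager actually needs) and add one sentence that the previous execution policy should be restored once the MED-V workspace package has been built.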
@@ -48,12 +48,12 @@ If it is necessary, change the SAN policy to "Online All" by typing the followin `DISKPART> exit` -  -**Important**   + +**Important** If automatic disk encryption software is installed on the computer that you use to mount the virtual hard disk and build the MED-V workspace package, you must disable the software before you start. Otherwise, you cannot use the MED-V workspace on any other computer. -  + The information we provide here can help you create your MED-V workspace deployment package. 
@@ -70,32 +70,34 @@ Before you start to build your MED-V workspace deployment package, verify that y Your URL redirection text file or list contains those URLs that you want redirected from the host computer to Internet Explorer in the MED-V workspace. When you are using the packaging wizard to create your MED-V workspace, you import, type, or copy and paste this redirection information as one of the steps in the package creation process. - **Note**   + **Note** URL redirection in MED-V only supports the protocols HTTP and HTTPS. MED-V does not provide support for FTP or any other protocols. -   - Enter each web address on a single line, for example: - http://www.contoso.com/webapps/webapp1 +~~~ +Enter each web address on a single line, for example: - http://www.contoso.com/webapps/webapp2 +http://www.contoso.com/webapps/webapp1 - http://\*.contoso.com +http://www.contoso.com/webapps/webapp2 - http://www.contoso.com/webapps/\* +http://\*.contoso.com + +http://www.contoso.com/webapps/\* + +**Important** +If you import a text file that includes a URL that uses special characters (such as ~ ! @ \# and so on), make sure that you specify UTF-8 encoding when you save the text file. Special characters do not import correctly into the MED-V Workspace Packager if the text file was saved using the default ANSI encoding. +~~~ - **Important**   - If you import a text file that includes a URL that uses special characters (such as ~ ! @ \# and so on), make sure that you specify UTF-8 encoding when you save the text file. Special characters do not import correctly into the MED-V Workspace Packager if the text file was saved using the default ANSI encoding. -   ## Packaging a MED-V Workspace for a Language Other than the Language of the MED-V Workspace Packager Computer By default, the MED-V workspace supports characters in both the language of the computer and in English. 
To create a MED-V workspace for a language other than the one installed on the computer, specify **-loc \[locale\]** in the PowerShell script (.ps1) after the MED-V workspace name. -To create a MED-V workspace package in a language other than the default language of the MED-V Workspace Packager computer, generate a script in the default language by running the MED-V Workspace Packager and then modifying the output script as required for your locale. The script is located in the MED-V workspace output directory that was specified during packaging. The names of the locale settings are on the .WXL files in the following directory: +To create a MED-V workspace package in a language other than the default language of the MED-V Workspace Packager computer, generate a script in the default language by running the MED-V Workspace Packager and then modifying the output script as required for your locale. The script is located in the MED-V workspace output directory that was specified during packaging. The names of the locale settings are on the .WXL files in the following directory: C:\\Program Files\\Microsoft Enterprise Desktop Virtualization\\WindowsPowerShell\\Modules\\Microsoft.Medv.Administration.Commands.WorkspacePackager\\locale 
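Review bot: The new `~~~` fence in `@@ -70,32 +70,34 @@` wraps prose, not code: the sentence `Enter each web address on a single line, for example:`, the four sample URLs and the entire `**Important**` paragraph about UTF-8 encoding all land inside one fenced block, so the bold marker and the backslash escapes in `http://\*.contoso.com` and `http://www.contoso.com/webapps/\*` are rendered literally and the note loses its callout formatting. The fence is also unindented while the surrounding `**Note**` text is indented under a list item, which terminates that list. Suggest fencing only the four URL lines (without the `\` escapes, which are unnecessary inside a fence) and keeping the sentence and the Important note as indented paragraphs, as they were.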
@@ -157,267 +159,283 @@ To create a MED-V workspace package, follow these steps: -   + 3. On the **Package Information** page, enter a name for the MED-V workspace and select a folder where the MED-V workspace package files are saved. - **Warning**   + **Warning** You must name the MED-V workspace and specify a folder to continue. -   - After you have finished, click **Next**. -4. On the **Select Windows XP Image** page, specify the location of your prepared MED-V Windows XP Virtual PC image (.vhd file). +~~~ +After you have finished, click **Next**. +~~~ - **Warning**   - You must specify a Windows XP VHD image to continue. +4. On the **Select Windows XP Image** page, specify the location of your prepared MED-V Windows XP Virtual PC image (.vhd file). -   + **Warning** + You must specify a Windows XP VHD image to continue. - After you have finished, click **Next**. -5. On the **First Time Setup** page, select whether you want first time setup to run while attended or unattended and whether you want the MED-V workspace used separately or used by all end users on a shared computer. - If you select **Unattended setup, without any notification**, the end user is not informed before first time setup is run and the virtual machine is not shown to the end user during first time setup. In addition, the **MED-V Messages** page of the wizard is hidden because no messages are required if first time setup runs in a completely unattended mode. +~~~ +After you have finished, click **Next**. +~~~ - If you select **Unattended setup, but notify end users before first time setup begins**, the end user is informed before first time setup is run. However, the virtual machine is not shown to the end user during first time setup. +5. On the **First Time Setup** page, select whether you want first time setup to run while attended or unattended and whether you want the MED-V workspace used separately or used by all end users on a shared computer. 
- Select **Attended setup** if the end user must enter information during first time setup. + If you select **Unattended setup, without any notification**, the end user is not informed before first time setup is run and the virtual machine is not shown to the end user during first time setup. In addition, the **MED-V Messages** page of the wizard is hidden because no messages are required if first time setup runs in a completely unattended mode. - The default behavior is **Unattended setup, but notify end users before first time setup begins**. + If you select **Unattended setup, but notify end users before first time setup begins**, the end user is informed before first time setup is run. However, the virtual machine is not shown to the end user during first time setup. - **Caution**   - If you created the Sysprep.inf file so that Mini-Setup requires user input to complete, you must select **Attended setup** or problems might occur during first time setup. + Select **Attended setup** if the end user must enter information during first time setup. -   + The default behavior is **Unattended setup, but notify end users before first time setup begins**. - You can also specify how a MED-V workspace is used on computers that are shared by multiple end users. You can decide that you want to create a unique MED-V workspace for each end user or that you want the MED-V workspace made available to all end users who share the computer. The default is that the MED-V workspace is unique for each end user. + **Caution** + If you created the Sysprep.inf file so that Mini-Setup requires user input to complete, you must select **Attended setup** or problems might occur during first time setup. - **Important**   - We recommend that you disable the fast user switching feature in Windows if you configure the MED-V workspace to be accessed by all users on a shared computer. 
Problems can occur if an end user logs on by using the fast user switching feature in Windows when another user is still logged on. -   - **Tip**   - When you create a name mask for the MED-V workspace on the **Naming Computers** page, make sure that each virtual machine on a shared computer has a unique computer name. +~~~ +You can also specify how a MED-V workspace is used on computers that are shared by multiple end users. You can decide that you want to create a unique MED-V workspace for each end user or that you want the MED-V workspace made available to all end users who share the computer. The default is that the MED-V workspace is unique for each end user. -   +**Important** +We recommend that you disable the fast user switching feature in Windows if you configure the MED-V workspace to be accessed by all users on a shared computer. Problems can occur if an end user logs on by using the fast user switching feature in Windows when another user is still logged on. - You can also specify whether the MED-V workspace is added to the Administrators group or administrator credentials are managed outside MED-V. By default, the MED-V workspace is not automatically added to the Administrators group. - After you have finished, click **Next**. -6. On the **MED-V Messages** page, specify the following messages that the end user sees during first time setup: +**Tip** +When you create a name mask for the MED-V workspace on the **Naming Computers** page, make sure that each virtual machine on a shared computer has a unique computer name. - - The message that the end user sees when first time setup starts. - - The message that the end user sees if first time setup fails or an error occurs. - **Note**   - The **MED-V Messages** page of the wizard is hidden if you selected **Unattended setup, without any notification** on the **First Time Setup** page. 
+You can also specify whether the MED-V workspace is added to the Administrators group or administrator credentials are managed outside MED-V. By default, the MED-V workspace is not automatically added to the Administrators group. -   +After you have finished, click **Next**. +~~~ - You can also specify an optional URL location for help information that is provided to the end user when first time setup is running. +6. On the **MED-V Messages** page, specify the following messages that the end user sees during first time setup: - For example, the URL can point to an internal IT webpage with answers to questions such as "How long will this take and how will I know when it has completed?" or "What do you do if you get an error message?" + - The message that the end user sees when first time setup starts. - **Note**   - If you specify a URL, a link is shown during first time setup that points the end user to this help information. If you do not specify a URL, no link is provided. + - The message that the end user sees if first time setup fails or an error occurs. -   + **Note** + The **MED-V Messages** page of the wizard is hidden if you selected **Unattended setup, without any notification** on the **First Time Setup** page. - After you have finished, click **Next**. -7. On the **Naming Computers** page, you can specify whether computer naming is managed by MED-V or by a system management tool, such as Sysprep. The default is that computer naming is managed by a system management tool. - If you specify that computer naming is managed by MED-V, select a predefined computer naming convention (mask) from the drop-down list. A preview of a sample computer name appears that is based on the computer that you are using to build the MED-V workspace package. +~~~ +You can also specify an optional URL location for help information that is provided to the end user when first time setup is running. 
- If you select one of the custom naming conventions, the fields you can specify are limited to the following characters: +For example, the URL can point to an internal IT webpage with answers to questions such as "How long will this take and how will I know when it has completed?" or "What do you do if you get an error message?" - - The prefix and suffix fields are limited to the characters A-Z, a-z, 0-9, and the special characters ! @ \# $ % ^ & ( ) - \_ ' { } . and ~. +**Note** +If you specify a URL, a link is shown during first time setup that points the end user to this help information. If you do not specify a URL, no link is provided. - - The hostname and username fields are limited to the digits 0 through 9. - **Important**   - Computer names must be unique and are limited to a maximum of 15 characters. When you decide on your computer naming method, consider end users who have multiple computers or that share a computer, and avoid using computer name masks that could cause a collision on the network. -   +After you have finished, click **Next**. +~~~ - **Caution**   - The computer name settings that you specify on this page override those specified in the Sysprep.inf answer file. +7. On the **Naming Computers** page, you can specify whether computer naming is managed by MED-V or by a system management tool, such as Sysprep. The default is that computer naming is managed by a system management tool. -   + If you specify that computer naming is managed by MED-V, select a predefined computer naming convention (mask) from the drop-down list. A preview of a sample computer name appears that is based on the computer that you are using to build the MED-V workspace package. - After you have finished, click **Next**. + If you select one of the custom naming conventions, the fields you can specify are limited to the following characters: -8. 
On the **Copy Settings from Host** page, you can select the following settings to specify how the MED-V workspace is configured: + - The prefix and suffix fields are limited to the characters A-Z, a-z, 0-9, and the special characters ! @ \# $ % ^ & ( ) - \_ ' { } . and ~. - **Caution**   - The settings that you specify on this page that are copied from the host computer to the MED-V workspace override those specified in the Sysprep.inf answer file. + - The hostname and username fields are limited to the digits 0 through 9. -   + **Important** + Computer names must be unique and are limited to a maximum of 15 characters. When you decide on your computer naming method, consider end users who have multiple computers or that share a computer, and avoid using computer name masks that could cause a collision on the network. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Copy regional settings

    Select this check box to copy the regional settings from the host computer to the MED-V workspace.

    If you select this check box, the following settings are set in the Sysprep.inf file:

    -
    [RegionalSettings]
    -    Language
    -    SystemLocale
    -    UserLocale
    -    UserLocale_DefaultUser
    -    InputLocale
    -    InputLocale_DefaultUser
    -    

    Copy user settings

    Select this check box to copy certain user settings, such as user name and company name, from the host to the MED-V workspace.

    If you select this check box, the following settings are set in the Sysprep.inf file:

    -
    [UserData]
    -    OrgName
    -    FullName
    -
    - Note   -

    Personal settings, such as Internet browsing history, are not copied over to the MED-V workspace.

    -
    -
    -   -

    Copy domain name

    Select this check box to let the guest join the same domain as the host.

    - Important   -

    The MED-V guest must be configured to join a domain that lets users log on by using the credentials that they use to log on to the MED-V host.

    -
    -
    -   -

    Copy domain organizational unit

    Select this check box to copy the domain organizational unit from the host computer to the MED-V workspace. This check box is only enabled if you select to copy the domain name from the host computer.

    -   - After you have finished, click **Next**. +~~~ +**Caution** +The computer name settings that you specify on this page override those specified in the Sysprep.inf answer file. -9. On the **Startup and Networking** page, you can change the default behavior for the following settings: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Start MED-V workspace

    Choose whether to start the MED-V workspace at user logon, at first use, or to let the end user decide when the MED-V workspace starts.

    The MED-V workspace starts in one of two ways: either when the end user logs on or when they first start an action that requires MED-V, such as opening a published application or entering a URL that requires redirection.

    -

    You can either define this setting for the end user or let the end user control how MED-V starts.

    -
    - Note   -

    If you specify that the end user decides, the default behavior they experience is that the MED-V workspace starts when they log on. They can change the default by right-clicking the MED-V icon in the notification area and selecting MED-V User Settings. If you define this setting for the end user, they cannot change how MED-V starts.

    -
    -
    -   -

    Networking

    Select Shared or Bridged for your networking setting. The default is Shared.

    Shared - The MED-V workspace uses Network Address Translation (NAT) to share the host's IP for outgoing traffic.

    -

    Bridged - The MED-V workspace has its own network address, typically obtained through DHCP.

    Store credentials

    Choose whether you want to store the end user credentials.

    The default behavior is that credential storing is disabled so that the end user must be authenticated every time that they log on.

    -
    - Important   -

    Even though caching the end user’s credentials provides the best user experience, you should be aware of the risks involved.

    -

    The end user’s domain credential is stored in a reversible format in the Windows Credential Manager. As a result, an attacker could write a program that retrieves the password and could gain access to the user’s credentials. You can only lessen this risk by disabling the storing of end-user credentials.

    -
    -
    -   -
    -   +After you have finished, click **Next**. +~~~ - After you have finished, click **Next**. +8. On the **Copy Settings from Host** page, you can select the following settings to specify how the MED-V workspace is configured: + + **Caution** + The settings that you specify on this page that are copied from the host computer to the MED-V workspace override those specified in the Sysprep.inf answer file. + + + +~~~ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Copy regional settings

    Select this check box to copy the regional settings from the host computer to the MED-V workspace.

    If you select this check box, the following settings are set in the Sysprep.inf file:

    +
    [RegionalSettings]
    +Language
    +SystemLocale
    +UserLocale
    +UserLocale_DefaultUser
    +InputLocale
    +InputLocale_DefaultUser
    +

    Copy user settings

    Select this check box to copy certain user settings, such as user name and company name, from the host to the MED-V workspace.

    If you select this check box, the following settings are set in the Sysprep.inf file:

    +
    [UserData]
    +OrgName
    +FullName
    +
    +Note +

    Personal settings, such as Internet browsing history, are not copied over to the MED-V workspace.

    +
    +
    + +

    Copy domain name

    Select this check box to let the guest join the same domain as the host.

    +Important +

    The MED-V guest must be configured to join a domain that lets users log on by using the credentials that they use to log on to the MED-V host.

    +
    +
    + +

    Copy domain organizational unit

    Select this check box to copy the domain organizational unit from the host computer to the MED-V workspace. This check box is only enabled if you select to copy the domain name from the host computer.

    + + + +After you have finished, click **Next**. +~~~ + +9. On the **Startup and Networking** page, you can change the default behavior for the following settings: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Start MED-V workspace

    Choose whether to start the MED-V workspace at user logon, at first use, or to let the end user decide when the MED-V workspace starts.

    The MED-V workspace starts in one of two ways: either when the end user logs on or when they first start an action that requires MED-V, such as opening a published application or entering a URL that requires redirection.

    +

    You can either define this setting for the end user or let the end user control how MED-V starts.

    +
    + Note

    If you specify that the end user decides, the default behavior they experience is that the MED-V workspace starts when they log on. They can change the default by right-clicking the MED-V icon in the notification area and selecting MED-V User Settings. If you define this setting for the end user, they cannot change how MED-V starts.

    +
    +
    + +

    Networking

    Select Shared or Bridged for your networking setting. The default is Shared.

    Shared - The MED-V workspace uses Network Address Translation (NAT) to share the host's IP for outgoing traffic.

    +

    Bridged - The MED-V workspace has its own network address, typically obtained through DHCP.

    Store credentials

    Choose whether you want to store the end user credentials.

    The default behavior is that credential storing is disabled so that the end user must be authenticated every time that they log on.

    +
    + Important

    Even though caching the end user’s credentials provides the best user experience, you should be aware of the risks involved.

    +

    The end user’s domain credential is stored in a reversible format in the Windows Credential Manager. As a result, an attacker could write a program that retrieves the password and could gain access to the user’s credentials. You can only lessen this risk by disabling the storing of end-user credentials.

    +
    +
    + +
    + + + +~~~ +After you have finished, click **Next**. +~~~ 10. On the **Web Redirection** page, you can enter, paste, or import a list of the URLs that are redirected to Internet Explorer in the MED-V workspace. For more information about how to configure your URL redirection information, see [Prerequisites](#bkmk-prereq). - You can also specify how Internet Explorer in the MED-V workspace is configured for end users. By default, the Internet zone security level is set to High. Also, certain default browsing capabilities, such as the address bar, are removed. This default configuration of Internet Explorer in the MED-V workspace provides a more secure browsing environment for end users. + You can also specify how Internet Explorer in the MED-V workspace is configured for end users. By default, the Internet zone security level is set to High. Also, certain default browsing capabilities, such as the address bar, are removed. This default configuration of Internet Explorer in the MED-V workspace provides a more secure browsing environment for end users. - **Caution**   - By changing the default settings, you can customize Internet Explorer in the MED-V workspace. However, realize that if you change the default settings so as to make them less secure, you can expose your organization to those security risks that are present in older versions of Internet Explorer. For more information, see [Security Best Practices for MED-V Operations](security-best-practices-for-med-v-operations.md). + **Caution** + By changing the default settings, you can customize Internet Explorer in the MED-V workspace. However, realize that if you change the default settings so as to make them less secure, you can expose your organization to those security risks that are present in older versions of Internet Explorer. For more information, see [Security Best Practices for MED-V Operations](security-best-practices-for-med-v-operations.md). -   - After you have finished, click **Next**. 
+ +~~~ +After you have finished, click **Next**. +~~~ 11. On the **Summary** page, you can review the packaging settings for this MED-V workspace. If you want to change any settings, click the **Previous** button to return to the relevant page. After you have finished reviewing the settings, click **Create**. - The **Completion** page of the **Create MED-V Workspace Package Wizard** opens to show the progress of the package creation. + The **Completion** page of the **Create MED-V Workspace Package Wizard** opens to show the progress of the package creation. - **Note**   - The MED-V workspace package creation process might take several minutes to complete, depending on the size of the VHD specified. + **Note** + The MED-V workspace package creation process might take several minutes to complete, depending on the size of the VHD specified. -   - If the MED-V workspace package is created successfully, the **Completion** page displays a list of the files that you created and their respective locations. The following is a list of the files that are created and their descriptions: - - **setup.exe**—an installation program that you deploy and run on end-user computers to install the MED-V workspaces. +~~~ +If the MED-V workspace package is created successfully, the **Completion** page displays a list of the files that you created and their respective locations. The following is a list of the files that are created and their descriptions: - - **<*workspace\_name*>.msi**—an installer file that you deploy to the end-user computers. The setup.exe file will run this file to install the MED-V workspaces. +- **setup.exe**—an installation program that you deploy and run on end-user computers to install the MED-V workspaces. - - **<*vhd\_name*>.medv**—a compressed VHD file that you deploy to the end-user computers. The setup.exe file uses it when it installs the MED-V workspaces. +- **<*workspace\_name*>.msi**—an installer file that you deploy to the end-user computers. 
The setup.exe file will run this file to install the MED-V workspaces. - - **<*workspace\_name*>.reg**—the configuration settings that are installed when the setup.exe, <*workspace\_name*>.msi, and <*vhd\_name*>.medv files are deployed and setup.exe is run. +- **<*vhd\_name*>.medv**—a compressed VHD file that you deploy to the end-user computers. The setup.exe file uses it when it installs the MED-V workspaces. - - **<*workspace\_name*>.ps1**—a Windows PowerShell script that you can use to rebuild the registry file and re-build the MED-V workspace package. +- **<*workspace\_name*>.reg**—the configuration settings that are installed when the setup.exe, <*workspace\_name*>.msi, and <*vhd\_name*>.medv files are deployed and setup.exe is run. - **Important**   - Before deployment, you can edit configuration settings by updating the .ps1 file that has your preferred method of script editing, such as Windows PowerShell. After you change the .ps1 file, use that file to rebuild the MED-V workspace package that you deploy to your enterprise. For more information, see [Configuring Advanced Settings by Using Windows PowerShell](configuring-advanced-settings-by-using-windows-powershell.md). +- **<*workspace\_name*>.ps1**—a Windows PowerShell script that you can use to rebuild the registry file and re-build the MED-V workspace package. + + **Important** + Before deployment, you can edit configuration settings by updating the .ps1 file that has your preferred method of script editing, such as Windows PowerShell. After you change the .ps1 file, use that file to rebuild the MED-V workspace package that you deploy to your enterprise. For more information, see [Configuring Advanced Settings by Using Windows PowerShell](configuring-advanced-settings-by-using-windows-powershell.md). + + However, after the MED-V workspace is deployed, you must edit configuration settings through the registry. 
For a list and description of the configuration settings, see [Managing MED-V Workspace Configuration Settings](managing-med-v-workspace-configuration-settings.md). +~~~ - However, after the MED-V workspace is deployed, you must edit configuration settings through the registry. For a list and description of the configuration settings, see [Managing MED-V Workspace Configuration Settings](managing-med-v-workspace-configuration-settings.md). -   12. Click **Close** to close the packaging wizard and return to the **MED-V Workspace Packager**. @@ -432,9 +450,9 @@ Your MED-V workspace package is now ready for testing before deployment. [Prepare a MED-V Image](prepare-a-med-v-image.md) -  - -  + + + diff --git a/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md b/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md index faa841f442..b3ff8ab2d9 100644 --- a/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md +++ b/mdop/medv-v2/creating-a-windows-virtual-pc-image-for-med-v.md @@ -45,7 +45,7 @@ Alternately, if you already have a Windows Imaging (WIM) file that you want to u **Important**   MED-V only supports one virtual hard disk per virtual machine and only one partition on each virtual disk. -  + After you have created your virtual hard disk, install Windows XP on the image. 
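Review bot: Throughout `@@ -157,267 +159,283 @@` the step continuation text is moved into unindented `~~~` fences, for example `+~~~`, `+After you have finished, click **Next**.`, `+~~~`, so each of those paragraphs now renders as a preformatted block with literal asterisks, and the same happens to the callouts moved the same way: the `**Important**` about disabling fast user switching and the `**Tip**` about unique computer names under step 5, and the `**Caution**` that computer name settings override Sysprep.inf under step 7. Under step 11 the effect is worse: the `- **setup.exe**—...` through `- **<*workspace\_name*>.ps1**—...` bullets and the link to `configuring-advanced-settings-by-using-windows-powershell.md` are inside a fence, so neither the list nor the link renders. Because the fences sit between numbered items, they also break the numbered list in renderers that do not resume numbering. Suggest dropping the `~~~` lines and keeping the four-space indentation of the original continuation paragraphs (as this hunk already does for the `**Caution**` under step 8 and the `**Note**` under step 6, which still read correctly); the `&nbsp;`-only line removals in this hunk are fine.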
@@ -69,12 +69,12 @@ After you have installed Windows XP on your virtual machine, install any require **Important**   MED-V requires that Windows XP SP3 be running on the guest operating system. -  + **Warning**   When you install updates to Windows XP, make sure that you remain on the version of Internet Explorer in the guest that you intend to use in the MED-V workspace. For example, if you intend to run Internet Explorer 6 in the MED-V workspace, make sure that any updates that you install now do not include Internet Explorer 7 or Internet Explorer 8. In addition, we recommend that you configure the registry to prevent automatic updates from upgrading Internet Explorer. -  + ### Installing an Optional Performance Update @@ -83,7 +83,7 @@ Although it is optional, we recommend that you install the following update for **Note**   The update is publically available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix. -  + ### Configuring a Group Policy Performance Update @@ -105,7 +105,7 @@ Windows Virtual PC includes the Integration Components package. This provides fe **Important**   MED-V requires the installation of the Integration Components package. -  + When you configure the virtual image to work with MED-V, you must manually install the Integration Components package on the guest operating system to make the integration features that are available. @@ -122,7 +122,7 @@ After you install the Integration Components package, you are prompted to instal **Important**   If you are not prompted to install the RemoteApp update, you must download and install it manually. For more information and instructions about how to download this update, see [Update for Windows XP SP3 to enable RemoteApp](https://go.microsoft.com/fwlink/?LinkId=195925) (https://go.microsoft.com/fwlink/?LinkId=195925). -  + ### Enabling Remote Desktop 
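Review bot: In `@@ -69,12 +69,12 @@` (and the neighbouring hunks of creating-a-windows-virtual-pc-image-for-med-v.md) only the `&nbsp;`-only lines are blanked, while the callout headers such as `**Important**   ` and `**Warning**   ` keep their trailing non-breaking spaces; the first file in this change strips those too (`-**Important**   ` / `+**Important**`), so the callout formatting is now inconsistent between the two files. Suggest applying the same trailing-whitespace cleanup here, or leaving both files untouched, so the change does one thing consistently.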
@@ -138,7 +138,7 @@ If you want, you can use the Internet Explorer Administration Kit to customize I **Warning**   You should consider security concerns associated with customizing Internet Explorer in the MED-V workspace. For more information, see [Security Best Practices for MED-V Operations](security-best-practices-for-med-v-operations.md). -  + After your virtual hard disk is installed with an up-to-date guest operating system, you can install applications on the image. @@ -149,9 +149,9 @@ After your virtual hard disk is installed with an up-to-date guest operating sys [Configuring a Windows Virtual PC Image for MED-V](configuring-a-windows-virtual-pc-image-for-med-v.md) -  + -  + diff --git a/mdop/medv-v2/deploying-the-med-v-workspace-package.md b/mdop/medv-v2/deploying-the-med-v-workspace-package.md index 5d53fd396e..5296ed863d 100644 --- a/mdop/medv-v2/deploying-the-med-v-workspace-package.md +++ b/mdop/medv-v2/deploying-the-med-v-workspace-package.md @@ -22,12 +22,12 @@ After you have tested your Microsoft Enterprise Desktop Virtualization (MED-V) 2 **Note**   When you are ready to deploy, we recommend that you install the MED-V workspace by running the setup.exe executable program that is included in your MED-V workspace installer package. -  + **Warning**   Before you can install the MED-V workspace, you must first install the MED-V Host Agent. -  + ## In This Section @@ -41,9 +41,9 @@ Provides information about how to deploy a MED-V workspace in a Windows 7 image. [How to Deploy a MED-V Workspace Manually](how-to-deploy-a-med-v-workspace-manually.md) Provides information about how to manually deploy a MED-V workspace. -  + -  + diff --git a/mdop/medv-v2/detecting-network-changes-that-affect-med-v.md b/mdop/medv-v2/detecting-network-changes-that-affect-med-v.md index cae1c454a4..f8f174a569 100644 --- a/mdop/medv-v2/detecting-network-changes-that-affect-med-v.md +++ b/mdop/medv-v2/detecting-network-changes-that-affect-med-v.md 
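Review bot: `@@ -149,9 +149,9 @@` at the end of creating-a-windows-virtual-pc-image-for-med-v.md turns the two `&nbsp;` lines into empty lines, leaving the file ending in a run of blank lines after the `[Configuring a Windows Virtual PC Image for MED-V](...)` link; the same pattern recurs at the end of deploying-the-med-v-workspace-package.md in `@@ -41,9 +41,9 @@`. Suggest collapsing these to a single trailing newline, since consecutive blank lines carry no content and are flagged by markdown linters.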
@@ -24,7 +24,7 @@ The feature includes a component running in the guest operating system that is n **Note**   This feature is only available if the virtual machine is configured for network address translation (NAT) mode. If the virtual machine is configured for BRIDGED mode, no change indications are generated. -  + This section provides information and instruction to assist you in monitoring those network changes that can affect MED-V. 
@@ -33,37 +33,37 @@ This section provides information and instruction to assist you in monitoring th After you have deployed your MED-V workspaces, you can monitor changes to certain network configurations by preforming the following tasks: -1. Create a Managed Object Format (MOF) file that will look for the network configuration changes that you want to monitor. The following code shows an example of the MOF file that you can create. +1. Create a Managed Object Format (MOF) file that will look for the network configuration changes that you want to monitor. The following code shows an example of the MOF file that you can create. - ``` syntax -#pragma namespace ("\\\\.\\root\\ccm\\NetworkConfig") + ``` syntax + #pragma namespace ("\\\\.\\root\\ccm\\NetworkConfig") - class CCM_IPConfig - { - [NotNull: ToInstance ToSubClass] uint32 AddressFamily; // AF_INET, AF_INET6 - [Key, NotNull: ToInstance ToSubClass] string IPAddress; // IPv4 or IPv6 address - [NotNull: ToInstance ToSubClass] string SubnetMask; // IPv4 subnet mask - }; + class CCM_IPConfig + { + [NotNull: ToInstance ToSubClass] uint32 AddressFamily; // AF_INET, AF_INET6 + [Key, NotNull: ToInstance ToSubClass] string IPAddress; // IPv4 or IPv6 address + [NotNull: ToInstance ToSubClass] string SubnetMask; // IPv4 subnet mask + }; - class CCM_NetworkAdapter - { - [Key, NotNull: ToInstance ToSubClass] string Name; - [NotNull: ToInstance ToSubClass] uint32 DHCPEnabled = 0; - [NotNull: ToInstance ToSubClass] uint32 Quarantined = 0; // To check if it is quarantined. - CCM_IPConfig IPConfigInfo[]; - }; + class CCM_NetworkAdapter + { + [Key, NotNull: ToInstance ToSubClass] string Name; + [NotNull: ToInstance ToSubClass] uint32 DHCPEnabled = 0; + [NotNull: ToInstance ToSubClass] uint32 Quarantined = 0; // To check if it is quarantined. 
+ CCM_IPConfig IPConfigInfo[]; + }; - [singleton] - class CCM_NetworkAdapters - { - [NotNull: ToInstance ToSubClass] String ProviderName; // MED-V or other provider - CCM_NetworkAdapter AdaptersInfo[]; - }; - ``` + [singleton] + class CCM_NetworkAdapters + { + [NotNull: ToInstance ToSubClass] String ProviderName; // MED-V or other provider + CCM_NetworkAdapter AdaptersInfo[]; + }; + ``` -2. Compile the MOF file. +2. Compile the MOF file. -3. Install the MOF file in the guest. +3. Install the MOF file in the guest. After you have installed the MOF file, you can create an event subscription that subscribes to Windows Management Instrumentation (WMI) creation, modification, or deletion events for the **CCM\_NetworkAdapters** class. This detects the following changes to the host: @@ -86,9 +86,9 @@ The event subscription you created provides notification through the WMI system [Manage MED-V Workspace Settings](manage-med-v-workspace-settings.md) -  + -  + diff --git a/mdop/medv-v2/determining-how-med-v-will-be-deployed.md b/mdop/medv-v2/determining-how-med-v-will-be-deployed.md index b7aff89a83..84034b795d 100644 --- a/mdop/medv-v2/determining-how-med-v-will-be-deployed.md +++ b/mdop/medv-v2/determining-how-med-v-will-be-deployed.md 
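Review bot: in the `@@ -33,37 +33,37 @@` hunk of the MED-V network-change monitoring topic, the opening fence stays tagged ``` syntax, which is not a language identifier renderers recognise; the body is MOF, so tag it ```mof or leave the fence untagged. The four-space re-indent of the block and of its closing fence is the right fix for keeping the code inside list item 1, but the context line `by preforming the following tasks` still carries a typo; change it to `performing` while the list is being reworked.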
@@ -29,7 +29,7 @@ If you are currently using an electronic software distribution solution, you can **Note**   Whichever electronic software distribution solution that you use, you must be familiar with the requirements of your particular solution. If you are using System Center Configuration Manager 2007 R2 or a later version, see the [Configuration Manager Documentation Library](https://go.microsoft.com/fwlink/?LinkId=66999) in the Microsoft Technical Library (https://go.microsoft.com/fwlink/?LinkId=66999). -  + You might prefer to install MED-V in a Windows 7 image. Then, after you deploy the Windows 7 images throughout your enterprise, MED-V is ready to be installed when an end user needs it. For more information, see [How to Deploy a MED-V Workspace in a Windows 7 Image](how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md). @@ -40,9 +40,9 @@ You might prefer to install MED-V in a Windows 7 image. Then, after you deploy t [Planning for MED-V](planning-for-med-v.md) -  + -  + diff --git a/mdop/medv-v2/example-med-v-environment-planning-checklist.md b/mdop/medv-v2/example-med-v-environment-planning-checklist.md index 2944202128..4a91991ac1 100644 --- a/mdop/medv-v2/example-med-v-environment-planning-checklist.md +++ b/mdop/medv-v2/example-med-v-environment-planning-checklist.md @@ -33,28 +33,28 @@ The following checklist provides a high-level list of items to consider and outl

    Review the components of a MED-V deployment.

    -

    [High-Level Architecture](high-level-architecturemedv2.md)

    +

    High-Level Architecture

    Ensure that your computing environment meets the supported configurations required for installing MED-V 2.0.

    -

    [MED-V 2.0 Supported Configurations](med-v-20-supported-configurations.md)

    +

    MED-V 2.0 Supported Configurations

    Determine how you want to design your MED-V deployment.

    -

    [Define and Plan your MED-V Deployment](define-and-plan-your-med-v-deployment.md)

    +

    Define and Plan your MED-V Deployment

    Review the list of best practices for ensuring that your MED-V deployment environment is more secure.

    -

    [Security and Protection for MED-V](security-and-protection-for-med-v.md)

    +

    Security and Protection for MED-V

    -  + -  + -  + diff --git a/mdop/medv-v2/example-med-v-image-preparation-checklist.md b/mdop/medv-v2/example-med-v-image-preparation-checklist.md index cd44b3abc5..d1ddce73d0 100644 --- a/mdop/medv-v2/example-med-v-image-preparation-checklist.md +++ b/mdop/medv-v2/example-med-v-image-preparation-checklist.md @@ -33,24 +33,24 @@ The following checklist provides a high-level list of items to consider and outl
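Review bot: in the `@@ -33,28 +33,28 @@` hunk of example-med-v-environment-planning-checklist.md, every `+` row shows a bare topic title (`High-Level Architecture`, `MED-V 2.0 Supported Configurations`, ...) where the `-` row carried a link such as `[High-Level Architecture](high-level-architecturemedv2.md)`. If the intent is only to strip trailing non-breaking spaces, the link targets must be kept; confirm the rendered checklist still links to all four referenced topics before merging.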

    Create a virtual machine that is running Windows XP SP3 with updates and additions.

    -

    [Creating a Windows Virtual PC Image for MED-V](creating-a-windows-virtual-pc-image-for-med-v.md)

    +

    Creating a Windows Virtual PC Image for MED-V

    Install any predeployment software that you want on the MED-V image.

    -

    [Installing Applications on a Windows Virtual PC Image](installing-applications-on-a-windows-virtual-pc-image.md)

    +

    Installing Applications on a Windows Virtual PC Image

    Package the MED-V image by using Sysprep.

    -

    [Configuring a Windows Virtual PC Image for MED-V](configuring-a-windows-virtual-pc-image-for-med-v.md)

    +

    Configuring a Windows Virtual PC Image for MED-V

    -  + -  + -  + diff --git a/mdop/medv-v2/example-med-v-project-planning-checklist.md b/mdop/medv-v2/example-med-v-project-planning-checklist.md index 6d8395809e..b0a5d1d39b 100644 --- a/mdop/medv-v2/example-med-v-project-planning-checklist.md +++ b/mdop/medv-v2/example-med-v-project-planning-checklist.md @@ -33,28 +33,28 @@ The following checklist provides a high-level list of items to consider and outl
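Review bot: the `@@ -33,24 +33,24 @@` hunk of example-med-v-image-preparation-checklist.md replaces linked rows such as `[Creating a Windows Virtual PC Image for MED-V](creating-a-windows-virtual-pc-image-for-med-v.md)` with the plain title on the `+` side. A whitespace cleanup should not drop the three topic links; verify the rendered table still navigates to the image creation, application installation and Sysprep configuration topics.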

    Determine how you can use MED-V to help solve your application compatibility issues.

    -

    [Planning for Application Operating System Compatibility](planning-for-application-operating-system-compatibility.md)

    +

    Planning for Application Operating System Compatibility

    Plan an end-to-end deployment scenario for your organization.

    -

    [End-to-End Planning Scenario for MED-V 2.0](end-to-end-planning-scenario-for-med-v-20.md)

    +

    End-to-End Planning Scenario for MED-V 2.0

    Define the project scope by defining the end users and determining the MED-V images to be managed.

    -

    [Define and Plan your MED-V Deployment](define-and-plan-your-med-v-deployment.md)

    +

    Define and Plan your MED-V Deployment

    Review the list of best practices for ensuring that your MED-V deployment is more secure.

    -

    [Security and Protection for MED-V](security-and-protection-for-med-v.md)

    +

    Security and Protection for MED-V

    -  + -  + -  + diff --git a/mdop/medv-v2/example-med-v-system-installation-checklist.md b/mdop/medv-v2/example-med-v-system-installation-checklist.md index 0020984dbc..de3ca2a590 100644 --- a/mdop/medv-v2/example-med-v-system-installation-checklist.md +++ b/mdop/medv-v2/example-med-v-system-installation-checklist.md @@ -33,28 +33,28 @@ The following checklist provides a high-level list of items to consider and outl
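Review bot: the `@@ -33,28 +33,28 @@` hunk of example-med-v-project-planning-checklist.md shows the `-` side linking to topics such as `[Planning for Application Operating System Compatibility](planning-for-application-operating-system-compatibility.md)` and the `+` side showing only the title text. Unless the link markup is preserved elsewhere in the cell, this regresses the checklist into unlinked text; check the rendered output for all four rows.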

    Ensure that your computing environment meets the supported configurations that are required for installing MED-V 2.0.

    -

    [MED-V 2.0 Supported Configurations](med-v-20-supported-configurations.md)

    +

    MED-V 2.0 Supported Configurations

    Plan and design the MED-V deployment.

    -

    [Planning for MED-V](planning-for-med-v.md)

    +

    Planning for MED-V

    Verify that the required installation prerequisites are configured.

    -

    [Configure Installation Prerequisites](configure-installation-prerequisites.md)

    +

    Configure Installation Prerequisites

    Install the MED-V Host Agent and MED-V Workspace Packager.

    -

    [Deploy the MED-V Components](deploy-the-med-v-components.md)

    +

    Deploy the MED-V Components

    -  + -  + -  + diff --git a/mdop/medv-v2/example-med-v-workspace-deployment-checklist.md b/mdop/medv-v2/example-med-v-workspace-deployment-checklist.md index 2a2ccb41c5..f86a94139f 100644 --- a/mdop/medv-v2/example-med-v-workspace-deployment-checklist.md +++ b/mdop/medv-v2/example-med-v-workspace-deployment-checklist.md @@ -33,28 +33,28 @@ The following checklist provides a high-level list of items to consider and outl
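Review bot: in the `@@ -33,28 +33,28 @@` hunk of example-med-v-system-installation-checklist.md the `+` rows read `MED-V 2.0 Supported Configurations`, `Planning for MED-V`, `Configure Installation Prerequisites` and `Deploy the MED-V Components` without the `(...md)` targets present on the `-` rows. Keep the links; a reader following this checklist needs to reach configure-installation-prerequisites.md and deploy-the-med-v-components.md from it.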

    Prepare the MED-V image for deployment.

    -

    [Prepare a MED-V Image](prepare-a-med-v-image.md)

    +

    Prepare a MED-V Image

    Create the MED-V workspace deployment package.

    -

    [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md)

    +

    Create a MED-V Workspace Package

    Test the MED-V workspace installer package.

    -

    [Testing the MED-V Workspace Package](testing-the-med-v-workspace-package.md)

    +

    Testing the MED-V Workspace Package

    Deploy the MED-V workspace installer package.

    -

    [Deploying the MED-V Workspace Package](deploying-the-med-v-workspace-package.md)

    +

    Deploying the MED-V Workspace Package

    -  + -  + -  + diff --git a/mdop/medv-v2/high-level-architecturemedv2.md b/mdop/medv-v2/high-level-architecturemedv2.md index fd5bb0cbb9..a5adeabb7e 100644 --- a/mdop/medv-v2/high-level-architecturemedv2.md +++ b/mdop/medv-v2/high-level-architecturemedv2.md @@ -33,7 +33,7 @@ The MED-V software contained in the MED-V host that provides a channel to commun **Note**   After MED-V and its required components are installed MED-V must be configured. The configuration of MED-V is referred to as first time setup. -  + **ESD System** Your existing software distribution method that lets you deploy and install the MED-V workspace package files that MED-V creates. @@ -59,7 +59,7 @@ The MED-V software contained in the MED-V guest that provides a channel to commu **Note**   The MED-V Guest Agent is installed automatically during first time setup. -  + **ESD Client** An optional part of your ESD system that installs software packages and reports status to the ESD system. @@ -71,9 +71,9 @@ An optional part of your ESD system that installs software packages and reports [Prepare the Deployment Environment for MED-V](prepare-the-deployment-environment-for-med-v.md) -  + -  + diff --git a/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md b/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md index 7cb3e45e0c..0821577e21 100644 --- a/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md +++ b/mdop/medv-v2/how-to-add-or-remove-url-redirection-information-in-a-deployed-med-v-workspace.md @@ -46,7 +46,7 @@ You can add and remove URL redirection information by performing one of the foll **Note**   This method of editing URL redirection information is a MED-V best practice. -  + **To rebuild the MED-V workspace by using an updated URL text file** 
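Review bot: the `@@ -33,28 +33,28 @@` hunk of example-med-v-workspace-deployment-checklist.md drops the link markup from the `+` side of each row (for example `[Prepare a MED-V Image](prepare-a-med-v-image.md)` becomes `Prepare a MED-V Image`). Confirm the rendered checklist still links to the prepare, create, test and deploy topics; if it does not, restore the targets in the same change.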
@@ -55,7 +55,7 @@ This method of editing URL redirection information is a MED-V best practice. **Important**   We do not recommend this method of editing URL redirection information. In addition, any time that you redeploy the MED-V workspace back out to your enterprise, first time setup must run again, and any data saved in the virtual machine is lost. -   + ## Related topics @@ -66,9 +66,9 @@ This method of editing URL redirection information is a MED-V best practice. [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md) -  + -  + diff --git a/mdop/medv-v2/how-to-create-a-test-environment.md b/mdop/medv-v2/how-to-create-a-test-environment.md index a3ac7df325..18068b07ed 100644 --- a/mdop/medv-v2/how-to-create-a-test-environment.md +++ b/mdop/medv-v2/how-to-create-a-test-environment.md @@ -34,7 +34,7 @@ The following are some steps and instructions to help you create a test environm **Important**   The VHD and Setup executable program must be in the same folder as the MED-V workspace installer. Then, install the MED-V workspace installer by running setup.exe. -   + 2. After all of the components are installed on the test computer, run the MED-V Host Agent to start first time setup. @@ -43,7 +43,7 @@ The following are some steps and instructions to help you create a test environm **Note**   If you cannot physically run the MED-V Host Agent on the test computer, first time setup starts automatically the next time that the computer restarts. -   + First time setup starts and can take ten minutes or more to finish. @@ -58,7 +58,7 @@ For information about testing your configuration settings when first time setup **Important**   The VHD and Setup executable program must be in the same folder on your test environment as the MED-V workspace installer. -   + 3. Install the MED-V workspace by running setup.exe. 
@@ -73,7 +73,7 @@ You are now ready to test the different settings for configuration, application **Note**   By default, MED-V overrides the screen lock policy in the guest. However, this does not pose a security problem because the host computer still honors the screen lock policy. -  + ## Related topics @@ -84,9 +84,9 @@ By default, MED-V overrides the screen lock policy in the guest. However, this d [How to Test URL Redirection](how-to-test-url-redirection.md) -  + -  + diff --git a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md index 7067a394fc..550099841d 100644 --- a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md +++ b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md @@ -32,14 +32,14 @@ The following section provides information and instructions to help you deploy t **Warning**   Internet Explorer must be closed before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution. -   + 4. Copy the MED-V workspace package files to the Windows 7 image. The MED-V workspace package files are the MED-V workspace installer, .medv file, and setup.exe file that you created by using the **MED-V Workspace Packager**. **Important**   The .medv and setup.exe file must be in the same folder as the MED-V workspace installer. Then, install the MED-V workspace by running setup.exe. -   + 5. Configure a shortcut on the **Start** menu to open the MED-V workspace package installation. @@ -56,9 +56,9 @@ When the end user has to access an application published in the MED-V workspace, [How to Deploy a MED-V Workspace Through an Electronic Software Distribution System](how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md) -  + -  + 
diff --git a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-manually.md b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-manually.md index fe8b09b8d8..da44b5f136 100644 --- a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-manually.md +++ b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-manually.md 
@@ -31,38 +31,42 @@ This section provides instruction about how to manually deploy a MED-V workspace - **MED-V Host Agent Installation File** – installs the Host Agent (MED-V\_HostAgent\_Setup installation file). - **Warning**   + **Warning** Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution. -   - - **MED-V Workspace Installer, VHD, and Setup Executable** – created with the **MED-V Workspace Packager**. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md). - **Important**   - The compressed VHD file (.medv) and the Setup executable program (setup.exe) must be in the same folder as the MED-V workspace installer. +~~~ +- **MED-V Workspace Installer, VHD, and Setup Executable** – created with the **MED-V Workspace Packager**. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md). -   + **Important** + The compressed VHD file (.medv) and the Setup executable program (setup.exe) must be in the same folder as the MED-V workspace installer. +~~~ -2. Install the following in the order listed. The end user can perform this task manually or you can create a script to install the following: - - Windows Virtual PC and the Windows Virtual PC additions and updates. A computer restart is required. - - The MED-V Host Agent. +2. Install the following in the order listed. The end user can perform this task manually or you can create a script to install the following: - **Note**   - If it is running, Internet Explorer must be restarted before the installation of the MED-V Host Agent can finish. + - Windows Virtual PC and the Windows Virtual PC additions and updates. A computer restart is required. -   + - The MED-V Host Agent. - - The MED-V workspace package. 
+ **Note** + If it is running, Internet Explorer must be restarted before the installation of the MED-V Host Agent can finish. - Install the MED-V workspace by running the setup.exe program that is included in the MED-V workspace package files. -3. Complete first time setup. - After the MED-V workspace is installed, you have the option of starting MED-V. This starts the MED-V Host Agent. You can either start MED-V at that time, or start the MED-V Host Agent later to complete first time setup. +~~~ +- The MED-V workspace package. - To start the MED-V Host Agent, click **Start**, click **All Programs**, click **Microsoft Enterprise Desktop Virtualization**, and then click **MED-V Host Agent**. + Install the MED-V workspace by running the setup.exe program that is included in the MED-V workspace package files. +~~~ + +3. Complete first time setup. + + After the MED-V workspace is installed, you have the option of starting MED-V. This starts the MED-V Host Agent. You can either start MED-V at that time, or start the MED-V Host Agent later to complete first time setup. + + To start the MED-V Host Agent, click **Start**, click **All Programs**, click **Microsoft Enterprise Desktop Virtualization**, and then click **MED-V Host Agent**. ## Related topics @@ -73,9 +77,9 @@ This section provides instruction about how to manually deploy a MED-V workspace [Deploying the MED-V Workspace Package](deploying-the-med-v-workspace-package.md) -  - -  + + + diff --git a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md index 12d765d4ac..7d9e7b0536 100644 --- a/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md +++ b/mdop/medv-v2/how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md 
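Review bot: the `@@ -31,38 +31,42 @@` hunk of how-to-deploy-a-med-v-workspace-manually.md wraps prose list items in tilde fences (`~~~` / `- **MED-V Workspace Installer, VHD, and Setup Executable** ...` / `~~~`, and again around `- The MED-V workspace package.`). A `~~~` fence is a code block, so the bold text and the `[Create a MED-V Workspace Package](create-a-med-v-workspace-package.md)` link will render as literal characters and the bullets fall out of steps 1 and 2. Replace the fences with four-space indentation under the parent numbered item, the same way the `**Note**` block in this hunk is indented.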
@@ -19,19 +19,19 @@ ms.date: 08/30/2016 An electronic software distribution system is designed to efficiently move software to many different computers over slow or fast network connections. The following section provides information and instructions to help you deploy your MED-V workspace throughout your enterprise by using a software distribution system. -**Note**   +**Note** Whichever software distribution solution that you use, you must be familiar with the requirements of your particular solution. If you are using System Center Configuration Manager 2007 R2 or a later version, see the [Configuration Manager Documentation Library](https://go.microsoft.com/fwlink/?LinkId=66999) in the Microsoft Technical Library (https://go.microsoft.com/fwlink/?LinkId=66999). -  -**Important**   + +**Important** If you are using System Center Configuration Manager 2007 SP2 and your MED-V workspaces are configured to operate in **NAT** mode, the virtual machines are classified as Internet-based clients and cannot find the closest distribution points from which to download content. The [hotfix to improve the functionality for VMs that are managed by MED-V](https://go.microsoft.com/fwlink/?LinkId=201088) (https://go.microsoft.com/fwlink/?LinkId=201088) adds new functionality to virtual machines that are managed by MED-V and that are configured to operate in **NAT** mode. The new functionality lets virtual machines access the closest distribution points. Therefore, the administrator can manage the virtual machine and the host computer in the same manner. This hotfix must be installed first on the site server and then on the client. The update is publically available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix. -  + You can also deploy the MED-V components together by using a batch file, but this requires a restart after the installation of Windows Virtual PC. 
To bypass this requirement, you can specify a single restart after all of the components are installed. The single restart also automatically starts MED-V because the MED-V workspace installation places an entry in the RUNKEY. 
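Review bot: the `@@ -19,19 +19,19 @@` hunk of how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md strips the trailing non-breaking spaces from the Note and Important callouts but leaves the context typo `The update is publically available` in the Important block it is already touching; change it to `publicly`.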
@@ -47,48 +47,50 @@ You can also deploy the MED-V components together by using a batch file, but thi 3. **MED-V Host Agent Installation File** – installs the Host Agent (MED-V\_HostAgent\_Setup installation file). For more information, see [How to Manually Install the MED-V Host Agent](how-to-manually-install-the-med-v-host-agent.md). - **Warning**   + **Warning** Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution. -   + 4. **MED-V Workspace Installer, VHD, and Setup Executable** – created in the **MED-V Workspace Packager**. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md). - **Important**   + **Important** The compressed virtual hard disk file (.medv) and the Setup executable program (setup.exe) must be in the same folder as the MED-V workspace installer. Then, install the MED-V workspace installer by running setup.exe. -   - **Tip**   - Because problems can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe. -   +~~~ + **Tip** + Because problems can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe. +~~~ -3. Configure the packages to run in silent mode (no user interaction is required). - Running in silent mode eliminates the prompt to close Internet Explorer if it is running and the prompt to start the MED-V Host Agent. Both actions are performed when the computer is restarted. - **Note**   - Installation of Windows Virtual PC requires you to restart the computer. You can create a single installation process and install all the components at the same time if you suppress the restart and ignore the prerequisites necessary for MED-V to install. 
You can also do this by using command-line arguments. For an example of these arguments, see [How to Deploy the MED-V Components Through an Electronic Software Distribution System](how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md#bkmk-batch). MED-V automatically starts when the computer is restarted. +3. Configure the packages to run in silent mode (no user interaction is required). -   + Running in silent mode eliminates the prompt to close Internet Explorer if it is running and the prompt to start the MED-V Host Agent. Both actions are performed when the computer is restarted. -4. Install MED-V and its components before installing Windows Virtual PC. See the example batch file later in this topic. + **Note** + Installation of Windows Virtual PC requires you to restart the computer. You can create a single installation process and install all the components at the same time if you suppress the restart and ignore the prerequisites necessary for MED-V to install. You can also do this by using command-line arguments. For an example of these arguments, see [How to Deploy the MED-V Components Through an Electronic Software Distribution System](how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md#bkmk-batch). MED-V automatically starts when the computer is restarted. - **Important**   - Select the **IGNORE\_PREREQUISITES** option as shown in the example batch file so that the MED-V components can be installed prior to the required VPC components. Install the MED-V components in this order to allow for the single restart. -   -5. Identify any other requirements necessary for the installation and for your software distribution system, such as target platforms and the free disk space. +4. Install MED-V and its components before installing Windows Virtual PC. See the example batch file later in this topic. -6. Assign the packages to the target set of computers/users. 
+ **Important** + Select the **IGNORE\_PREREQUISITES** option as shown in the example batch file so that the MED-V components can be installed prior to the required VPC components. Install the MED-V components in this order to allow for the single restart. - As computers are running, the software distribution system client recognizes that new packages are available and begins to install the packages per the definition and requirements. The installations should run sequentially in silent. We recommend that this is performed as a single process that does not require a restart until all the packages are installed. -7. After the installations are complete, restart the updated computers. - Depending on the software distribution system, you can schedule a restart of the computer or the end users can restart the computers manually during their regular work. After the computer is restarted, MED-V automatically starts after an end user logs on. When MED-V starts for the first time, it runs first time setup. +5. Identify any other requirements necessary for the installation and for your software distribution system, such as target platforms and the free disk space. + +6. Assign the packages to the target set of computers/users. + + As computers are running, the software distribution system client recognizes that new packages are available and begins to install the packages per the definition and requirements. The installations should run sequentially in silent. We recommend that this is performed as a single process that does not require a restart until all the packages are installed. + +7. After the installations are complete, restart the updated computers. + + Depending on the software distribution system, you can schedule a restart of the computer or the end users can restart the computers manually during their regular work. After the computer is restarted, MED-V automatically starts after an end user logs on. 
When MED-V starts for the first time, it runs first time setup. First time setup starts and might take several minutes to finish, depending on the size of the virtual hard disk that you specified and the number of policies applied to the MED-V workspace on startup. The end user can track the progress by watching the MED-V icon in the notification area. For more information about first time setup, see [MED-V 2.0 Deployment Overview](med-v-20-deployment-overview.md). @@ -134,11 +136,10 @@ The following example, with the specified arguments, shows how to install 64-bit

    IGNORE_PREREQUISITES

    Installs without checking for Windows Virtual PC.

    -Note   -

    Only specify this argument if you are installing Windows Virtual PC as part of this installation.

    +Note

    Only specify this argument if you are installing Windows Virtual PC as part of this installation.

    -  +
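Review bot: in the `@@ -47,48 +47,50 @@` hunk of how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md the Tip callout is wrapped in tilde fences (`~~~` / `**Tip**` / `~~~`), which renders it as a literal code block rather than an indented callout under item 4; indent it with four spaces like the `**Important**` block directly above it. The hunk also shows the component items numbered `3.` and `4.` followed by `3. Configure the packages to run in silent mode`, so check that the continuation steps (`4.`, `5.`, `6.`, `7.`) render with the intended numbers or nest the component list under step 2 with a bullet marker.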
    @@ -148,7 +149,7 @@ The following example, with the specified arguments, shows how to install 64-bit -  + ## Example @@ -178,9 +179,9 @@ wusa.exe Windows6.1-KB977206-x64.msu /norestart /quiet [How to Deploy a MED-V Workspace in a Windows 7 Image](how-to-deploy-a-med-v-workspace-in-a-windows-7-image.md) -  - -  + + + diff --git a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md index 571c1c8cea..9271b1face 100644 --- a/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md +++ b/mdop/medv-v2/how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md 
@@ -19,24 +19,24 @@ ms.date: 11/01/2016 An electronic software distribution system can help you efficiently move software to many computers over slow or fast network connections. The following section provides information and instructions to help you deploy the Microsoft Enterprise Desktop Virtualization (MED-V) 2.0 components throughout your enterprise by using a software distribution system. -**Note**   +**Note** Whichever software distribution solution that you use, you must be familiar with the requirements of your particular solution. If you are using System Center Configuration Manager 2007 R2 or a later version, see the [Configuration Manager Documentation Library](https://go.microsoft.com/fwlink/?LinkId=66999) in the Microsoft Technical Library (https://go.microsoft.com/fwlink/?LinkId=66999). -  -**Important**   + +**Important** If you are using System Center Configuration Manager 2007 SP2 and your MED-V workspaces are configured to operate in **NAT** mode, the virtual machines are classified as Internet-based clients and cannot find the closest distribution points from which to download content. The [hotfix to improve the functionality for VMs that are managed by MED-V](https://go.microsoft.com/fwlink/?LinkId=201088) (https://go.microsoft.com/fwlink/?LinkId=201088) adds new functionality to virtual machines that are managed by MED-V and that are configured to operate in **NAT** mode. The new functionality lets virtual machines access the closest distribution points. Therefore, the administrator can manage the virtual machine and the host computer in the same manner. This hotfix must be installed first on the site server and then on the client. The update is publically available. However, you might be prompted to accept an agreement for Microsoft Services. Follow the prompts on the successive webpages to retrieve this hotfix. 
-  -**Note**   + +**Note** You must install the MED-V workspace packager and build your MED-V workspaces before you can deploy the MED-V components through your software distribution system. For more information about how to prepare an image and to build your MED-V workspaces, see [Operations for MED-V](operations-for-med-v.md). -  + **To deploy the MED-V components by using a software distribution system** 
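Review bot: the `@@ -19,24 +19,24 @@` hunk of how-to-deploy-the-med-v-components-through-an-electronic-software-distribution-system.md touches the Important callout but keeps the context line `The update is publically available`; fix the spelling to `publicly` in the same change, as the identical paragraph in the sibling workspace topic has the same typo.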
@@ -50,27 +50,27 @@ You must install the MED-V workspace packager and build your MED-V workspaces be 3. **MED-V Host Agent Installation File** – installs the Host Agent (MED-V\_HostAgent\_Setup installation file). For more information, see [How to Manually Install the MED-V Host Agent](how-to-manually-install-the-med-v-host-agent.md). - **Warning**   - Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution.   + **Warning** + Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution. 4. **MED-V Workspace Installer, VHD, and Setup Executable** – created in the **MED-V Workspace Packager**. For more information, see [Create a MED-V Workspace Package](create-a-med-v-workspace-package.md). - **Important**   + **Important** The compressed virtual hard disk file (.medv) and the Setup executable program (setup.exe) must be in the same folder as the MED-V workspace installer. Then, install the MED-V workspace installer by running setup.exe. - **Tip**   - Because problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe.   + **Tip** + Because problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe. 3. Configure the packages to run in silent mode (no user interaction is required). Running in silent mode eliminates the prompt to close Internet Explorer if it is running and the prompt to start the MED-V Host Agent. Both actions are performed when the computer is restarted. - **Note**   + **Note** Installation of Windows Virtual PC requires you to restart the computer. 
You can create a single installation process and install all the components at the same time if you suppress the restart and ignore the prerequisites necessary for MED-V to install. You can also do this by using command-line arguments. For an example of these arguments, see [To install the MED-V components by using a batch file](#bkmk-batch). MED-V automatically starts when the computer is restarted. 4. Install MED-V and its components before installing Windows Virtual PC. See the example batch file later in this topic. - **Important**   + **Important** Select the **IGNORE\_PREREQUISITES** option as shown in the example batch file so that the MED-V components can be installed prior to the required VPC components. Install the MED-V components in this order to allow for the single restart. 5. Identify any other requirements necessary for the installation and for your software distribution system, such as target platforms and the free disk space. @@ -127,11 +127,10 @@ The following example, with the specified arguments, shows how to install 64-bit

    IGNORE_PREREQUISITES

    Installs without checking for Windows Virtual PC.

    -Note   -

    Only specify this argument if you are installing Windows Virtual PC as part of this installation.

    +Note

    Only specify this argument if you are installing Windows Virtual PC as part of this installation.

    -  +
    @@ -141,7 +140,7 @@ The following example, with the specified arguments, shows how to install 64-bit -  + ## Example @@ -171,9 +170,9 @@ wusa.exe Windows6.1-KB977206-x64.msu /norestart /quiet [Deploy the MED-V Components](deploy-the-med-v-components.md) -  - -  + + + diff --git a/mdop/medv-v2/how-to-install-the-med-v-workspace-packager.md b/mdop/medv-v2/how-to-install-the-med-v-workspace-packager.md index 438d2539d0..581db9047a 100644 --- a/mdop/medv-v2/how-to-install-the-med-v-workspace-packager.md +++ b/mdop/medv-v2/how-to-install-the-med-v-workspace-packager.md @@ -22,7 +22,7 @@ Microsoft Enterprise Desktop Virtualization (MED-V) 2.0 includes a **MED-V Works **Important**   Before you start to run the wizards, make sure that you have a prepared VHD ready to install. For more information, see [Prepare a MED-V Image](prepare-a-med-v-image.md). -  + This section provides step-by-step instructions for installing or repairing the **MED-V Workspace Packager**. @@ -69,9 +69,9 @@ If the packager does not open as expected, you can try to repair the installatio [How to Uninstall the MED-V Components](how-to-uninstall-the-med-v-components.md) -  + -  + diff --git a/mdop/medv-v2/how-to-manage-url-redirection-by-using-the-med-v-workspace-packager.md b/mdop/medv-v2/how-to-manage-url-redirection-by-using-the-med-v-workspace-packager.md index e4c2f8386b..b933cc1510 100644 --- a/mdop/medv-v2/how-to-manage-url-redirection-by-using-the-med-v-workspace-packager.md +++ b/mdop/medv-v2/how-to-manage-url-redirection-by-using-the-med-v-workspace-packager.md 
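Review bot: In the `@@ -50,27 +50,27 @@` hunk the rewritten Tip line keeps a grammar error that should be fixed while the line is being touched: `Because problems that can occur when you install MED-V from a network location, we recommend ...` should read `Because of problems that can occur when you install MED-V from a network location, we recommend ...` (or `Because problems can occur ...`). The whitespace change is otherwise fine, but the rendered sentence will still read as a fragment.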
@@ -27,29 +27,31 @@ You can use the MED-V Workspace Packager to manage URL redirection in the MED-V 3. In the **Manage Web Redirection** window, you can type, paste, or import a list of the URLs that are redirected to Internet Explorer in the MED-V workspace. - **Note**   + **Note** URL redirection in MED-V only supports the protocols HTTP and HTTPS. MED-V does not provide support for FTP or any other protocols. -   - Enter each web address on a single line, for example: - http://www.contoso.com/webapps/webapp1 +~~~ +Enter each web address on a single line, for example: - http://www.contoso.com/webapps/webapp2 +http://www.contoso.com/webapps/webapp1 - http://\*.contoso.com +http://www.contoso.com/webapps/webapp2 - http://www.contoso.com/webapps/\* +http://\*.contoso.com - **Important**   - If you import a text file that includes a URL that uses special characters (such as ~ ! @ \# and so on), make sure that you specify UTF-8 encoding when you save the text file. Special characters do not import correctly into the MED-V Workspace Packager if the text file was saved using the default ANSI encoding. +http://www.contoso.com/webapps/\* -   +**Important** +If you import a text file that includes a URL that uses special characters (such as ~ ! @ \# and so on), make sure that you specify UTF-8 encoding when you save the text file. Special characters do not import correctly into the MED-V Workspace Packager if the text file was saved using the default ANSI encoding. +~~~ -4. Click **Save as…** to save the updated URL redirection files in the specified folder. MED-V creates a registry file that contains the updated URL redirection information. Deploy the updated registry key by using Group Policy. For more information about how to use Group Policy, see [Group Policy Software Installation](https://go.microsoft.com/fwlink/?LinkId=195931) (https://go.microsoft.com/fwlink/?LinkId=195931). 
- MED-V also creates a Windows PowerShell script in the specified folder that you can use to re-create the updated MED-V workspace package. + +4. Click **Save as…** to save the updated URL redirection files in the specified folder. MED-V creates a registry file that contains the updated URL redirection information. Deploy the updated registry key by using Group Policy. For more information about how to use Group Policy, see [Group Policy Software Installation](https://go.microsoft.com/fwlink/?LinkId=195931) (https://go.microsoft.com/fwlink/?LinkId=195931). + + MED-V also creates a Windows PowerShell script in the specified folder that you can use to re-create the updated MED-V workspace package. ## Related topics @@ -58,9 +60,9 @@ You can use the MED-V Workspace Packager to manage URL redirection in the MED-V [Manage MED-V URL Redirection](manage-med-v-url-redirection.md) -  - -  + + + diff --git a/mdop/medv-v2/how-to-manually-install-the-med-v-host-agent.md b/mdop/medv-v2/how-to-manually-install-the-med-v-host-agent.md index 618753a5f0..a8214e0d7a 100644 --- a/mdop/medv-v2/how-to-manually-install-the-med-v-host-agent.md +++ b/mdop/medv-v2/how-to-manually-install-the-med-v-host-agent.md @@ -24,12 +24,12 @@ Typically, you deploy and install the MED-V Host Agent by using your company’s **Note**   The MED-V Guest Agent is installed automatically during first time setup. -  + **Important**   Close Internet Explorer before you install the MED-V Host Agent, otherwise conflicts can occur later with URL redirection. You can also do this by specifying a computer restart during a distribution. -  + **To install the MED-V Host Agent** @@ -52,7 +52,7 @@ Close Internet Explorer before you install the MED-V Host Agent, otherwise confl **Note**   Until a MED-V workspace is installed, the MED-V Host Agent can be started and runs, but provides no functionality. -  + ## Related topics 
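Review bot: In the `@@ -27,29 +27,31 @@` hunk, wrapping the URL list and the `**Important**` note in an unindented `~~~` fence changes the rendering rather than just the whitespace: inside a fenced block the `**Important**` markup and the `\*` escapes in `http://\*.contoso.com` and `http://www.contoso.com/webapps/\*` are shown literally, and because the fence sits outside the indentation of step 3 it can break the numbered list before the re-added step 4. Suggest keeping the Important note (the UTF-8 versus ANSI import point for special characters) as ordinary indented text under step 3 and, if a fence is wanted for the example URLs, indenting it under the list item and dropping the backslashes so the wildcard entries read `http://*.contoso.com` and `http://www.contoso.com/webapps/*`.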
@@ -63,9 +63,9 @@ Until a MED-V workspace is installed, the MED-V Host Agent can be started and ru [How to Uninstall the MED-V Components](how-to-uninstall-the-med-v-components.md) -  + -  + diff --git a/mdop/medv-v2/how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md b/mdop/medv-v2/how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md index 4a089430a4..5708a84057 100644 --- a/mdop/medv-v2/how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md +++ b/mdop/medv-v2/how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md @@ -24,7 +24,7 @@ In some cases, you might want to install applications on the MED-V workspace wit **Important**   If you publish an application that does not support UNC paths, we recommend that you map the application to a drive. -  + You can publish or unpublish applications to a deployed MED-V workspace by performing one of the following tasks: 
@@ -45,14 +45,14 @@ You can publish or unpublish applications to a deployed MED-V workspace by perfo **Note**   Frequently, the shortcut is automatically deleted from the host computer **Start** menu when you uninstall the application. However, in some cases, such as for a MED-V workspace that is configured for all users of a shared computer, you might have to manually delete the shortcut on the **Start** menu after the application is uninstalled. The end-user can do this by right-clicking the shortcut and selecting **Delete**. -   + To test that the application was published or unpublished, verify on the MED-V workspace whether the corresponding shortcut is available or not. **Note**   Applications that are included in Windows XP SP3 and are located in the virtual machine Start Menu folder are not automatically published to the host. They are controlled by registry settings that block automatic publishing. For more information, see [Windows Virtual PC Application Exclude List](windows-virtual-pc-application-exclude-list.md). -  + **To publish Control Panel items** @@ -67,7 +67,7 @@ Applications that are included in Windows XP SP3 and are located in the virtual **Caution**   When you create the shortcut, do not specify %SystemRoot%\\control.exe. This application will not be published because it is contained in the registry settings that block automatic publishing. -  + **How MED-V handles automatic application publishing** @@ -90,7 +90,7 @@ When you create the shortcut, do not specify %SystemRoot%\\control.exe. This app **Note**   A folder must already exist in the host computer Start Menu folder for MED-V to copy the shortcut there. MED-V does not create the folder if it does not already exist. -  + ## Related topics @@ -101,9 +101,9 @@ A folder must already exist in the host computer Start Menu folder for MED-V to [Windows Virtual PC Application Exclude List](windows-virtual-pc-application-exclude-list.md) -  + -  + 
diff --git a/mdop/medv-v2/how-to-test-application-publishing.md b/mdop/medv-v2/how-to-test-application-publishing.md index 1b2b5b7d9f..0e21fda4c9 100644 --- a/mdop/medv-v2/how-to-test-application-publishing.md +++ b/mdop/medv-v2/how-to-test-application-publishing.md @@ -65,9 +65,9 @@ After you have completed testing your MED-V workspace package and have verified [Deploying the MED-V Workspace Package](deploying-the-med-v-workspace-package.md) -  + -  + diff --git a/mdop/medv-v2/how-to-test-url-redirection.md b/mdop/medv-v2/how-to-test-url-redirection.md index 1077e5c86a..e003cb9d88 100644 --- a/mdop/medv-v2/how-to-test-url-redirection.md +++ b/mdop/medv-v2/how-to-test-url-redirection.md @@ -62,9 +62,9 @@ After you have completed testing your MED-V workspace package and have verified [Deploying the MED-V Workspace Package](deploying-the-med-v-workspace-package.md) -  + -  + diff --git a/mdop/medv-v2/how-to-uninstall-the-med-v-components.md b/mdop/medv-v2/how-to-uninstall-the-med-v-components.md index f12e602dc3..9a514186e2 100644 --- a/mdop/medv-v2/how-to-uninstall-the-med-v-components.md +++ b/mdop/medv-v2/how-to-uninstall-the-med-v-components.md @@ -24,7 +24,7 @@ Typically, you can configure your electronic software distribution (ESD) system **Important**   Before you can uninstall the MED-V Host Agent, you must first uninstall any installed MED-V workspace. -  + Use the following procedures to uninstall the MED-V components from your enterprise. @@ -51,7 +51,7 @@ The ESD client recognizes when the new packages are available and starts to unin **Note**   If MED-V is currently running, a dialog box appears and prompts you whether you want to shut it down. Click **Yes** to continue with the uninstallation. Click **No** to cancel the uninstallation. -   + Alternately, you can remove a MED-V workspace by running the `uninstall.exe` file, typically located at C:\\ProgramData\\Microsoft\\Medv\\Workspace. 
@@ -66,7 +66,7 @@ Alternately, you can remove a MED-V workspace by running the `uninstall.exe` fil **Note**   If you try to uninstall the MED-V Host Agent before you uninstall the MED-V workspace, a dialog box appears that states that you must first uninstall the MED-V workspace. Click **OK** to continue. -   + **To manually uninstall the MED-V Workspace Packager** @@ -79,16 +79,16 @@ Alternately, you can remove a MED-V workspace by running the `uninstall.exe` fil **Note**   You can uninstall the MED-V Workspace Packager at any time without affecting any deployed MED-V workspaces. -   + ## Related topics [Deploy the MED-V Components](deploy-the-med-v-components.md) -  + -  + diff --git a/mdop/medv-v2/how-to-verify-first-time-setup-settings.md b/mdop/medv-v2/how-to-verify-first-time-setup-settings.md index 9c22bba9e4..e7f28b9e80 100644 --- a/mdop/medv-v2/how-to-verify-first-time-setup-settings.md +++ b/mdop/medv-v2/how-to-verify-first-time-setup-settings.md @@ -22,7 +22,7 @@ While your test of first time setup is running or after it finishes, you can ver **Note**   For information about how to monitor the successful completion of first time setup throughout your enterprise after deployment, see [Monitoring MED-V Workspace Deployments](monitoring-med-v-workspace-deployments.md). -  + **To verify settings during first time setup** @@ -51,7 +51,7 @@ For information about how to monitor the successful completion of first time set **Note**   You can close the virtual machine window at any time and first time setup continues. -   + **To verify settings after first time setup finishes** 
@@ -84,7 +84,7 @@ For information about how to monitor the successful completion of first time set **Note**   If you encounter any problems when verifying your first time setup settings, see [Operations Troubleshooting](operations-troubleshooting-medv2.md). -  + After you have verified that your first time setup settings are correct, you can test other MED-V workspace configurations to verify that they function as intended, such as application publishing and URL redirection. @@ -101,9 +101,9 @@ After you have completed all testing of your MED-V workspace package and have ve [Manage MED-V Workspace Settings](manage-med-v-workspace-settings.md) -  + -  + diff --git a/mdop/medv-v2/identifying-the-number-and-types-of-med-v-workspaces.md b/mdop/medv-v2/identifying-the-number-and-types-of-med-v-workspaces.md index 634bfd7d49..99eeb385f5 100644 --- a/mdop/medv-v2/identifying-the-number-and-types-of-med-v-workspaces.md +++ b/mdop/medv-v2/identifying-the-number-and-types-of-med-v-workspaces.md @@ -45,7 +45,7 @@ To calculate the required disk space, determine the following: **Important**   Do not use the .medv file size for your calculation because the .medv file is compressed. -   + - **Users per computer** – MED-V creates a MED-V workspace for each user on a computer; the MED-V workspace consumes disk space as each user logs on and the MED-V workspace is created. @@ -60,7 +60,7 @@ The following example shows a calculation based on three users of a MED-V worksp **Note**   A MED-V best practice is to calculate the required space by using a lab deployment to validate the requirements. -  + ### Locate the Files to Determine File Size @@ -98,7 +98,7 @@ The following locations contain the files for the computer and user settings: -  + ### Calculate the Disk Space Requirements for Shared MED-V Workspaces @@ -113,9 +113,9 @@ You can find the differencing disk and the saved state file for shared MED-V wor [Planning for MED-V](planning-for-med-v.md) -  + -  + 
diff --git a/mdop/medv-v2/installing-and-removing-an-application-on-the-med-v-workspace.md b/mdop/medv-v2/installing-and-removing-an-application-on-the-med-v-workspace.md index cd9e061d6b..6a9fb7c44b 100644 --- a/mdop/medv-v2/installing-and-removing-an-application-on-the-med-v-workspace.md +++ b/mdop/medv-v2/installing-and-removing-an-application-on-the-med-v-workspace.md @@ -32,12 +32,12 @@ After you have deployed a MED-V workspace, you have several different options av **Important**   To make sure that an installed application is automatically published to the host, install the application on the virtual machine for **All Users**. For more information about application publishing, see [How to Publish and Unpublish an Application on the MED-V Workspace](how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md). -  + **Tip**   MED-V does not support guest-to-host redirection for content handling, such as double-clicking a Microsoft Word document in Internet Explorer in the MED-V workspace. Therefore, the required applications, such as Microsoft Word, must be installed in MED-V workspace to provide the default content handling functionality that an end user might expect. -  + ## Adding and Removing Applications by Using Group Policy @@ -67,7 +67,7 @@ App-V applications that you publish to the MED-V workspace have file-type associ To force redirection of those file-type associations, query App-V for mapped file type associations by typing the following at a command prompt in the guest virtual machine: **sftmime /QUERY OBJ:TYPE**. Then, map those file type associations in the host computer. -  + ## Adding and Removing Applications on the Core Image 
@@ -79,14 +79,14 @@ For more information about how to add or remove applications on the core image, **Important**   We do not recommend this method of managing applications. If you add or remove applications on the core image and redeploy the MED-V workspace back out to your enterprise, first time setup must run again, and any data saved on the virtual machine is lost. -  + **Note**   Even though an application is installed into a MED-V workspace, you might also have to publish the application before it becomes available to the end user. For example, you might have to publish an installed application if the installation did not automatically create a shortcut on the **Start** menu. Likewise, to unpublish an application, you might have to manually remove a shortcut from the **Start** menu. By default, most applications are published at the time that they are installed, when shortcuts are automatically created and enabled. -  + ## Related topics @@ -95,9 +95,9 @@ By default, most applications are published at the time that they are installed, [How to Publish and Unpublish an Application on the MED-V Workspace](how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md) -  + -  + diff --git a/mdop/medv-v2/installing-applications-on-a-windows-virtual-pc-image.md b/mdop/medv-v2/installing-applications-on-a-windows-virtual-pc-image.md index 626d60a82c..fc9d0a46a6 100644 --- a/mdop/medv-v2/installing-applications-on-a-windows-virtual-pc-image.md +++ b/mdop/medv-v2/installing-applications-on-a-windows-virtual-pc-image.md 
@@ -24,7 +24,7 @@ The following section provides information to help you install software on the M **Caution**   For ease of MED-V workspace management after deployment, we recommend that you limit the number of components that you install on the MED-V image to those components that are required or that are helpful when using MED-V. For example, although they are not required to run MED-V, you can install an ESD system to use later for installing applications to a MED-V workspace and antivirus software for security on the image. -  + **Installing Software on a MED-V Image** @@ -41,7 +41,7 @@ For ease of MED-V workspace management after deployment, we recommend that you l **Note**   After installation is complete, you might have to close and then restart the virtual machine. -   + Repeat these steps for any software or application that you want to install on the MED-V image. We recommend that you limit the number of applications that you preinstall on the image. The recommended process for installing applications and other software on the image is to preinstall an ESD system now and to use it later to deploy software to the image. Alternately, you can also use Group Policy or App-V to add or remove applications on a MED-V workspace. For more information, see [Managing Applications Deployed to MED-V Workspaces](managing-applications-deployed-to-med-v-workspaces.md). @@ -60,9 +60,9 @@ After you have installed all of the software that you want on the MED-V image, y [Prepare a MED-V Image](prepare-a-med-v-image.md) -  + -  + diff --git a/mdop/medv-v2/managing-automatic-updates-for-med-v-workspaces.md b/mdop/medv-v2/managing-automatic-updates-for-med-v-workspaces.md index 11dce74b42..ccc7f402df 100644 --- a/mdop/medv-v2/managing-automatic-updates-for-med-v-workspaces.md +++ b/mdop/medv-v2/managing-automatic-updates-for-med-v-workspaces.md 
@@ -27,7 +27,7 @@ The MED-V workspace wake-up policy guarantees that the MED-V virtual machine is **Important**   The MED-V workspace wake-up policy is optimized for the Microsoft Update infrastructure. If you are using Microsoft System Center Configuration Manager to deploy non-Microsoft updates, we recommend that you also use the System Center Updates Publisher, which takes advantage of the same infrastructure as Microsoft Update and therefore benefits from the MED-V workspace wake-up policy. For more information, see [System Center Updates Publisher](https://go.microsoft.com/fwlink/?LinkId=200035) (https://go.microsoft.com/fwlink/?LinkId=200035). -  + When you created your MED-V workspace package, you configured when and how it starts, either when the end user logs on (**Fast Start**) or when the end user first opens a published application (**Normal Start**). Or you set the option to let the end user control this setting. @@ -38,7 +38,7 @@ However, for those cases in which **Fast Start** is not specified or the virtual **Note**   If the end user opens a published application during the update period, the required updates are applied, but MED-V is not automatically hibernated or shut down after the update period ends. Instead, MED-V continues running. -  + The MED-V workspace wake-up policy includes three main components: @@ -67,7 +67,7 @@ For more information about how to define your MED-V configuration values, see [M **Note**   A MED-V best practice is to set your wake up interval to match the time when MED-V virtual machines are planned to be updated regularly. In addition, we recommend that you configure these settings to resemble the host computer’s behavior. -  + ### Reboot Notification Using your ESD System 
@@ -76,7 +76,7 @@ You can configure your ESD system to notify MED-V whenever a restart is required **Important**   You must open the event with Modify Only rights and then signal it. If you do not open it with the correct permissions, it does not work. -  + ``` syntax /// @@ -97,9 +97,9 @@ When you signal this event, MED-V captures it and informs the virtual machine th [Managing Software Updates for MED-V Workspaces](managing-software-updates-for-med-v-workspaces.md) -  + -  + diff --git a/mdop/medv-v2/managing-med-v-workspace-configuration-settings.md b/mdop/medv-v2/managing-med-v-workspace-configuration-settings.md index 47165531df..c9a2d28a4c 100644 --- a/mdop/medv-v2/managing-med-v-workspace-configuration-settings.md +++ b/mdop/medv-v2/managing-med-v-workspace-configuration-settings.md @@ -33,12 +33,12 @@ If the value is still not found, MED-V uses the default. A general best practice is to set the value in the HKEY\_LOCAL\_MACHINE\\System hive or in the machine policy. But if you want the end user to be able to configure a particular setting, then you should leave it out. -**Note**   +**Note** Before you deploy your MED-V workspaces, you can use a script editor to change the Windows PowerShell script (.ps1 file) that the MED-V workspace packager created. For more information, see [Configuring Advanced Settings by Using Windows PowerShell](configuring-advanced-settings-by-using-windows-powershell.md). After you have deployed your MED-V workspaces, you can change certain MED-V configuration settings by editing the registry entries. -  + This section lists all the configurable MED-V registry keys and explains their uses. @@ -56,23 +56,23 @@ The following table provides information about the registry values associated wi -Name  -Type  -Data/Default  -Description  +Name +Type +Data/Default +Description -

    EventLogLevel 

    -

    DWORD 

    +

    EventLogLevel

    +

    DWORD

    Default=3

    The type of information that is logged in the event log. Levels include the following: 0 (None), 1 (Error), 2 (Warning), 3 (Information), 4 (Debug).

    -  + ## Fts Key @@ -96,28 +96,28 @@ The following table provides information about the registry values associated wi -

    AddUserToAdminGroupEnabled 

    +

    AddUserToAdminGroupEnabled

    DWORD

    Default=0

    -

    Configures whether first time setup automatically adds the end user to the administrator's group. 0 = false; 1 = true.

    +

    Configures whether first time setup automatically adds the end user to the administrator's group. 0 = false; 1 = true.

    -

    0 = false: First time setup does not automatically add the end user to the administrator's group.

    +

    0 = false: First time setup does not automatically add the end user to the administrator's group.

    -

    1 = true: First time setup automatically adds the end user to the administrator's group.

    +

    1 = true: First time setup automatically adds the end user to the administrator's group.

    -

    ComputerNameMask 

    +

    ComputerNameMask

    SZ

    -

    MEDV* 

    -

    The computer name mask that is used to create the guest virtual machine's computer name.

    +

    MEDV*

    +

    The computer name mask that is used to create the guest virtual machine's computer name.

    @@ -131,67 +131,67 @@ The following table provides information about the registry values associated wi

    DeleteVMStateTimeout

    DWORD

    Default=90

    -

    The time-out value, in seconds, when first time setup tries to delete the virtual machine. Range = 0 to 2147483647.

    +

    The time-out value, in seconds, when first time setup tries to delete the virtual machine. Range = 0 to 2147483647.

    DetachVfdTimeout

    DWORD

    Default=120

    -

    The time-out value, in seconds, when first time setup tries to detach the virtual floppy disk from the virtual machine. Range = 0 to 2147483647.

    +

    The time-out value, in seconds, when first time setup tries to detach the virtual floppy disk from the virtual machine. Range = 0 to 2147483647.

    -

    DialogUrl 

    +

    DialogUrl

    SZ

    -

    Customizable URL that links to internal webpage and is displayed by first time setup dialog messages. 

    +

    Customizable URL that links to internal webpage and is displayed by first time setup dialog messages.

    ExplorerTimeout

    DWORD

    Default=900

    -

    The time-out value, in seconds, that first time setup waits for Windows Explorer. Range = 0 to 2147483647.

    +

    The time-out value, in seconds, that first time setup waits for Windows Explorer. Range = 0 to 2147483647.

    -

    FailureDialogMsg 

    +

    FailureDialogMsg

    MULTI_SZ

    -

    Message is found in resource file 

    +

    Message is found in resource file

    Customizable message that is displayed to the end user when first time setup cannot be completed.

    -

    GiveUserGroupRightsMaxRetryCount 

    -

    DWORD 

    +

    GiveUserGroupRightsMaxRetryCount

    +

    DWORD

    Default=3

    The maximum number of times that MED-V tries to give an end user group rights. Exceeding the specified retry value without being able to successfully give an end user group rights most likely causes a virtual machine preparation failure that is then subject to the MaxRetryCount value. Range = 0 to 2147483647.

    -

    GiveUserGroupRightsTimeout 

    +

    GiveUserGroupRightsTimeout

    DWORD

    Default=300

    -

    The time-out value, in seconds, when giving a user group rights. Range = 0 to 2147483647.

    +

    The time-out value, in seconds, when giving a user group rights. Range = 0 to 2147483647.

    -

    LogFilePaths 

    +

    LogFilePaths

    MULTI_SZ

    -

    A list of the log file paths that MED-V collects during first time setup. 

    +

    A list of the log file paths that MED-V collects during first time setup.

    -

    MaxPostponeTime 

    +

    MaxPostponeTime

    DWORD

    Default=120

    -

    The maximum number of hours that first time setup can be postponed by the end user. Range = 0 to 2147483647.

    +

    The maximum number of hours that first time setup can be postponed by the end user. Range = 0 to 2147483647.

    -

    MaxRetryCount 

    +

    MaxRetryCount

    DWORD

    Default=3

    The maximum number of times that MED-V tries to prepare a virtual machine if each attempt ends in a failure other than a software error. When virtual machine preparation fails and the number of first time setup retries is exceeded, then MED-V informs the end user about the failure and does not give the option to retry. The count is re-set every time that MED-V is started. Range = 0 to 2147483647.

    -

    Mode 

    +

    Mode

    SZ

    Default=Unattended

    -

    Configures how first time setup interacts with the user. Possible values are as follows:

    +

    Configures how first time setup interacts with the user. Possible values are as follows:

    @@ -199,11 +199,10 @@ The following table provides information about the registry values associated wi

    Attended. The end user must enter information during first time setup.

    -Note   -

    If you created the Sysprep.inf file so that Mini-Setup requires user input to complete, then you must select Attended mode or problems might occur during first time setup.

    +Note

    If you created the Sysprep.inf file so that Mini-Setup requires user input to complete, then you must select Attended mode or problems might occur during first time setup.

    -  +
    @@ -219,34 +218,34 @@ The following table provides information about the registry values associated wi

    Silent. The virtual machine is not shown to the end user at all during first time setup.

    -

    NonInteractiveRetryTimeoutInc 

    +

    NonInteractiveRetryTimeoutInc

    DWORD

    Default=15

    -

    The time-out value, in minutes, that first time setup must be completed in first time setup interactive mode when re-attempting setup. Range = 0 to 2147483647.

    +

    The time-out value, in minutes, that first time setup must be completed in first time setup interactive mode when re-attempting setup. Range = 0 to 2147483647.

    -

    NonInteractiveTimeout 

    +

    NonInteractiveTimeout

    DWORD

    Default=45

    -

    The time-out value, in minutes, that first time setup must be completed in first time setup interactive mode. Range = 0 to 2147483647.

    +

    The time-out value, in minutes, that first time setup must be completed in first time setup interactive mode. Range = 0 to 2147483647.

    -

    PostponeUtcDateTimeLimit 

    +

    PostponeUtcDateTimeLimit

    SZ

    -

    The date and time, in UTC DateTime format, that first time setup can be postponed. Enter in the format "yyyy-MM-dd hh:mm" with hours specified by using the 24-hour clock standard.

    +

    The date and time, in UTC DateTime format, that first time setup can be postponed. Enter in the format "yyyy-MM-dd hh:mm" with hours specified by using the 24-hour clock standard.

    -

    RetryDialogMsg 

    +

    RetryDialogMsg

    MULTI_SZ

    -

    Message is found in resource file 

    +

    Message is found in resource file

    Customizable message that is displayed to the end user when first time setup must re-attempt setup.

    -

    SetComputerNameEnabled 

    +

    SetComputerNameEnabled

    DWORD

    Default=0

    -

    Configures whether the ComputerName entry under the [UserData] section of the Sysprep.inf file in the guest should be updated according to the specified ComputerNameMask.   0 = false; 1 = true.

    +

    Configures whether the ComputerName entry under the [UserData] section of the Sysprep.inf file in the guest should be updated according to the specified ComputerNameMask. 0 = false; 1 = true.

    @@ -261,10 +260,10 @@ The following table provides information about the registry values associated wi

    1 = true: The ComputerName entry in the Sysprep.inf file is updated according to the ComputerNameMask.

    -

    SetJoinDomainEnabled 

    +

    SetJoinDomainEnabled

    DWORD

    Default=0

    -

    Configures whether the JoinDomain setting under the [Identification] section of the Sysprep.inf file in the guest should be updated to match the settings on the host.  0 = false; 1 = true.

    +

    Configures whether the JoinDomain setting under the [Identification] section of the Sysprep.inf file in the guest should be updated to match the settings on the host. 0 = false; 1 = true.

    @@ -279,10 +278,10 @@ The following table provides information about the registry values associated wi

    1 = true: The JoinDomain setting in the Sysprep.inf file is updated to match the settings on the host.

    -

    SetMachineObjectOUEnabled 

    +

    SetMachineObjectOUEnabled

    DWORD

    Default=0

    -

    Configures whether the MachineObjectOU setting under the [Identification] section of the Sysprep.inf file in the guest is updated to match the host.  0 = false; 1 = true.

    +

    Configures whether the MachineObjectOU setting under the [Identification] section of the Sysprep.inf file in the guest is updated to match the host. 0 = false; 1 = true.

    @@ -297,16 +296,15 @@ The following table provides information about the registry values associated wi

    1 = true: The MachineObjectOU setting in the Sysprep.inf file is updated to match the settings on the host.

    -

    SetRegionalSettingsEnabled 

    +

    SetRegionalSettingsEnabled

    DWORD

    Default=0

    -

    Configures whether the settings under the [RegionalSettings] section of the Sysprep.inf file in the guest are updated to match the host.  0 = false; 1 = true.

    +

    Configures whether the settings under the [RegionalSettings] section of the Sysprep.inf file in the guest are updated to match the host. 0 = false; 1 = true.

    -Note   -

    By default, the setting for TimeZone in the guest is always synchronized with the TimeZone setting in the host.

    +Note

    By default, the setting for TimeZone in the guest is always synchronized with the TimeZone setting in the host.

    -  +
    @@ -322,10 +320,10 @@ The following table provides information about the registry values associated wi

    1 = true: The settings under the [RegionalSettings] section of the Sysprep.inf file in the guest are updated to match the host.

    -

    SetUserDataEnabled 

    +

    SetUserDataEnabled

    DWORD

    Default=0

    -

    Configures whether the FullName and the OrgName settings under the [UserData] section of the Sysprep.inf file in the guest are updated to match the settings on the host.  0 = false; 1 = true.

    +

    Configures whether the FullName and the OrgName settings under the [UserData] section of the Sysprep.inf file in the guest are updated to match the settings on the host. 0 = false; 1 = true.

    @@ -340,22 +338,22 @@ The following table provides information about the registry values associated wi

    1 = true: The FullName and OrgName settings in the Sysprep.inf file are updated to match the settings on the host.

    -

    StartDialogMsg 

    +

    StartDialogMsg

    MULTI_SZ

    -

    Message is found in resource file 

    -

    Customizable message that is displayed to the end user when first time setup is ready to start. 

    +

    Message is found in resource file

    +

    Customizable message that is displayed to the end user when first time setup is ready to start.

    TaskCancelTimeout

    DWORD

    Default=30

    -

    The time-out value, in seconds, that first time setup waits for a response from the virtual machine for a Cancel operation. Range = 0 to 2147483647.

    +

    The time-out value, in seconds, that first time setup waits for a response from the virtual machine for a Cancel operation. Range = 0 to 2147483647.

    TaskVMTurnOffTimeout

    DWORD

    Default=60

    -

    The time-out value, in seconds, that first time setup waits for the virtual machine to shut down. Range = 0 to 2147483647.

    +

    The time-out value, in seconds, that first time setup waits for the virtual machine to shut down. Range = 0 to 2147483647.

    UpgradeTimeout

    @@ -366,7 +364,7 @@ The following table provides information about the registry values associated wi -  + ## UserExperience Key @@ -390,10 +388,10 @@ The following table provides information about the registry values associated wi -

    AppPublishingEnabled 

    +

    AppPublishingEnabled

    DWORD

    Default=1

    -

    Configures whether application publication from the guest to the host is enabled.  0 = false; 1 = true.

    +

    Configures whether application publication from the guest to the host is enabled. 0 = false; 1 = true.

    @@ -408,10 +406,10 @@ The following table provides information about the registry values associated wi

    1 = true: Enables application publishing from the guest to the host.

    -

    AudioSharingEnabled 

    +

    AudioSharingEnabled

    DWORD

    Default=1

    -

    Configures whether the sharing of the audio I/O device between the guest and the host is enabled.  0 = false; 1 = true.

    +

    Configures whether the sharing of the audio I/O device between the guest and the host is enabled. 0 = false; 1 = true.

    @@ -426,10 +424,10 @@ The following table provides information about the registry values associated wi

    1 = true: Enables the sharing of the audio I/O device between the guest and the host.

    -

    ClipboardSharingEnabled 

    +

    ClipboardSharingEnabled

    DWORD

    Default=1

    -

    Configures whether the sharing of the Clipboard between the guest and the host is enabled.  0 = false; 1 = true.

    +

    Configures whether the sharing of the Clipboard between the guest and the host is enabled. 0 = false; 1 = true.

    @@ -447,7 +445,7 @@ The following table provides information about the registry values associated wi

    DialogTimeout

    DWORD

    Default=300

    -

    The time, in seconds, before the first time setup Start Dialog times out. Range = 0 to 2147483647.

    +

    The time, in seconds, before the first time setup Start Dialog times out. Range = 0 to 2147483647.

    HideVmTimeout

    @@ -456,10 +454,10 @@ The following table provides information about the registry values associated wi

    The time-out value, in minutes, that the full-screen virtual machine window is hidden from the end user during a long logon attempt.

    -

    LogonStartEnabled 

    +

    LogonStartEnabled

    DWORD

    Default=1

    -

    Configures whether the guest should be started when the end user logs on to the desktop or when the first guest application is started.  0 = false; 1 = true.

    +

    Configures whether the guest should be started when the end user logs on to the desktop or when the first guest application is started. 0 = false; 1 = true.

    @@ -474,10 +472,10 @@ The following table provides information about the registry values associated wi

    1 = true: The guest is started when the end user logs on to the desktop.

    -

    PrinterSharingEnabled 

    +

    PrinterSharingEnabled

    DWORD

    Default=1

    -

    Configures whether the sharing of printers between the guest and the host is enabled.  0 = false; 1 = true.

    +

    Configures whether the sharing of printers between the guest and the host is enabled. 0 = false; 1 = true.

    @@ -492,16 +490,16 @@ The following table provides information about the registry values associated wi

    1 = true: Enables the sharing of printers between the guest and the host.

    -

    RebootAbsoluteDelayTimeout 

    +

    RebootAbsoluteDelayTimeout

    DWORD

    Default=1440

    -

    The time-out value, in minutes, that first time setup waits for a restart. Range = 0 to 2147483647.

    +

    The time-out value, in minutes, that first time setup waits for a restart. Range = 0 to 2147483647.

    -

    RedirectUrls 

    +

    RedirectUrls

    MULTI_SZ

    Specified URL list

    -

    Specifies a list of URLs to be redirected from the host to the guest. 

    +

    Specifies a list of URLs to be redirected from the host to the guest.

    SmartCardLogonEnabled

    @@ -521,18 +519,17 @@ The following table provides information about the registry values associated wi

    1 = true: Lets Smart Cards authenticate end users to MED-V.

    -Important   -

    If SmartCardLogonEnabled and CredentialCacheEnabled are both enabled, SmartCardLogonEnabled overrides CredentialCacheEnabled.

    +Important

    If SmartCardLogonEnabled and CredentialCacheEnabled are both enabled, SmartCardLogonEnabled overrides CredentialCacheEnabled.

    -  +
    -

    SmartCardSharingEnabled 

    +

    SmartCardSharingEnabled

    DWORD

    Default=1

    -

    Configures whether the sharing of Smart Cards between the guest and the host is enabled.  0 = false; 1 = true.

    +

    Configures whether the sharing of Smart Cards between the guest and the host is enabled. 0 = false; 1 = true.

    @@ -547,10 +544,10 @@ The following table provides information about the registry values associated wi

    1 = true: Enables the sharing of Smart Cards between the guest and the host.

    -

    USBDeviceSharingEnabled 

    +

    USBDeviceSharingEnabled

    DWORD

    Default=1

    -

    Configures whether the sharing of USB devices between the guest and the host is enabled.  0 = false; 1 = true.

    +

    Configures whether the sharing of USB devices between the guest and the host is enabled. 0 = false; 1 = true.

    @@ -567,7 +564,7 @@ The following table provides information about the registry values associated wi -  + ## VM Key @@ -591,10 +588,10 @@ The following table provides information about the registry values associated wi -

    CloseAction 

    +

    CloseAction

    SZ

    Default=HIBERNATE

    -

    The action that the virtual machine performs after the last application that is running is closed. This setting is ignored if the LogonStartEnabled value is enabled. Possible options are as follows:

    +

    The action that the virtual machine performs after the last application that is running is closed. This setting is ignored if the LogonStartEnabled value is enabled. Possible options are as follows:

    @@ -615,36 +612,36 @@ The following table provides information about the registry values associated wi

    TURN-OFF. This option can cause data loss because it is the same as turning off the power button or pulling out the power cord on a physical computer. Use this option only if you cannot use one of the other two options.

    -

    GuestMemFromHostMem 

    +

    GuestMemFromHostMem

    MULTI_SZ

    -

    378, 512, 1024, 1536, 2048 

    -

    A list of memory (MB) values for the guest. This value is used to determine how much RAM is available to the guest. Combined with HostMemToGuestMem, a lookup table is created to determine how much RAM to allocate on the guest virtual machine. Possible values can be from 128 to 3712.

    +

    378, 512, 1024, 1536, 2048

    +

    A list of memory (MB) values for the guest. This value is used to determine how much RAM is available to the guest. Combined with HostMemToGuestMem, a lookup table is created to determine how much RAM to allocate on the guest virtual machine. Possible values can be from 128 to 3712.

    -

    GuestUpdateDuration 

    +

    GuestUpdateDuration

    DWORD

    Default=240

    -

    The number of minutes that MED-V should keep the guest awake for automatic updating, starting at the time specified in the GuestUpdateTime value. Range = 0 to 1440. Setting this value to zero (0) disables the guest patching functionality.

    -

    For more information about guest patching for automatic updating, see [Managing Automatic Updates for MED-V Workspaces](managing-automatic-updates-for-med-v-workspaces.md).

    +

    The number of minutes that MED-V should keep the guest awake for automatic updating, starting at the time specified in the GuestUpdateTime value. Range = 0 to 1440. Setting this value to zero (0) disables the guest patching functionality.

    +

    For more information about guest patching for automatic updating, see Managing Automatic Updates for MED-V Workspaces.

    -

    GuestUpdateTime 

    +

    GuestUpdateTime

    SZ

    Default=00:00

    -

    The hour and minute each day when MED-V should wake up the guest for automatic updating, by using the 24-hour clock standard. Specify the time in the format HH:MM  

    -

    For more information about guest patching for automatic updating, see [Managing Automatic Updates for MED-V Workspaces](managing-automatic-updates-for-med-v-workspaces.md).

    +

    The hour and minute each day when MED-V should wake up the guest for automatic updating, by using the 24-hour clock standard. Specify the time in the format HH:MM

    +

    For more information about guest patching for automatic updating, see Managing Automatic Updates for MED-V Workspaces.

    -

    HostMemToGuestMem 

    +

    HostMemToGuestMem

    MULTI_SZ

    -

    1024, 2048, 4096, 8192, 16384 

    -

    A list of memory (MB) values for the guest, determined by the RAM available on the host. Combined with GuestMemFromHostMem, a lookup table is created to determine how much RAM to allocate on the guest virtual machine. Possible values can be from 1024 to 16384.

    +

    1024, 2048, 4096, 8192, 16384

    +

    A list of memory (MB) values for the guest, determined by the RAM available on the host. Combined with GuestMemFromHostMem, a lookup table is created to determine how much RAM to allocate on the guest virtual machine. Possible values can be from 1024 to 16384.

    HostMemToGuestMemCalcEnabled

    DWORD

    Default=1

    -

    Configures whether the memory allocated for the guest is calculated from the memory present on the host.  0 = false; 1 = true.

    +

    Configures whether the memory allocated for the guest is calculated from the memory present on the host. 0 = false; 1 = true.
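Review bot: the + lines for GuestUpdateDuration and GuestUpdateTime drop the cross-reference link that the - lines carried, replacing `[Managing Automatic Updates for MED-V Workspaces](managing-automatic-updates-for-med-v-workspaces.md)` with the bare words "Managing Automatic Updates for MED-V Workspaces". For a whitespace-only cleanup that is an unintended content change, so restore the link target in both rows so readers can still reach the guest-patching topic.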

    @@ -659,16 +656,16 @@ The following table provides information about the registry values associated wi

    1 = true: The memory allocated for the guest is calculated from the memory present on the host.

    -

    Memory 

    +

    Memory

    DWORD

    Default=512

    -

    The RAM (MB) that should be allocated for the guest virtual machine. This setting is ignored if the HostMemToGuestMemEnabled setting is enabled. Range=128 to 2048.

    +

    The RAM (MB) that should be allocated for the guest virtual machine. This setting is ignored if the HostMemToGuestMemEnabled setting is enabled. Range=128 to 2048.

    -

    MultiUserEnabled 

    +

    MultiUserEnabled

    DWORD

    Default=0

    -

    Configures whether multiple users share the same MED-V workspace.  0 = false; 1 = true.

    +

    Configures whether multiple users share the same MED-V workspace. 0 = false; 1 = true.
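Review bot: the + line for Memory still says the value is ignored "if the HostMemToGuestMemEnabled setting is enabled", but the value defined in the preceding hunk is HostMemToGuestMemCalcEnabled. Since this line is already being rewritten, correct the name so the two table rows agree and readers can locate the right registry value.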

    @@ -683,10 +680,10 @@ The following table provides information about the registry values associated wi

    1 = true: Multiple users share the same MED-V workspace.

    -

    NetworkingMode 

    +

    NetworkingMode

    SZ

    Default=NAT

    -

    The kind of network connection used on the guest. Possible values are as follows:

    +

    The kind of network connection used on the guest. Possible values are as follows:

    @@ -698,18 +695,18 @@ The following table provides information about the registry values associated wi

    -

    NAT. MED-V uses Network Address Translation (NAT) to share the host's IP for outgoing traffic.

    +

    NAT. MED-V uses Network Address Translation (NAT) to share the host's IP for outgoing traffic.

    -

    TaskTimeout 

    +

    TaskTimeout

    DWORD

    Default=600

    -

    A general time-out value, in seconds, that MED-V waits for a task to be completed, such as restarting and shutting down. Range = 0 to 2147483647.

    +

    A general time-out value, in seconds, that MED-V waits for a task to be completed, such as restarting and shutting down. Range = 0 to 2147483647.

    -  + ## Guest Registry Settings @@ -729,17 +726,17 @@ The following table provides information about the guest registry value associat -Name  -Type  -Data/Default  +Name +Type +Data/Default Description

    EnableGPWorkarounds

    -

    DWORD 

    -

    Default=1 

    +

    DWORD

    +

    Default=1

    Configures how MED-V handles the keys BufferPolicyReads and GroupPolicyMinTransferRate.

    @@ -748,13 +745,12 @@ The following table provides information about the guest registry value associat

    By default, MED-V sets these keys as follows:

    BufferPolicyReads=1 and GroupPolicyMinTransferRate=0.

    -

    Create the EnableGPWorkarounds  key, if it is necessary, and set the key to zero if you do not want MED-V to change the default settings of BufferPolicyReads and GroupPolicyMinTransferRate.

    +

    Create the EnableGPWorkarounds key, if it is necessary, and set the key to zero if you do not want MED-V to change the default settings of BufferPolicyReads and GroupPolicyMinTransferRate.

    -Note   -

    If your MED-V workspace is running in NAT mode, EnableGPWorkarounds affects the registry keys BufferPolicyReads and GroupPolicyMinTransferRate. If your MED-V workspace is running in BRIDGED mode, EnableGPWorkarounds only affects the registry key BufferPolicyReads.

    +Note

    If your MED-V workspace is running in NAT mode, EnableGPWorkarounds affects the registry keys BufferPolicyReads and GroupPolicyMinTransferRate. If your MED-V workspace is running in BRIDGED mode, EnableGPWorkarounds only affects the registry key BufferPolicyReads.

    -  +

    1=true: MED-V sets the keys BufferPolicyReads=1 and GroupPolicyMinTransferRate=0 (if running in NAT mode) or just BufferPolicyReads=1 (if running in BRIDGED mode).

    0=false: MED-V does not make any changes to the keys BufferPolicyReads and GroupPolicyMinTransferRate.

    @@ -762,7 +758,7 @@ The following table provides information about the guest registry value associat -  + ## Related topics @@ -773,9 +769,9 @@ The following table provides information about the guest registry value associat [Manage MED-V Workspace Settings](manage-med-v-workspace-settings.md) -  - -  + + + diff --git a/mdop/medv-v2/managing-med-v-workspace-settings-by-using-a-wmi.md b/mdop/medv-v2/managing-med-v-workspace-settings-by-using-a-wmi.md index 77ab2350c8..4ceab3afe3 100644 --- a/mdop/medv-v2/managing-med-v-workspace-settings-by-using-a-wmi.md +++ b/mdop/medv-v2/managing-med-v-workspace-settings-by-using-a-wmi.md @@ -29,7 +29,7 @@ The WMI provider is implemented in the **root\\microsoft\\medv** namespace and i **Caution**   WMI browsing tools can be used to delete or modify classes and instances. Deleting or modifying certain classes and instances can result in the loss of valuable data and cause MED-V to function unpredictably. -  + You can use your preferred WMI browsing tool to view and edit MED-V configuration settings by following these steps. @@ -56,7 +56,7 @@ After you have finished viewing or editing MED-V configuration settings, close t **Important**   In some cases, a restart of the MED-V workspace is required for changes to MED-V configuration settings to take effect. -  + The following code shows the Managed Object Format (MOF) file that defines the **Setting** class. 
@@ -64,9 +64,9 @@ The following code shows the Managed Object Format (MOF) file that defines the * [dynamic: ToInstance, provider("TroubleShooting, Version=2.0.392.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"), singleton: DisableOverride ToInstance ToSubClass] class Setting : ConfigValueProvider { -                boolean UxSmartCardLogonEnabled = TRUE; -                [read] string User; -                [implemented] void Clear([in] string propertyName); + boolean UxSmartCardLogonEnabled = TRUE; + [read] string User; + [implemented] void Clear([in] string propertyName); }; ``` 
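Review bot: check the indentation of the class body inside this fenced MOF block: the + lines show a single leading space (`+ boolean UxSmartCardLogonEnabled = TRUE;`) where the - lines carried a full indent, so confirm that the replacement whitespace keeps the members indented (for example four regular spaces) rather than collapsing them, because a code fence renders whitespace literally. The same check applies to the ConfigValueProvider hunk that follows, where every `[write]` member line is changed in the same way.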
@@ -76,55 +76,55 @@ The **Setting** class inherits from the **ConfigValueProvider** class. The follo [abstract] class ConfigValueProvider { -                [write] string DiagEventLogLevel; -                [write] boolean FtsAddUserToAdminGroupEnabled; -                [write] string FtsComputerNameMask; -                [write] sint32 FtsDeleteVMStateTimeout; -                [write] sint32 FtsDetachVfdTimeout; -                [write] string FtsDialogUrl; -                [write] sint32 FtsExplorerTimeout; -                [write] string FtsFailureDialogMsg; -                [write] string FtsLogFilePaths[]; -                [write] sint32 FtsMaxPostponeTime; -                [write] sint32 FtsMaxRetryCount; -                [write] string FtsMode; -                [write] sint32 FtsNonInteractiveRetryTimeoutInc; -                [write] sint32 FtsNonInteractiveTimeout; -                [write] string FtsPostponeUtcDateTimeLimit; -                [write] string FtsRetryDialogMsg; -                [write] boolean FtsSetComputerNameEnabled; -                [write] boolean FtsSetJoinDomainEnabled; -                [write] boolean FtsSetMachineObjectOUEnabled; -                [write] boolean FtsSetRegionalSettingsEnabled; -                [write] boolean FtsSetUserDataEnabled; -                [write] string FtsStartDialogMsg; -                [write] sint32 FtsTaskCancelTimeout; -                [write] sint32 FtsTaskVMTurnOffTimeout; -                [write] sint32 FtsUpgradeTimeout; -                [write] boolean UxAppPublishingEnabled; -                [write] boolean UxAudioSharingEnabled; -                [write] boolean UxClipboardSharingEnabled; -                [write] boolean UxCredentialCacheEnabled; -                [write] sint32 UxDialogTimeout; -                [write] sint32 UxHideVmTimeout; -                [write] boolean UxLogonStartEnabled; -                [write] boolean UxPrinterSharingEnabled; -                [write] sint32 
UxRebootAbsoluteDelayTimeout; -                [write] string UxRedirectUrls[]; -                [write] boolean UxShowExit; -                [write] boolean UxSmartCardLogonEnabled; -                [write] boolean UxSmartCardSharingEnabled; -                [write] boolean UxUSBDeviceSharingEnabled; -                [write] string VmCloseAction; -                [write] sint32 VmGuestMemFromHostMem[]; -                [write] sint32 VmGuestUpdateDuration; -                [write] string VmGuestUpdateTime; -                [write] sint32 VmHostMemToGuestMem[]; -                [write] boolean VmHostMemToGuestMemCalcEnabled; -                [write] sint32 VmMemory; -                [write] boolean VmMultiUserEnabled; -                [write] string VmNetworkingMode; -                [write] sint32 VmTaskTimeout; + [write] string DiagEventLogLevel; + [write] boolean FtsAddUserToAdminGroupEnabled; + [write] string FtsComputerNameMask; + [write] sint32 FtsDeleteVMStateTimeout; + [write] sint32 FtsDetachVfdTimeout; + [write] string FtsDialogUrl; + [write] sint32 FtsExplorerTimeout; + [write] string FtsFailureDialogMsg; + [write] string FtsLogFilePaths[]; + [write] sint32 FtsMaxPostponeTime; + [write] sint32 FtsMaxRetryCount; + [write] string FtsMode; + [write] sint32 FtsNonInteractiveRetryTimeoutInc; + [write] sint32 FtsNonInteractiveTimeout; + [write] string FtsPostponeUtcDateTimeLimit; + [write] string FtsRetryDialogMsg; + [write] boolean FtsSetComputerNameEnabled; + [write] boolean FtsSetJoinDomainEnabled; + [write] boolean FtsSetMachineObjectOUEnabled; + [write] boolean FtsSetRegionalSettingsEnabled; + [write] boolean FtsSetUserDataEnabled; + [write] string FtsStartDialogMsg; + [write] sint32 FtsTaskCancelTimeout; + [write] sint32 FtsTaskVMTurnOffTimeout; + [write] sint32 FtsUpgradeTimeout; + [write] boolean UxAppPublishingEnabled; + [write] boolean UxAudioSharingEnabled; + [write] boolean UxClipboardSharingEnabled; + [write] boolean UxCredentialCacheEnabled; + 
[write] sint32 UxDialogTimeout; + [write] sint32 UxHideVmTimeout; + [write] boolean UxLogonStartEnabled; + [write] boolean UxPrinterSharingEnabled; + [write] sint32 UxRebootAbsoluteDelayTimeout; + [write] string UxRedirectUrls[]; + [write] boolean UxShowExit; + [write] boolean UxSmartCardLogonEnabled; + [write] boolean UxSmartCardSharingEnabled; + [write] boolean UxUSBDeviceSharingEnabled; + [write] string VmCloseAction; + [write] sint32 VmGuestMemFromHostMem[]; + [write] sint32 VmGuestUpdateDuration; + [write] string VmGuestUpdateTime; + [write] sint32 VmHostMemToGuestMem[]; + [write] boolean VmHostMemToGuestMemCalcEnabled; + [write] sint32 VmMemory; + [write] boolean VmMultiUserEnabled; + [write] string VmNetworkingMode; + [write] sint32 VmTaskTimeout; }; ``` @@ -135,9 +135,9 @@ class ConfigValueProvider [Manage MED-V Workspace Settings](manage-med-v-workspace-settings.md) -  + -  + diff --git a/mdop/medv-v2/managing-med-v-workspace-settings-by-using-the-med-v-workspace-packager.md b/mdop/medv-v2/managing-med-v-workspace-settings-by-using-the-med-v-workspace-packager.md index a9bf24e246..f82ac07a75 100644 --- a/mdop/medv-v2/managing-med-v-workspace-settings-by-using-the-med-v-workspace-packager.md +++ b/mdop/medv-v2/managing-med-v-workspace-settings-by-using-the-med-v-workspace-packager.md 
@@ -21,67 +21,65 @@ You can use the MED-V Workspace Packager to manage certain settings in the MED-V **To manage settings in a MED-V workspace** -1. To open the **MED-V Workspace Packager**, click **Start**, click **All Programs**, click **Microsoft Enterprise Desktop Virtualization**, and then click **MED-V Workspace Packager**. +1. To open the **MED-V Workspace Packager**, click **Start**, click **All Programs**, click **Microsoft Enterprise Desktop Virtualization**, and then click **MED-V Workspace Packager**. -2. On the **MED-V Workspace Packager** main panel, click **Manage Settings**. +2. On the **MED-V Workspace Packager** main panel, click **Manage Settings**. -3. In the **Manage Settings** window, you can configure the following MED-V workspace settings: +3. In the **Manage Settings** window, you can configure the following MED-V workspace settings: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Start MED-V workspace

    Choose whether to start the MED-V workspace at user logon, at first use, or to let the end user decide when the MED-V workspace starts.

    The MED-V workspace starts in one of two ways: either when the end user logs on or when they first perform an action that requires MED-V, such as opening a published application or entering a URL that requires redirection.

    -

    You can either define this setting for the end user or let the end user control how MED-V starts.

    -
    - Note   -

    If you specify that the end user decides, the default behavior they experience is that the MED-V workspace starts when they log on. They can change the default by right-clicking the MED-V icon in the notification area and selecting MED-V User Settings. If you define this setting for the end user, they cannot change the way in which MED-V starts.

    -
    -
    -   -

    Networking

    Select Shared or Bridged for your networking setting. The default is Shared.

    Shared - The MED-V workspace uses Network Address Translation (NAT) to share the host's IP for outgoing traffic.

    -

    Bridged - The MED-V workspace has its own network address, typically obtained through DHCP.

    Store credentials

    Choose whether you want to store the end user credentials.

    The default behavior is that credential storing is disabled so that the end user must be authenticated every time that they log on.

    -
    - Important   -

    Even though caching the end user’s credentials provides the best user experience, you should be aware of the risks involved.

    -

    The end user’s domain credential is stored in a reversible format in the Windows Credential Manager. An attacker could write a program that retrieves the password and thus gain access to the user’s credentials. You can only lessen this risk by disabling the storing of end user credentials.

    -
    -
    -   -
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Start MED-V workspace

    Choose whether to start the MED-V workspace at user logon, at first use, or to let the end user decide when the MED-V workspace starts.

    The MED-V workspace starts in one of two ways: either when the end user logs on or when they first perform an action that requires MED-V, such as opening a published application or entering a URL that requires redirection.

    +

    You can either define this setting for the end user or let the end user control how MED-V starts.

    +
    + Note

    If you specify that the end user decides, the default behavior they experience is that the MED-V workspace starts when they log on. They can change the default by right-clicking the MED-V icon in the notification area and selecting MED-V User Settings. If you define this setting for the end user, they cannot change the way in which MED-V starts.

    +
    +
    -   +

    Networking

    Select Shared or Bridged for your networking setting. The default is Shared.

    Shared - The MED-V workspace uses Network Address Translation (NAT) to share the host's IP for outgoing traffic.

    +

    Bridged - The MED-V workspace has its own network address, typically obtained through DHCP.

    Store credentials

    Choose whether you want to store the end user credentials.

    The default behavior is that credential storing is disabled so that the end user must be authenticated every time that they log on.

    +
    + Important

    Even though caching the end user’s credentials provides the best user experience, you should be aware of the risks involved.

    +

    The end user’s domain credential is stored in a reversible format in the Windows Credential Manager. An attacker could write a program that retrieves the password and thus gain access to the user’s credentials. You can only lessen this risk by disabling the storing of end user credentials.

    +
    +
    -4. Click **Save as…** to save the updated configuration settings in the specified folder. MED-V creates a registry file that contains the updated settings. Deploy the updated registry file by using Group Policy. For more information about how to use Group Policy, see [Group Policy Software Installation](https://go.microsoft.com/fwlink/?LinkId=195931) (https://go.microsoft.com/fwlink/?LinkId=195931). +
    - MED-V also creates a Windows PowerShell script in the specified folder that you can use to re-create this updated registry file. + + +4. Click **Save as…** to save the updated configuration settings in the specified folder. MED-V creates a registry file that contains the updated settings. Deploy the updated registry file by using Group Policy. For more information about how to use Group Policy, see [Group Policy Software Installation](https://go.microsoft.com/fwlink/?LinkId=195931) (https://go.microsoft.com/fwlink/?LinkId=195931). + + MED-V also creates a Windows PowerShell script in the specified folder that you can use to re-create this updated registry file. ## Related topics @@ -90,9 +88,9 @@ You can use the MED-V Workspace Packager to manage certain settings in the MED-V [Manage MED-V Workspace Settings](manage-med-v-workspace-settings.md) -  - -  + + + diff --git a/mdop/medv-v2/managing-printers-on-a-med-v-workspace.md b/mdop/medv-v2/managing-printers-on-a-med-v-workspace.md index 252992aabd..cf173e2d6d 100644 --- a/mdop/medv-v2/managing-printers-on-a-med-v-workspace.md +++ b/mdop/medv-v2/managing-printers-on-a-med-v-workspace.md 
@@ -29,14 +29,14 @@ In most cases, MED-V handles printer redirection automatically. After first time **Note**   If applications are running on the MED-V workspace, the end user is prompted to let the restart continue or postpone it until later. If no applications are running, the restart is automatic and not shown to the end user. -  + Every time MED-V is re-started, it checks whether any new printers are installed on the host and, if found, retrieves the corresponding drivers from the network print server and installs them on the guest. MED-V then restarts the MED-V workspace just as when first time setup was completed. **Important**   After the relevant drivers are installed on the guest, the printers only become visible on the guest after the restart occurs. -  + If at any time a driver cannot be located or installed, it must be manually installed on the guest for the network printer to be available to the end user. @@ -51,16 +51,16 @@ The following list offers some additional guidance: **Warning**   If a printer is manually installed on the guest, and the same printer is later installed on the host, the result is that the printer is installed two times in the guest. To avoid this situation, a MED-V best practice is to manage printer redirection in one manner only: either disable redirection and install printers manually on the guest, or enable redirection and do not install printers manually on the guest. -  + ## Related topics [Manage MED-V Workspace Settings](manage-med-v-workspace-settings.md) -  + -  + diff --git a/mdop/medv-v2/managing-software-updates-for-med-v-workspaces.md b/mdop/medv-v2/managing-software-updates-for-med-v-workspaces.md index 838c2b6a1c..4dd09c0751 100644 --- a/mdop/medv-v2/managing-software-updates-for-med-v-workspaces.md +++ b/mdop/medv-v2/managing-software-updates-for-med-v-workspaces.md 
@@ -22,7 +22,7 @@ You have several different options available to you for providing software updat **Note**   For information about how to specify the configuration settings that define how MED-V receives automatic updates, see [Managing Automatic Updates for MED-V Workspaces](managing-automatic-updates-for-med-v-workspaces.md). -  + **Updating Software in a MED-V Workspace** @@ -45,7 +45,7 @@ For information about how to specify the configuration settings that define how **Important**   We do not recommend this method of managing software updates. In addition, if you update software in the core image and redeploy the MED-V workspace back out to your enterprise, first time setup must run again, and any data saved in the virtual machine is lost. -   + ## Related topics @@ -56,9 +56,9 @@ For information about how to specify the configuration settings that define how [How to Publish and Unpublish an Application on the MED-V Workspace](how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md) -  + -  + diff --git a/mdop/medv-v2/med-v-20-best-practices.md b/mdop/medv-v2/med-v-20-best-practices.md index 8edf9ea8a0..e402342e9f 100644 --- a/mdop/medv-v2/med-v-20-best-practices.md +++ b/mdop/medv-v2/med-v-20-best-practices.md @@ -50,7 +50,7 @@ If you want end users to see a service level agreement (SLA) before they access **Caution**   Even though a best practice is to run first time setup in **Unattended** mode, if you decide to set the local policy or registry entry to include an SLA in your image (virtual hard disk), you must also specify that first time setup is run in **Attended** mode, or first time setup can fail. -  + ### Compact the virtual hard disk @@ -101,9 +101,9 @@ To prevent antivirus activity from affecting the performance of the virtual desk [Security and Protection for MED-V](security-and-protection-for-med-v.md) -  + -  + 
diff --git a/mdop/medv-v2/med-v-20-deployment-overview.md b/mdop/medv-v2/med-v-20-deployment-overview.md index 2608c24bb9..eb8d227f1d 100644 --- a/mdop/medv-v2/med-v-20-deployment-overview.md +++ b/mdop/medv-v2/med-v-20-deployment-overview.md @@ -24,10 +24,10 @@ This section provides general information and instructions about how to install MED-V 2.0 is based on an application model, where the same methods that you use to deploy applications can be used to deploy and manage MED-V. A deployed MED-V solution includes two components: the MED-V Host Agent and Guest Agent. The MED-V Host Agent is installed on the Windows 7 desktop and the MED-V Guest Agent is installed on Windows XP inside the MED-V workspace. MED-V also includes a MED-V Workspace Packager that provides the information and tools necessary for creating and configuring MED-V workspaces. -**Important**   +**Important** MED-V only supports the installation of the MED-V Workspace Packager, the MED-V Host Agent, and the MED-V workspace for all users. Installing MED-V for the current user only by selecting **ALLUSERS=””** causes failures in the installation of the components and in the setup of the MED-V workspace. -  + ### The MED-V Installation Files @@ -41,10 +41,10 @@ The Host Agent installation file is named MED-V\_HostAgent\_Setup.exe. This file The MED-V Workspace Packager installation file is named MED-V\_WorkspacePackager\_Setup.exe. Use this file to install the MED-V Workspace Packager on a computer where you have administrator rights and permissions. The desktop administrator uses the MED-V Workspace Packager to create and manage MED-V workspaces. -**Note**   +**Note** The MED-V Guest Agent is installed automatically during first time setup. -  + ### The MED-V Deployment Process 
@@ -56,10 +56,10 @@ The following is a high-level overview of the MED-V installation and deployment 3. Deploy the required MED-V components throughout your enterprise. The required components of MED-V are Windows Virtual PC, the MED-V Host Agent, and the MED-V workspace. -**Important**   +**Important** Installation of the MED-V components requires administrative credentials. If an end user is installing MED-V, they are prompted to enter administrative credentials. Alternately, administrative credentials can be provided in context if you are installing by using an electronic software distribution (ESD) system. -  + ### The MED-V Components @@ -89,10 +89,10 @@ To deploy MED-V, copy all the required installation files to the host computer o You can perform the installation manually. However, we recommend that you use an electronic software distribution method to automate the deployment of the components. For more information, see [How to Deploy a MED-V Workspace Through an Electronic Software Distribution System](how-to-deploy-a-med-v-workspace-through-an-electronic-software-distribution-system.md). -**Note**   +**Note** For information about available command-line arguments to control install options, see [Command-Line Options for MED-V Installation Files](command-line-options-for-med-v-installation-files.md). -  + ## Deployment Steps 
@@ -105,29 +105,33 @@ When you deploy MED-V throughout your enterprise, there are two main considerati You can install these as part of the Windows 7 installations before you install MED-V, or you can install them as part of the MED-V distribution. However, MED-V does not include a mechanism for their deployment; they must be deployed by using an electronic software distribution (ESD) system or as part of the Windows 7 image. - **Important**   + **Important** When you install the MED-V components by using a batch file, a best practice is to specify that Windows Virtual PC and the Windows Virtual PC hotfix are installed after the MED-V Host Agent and the MED-V workspace package files. This means that Windows Update will not cause any interference with the installation process by requiring a restart. -   - **Note**   - After you install Windows Virtual PC, the computer must be restarted. -   +~~~ +**Note** +After you install Windows Virtual PC, the computer must be restarted. +~~~ -2. **MED-V Host Agent** – Install the MED-V Host Agent on the Windows 7 computer where MED-V will be run. This must be installed before installing the MED-V workspace and checks to make sure that Windows Virtual PC is installed. -3. **MED-V workspace** – You create the files that are required in this installation by using the MED-V Workspace Packager: the setup.exe, .medv, and .msi files. To install the MED-V workspace, run setup.exe; this triggers the other files as required. The installation places an entry in the registry under the local machine run key to start the MED-V Host Agent, which always runs MED-V when Windows is started. - **Important**   - The installation of the MED-V workspace can be run interactively by the end user or silently through an electronic software distribution system. Installation of the MED-V workspace requires administrative credentials, so end users must be administrators of their computers to install the MED-V workspace. 
Alternately, an electronic software distribution system typically runs in the system context and has sufficient permissions. +2. **MED-V Host Agent** – Install the MED-V Host Agent on the Windows 7 computer where MED-V will be run. This must be installed before installing the MED-V workspace and checks to make sure that Windows Virtual PC is installed. -   +3. **MED-V workspace** – You create the files that are required in this installation by using the MED-V Workspace Packager: the setup.exe, .medv, and .msi files. To install the MED-V workspace, run setup.exe; this triggers the other files as required. The installation places an entry in the registry under the local machine run key to start the MED-V Host Agent, which always runs MED-V when Windows is started. + + **Important** + The installation of the MED-V workspace can be run interactively by the end user or silently through an electronic software distribution system. Installation of the MED-V workspace requires administrative credentials, so end users must be administrators of their computers to install the MED-V workspace. Alternately, an electronic software distribution system typically runs in the system context and has sufficient permissions. + + + +~~~ +**Tip** +Because of problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe. +~~~ - **Tip**   - Because of problems that can occur when you install MED-V from a network location, we recommend that you copy the MED-V workspace setup files locally and then run setup.exe. -   ### First Time Setup @@ -152,9 +156,9 @@ After first time setup is complete, the end user is notified that the published [Deployment of MED-V](deployment-of-med-v.md) -  - -  + + + diff --git a/mdop/medv-v2/med-v-20-release-notes.md b/mdop/medv-v2/med-v-20-release-notes.md index 8a77376bd5..51c9d5c1c7 100644 --- a/mdop/medv-v2/med-v-20-release-notes.md 
+++ b/mdop/medv-v2/med-v-20-release-notes.md @@ -41,7 +41,7 @@ This section provides the most up-to-date information about issues with the Micr **Note**   There are currently no known issues with MED-V 2.0. -  + ## Release Notes Copyright Information @@ -58,9 +58,9 @@ Microsoft, Active Directory, ActiveSync, MS-DOS, Windows, Windows Server, and W All other trademarks are property of their respective owners. -  + -  + diff --git a/mdop/medv-v2/restarting-and-resetting-a-med-v-workspace.md b/mdop/medv-v2/restarting-and-resetting-a-med-v-workspace.md index 17bf709dbb..4a1f38168d 100644 --- a/mdop/medv-v2/restarting-and-resetting-a-med-v-workspace.md +++ b/mdop/medv-v2/restarting-and-resetting-a-med-v-workspace.md @@ -36,7 +36,7 @@ For information about how to open the MED-V Administration Toolkit, see [Trouble **Warning**   Resetting the MED-V workspace causes first time setup to run again, and thus reloads the original virtual hard disk. All data that is stored in the MED-V workspace since first time setup was originally run will be deleted. -   + 2. Click **Reset**. @@ -49,9 +49,9 @@ For information about how to open the MED-V Administration Toolkit, see [Trouble [Viewing MED-V Workspace Configurations](viewing-med-v-workspace-configurations.md) -  + -  + diff --git a/mdop/medv-v2/viewing-and-configuring-med-v-logs.md b/mdop/medv-v2/viewing-and-configuring-med-v-logs.md index 4fb86e486b..831ec64b9b 100644 --- a/mdop/medv-v2/viewing-and-configuring-med-v-logs.md +++ b/mdop/medv-v2/viewing-and-configuring-med-v-logs.md @@ -31,7 +31,7 @@ Event Viewer opens and displays the corresponding event logs that you can use to **Note**   End users can only save event log files in the guest if they have administrative permissions. -  + ### To manually open the Event Viewer in the host computer 
@@ -51,7 +51,7 @@ You can also specify the event logging level by editing the EventLogLevel regist **Note**   The level you specify on the **MED-V Administration Toolkit** window applies to future MED-V event logging. If you set the level to capture all errors, warnings, and informational messages, then the event logs fill more quickly and older events are removed. -  + ## Related topics @@ -60,9 +60,9 @@ The level you specify on the **MED-V Administration Toolkit** window applies to [Viewing MED-V Workspace Configurations](viewing-med-v-workspace-configurations.md) -  + -  + diff --git a/mdop/medv-v2/windows-virtual-pc-application-exclude-list.md b/mdop/medv-v2/windows-virtual-pc-application-exclude-list.md index bdbd6e496b..6b98064476 100644 --- a/mdop/medv-v2/windows-virtual-pc-application-exclude-list.md +++ b/mdop/medv-v2/windows-virtual-pc-application-exclude-list.md @@ -51,7 +51,7 @@ Windows Virtual PC includes a feature known as the "Exclude List" that lets you **Important**   If applicable, remove the quotation marks from the full path when you enter it into the value data field. -   + 5. Close Registry Editor and restart the MED-V workspace virtual machine. @@ -66,9 +66,9 @@ You can also republish an excluded application to the host **Start** menu by del [How to Publish and Unpublish an Application on the MED-V Workspace](how-to-publish-and-unpublish-an-application-on-the-med-v-workspace.md) -  + -  + diff --git a/mdop/solutions/creating-app-v-45-databases-using-sql-scripting.md b/mdop/solutions/creating-app-v-45-databases-using-sql-scripting.md index a9f323bdbc..b2c6ffe718 100644 --- a/mdop/solutions/creating-app-v-45-databases-using-sql-scripting.md +++ b/mdop/solutions/creating-app-v-45-databases-using-sql-scripting.md 
@@ -144,10 +144,10 @@ If used, the two sample batch files provided run the SQL scripts in the followin - dbversion.sql -**Note**   +**Note** Careful consideration when modifying the scripts must be taken and should only be done by someone with the appropriate knowledge. Also, of the sample files presented only the following should be changed: **create\_schema.bat**, **create\_tables.bat**, **database.sql**, and **roles.sql**. All other files should not be modified in any way as this could cause the database to be created incorrectly, which will lead to the failure of App-V services to be installed. -  + The two sample batch files must be placed in the same directory where the rest of the SQL scripts were copied to on the computer. @@ -206,7 +206,7 @@ The following accounts will need to be created on the SQL server with specific p 2. Administrator in the “App-V Admins” group logs in to Application Virtualization Management Console and deletes the following objects from the Management Console. - **Warning**   + **Warning** This is required as the traditional setup populates certain records in the database that are not populated if you run the install against an already existing database. Delete the following objects: - Under “Server Groups,” “Default Server Group,” delete “Application Virtualization Management Server” @@ -215,7 +215,7 @@ The following accounts will need to be created on the SQL server with specific p - Under “Provider Policies,” delete “Default Provider” -   + 3. Administrator in the App-V admins group should then create: 
@@ -223,32 +223,34 @@ The following accounts will need to be created on the SQL server with specific p - Create a “Default Server Group” - **Note**   - You must create a “Default Server” group even if you will not be used. The server installer only looks for the "Default Server Group" when trying to add the server.  If there is no "Default Server Group" then the installation will fail. If you plan on using server groups other than the default that is fine, it’s just necessary to retain the "Default Server Group" if you plan on adding subsequent App-V Management Servers to your infrastructure. + **Note** + You must create a “Default Server” group even if you will not be used. The server installer only looks for the "Default Server Group" when trying to add the server. If there is no "Default Server Group" then the installation will fail. If you plan on using server groups other than the default that is fine, it’s just necessary to retain the "Default Server Group" if you plan on adding subsequent App-V Management Servers to your infrastructure. -   - - Assign the App-V Users Group to the New Provider Policy created above - - Under “Server Groups,” create a New Server Group, specifying the New Provider Policy +~~~ +- Assign the App-V Users Group to the New Provider Policy created above - - Under the New Server group, create a New Application Virtualization Management Server +- Under “Server Groups,” create a New Server Group, specifying the New Provider Policy - **Important**   - Do not restart the service before completing all of the above steps! +- Under the New Server group, create a New Application Virtualization Management Server -   + **Important** + Do not restart the service before completing all of the above steps! - - Administrator restarts the Application Virtualization Management Server service. + + +- Administrator restarts the Application Virtualization Management Server service. 
+~~~ ## Conclusion In conclusion, the information in this document allows an administrator to work with the SQL administrators to develop a deployment path that works for the security and administrative divisions in an organization. After reading this document and testing the tasks documented, an administrator should be ready to implement their App-V infrastructure in this type of environment. -  - -  + + + diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md index 7d59d2e47f..080458ef89 100644 --- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md +++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md 
@@ -23,69 +23,69 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa **How to download and deploy the MDOP Group Policy templates** -1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531) +1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531) -2. Expand the downloaded .cab file by running `expand \MDOP_ADMX_Templates.cab -F:* ` +2. Expand the downloaded .cab file by running `expand \MDOP_ADMX_Templates.cab -F:* ` - **Warning**   - Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file. + **Warning** + Do not extract the templates directly to the Group Policy deployment directory. Multiple technologies and versions are bundled in this file. -3. In the extracted folder, locate the technology-version .admx file. Certain MDOP technologies have multiple sets of Group Policy Objects (GPOs). For example, MBAM includes MBAM Management settings and MBAM User settings. +3. In the extracted folder, locate the technology-version .admx file. Certain MDOP technologies have multiple sets of Group Policy Objects (GPOs). For example, MBAM includes MBAM Management settings and MBAM User settings. -4. Locate the appropriate .adml file by language-culture (that is, *en-us* for English-United States). +4. Locate the appropriate .adml file by language-culture (that is, *en-us* for English-United States). -5. Copy the .admx and .adml files to a policy definition folder. Depending on where you store the templates, you can configure Group Policy settings from the local device or from any computer on the domain. +5. Copy the .admx and .adml files to a policy definition folder. Depending on where you store the templates, you can configure Group Policy settings from the local device or from any computer on the domain. 
- **Local files:** To configure Group Policy settings from the local device, copy template files to the following locations: - - - - - - - - - - - - - - - - - - - - -
    File typeFile location

    Group Policy template (.admx)

    %systemroot%\policyDefinitions

    Group Policy language file (.adml)

    %systemroot%\policyDefinitions\[MUIculture]

    + + + + + + + File type + File location + + + + +

    Group Policy template (.admx)

    +

    %systemroot%<strong>policyDefinitions

    + + +

    Group Policy language file (.adml)

    +

    %systemroot%<strong>policyDefinitions[MUIculture]

    + + + - **Domain central store:** To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller: - - - - - - - - - - - - - - - - - - - - -
    File typeFile location

    Group Policy template (.admx)

    %systemroot%\sysvol\domain\policies\PolicyDefinitions

    Group Policy language file (.adml)

    %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture]\[MUIculture]

    -

    For example, the U.S. English ADML language-specific file will be stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us.

    + + + + + + + File type + File location + + + + +

    Group Policy template (.admx)

    +

    %systemroot%<strong>sysvol\domain\policies\PolicyDefinitions

    + + +

    Group Policy language file (.adml)

    +

    %systemroot%<strong>sysvol\domain\policies\PolicyDefinitions[MUIculture][MUIculture]

    +

    For example, the U.S. English ADML language-specific file will be stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us.
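Review bot: the `+` rows of hunk `@@ -23,69 +23,69 @@` in how-to-download-and-deploy-mdop-group-policy--admx--templates.md corrupt the deployment paths an administrator is told to copy the templates into. `%systemroot%<strong>policyDefinitions` and `%systemroot%<strong>sysvol\domain\policies\PolicyDefinitions` have had the first backslash turned into a `<strong>` tag, and `policyDefinitions[MUIculture]` / `PolicyDefinitions[MUIculture][MUIculture]` have lost the separator before the culture folder. The rendered text must match the real locations: `%systemroot%\policyDefinitions`, `%systemroot%\policyDefinitions\[MUIculture]`, `%systemroot%\sysvol\domain\policies\PolicyDefinitions` and `%systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture]`, with the backslashes escaped as the table format requires rather than dropped or reinterpreted. Note also that the `-` row's doubled `\[MUIculture]\[MUIculture]` was already wrong; the `en-us` example a few rows below shows a single culture folder, so this is a chance to fix it rather than carry it forward.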

    + + + 6. Edit the Group Policy settings using Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM) to configure Group Policy settings for the MDOP technology. @@ -110,42 +110,42 @@ For more information about supported MDOP Group Policy, see the specific documen

    Application Virtualization (App-V)

    App-V 5.0 and App-V 5.0 Service Packs

    -

    [How to Modify App-V 5.0 Client Configuration Using the ADMX Template and Group Policy](../appv-v5/how-to-modify-app-v-50-client-configuration-using-the-admx-template-and-group-policy.md)

    +

    How to Modify App-V 5.0 Client Configuration Using the ADMX Template and Group Policy

    User Experience Virtualization (UE-V)

    UE-V 2.0 and UE-V 2.1

    -

    [Configuring UE-V 2.x with Group Policy Objects](../uev-v2/configuring-ue-v-2x-with-group-policy-objects-both-uevv2.md)

    +

    Configuring UE-V 2.x with Group Policy Objects

    UE-V 1.0 including 1.0 SP1

    -

    [Configuring UE-V with Group Policy Objects](../uev-v1/configuring-ue-v-with-group-policy-objects.md)

    +

    Configuring UE-V with Group Policy Objects

    Microsoft BitLocker Administration and Monitoring (MBAM)

    MBAM 2.5

    -

    [Planning for MBAM 2.5 Group Policy Requirements](../mbam-v25/planning-for-mbam-25-group-policy-requirements.md)

    +

    Planning for MBAM 2.5 Group Policy Requirements

    MBAM 2.0 including 2.0 SP1

    -

    [Planning for MBAM 2.0 Group Policy Requirements](../mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md)

    -

    [Deploying MBAM 2.0 Group Policy Objects](../mbam-v2/deploying-mbam-20-group-policy-objects-mbam-2.md)

    +

    Planning for MBAM 2.0 Group Policy Requirements

    +

    Deploying MBAM 2.0 Group Policy Objects

    MBAM 1.0

    -

    [How to Edit MBAM 1.0 GPO Settings](../mbam-v1/how-to-edit-mbam-10-gpo-settings.md)

    +

    How to Edit MBAM 1.0 GPO Settings

    -  + -  + -  + diff --git a/mdop/uev-v1/about-user-experience-virtualization-10-sp1.md b/mdop/uev-v1/about-user-experience-virtualization-10-sp1.md index 43d84169b9..ddac76e38c 100644 --- a/mdop/uev-v1/about-user-experience-virtualization-10-sp1.md +++ b/mdop/uev-v1/about-user-experience-virtualization-10-sp1.md @@ -141,12 +141,12 @@ UE-V 1.0 Service Pack 1 provides updates for both the UE-V Agent and the UE-V Ge -  + **Important**   While the UE-V Agent installation program (AgentSetup.exe) and UE-V Generator installation program (ToolSetup.exe) are translated into the languages above, the Windows Installer (.msi) files are only available in English. -  + ## Office 2007 Settings Location Templates @@ -261,11 +261,11 @@ When running the UE-V setup for UE-V Agent (AgentSetup.exe), the following retur -  + -  + -  + diff --git a/mdop/uev-v1/accessibility-for-ue-v.md b/mdop/uev-v1/accessibility-for-ue-v.md index 5cbdc15111..710364b2ab 100644 --- a/mdop/uev-v1/accessibility-for-ue-v.md +++ b/mdop/uev-v1/accessibility-for-ue-v.md @@ -33,7 +33,7 @@ You can access most commands by using two keystrokes. To use an access key: **Note**   To cancel the action that you are taking and hide the keyboard shortcuts, press ALT. -  + ### Documentation in alternative formats @@ -66,13 +66,13 @@ For information about the availability of Microsoft product documentation and bo

    (609) 987-8116

    -

    [http://www.learningally.org/](https://go.microsoft.com/fwlink/p/?linkid=239)

    +

    http://www.learningally.org/

    Web addresses can change, so you might be unable to connect to the website or sites that are mentioned here.

    -  + ### Customer service for people with hearing impairments @@ -94,9 +94,9 @@ For more information about how accessible technology for computers can help to i [Getting Started With User Experience Virtualization 1.0](getting-started-with-user-experience-virtualization-10.md) -  + -  + diff --git a/mdop/uev-v1/configuring-ue-v-with-group-policy-objects.md b/mdop/uev-v1/configuring-ue-v-with-group-policy-objects.md index 52ac1dbab4..4ff6a7f274 100644 --- a/mdop/uev-v1/configuring-ue-v-with-group-policy-objects.md +++ b/mdop/uev-v1/configuring-ue-v-with-group-policy-objects.md @@ -45,13 +45,13 @@ The following policy settings can be configured for UE-V:

    Settings storage path

    Computers and Users

    This policy setting configures where the user settings will be stored.

    -

    Provide a Universal Naming Convention (UNC) path and variables such as \\Server\SettingsShare\%username%.

    +

    Provide a Universal Naming Convention (UNC) path and variables such as \Server\SettingsShare%username%.

    Settings template catalog path

    Computers Only

    This policy setting configures where custom settings location templates are stored. This policy setting also configures whether the catalog will be used to replace the default Microsoft templates that are installed with the UE-V agent.

    -

    Provide a Universal Naming Convention (UNC) path such as \\Server\TemplateShare or a folder location on the computer.

    +

    Provide a Universal Naming Convention (UNC) path such as \Server\TemplateShare or a folder location on the computer.

    Select the check box to replace the default Microsoft templates.
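Review bot: in hunk `@@ -45,13 +45,13 @@` of configuring-ue-v-with-group-policy-objects.md, the `+` rows change the example paths from `\\Server\SettingsShare\%username%` and `\\Server\TemplateShare` to `\Server\SettingsShare%username%` and `\Server\TemplateShare`. The leading `\\` that makes them UNC paths is gone, and the separator before `%username%` is gone, so the settings storage path example no longer describes a per-user folder under the share. Restore the original values with the backslashes escaped for the table rather than removed.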

    @@ -95,7 +95,7 @@ The following policy settings can be configured for UE-V: -  + **To configure computer-targeted policies** @@ -128,9 +128,9 @@ The UE-V agent uses the following order of precedence to determine synchronizati [Operations for UE-V 1.0](operations-for-ue-v-10.md) -  + -  + diff --git a/mdop/uev-v1/create-ue-v-settings-location-templates-with-the-ue-v-generator.md b/mdop/uev-v1/create-ue-v-settings-location-templates-with-the-ue-v-generator.md index 30a6a4fad1..57534783a3 100644 --- a/mdop/uev-v1/create-ue-v-settings-location-templates-with-the-ue-v-generator.md +++ b/mdop/uev-v1/create-ue-v-settings-location-templates-with-the-ue-v-generator.md @@ -32,7 +32,7 @@ The UE-V Generator monitors an application to discover and capture the locations **Note**   UE-V templates cannot be created from virtualized applications or terminal services applications. However, settings synchronized using the templates can be applied to those applications. To create templates that support Virtual Desktop Infrastructure (VDI) and terminal services applications, open a Windows Installer File (.msi) version of the application with UE-V Generator. -  + **Excluded Locations** @@ -68,7 +68,7 @@ Use the UE-V Generator to create settings location templates for line-of-busines **Note**   Before the application is started, the system displays a prompt for **User Account Control**. Permission is required to monitor the registry and file locations that the application uses to store settings. -   + 4. After the application starts, close the application. The UE-V Generator records the locations where the application stores its settings. @@ -115,9 +115,9 @@ Use the UE-V Generator to create settings location templates for line-of-busines [Operations for UE-V 1.0](operations-for-ue-v-10.md) -  + -  + diff --git a/mdop/uev-v1/deploying-the-settings-storage-location-for-ue-v-10.md b/mdop/uev-v1/deploying-the-settings-storage-location-for-ue-v-10.md index 01763c96b5..7a2b1288e2 100644 
--- a/mdop/uev-v1/deploying-the-settings-storage-location-for-ue-v-10.md +++ b/mdop/uev-v1/deploying-the-settings-storage-location-for-ue-v-10.md @@ -59,7 +59,7 @@ When you create the settings storage share, you should limit access only to user -   + 4. Set the following NTFS permissions for the settings storage location folder: @@ -90,7 +90,7 @@ When you create the settings storage share, you should limit access only to user -   + 5. Click **OK** to close the dialog boxes. @@ -103,7 +103,7 @@ Additional security can be configured when a Windows server is utilized for the 2. Set registry key value to 1. -  + ## Related topics @@ -117,9 +117,9 @@ Deploy the Central Storage for User Experience Virtualization Settings Templates [Deploying the UE-V Agent](deploying-the-ue-v-agent.md) -  + -  + diff --git a/mdop/uev-v1/deploying-the-ue-v-agent.md b/mdop/uev-v1/deploying-the-ue-v-agent.md index bd718b4336..80f00c8ff1 100644 --- a/mdop/uev-v1/deploying-the-ue-v-agent.md +++ b/mdop/uev-v1/deploying-the-ue-v-agent.md @@ -91,7 +91,7 @@ The Microsoft User Experience Virtualization (UE-V) agent must run on each compu -  + During installation, the SettingsStoragePath command-line parameter specifies the settings storage location for the settings values. A settings storage location can be defined before deploying the UE-V Agent. If no settings storage location is defined, then UE-V uses the Active Directory user Home Directory as the settings storage location. When you specify the SettingsStoragePath configuration during setup and use the %username% as part of the value, this will roam the same user settings experience on all computers or sessions that a user logs into. If you specify the %username%\\%computername% variables as part of the SettingsStoragePath value, this will preserve the settings experience for each computer. 
@@ -100,7 +100,7 @@ Architecture-specific Windows Installer (.msi) files are provided for the UE-V a **Note**   During UE-V agent installation or uninstallation you can either use the AgentSetup.exe file or the AgentSetup<arch>.msi file, but not both. The same file must be used to uninstall the UE-V Agent as it was used to install the UE-V Agent. -  + Be sure to use the correct variable format when you install the UE-V agent. The following table provides examples of deployment options for using the AgentSetup.exe or the Windows Installer (.msi) installation files. @@ -122,42 +122,42 @@ Be sure to use the correct variable format when you install the UE-V agent. The

    Command prompt

    When you install the UE-V agent from a command prompt, use the %^username% variable format. If quotation marks are needed because of spaces in the settings storage path, use a batch script file for deployment.

    -

    AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\\server\settingsshare\%^username%

    +

    AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\server\settingsshare%^username%

    -

    msiexec.exe /i "<path to msi file>" /quiet /norestart /l*v "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\\server\settingsshare\%^username%

    +

    msiexec.exe /i "<path to msi file>" /quiet /norestart /lv "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\server\settingsshare%^username%

    Batch script

    When you install the UE-V Agent from a batch script file, use the %%username%% variable format. If you use this install method, you must escape the variable with the %% characters. Without this character, the script expands the username variable at install time, rather than at run time, causing UE-V to use a single settings storage location for all users.

    -

    AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath="\\server\settingsshare\%%username%%"

    +

    AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath="\server\settingsshare%%username%%"

    -

    msiexec.exe /i "<path to msi file>" /quiet /norestart /l*v "%temp%\UE-VAgentInstaller.log" SettingsStoragePath="\\server\settingsshare\%%username%%"

    +

    msiexec.exe /i "<path to msi file>" /quiet /norestart /lv "%temp%\UE-VAgentInstaller.log" SettingsStoragePath="\server\settingsshare%%username%%"

    PowerShell

    When you install the UE-V agent from a PowerShell prompt or PowerShell script, use the %username% variable format.

    -

    & AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\\server\settingsshare\%username%

    +

    & AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\server\settingsshare%username%

    -

    & msiexec.exe /i "<path to msi file>" /quiet /norestart /l*v "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\\server\settingsshare\%username%

    +

    & msiexec.exe /i "<path to msi file>" /quiet /norestart /lv "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\server\settingsshare%username%

    Electronic software distribution, such as deployment of Configuration Manager Software Deployment)

    When you install the UE-V Agent with Configuration Manager, use the ^%username^% variable format.

    -

    AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\\server\settingsshare\^%username^%

    +

    AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\server\settingsshare^%username^%

    -

    msiexec.exe /i "<path to msi file>" /quiet /norestart /l*v "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\\server\settingsshare\^%username^%

    +

    msiexec.exe /i "<path to msi file>" /quiet /norestart /lv "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\server\settingsshare^%username^%

    -  + **Note**   The installation of the U-EV Agent requires Administrator rights and the computer will require a restart before the UE-V agent can run. -  + ## UE-V Agent deployment methods from a network share @@ -194,9 +194,9 @@ Updates for the UE-V agent software will be provided through Microsoft Update. D [Installing the UE-V Generator](installing-the-ue-v-generator.md) Deploy the User Experience Virtualization Agent -  + -  + diff --git a/mdop/uev-v1/deploying-ue-v-10.md b/mdop/uev-v1/deploying-ue-v-10.md index 928a24b72e..58a93cbff2 100644 --- a/mdop/uev-v1/deploying-ue-v-10.md +++ b/mdop/uev-v1/deploying-ue-v-10.md @@ -56,7 +56,7 @@ If you need to synchronize applications other than the default applications in t **Note**   Deploying custom templates requires a settings template catalog. The default Microsoft application templates are deployed with the UE-V Agent. -  + ## Topics for this product @@ -71,9 +71,9 @@ Deploying custom templates requires a settings template catalog. The default Mic [Troubleshooting UE-V 1.0](troubleshooting-ue-v-10.md) -  + -  + diff --git a/mdop/uev-v1/getting-started-with-user-experience-virtualization-10.md b/mdop/uev-v1/getting-started-with-user-experience-virtualization-10.md index 3dfd841807..1d1459418d 100644 --- a/mdop/uev-v1/getting-started-with-user-experience-virtualization-10.md +++ b/mdop/uev-v1/getting-started-with-user-experience-virtualization-10.md @@ -42,7 +42,7 @@ If you are new to this product, we recommend that you read the documentation car **Note**   A downloadable version of this administrator’s guide is not available. However, you can learn about a special mode of the TechNet Library that allows you to select articles, group them in a collection, and print them or export them to a file at (https://go.microsoft.com/fwlink/?LinkId=272497). -  + ## Getting started with Microsoft User Experience Virtualization topics 
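Review bot: The `+` rows of the deployment-options table change what the commands do, not just how they render: every `SettingsStoragePath=\\server\settingsshare\%^username%` becomes `SettingsStoragePath=\server\settingsshare%^username%`, which drops the leading `\\` of the UNC path and the `\` separating the share name from the username, and every `msiexec.exe ... /l*v "%temp%\UE-VAgentInstaller.log"` becomes `/lv`, which is a different logging switch (the AgentSetup.exe `/log` lines keep their backslash, so only the `\\` and `\%` sequences were stripped). The same damage appears in the batch (`"\\server\settingsshare\%%username%%"` to `"\server\settingsshare%%username%%"`), PowerShell (`\\server\settingsshare\%username%` to `\server\settingsshare%username%`) and Configuration Manager (`\\server\settingsshare\^%username^%` to `\server\settingsshare^%username^%`) rows. If the backslashes were removed as markdown escapes, escape them instead so the rendered text is still `\\server\settingsshare\%^username%` and `/l*v`; as written, the path is no longer a UNC share path and the per-user subfolder separator is gone, which is exactly the "single settings storage location for all users" mistake the batch-script row warns about. While here, the context line `The installation of the U-EV Agent requires Administrator rights` has `U-EV` for `UE-V`.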
@@ -76,9 +76,9 @@ A downloadable version of this administrator’s guide is not available. However - [Troubleshooting UE-V 1.0](troubleshooting-ue-v-10.md) -  + -  + diff --git a/mdop/uev-v1/installing-the-ue-v-generator.md b/mdop/uev-v1/installing-the-ue-v-generator.md index 910994721c..2729e3b8a1 100644 --- a/mdop/uev-v1/installing-the-ue-v-generator.md +++ b/mdop/uev-v1/installing-the-ue-v-generator.md @@ -36,7 +36,7 @@ The Microsoft User Experience Virtualization (UE-V) generator can be installed o **Note**   A prompt for User Account Control appears before the application is installed. Permission is required to install the UE-V generator. -   + 7. Click **Finish** to close the wizard after the installation is complete. You will need to restart your computer before you can run the UE-V Generator. @@ -51,9 +51,9 @@ The Microsoft User Experience Virtualization (UE-V) generator can be installed o [Planning for Custom Template Deployment for UE-V 1.0](planning-for-custom-template-deployment-for-ue-v-10.md) -  + -  + diff --git a/mdop/uev-v1/managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md b/mdop/uev-v1/managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md index ea00c06740..efb3fdfb94 100644 --- a/mdop/uev-v1/managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md +++ b/mdop/uev-v1/managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md @@ -23,10 +23,10 @@ You can use WMI and PowerShell to manage Microsoft User Experience Virtualizatio 1. Stage the UE-V installer file in an accessible network share. - **Note**   + **Note** Use AgentSetup.exe to deploy both 32-bit and 64-bit versions of the UE-V Agent. Windows Installer Files versions, AgentSetupx86.msi and AgentSetupx64.msi, are available for each architecture. To uninstall the UE-V Agent at a later time using the installation file, you must use the same file type. -   + 2. Use one of the following PowerShell commands to install the agent. 
@@ -152,7 +152,7 @@ You can use WMI and PowerShell to manage Microsoft User Experience Virtualizatio -   + **How to export UE-V package settings and repair UE-V templates with PowerShell** @@ -185,7 +185,7 @@ You can use WMI and PowerShell to manage Microsoft User Experience Virtualizatio -   + **How to configure the UE-V Agent with WMI** @@ -265,13 +265,15 @@ You can use WMI and PowerShell to manage Microsoft User Experience Virtualizatio -   - Upon configuration of the UE-V Agent with WMI and PowerShell, the defined configuration is stored in the registry in the following locations: - `\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration` +~~~ +Upon configuration of the UE-V Agent with WMI and PowerShell, the defined configuration is stored in the registry in the following locations: - `\HKEY_CURRENT_USER\SOFTWARE\Microsoft\UEV\Agent\Configuration` +`\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration` + +`\HKEY_CURRENT_USER\SOFTWARE\Microsoft\UEV\Agent\Configuration` +~~~ ## Related topics @@ -280,9 +282,9 @@ You can use WMI and PowerShell to manage Microsoft User Experience Virtualizatio [Operations for UE-V 1.0](operations-for-ue-v-10.md) -  - -  + + + diff --git a/mdop/uev-v1/managing-ue-v-10-settings-location-templates-using-powershell-and-wmi.md b/mdop/uev-v1/managing-ue-v-10-settings-location-templates-using-powershell-and-wmi.md index 887f089adc..9bacdae69b 100644 --- a/mdop/uev-v1/managing-ue-v-10-settings-location-templates-using-powershell-and-wmi.md +++ b/mdop/uev-v1/managing-ue-v-10-settings-location-templates-using-powershell-and-wmi.md @@ -79,7 +79,7 @@ You must have administrator permissions to update, register, or unregister a set -   + The UE-V PowerShell features allow you to manage a group of settings templates deployed in your enterprise. To manage a group of templates using PowerShell, do the following. 
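Review bot: In the `@@ -265,13 +265,15 @@` hunk of managing-the-ue-v-10-agent-and-packages-with-powershell-and-wmi.md the opening `+~~~` is placed above the sentence `Upon configuration of the UE-V Agent with WMI and PowerShell, the defined configuration is stored in the registry in the following locations:`, so that explanatory prose is rendered as preformatted code together with the two registry paths, and the backticks around `\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration` and `\HKEY_CURRENT_USER\SOFTWARE\Microsoft\UEV\Agent\Configuration` will show literally inside the fence. Suggest moving the `~~~` open below the sentence and dropping the inline backticks inside the fence, or keeping the original two-item list of inline-code paths.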
@@ -162,7 +162,7 @@ User Experience Virtualization provides the following set of WMI commands. Admin -   + **How to deploy the UE-V agent with PowerShell** @@ -171,7 +171,7 @@ User Experience Virtualization provides the following set of WMI commands. Admin **Note**   Use AgentSetup.exe to deploy both 32-bit and 64-bit versions of the UE-V Agent. Windows Installer Files versions, AgentSetupx86.msi and AgentSetupx64.msi, are available for each architecture. To uninstall the UE-V Agent at a later time using the installation file, you must use the same file type. -   + 2. Use one of the following PowerShell commands to install the agent. @@ -188,9 +188,9 @@ User Experience Virtualization provides the following set of WMI commands. Admin [Operations for UE-V 1.0](operations-for-ue-v-10.md) -  + -  + diff --git a/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-release-notes.md b/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-release-notes.md index 7cc7609e59..de4bba54f9 100644 --- a/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-release-notes.md +++ b/mdop/uev-v1/microsoft-user-experience-virtualization--ue-v--10-release-notes.md @@ -121,9 +121,9 @@ When Internet Explorer bookmarks roam from one computer to another computer, the WORKAROUND: None -  + -  + diff --git a/mdop/uev-v1/migrating-ue-v-settings-packages.md b/mdop/uev-v1/migrating-ue-v-settings-packages.md index f6ad3233be..0584788218 100644 --- a/mdop/uev-v1/migrating-ue-v-settings-packages.md +++ b/mdop/uev-v1/migrating-ue-v-settings-packages.md @@ -40,7 +40,7 @@ Simply copying the files and folders will not preserve the security settings and **Note**   To monitor the copy progress, open MySettings.txt with a log file reader such as Trace32. -   + 4. Grant share-level permissions to the new share. Leave the NTFS permissions as they were set by Robocopy. 
@@ -53,9 +53,9 @@ Simply copying the files and folders will not preserve the security settings and [Operations for UE-V 1.0](operations-for-ue-v-10.md) -  + -  + diff --git a/mdop/uev-v1/planning-for-custom-template-deployment-for-ue-v-10.md b/mdop/uev-v1/planning-for-custom-template-deployment-for-ue-v-10.md index 697b696a44..41e30f2c3a 100644 --- a/mdop/uev-v1/planning-for-custom-template-deployment-for-ue-v-10.md +++ b/mdop/uev-v1/planning-for-custom-template-deployment-for-ue-v-10.md @@ -40,7 +40,7 @@ When you use Group Policy to configure the settings template catalog path, you c **Note**   If you disable this policy setting after it has been enabled, the UE-V agent will not restore the default Microsoft templates. -  + If there are customized templates in the settings template catalog that use the same ID as the default Microsoft templates, and the UE-V agent is not configured to replace the default Microsoft templates, the Microsoft templates in the catalog will be ignored. @@ -49,7 +49,7 @@ You can also replace the default templates by using the UE-V PowerShell features **Note**   Old settings packages remain in the settings storage location even if new settings templates are deployed for an application. These packages are not read by the agent, but neither are they automatically deleted. -  + ## Related topics @@ -61,9 +61,9 @@ Old settings packages remain in the settings storage location even if new settin [Planning for UE-V Configuration Methods](planning-for-ue-v-configuration-methods.md) Planning for Custom Template Deployment -  + -  + diff --git a/mdop/uev-v1/planning-for-ue-v-configuration-methods.md b/mdop/uev-v1/planning-for-ue-v-configuration-methods.md index 06f0b7cbee..8e5be9114d 100644 --- a/mdop/uev-v1/planning-for-ue-v-configuration-methods.md +++ b/mdop/uev-v1/planning-for-ue-v-configuration-methods.md 
@@ -39,7 +39,7 @@ You can configure UE-V before, during, or after agent installation, depending on **Note**   Registry modification can result in data loss or the computer becoming unresponsive. We recommend that you use other configuration methods. -  + ### UE-V configuration settings @@ -66,9 +66,9 @@ The following are examples of UE-V configuration settings: [Planning for UE-V Configuration](planning-for-ue-v-configuration.md) -  + -  + diff --git a/mdop/uev-v1/planning-which-applications-to-synchronize-with-ue-v-10.md b/mdop/uev-v1/planning-which-applications-to-synchronize-with-ue-v-10.md index f1c478da23..79eebd7152 100644 --- a/mdop/uev-v1/planning-which-applications-to-synchronize-with-ue-v-10.md +++ b/mdop/uev-v1/planning-which-applications-to-synchronize-with-ue-v-10.md @@ -72,7 +72,7 @@ The UE-V agent installation software installs the agent and registers a default -  + Application settings are applied to the application when the application is started. They are saved when the application closes. @@ -117,7 +117,7 @@ User Experience Virtualization includes settings location templates that capture -  + The Windows desktop background and Ease of Access settings are applied when the user logs on, when the computer is unlocked, or upon remote connection to another computer. The agent saves these settings when the user logs off, when the computer is locked, or when a remote connection is disconnected. By default, Windows desktop background settings are roamed between computers of the same operating system version. @@ -128,7 +128,7 @@ UE-V does not support the roaming of settings between operating systems with dif **Note**   If you change the settings location templates that are provided by Microsoft, User Experience Virtualization might not work properly for the designated application or Windows settings group. -  + ## Prevent unintentional user Settings configuration 
@@ -165,9 +165,9 @@ For guidance on whether a line-of-business application should be synchronized, s [Deploying UE-V 1.0](deploying-ue-v-10.md) -  + -  + diff --git a/mdop/uev-v1/supported-configurations-for-ue-v-10.md b/mdop/uev-v1/supported-configurations-for-ue-v-10.md index 19a3b73b38..2fca53cc15 100644 --- a/mdop/uev-v1/supported-configurations-for-ue-v-10.md +++ b/mdop/uev-v1/supported-configurations-for-ue-v-10.md @@ -22,7 +22,7 @@ Microsoft User Experience Virtualization (UE-V) supports the following described **Note**   Microsoft provides support for the current service pack, and in some cases, the preceding service pack. To find the support timelines for your product, see the [Lifecycle Supported Service Packs](https://go.microsoft.com/fwlink/p/?LinkId=31975). For more information about Microsoft Support Lifecycle Policy, see [Microsoft Support Lifecycle Support Policy FAQ](https://go.microsoft.com/fwlink/p/?LinkId=31976). -  + ## Supported configurations for UE-V Agent and UE-V Generator @@ -82,7 +82,7 @@ The following table lists the operating systems that support the User Experience -  + There are no special RAM requirements that are specific to UE-V. @@ -91,7 +91,7 @@ The installation of the UE-V agent requires administrative rights and will requi **Important**   The Sync Your Settings feature in Windows 8 must be disabled to allow UE-V to function properly. Synchronization of settings with both Windows 8 and UE-V will result in unpredictable synchronization behavior. -  + ### Requirements for the Offline Files feature @@ -171,9 +171,9 @@ Supported Configurations for User Experience Virtualization [Deploying the UE-V Agent](deploying-the-ue-v-agent.md) -  + -  + diff --git a/mdop/uev-v1/ue-v-10-security-considerations.md b/mdop/uev-v1/ue-v-10-security-considerations.md index 371fc55059..ddbecb7393 100644 --- a/mdop/uev-v1/ue-v-10-security-considerations.md +++ b/mdop/uev-v1/ue-v-10-security-considerations.md 
@@ -57,130 +57,132 @@ Because settings packages may contain personal information, you should take care -   - 2. Set the following NTFS permissions for the settings storage location folder: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    User accountRecommended permissionsFolder

    Creator/Owner

    No Permissions

    No Permissions

    Domain Admins

    Full Control

    This Folder, Subfolders and Files

    Security group of UE-V users

    List Folder/Read Data, Create Folders/Append Data

    This Folder Only

    Everyone

    Remove all Permissions

    No Permissions

    +~~~ +2. Set the following NTFS permissions for the settings storage location folder: -   + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    User accountRecommended permissionsFolder

    Creator/Owner

    No Permissions

    No Permissions

    Domain Admins

    Full Control

    This Folder, Subfolders and Files

    Security group of UE-V users

    List Folder/Read Data, Create Folders/Append Data

    This Folder Only

    Everyone

    Remove all Permissions

    No Permissions

    - 3. Set the following share-level (SMB) permissions for the settings template catalog folder. - - - - - - - - - - - - - - - - - - - - - - - - - -
    User accountRecommend permissions

    Everyone

    No Permissions

    Domain Computers

    Read Permission Levels

    Administrators

    Read/Write Permission Levels

    -   +3. Set the following share-level (SMB) permissions for the settings template catalog folder. - 4. Set the following NTFS permissions for the settings template catalog folder. + + + + + + + + + + + + + + + + + + + + + + + + + +
    User accountRecommend permissions

    Everyone

    No Permissions

    Domain Computers

    Read Permission Levels

    Administrators

    Read/Write Permission Levels

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    User accountRecommended permissionsApply to

    Creator/Owner

    Full Control

    This Folder, Subfolders and Files

    Domain Computers

    List Folder Contents and Read

    This Folder, Subfolders and Files

    Everyone

    No Permissions

    No Permissions

    Administrators

    Full Control

    This Folder, Subfolders and Files

    -   -### Use Windows Server 2003 or later servers to host redirected file shares +4. Set the following NTFS permissions for the settings template catalog folder. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    User accountRecommended permissionsApply to

    Creator/Owner

    Full Control

    This Folder, Subfolders and Files

    Domain Computers

    List Folder Contents and Read

    This Folder, Subfolders and Files

    Everyone

    No Permissions

    No Permissions

    Administrators

    Full Control

    This Folder, Subfolders and Files

    +~~~ + + + +### Use Windows Server 2003 or later servers to host redirected file shares User settings package files contain personal information that is transferred between the client computer and the server that stores the settings packages. Because of this, you should ensure that the data is protected while it travels over the network. User settings data is vulnerable to these potential threats: interception of the data as it passes over the network; tampering with the data as it passes over the network; and spoofing of the server that hosts the data. -Several features of Windows Server 2003 and above can help to secure user data: +Several features of Windows Server 2003 and above can help to secure user data: -- **Kerberos** - Kerberos is standard on all versions of Windows 2000 and Windows Server 2003 and later. Kerberos ensures the highest level of security to network resources. NTLM authenticates the client only; Kerberos authenticates the server and the client. When NTLM is used, the client does not know whether the server is valid. This is particularly important if the client is exchanging personal files with the server, as is the case with Roaming Profiles. Kerberos provides better security than NTLM. Kerberos is not available on Windows NT version 4.0 or earlier operating systems. +- **Kerberos** - Kerberos is standard on all versions of Windows 2000 and Windows Server 2003 and later. Kerberos ensures the highest level of security to network resources. NTLM authenticates the client only; Kerberos authenticates the server and the client. When NTLM is used, the client does not know whether the server is valid. This is particularly important if the client is exchanging personal files with the server, as is the case with Roaming Profiles. Kerberos provides better security than NTLM. Kerberos is not available on Windows NT version 4.0 or earlier operating systems. 
- **IPsec** - The IP Security Protocol (IPsec) provides network-level authentication, data integrity, and encryption. IPsec ensures the following: @@ -220,7 +222,7 @@ To ensure that UE-V works optimally, create only the root share on the server, a This permission configuration allows users to create folders for settings storage. The UE-V agent creates and secures a settingspackage folder while running in the context of the user. The user receives full control to their settingspackage folder. Other users do not inherit access to this folder. You do not need to create and secure individual user directories. This will be done automatically by the agent that runs in the context of the user. -**Note**   +**Note** Additional security can be configured when a Windows server is utilized for the settings storage share. UE-V can be configured to verify that either the local administrator's group or the current user is the owner of the folder where settings packages are stored. To enable additional security use the following command: 1. Add a REG\_DWORD registry key named "RepositoryOwnerCheckEnabled" to `HKEY_LOCAL_MACHINE\Software\Microsoft\UEV\Agent\Configuration`. @@ -229,7 +231,7 @@ Additional security can be configured when a Windows server is utilized for the When this configuration setting is in place, the UE-V agent verifies that the local administrator’s group or current user is the owner of the settingspackage folder. If not, then the UE-V agent will not allow access to the folder. -  + If you must create folders for the users and ensure that you have the correct permissions set. @@ -244,9 +246,9 @@ If you redirect UE-V settings to a user’s home directory, be sure that the per [Security and Privacy for UE-V 1.0](security-and-privacy-for-ue-v-10.md) -  - -  + + + diff --git a/mdop/uev-v1/ue-v-checklist.md b/mdop/uev-v1/ue-v-checklist.md index 048b562a84..03c5bb4c70 100644 --- a/mdop/uev-v1/ue-v-checklist.md +++ b/mdop/uev-v1/ue-v-checklist.md 
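Review bot: In the `@@ -57,130 +57,132 @@` hunk of ue-v-10-security-considerations.md, steps `2. Set the following NTFS permissions for the settings storage location folder:`, `3. Set the following share-level (SMB) permissions for the settings template catalog folder.` and `4. Set the following NTFS permissions for the settings template catalog folder.` are moved, together with their three permission tables (header rows `User account / Recommended permissions / Folder`, `User account / Recommend permissions`, `User account / Recommended permissions / Apply to`), inside a `+~~~` ... `+~~~` fence. Inside a fenced block the table markup is shown as literal text rather than rendered as tables, and `2.`/`3.`/`4.` no longer continue the numbered list that step 1 starts, so the share and NTFS ACL recommendations (Creator/Owner no permissions, Domain Admins Full Control, UE-V users group List Folder/Read Data and Create Folders/Append Data on This Folder Only, Everyone removed) become unreadable in the one place the page tells administrators how to lock down the settings storage share. Suggest removing the fence and leaving the tables indented under their list items, or converting them to markdown tables. The `Recommend permissions` header in the SMB table should also read `Recommended permissions` like the other two.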
@@ -33,42 +33,42 @@ Use this checklist to plan for preparing your computing environment for Microsof

    Review the Getting Started information about UE-V to gain a basic understanding of the product before you begin the deployment planning.

    -

    [Getting Started With User Experience Virtualization 1.0](getting-started-with-user-experience-virtualization-10.md)

    +

    Getting Started With User Experience Virtualization 1.0

    Prepare your environment for UE-V 1.0 deployment.

    -

    [Preparing Your Environment for UE-V](preparing-your-environment-for-ue-v.md)

    +

    Preparing Your Environment for UE-V

    Plan which applications end users can synchronize with UE-V 1.0.

    -

    [Planning Which Applications to Synchronize with UE-V 1.0](planning-which-applications-to-synchronize-with-ue-v-10.md)

    +

    Planning Which Applications to Synchronize with UE-V 1.0

    Custom settings templates only - create custom settings location templates and then define a setting template catalog.

    -

    [Deploying the Settings Template Catalog for UE-V 1.0](deploying-the-settings-template-catalog-for-ue-v-10.md)

    -

    [Create UE-V Settings Location Templates with the UE-V Generator](create-ue-v-settings-location-templates-with-the-ue-v-generator.md)

    +

    Deploying the Settings Template Catalog for UE-V 1.0

    +

    Create UE-V Settings Location Templates with the UE-V Generator

    Decide which method of configuration (Group Policy, PowerShell, ESD-command line, or batch file) works best for your environment and plan how to configure UE-V 1.0.

    -

    [Planning for UE-V Configuration Methods](planning-for-ue-v-configuration-methods.md)

    +

    Planning for UE-V Configuration Methods

    Deploy the network share to store settings packages.

    -

    [Deploying the Settings Storage Location for UE-V 1.0](deploying-the-settings-storage-location-for-ue-v-10.md)

    +

    Deploying the Settings Storage Location for UE-V 1.0

    Custom settings templates only – deploy the features that are required to create and store applications other than the UE-V default applications.

    -

    [Deploying the Settings Template Catalog for UE-V 1.0](deploying-the-settings-template-catalog-for-ue-v-10.md)

    -

    [Installing the UE-V Generator](installing-the-ue-v-generator.md)

    +

    Deploying the Settings Template Catalog for UE-V 1.0

    +

    Installing the UE-V Generator

    Familiarize yourself with the administration and management tasks for UE-V.

    -

    [Administering UE-V 1.0](administering-ue-v-10.md)

    +

    Administering UE-V 1.0

    -  + ## Related topics @@ -77,9 +77,9 @@ Use this checklist to plan for preparing your computing environment for Microsof [Deploying UE-V 1.0](deploying-ue-v-10.md) -  + -  + diff --git a/mdop/uev-v1/user-experience-virtualization-privacy-statement.md b/mdop/uev-v1/user-experience-virtualization-privacy-statement.md index feb455a3a8..ecbbabaa59 100644 --- a/mdop/uev-v1/user-experience-virtualization-privacy-statement.md +++ b/mdop/uev-v1/user-experience-virtualization-privacy-statement.md @@ -163,9 +163,9 @@ For details about what information is collected and how it is used, see the Upda [Security and Privacy for UE-V 1.0](security-and-privacy-for-ue-v-10.md) -  + -  + diff --git a/mdop/uev-v2/accessibility-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/accessibility-for-ue-v-2x-both-uevv2.md index 5d649c81ef..349a791c43 100644 --- a/mdop/uev-v2/accessibility-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/accessibility-for-ue-v-2x-both-uevv2.md @@ -61,13 +61,13 @@ For information about the availability of Microsoft product documentation and bo
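Review bot: The `+` rows of the checklist table replace every markdown link with bare text, for example `[Getting Started With User Experience Virtualization 1.0](getting-started-with-user-experience-virtualization-10.md)` becomes `Getting Started With User Experience Virtualization 1.0`, so the checklist no longer links to any of the topics it tells the reader to open (Preparing Your Environment for UE-V, Planning Which Applications to Synchronize with UE-V 1.0, Deploying the Settings Template Catalog for UE-V 1.0, Create UE-V Settings Location Templates with the UE-V Generator, Planning for UE-V Configuration Methods, Deploying the Settings Storage Location for UE-V 1.0, Installing the UE-V Generator, Administering UE-V 1.0). If markdown links do not render inside this table, use `<a href="getting-started-with-user-experience-virtualization-10.md">...</a>` rather than dropping the target; the `## Related topics` section of the same file keeps the `[Deploying UE-V 1.0](deploying-ue-v-10.md)` link form, so the two are now inconsistent.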

    (609) 987-8116

    -

    [http://www.learningally.org/](https://go.microsoft.com/fwlink/p/?linkid=239)

    +

    http://www.learningally.org/

    Web addresses can change, so you might be unable to connect to the website or sites that are mentioned here.

    -  + ### Customer service for people with hearing impairments @@ -94,9 +94,9 @@ For more information about how accessible technology for computers can help to i [Technical Reference for UE-V 2.x](technical-reference-for-ue-v-2x-both-uevv2.md) -  + -  + diff --git a/mdop/uev-v2/administering-ue-v-2x-with-windows-powershell-and-wmi-both-uevv2.md b/mdop/uev-v2/administering-ue-v-2x-with-windows-powershell-and-wmi-both-uevv2.md index d7376eca87..6acd7dcdd5 100644 --- a/mdop/uev-v2/administering-ue-v-2x-with-windows-powershell-and-wmi-both-uevv2.md +++ b/mdop/uev-v2/administering-ue-v-2x-with-windows-powershell-and-wmi-both-uevv2.md @@ -22,7 +22,7 @@ Microsoft User Experience Virtualization (UE-V) 2.0, 2.1, and 2.1 SP1 provide Wi **Note**   Administering UE-V 2 with Windows PowerShell requires Windows PowerShell 3.0 or higher. For a complete list of UE-V PowerShell cmdlets, see [UE-V 2 Cmdlet Reference](https://go.microsoft.com/fwlink/p/?LinkId=393495). -  + ## Managing the UE-V 2.x Agent and packages by using Windows PowerShell and WMI @@ -48,9 +48,9 @@ After you create and deploy UE-V settings location templates, you can manage tho [Administering UE-V 2.x](administering-ue-v-2x-new-uevv2.md) -  + -  + diff --git a/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md index db78d96d4b..b972d7f736 100644 --- a/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md 
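Review bot: `[http://www.learningally.org/](https://go.microsoft.com/fwlink/p/?linkid=239)` is reduced to the bare text `http://www.learningally.org/`, which loses the go.microsoft.com fwlink redirector target and leaves the address as plain text. The very next sentence, `Web addresses can change, so you might be unable to connect to the website or sites that are mentioned here.`, is the reason the redirector is used; keep the link, with `<a href="https://go.microsoft.com/fwlink/p/?linkid=239">http://www.learningally.org/</a>` if markdown links do not render inside this table.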
@@ -151,7 +151,7 @@ The Process data type is a container used to describe processes to be monitored -  + **Processes** The Processes data type represents a container for a collection of one or more Process elements. Two child elements are supported in the Processes sequence type: **Process** and **ShellProcess**. Process is an element of type Process and ShellProcess is of data type Empty. At least one item must be identified in the sequence. @@ -201,7 +201,7 @@ Settings is a container for all the settings that apply to a particular template -  + ### Name Element @@ -216,7 +216,7 @@ UE-V does not reference external DTDs, so it is not possible to use named entiti See for a complete list of character entities. UTF-8-encoded documents may include the Unicode characters directly. Saving templates through the UE-V Generator converts character entities to their Unicode representations automatically. -  + ### ID Element @@ -261,7 +261,7 @@ This value is queried to determine if a new version of a template should be appl - When the microsoft\\uev:SettingsLocationTemplate Update method is called through WMI -  + ### Author Element @@ -327,7 +327,7 @@ A value of **True** indicates that the string contains illegal characters. Here **Note**   The UE-V Generator encodes the greater than and less than characters as > and < respectively. -  + In rare circumstances, the FileName value will not necessarily include the .exe extension, but it should be specified as part of the value. For example, `MyApplictication.exe` should be specified instead of `MyApplictication`. The second example will not apply the template to the process if the actual name of the executable file is “MyApplication.exe”. @@ -344,7 +344,7 @@ If this element is absent, the settings location template ignores the process’ **Note**   UE-V does not support ARM processors in this version. -  + ### ProductName @@ -493,11 +493,11 @@ Application is a container for settings that apply to a particular application.

    Name

    -

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).

    +

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see Name.

    ID

    -

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V Agent uses to reference the template at runtime. For more information, see [ID](#id21).

    +

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V Agent uses to reference the template at runtime. For more information, see ID.

    Description

    @@ -513,7 +513,7 @@ Application is a container for settings that apply to a particular application.

    Version

    -

    Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).

    +

    Identifies the version of the settings location template for administrative tracking of changes. For more information, see Version.

    DeferToMSAccount

    @@ -529,16 +529,16 @@ Application is a container for settings that apply to a particular application.

    Processes

    -

    A container for a collection of one or more Process elements. For more information, see [Processes](#processes21).

    +

    A container for a collection of one or more Process elements. For more information, see Processes.

    Settings

    -

    A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in [Data types](#data21).

    +

    A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in Data types.

    -  + ### Common Element @@ -556,11 +556,11 @@ Common is similar to an Application element, but it is always associated with tw
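Review bot: In the Application element table (and the identical Common and SettingsLocationTemplate element tables in the next two hunks), the in-page anchors `[Name](#name21)`, `[ID](#id21)`, `[Version](#version21)`, `[Processes](#processes21)` and `[Data types](#data21)` are replaced by bare words, so `For more information, see Name.` no longer takes the reader to the `### Name Element`, `### ID Element` and related sections that this same file defines. If the anchors were dropped because the fragment IDs did not resolve, fix the fragments rather than removing the links; if markdown is the problem inside the HTML table, use `<a href="#name21">Name</a>` and keep the cross-references.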

    Name

    -

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).

    +

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see Name.

    ID

    -

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V Agent uses to reference the template at runtime. For more information, see [ID](#id21).

    +

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V Agent uses to reference the template at runtime. For more information, see ID.

    Description
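Review bot: same concern as the Version row in the Application table: `[Name](#name21)` and `[ID](#id21)` become bare words in the `+` lines, leaving "For more information, see Name." and "see ID." without a target. The Application, Common and SettingsLocationTemplate tables in this file repeat these rows, so the anchors should be fixed (or the wording changed to say which section is meant) in all three tables together, not link by link.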

    @@ -576,7 +576,7 @@ Common is similar to an Application element, but it is always associated with tw

    Version

    -

    Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).

    +

    Identifies the version of the settings location template for administrative tracking of changes. For more information, see Version.

    DeferToMSAccount

    @@ -592,12 +592,12 @@ Common is similar to an Application element, but it is always associated with tw

    Settings

    -

    A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in [Data types](#data21).

    +

    A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in Data types.

    -  + ### SettingsLocationTemplate Element @@ -615,11 +615,11 @@ This element defines the settings for a single application or a suite of applica

    Name

    -

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).

    +

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see Name.

    ID

    -

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V Agent uses to reference the template at runtime. For more information, see [ID](#id21).

    +

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V Agent uses to reference the template at runtime. For more information, see ID.

    Description

    @@ -636,7 +636,7 @@ This element defines the settings for a single application or a suite of applica -  + ### Appendix: SettingsLocationTemplate.xsd @@ -1091,7 +1091,7 @@ The Process data type is a container used to describe processes to be monitored -  + **Processes** The Processes data type represents a container for a collection of one or more Process elements. Two child elements are supported in the Processes sequence type: **Process** and **ShellProcess**. Process is an element of type Process and ShellProcess is of data type Empty. At least one item must be identified in the sequence. @@ -1138,7 +1138,7 @@ Settings is a container for all the settings that apply to a particular template -  + ### Name Element @@ -1153,7 +1153,7 @@ UE-V does not reference external DTDs, so it is not possible to use named entiti See for a complete list of character entities. UTF-8-encoded documents may include the Unicode characters directly. Saving templates through the UE-V Generator converts character entities to their Unicode representations automatically. -  + ### ID Element @@ -1198,7 +1198,7 @@ This value is queried to determine if a new version of a template should be appl - When the microsoft\\uev:SettingsLocationTemplate Update method is called through WMI -  + ### Author Element @@ -1264,7 +1264,7 @@ A value of **True** indicates that the string contains illegal characters. Here **Note**   The UE-V Generator encodes the greater than and less than characters as > and < respectively. -  + In rare circumstances, the FileName value will not necessarily include the .exe extension, but it should be specified as part of the value. For example, `MyApplictication.exe` should be specified instead of `MyApplictication`. The second example will not apply the template to the process if the actual name of the executable file is “MyApplication.exe”. 
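Review bot: two pre-existing defects sit in the unchanged context of these hunks and would be cheap to fix in the same whitespace pass: in the @@ -1153 hunk, "See for a complete list of character entities." has lost its link target and reads as a dangling reference, and in the @@ -1264 hunk the example executable is spelled `MyApplictication.exe` twice while the next sentence names it "MyApplication.exe", which defeats the point the example is making about exact FileName matching.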
@@ -1281,7 +1281,7 @@ If this element is absent, the settings location template ignores the process’ **Note**   UE-V does not support ARM processors in this version. -  + ### ProductName @@ -1432,11 +1432,11 @@ Application is a container for settings that apply to a particular application.

    Name

    -

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name).

    +

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see Name.

    ID

    -

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V Agent uses to reference the template at runtime. For more information, see [ID](#id).

    +

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V Agent uses to reference the template at runtime. For more information, see ID.

    Description
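Review bot: this second copy of the Application table (un-suffixed anchors `#name` and `#id`) loses its links in the same way as the first copy with the `#name21`/`#id21` anchors. The two anchor variants show the file has two parallel reference sections; with the links removed, "see Name" and "see ID" no longer say which section the reader is being sent to. Prefer fixing the ids so both sets resolve, or name the target section in the text.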

    @@ -1452,7 +1452,7 @@ Application is a container for settings that apply to a particular application.

    Version

    -

    Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version).

    +

    Identifies the version of the settings location template for administrative tracking of changes. For more information, see Version.

    DeferToMSAccount

    @@ -1464,16 +1464,16 @@ Application is a container for settings that apply to a particular application.

    Processes

    -

    A container for a collection of one or more Process elements. For more information, see [Processes](#processes).

    +

    A container for a collection of one or more Process elements. For more information, see Processes.

    Settings

    -

    A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in [Data types](#data).

    +

    A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in Data types.

    -  + ### Common Element @@ -1493,11 +1493,11 @@ Common is similar to an Application element, but it is always associated with tw

    Name

    -

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name).

    +

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see Name.

    ID

    -

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V Agent uses to reference the template at runtime. For more information, see [ID](#id).

    +

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V Agent uses to reference the template at runtime. For more information, see ID.

    Description

    @@ -1513,7 +1513,7 @@ Common is similar to an Application element, but it is always associated with tw

    Version

    -

    Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version).

    +

    Identifies the version of the settings location template for administrative tracking of changes. For more information, see Version.

    DeferToMSAccount

    @@ -1525,12 +1525,12 @@ Common is similar to an Application element, but it is always associated with tw

    Settings

    -

    A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in [Data types](#data).

    +

    A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in Data types.

    -  + ### SettingsLocationTemplate Element @@ -1550,11 +1550,11 @@ This element defines the settings for a single application or a suite of applica

    Name

    -

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name).

    +

    Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see Name.

    ID

    -

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V Agent uses to reference the template at runtime. For more information, see [ID](#id).

    +

    Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V Agent uses to reference the template at runtime. For more information, see ID.

    Description

    @@ -1571,7 +1571,7 @@ This element defines the settings for a single application or a suite of applica -  + ### Appendix: SettingsLocationTemplate.xsd @@ -1880,9 +1880,9 @@ Here is the SettingsLocationTemplate.xsd file showing its elements, child elemen [Technical Reference for UE-V 2.x](technical-reference-for-ue-v-2x-both-uevv2.md) -  + -  + diff --git a/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md b/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md index de93fbefd9..e6dc6513a3 100644 --- a/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md +++ b/mdop/uev-v2/changing-the-frequency-of-ue-v-2x-scheduled-tasks-both-uevv2.md @@ -34,7 +34,7 @@ The Microsoft User Experience Virtualization (UE-V) 2.0, 2.1, or 2.1 SP1 Agent i **Note**   With the exception of Collect CEIP Data, these tasks must remain enabled as UE-V cannot function without them. -  + These scheduled tasks are not configurable with the UE-V tools. Administrators who want to change the scheduled task for these items can create a script that uses the Schtasks.exe command-line options. @@ -70,7 +70,7 @@ If upon installation the user or administrator choses to participate in the Cust -  + ### Monitor Application Settings @@ -95,7 +95,7 @@ The **Monitor Application Settings** task is used to synchronize settings for Wi -  + ### Sync Controller Application @@ -120,7 +120,7 @@ The **Sync Controller Application** task is used to start the Sync Controller to -  + For example, the following command configures the agent to synchronize settings every 15 minutes instead of the default 30 minutes. @@ -151,7 +151,7 @@ The **Synchronize Settings at Logoff** task is used to start an application at l -  + ### Template Auto Update 
@@ -176,7 +176,7 @@ The **Template Auto Update** task checks the settings template catalog for new, -  + **Example:** The following command configures the UE-V Agent to check the settings template catalog store every hour. @@ -207,7 +207,7 @@ The **Upload CEIP Data** task runs during the installation if the user or the ad -  + ## UE-V 2 Scheduled Task Details @@ -283,7 +283,7 @@ The following chart provides additional information about scheduled tasks for UE -  + **Legend** @@ -327,9 +327,9 @@ The following additional information applies to UE-V scheduled tasks: [Deploy UE-V 2.x for Custom Applications](deploy-ue-v-2x-for-custom-applications-new-uevv2.md#deploycatalogue) -  + -  + diff --git a/mdop/uev-v2/configuring-the-company-settings-center-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/configuring-the-company-settings-center-for-ue-v-2x-both-uevv2.md index 535aac6765..8b371ea90a 100644 --- a/mdop/uev-v2/configuring-the-company-settings-center-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/configuring-the-company-settings-center-for-ue-v-2x-both-uevv2.md @@ -35,7 +35,7 @@ The Company Settings Center desktop application provides users with information - Configuration item in the UE-V Configuration Pack for System Center 2012 Configuration Manager: `Tray icon enabled` -   + - Control Panel application – In Control Panel, browse to **Appearance and Personalization**, and then click **Company Settings Center**. @@ -83,9 +83,9 @@ The Company Settings Center can include a hyperlink that users can click to get -  + -  + diff --git a/mdop/uev-v2/configuring-ue-v-2x-with-group-policy-objects-both-uevv2.md b/mdop/uev-v2/configuring-ue-v-2x-with-group-policy-objects-both-uevv2.md index 40ed244a0b..94ee14b167 100644 --- a/mdop/uev-v2/configuring-ue-v-2x-with-group-policy-objects-both-uevv2.md +++ b/mdop/uev-v2/configuring-ue-v-2x-with-group-policy-objects-both-uevv2.md @@ -82,13 +82,13 @@ The following policy settings can be configured for UE-V.

    Settings storage path

    Computers and Users

    This Group Policy setting configures where the user settings are to be stored.

    -

    Enter a Universal Naming Convention (UNC) path and variables such as \\Server\SettingsShare\%username%.

    +

    Enter a Universal Naming Convention (UNC) path and variables such as \Server\SettingsShare%username%.

    Settings template catalog path

    Computers Only

    This Group Policy setting configures where custom settings location templates are stored. This policy setting also configures whether the catalog is to be used to replace the default Microsoft templates that are installed with the UE-V Agent.

    -

    Enter a Universal Naming Convention (UNC) path such as \\Server\TemplateShare or a folder location on the computer.

    +

    Enter a Universal Naming Convention (UNC) path such as \Server\TemplateShare or a folder location on the computer.

    Select the check box to replace the default Microsoft templates.
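Review bot: the `+` lines in this hunk break both example paths: `\\Server\SettingsShare\%username%` becomes `\Server\SettingsShare%username%` and `\\Server\TemplateShare` becomes `\Server\TemplateShare`. A UNC path needs the leading `\\`, and the separator before `%username%` is gone as well, so the first example would expand to `\Server\SettingsShare<username>` rather than a per-user folder under the share. This looks like backslashes being treated as Markdown escapes; these rows appear to be table cells where the backslashes are literal, so restore the original text and consider wrapping the paths in backticks so they are not stripped again.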

    @@ -124,12 +124,12 @@ The following policy settings can be configured for UE-V. -  + **Note**   In addition, Group Policy settings are available for many desktop applications and Windows apps. You can use these settings to enable or disable settings synchronization for specific applications. -  + **Windows App Group Policy settings** @@ -170,7 +170,7 @@ In addition, Group Policy settings are available for many desktop applications a -  + For more information about synchronizing Windows apps, see [Windows App List](https://technet.microsoft.com/library/dn458925.aspx#win8applist). @@ -207,9 +207,9 @@ The UE-V Agent uses the following order of precedence to determine synchronizati [Manage Configurations for UE-V 2.x](manage-configurations-for-ue-v-2x-new-uevv2.md) -  + -  + diff --git a/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md b/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md index fbaae75c0f..c5936123dc 100644 --- a/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md +++ b/mdop/uev-v2/configuring-ue-v-2x-with-system-center-configuration-manager-2012-both-uevv2.md @@ -79,7 +79,7 @@ The UE-V Configuration Pack includes tools to perform the following tasks: -   + - Verify compliance by confirming that UE-V is running. @@ -238,9 +238,9 @@ The UE-V Configuration Pack for Configuration Manager 2012 SP1 or later can be d [Manage Configurations for UE-V 2.x](manage-configurations-for-ue-v-2x-new-uevv2.md) -  + -  + diff --git a/mdop/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2.md b/mdop/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2.md index 3a5b5821e0..b88d290654 100644 --- a/mdop/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2.md +++ b/mdop/uev-v2/deploy-required-features-for-ue-v-2x-new-uevv2.md 
@@ -44,10 +44,10 @@ UE-V requires a location in which to store user settings in settings package fil If you don’t create a settings storage location, the UE-V Agent will use Active Directory (AD) by default. -**Note**   +**Note** As a matter of [performance and capacity planning](https://technet.microsoft.com/library/dn458932.aspx#capacity) and to reduce problems with network latency, create settings storage locations on the same local networks where the users’ computers reside. We recommend 20 MB of disk space per user for the settings storage location. -  + ### Create a UE-V Settings Storage Location @@ -106,7 +106,7 @@ The UE-V Agent dynamically creates a user-specific settings storage path, with a -   + 4. Set the following NTFS file system permissions for the settings storage location folder. @@ -137,18 +137,18 @@ The UE-V Agent dynamically creates a user-specific settings storage path, with a -   + With this configuration, the UE-V Agent creates and secures a Settingspackage folder while it runs in the context of the user, and grants each user permission to create folders for settings storage. Users receive full control to their Settingspackage folder while other users cannot access it. -**Note**   +**Note** If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor: 1. Add a **REG\_DWORD** registry key named **"RepositoryOwnerCheckEnabled"** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\UEV\\Agent\\Configuration**. 2. Set the registry key value to *1*. -  + ### Use Active Directory with UE-V 2.x 
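Review bot: in the @@ -44 and @@ -137 hunks `**Note**   ` is changed to `**Note**` with the trailing characters removed. If those trailing characters were the two-space hard line break (the layout, label on its own line followed by the note body, suggests they were), the rendered output now merges label and body into one line, "**Note** As a matter of performance…". Either keep a hard break or put a blank line after the label; the same pattern recurs in the later `**Important**` and `**Note**` hunks of this file. The @@ -137 hunk is the one that documents the RepositoryOwnerCheckEnabled registry value, so please confirm that numbered list still renders under its label after the change.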
@@ -167,7 +167,7 @@ You can configure UE-V before, during, or after UE-V Agent installation, dependi Supported operating systems for the domain controller that deploys the Group Policy Objects include the following: - Windows Server 2008 R2 + Windows Server 2008 R2 Windows Server 2012 and Windows Server 2012 R2 @@ -175,12 +175,12 @@ You can configure UE-V before, during, or after UE-V Agent installation, dependi - [Windows PowerShell and WMI](https://technet.microsoft.com/library/dn458937.aspx)**:** You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify configurations after you install the UE-V Agent. - **Note**   + **Note** Registry modification can result in data loss, or the computer becomes unresponsive. We recommend that you use other configuration methods. -   -- **Command-line or Batch Script Installation:** Parameters that are used when you [Deploy the UE-V Agent](#agent) configure many UE-V settings. Electronic software distribution systems, such as System Center 2012 Configuration Manager, use these parameters to configure their clients when they deploy and install the UE-V Agent software. + +- **Command-line or Batch Script Installation:** Parameters that are used when you [Deploy the UE-V Agent](#agent) configure many UE-V settings. Electronic software distribution systems, such as System Center 2012 Configuration Manager, use these parameters to configure their clients when they deploy and install the UE-V Agent software. ## Deploy the UE-V 2.x Agent 
@@ -189,10 +189,10 @@ The UE-V Agent is the core of a UE-V deployment and must run on each computer th **UE-V Agent Installation Files:** A single installation file, AgentSetup.exe, installs the UE-V Agent on both 32-bit and 64-bit operating systems. In addition, AgentSetupx86.msi or AgentSetupx64.msi architecture-specific Windows Installer files are provided, and since they are smaller, they might streamline the agent deployments. The [command-line parameters for the AgentSetup.exe installer](#params) are supported for the Windows Installer installation as well. -**Important**   +**Important** During UE-V Agent installation or uninstallation, you can either use the AgentSetup.exe file or the AgentSetup<arch>.msi file, but not both. The same file must be used to uninstall the UE-V Agent that was used to install the UE-V Agent. -  + ### To Deploy the UE-V Agent @@ -232,42 +232,42 @@ Use the following procedure to deploy the UE-V Agent from a network share.

    Command prompt

    When you install the UE-V Agent at a command prompt, use the %^username% variable format. If quotation marks are required because of spaces in the settings storage path, use a batch script file for deployment.

    -

    AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\\server\settingsshare\%^username%

    +

    AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\server\settingsshare%^username%

    -

    msiexec.exe /i "<path to msi file>" /quiet /norestart /l*v "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\\server\settingsshare\%^username%

    +

    msiexec.exe /i "<path to msi file>" /quiet /norestart /lv "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\server\settingsshare%^username%

    Batch script

    When you install the UE-V Agent from a batch script file, use the %%username%% variable format. If you use this installation method, you must escape the variable with the %% characters. Without this character, the script expands the username variable at installation time, rather than at run time, which causes UE-V to use a single settings storage location for all users.

    -

    AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath="\\server\settingsshare\%%username%%"

    +

    AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath="\server\settingsshare%%username%%"

    -

    msiexec.exe /i "<path to msi file>" /quiet /norestart /l*v "%temp%\UE-VAgentInstaller.log" SettingsStoragePath="\\server\settingsshare\%%username%%"

    +

    msiexec.exe /i "<path to msi file>" /quiet /norestart /lv "%temp%\UE-VAgentInstaller.log" SettingsStoragePath="\server\settingsshare%%username%%"

    Windows PowerShell

    When you install the UE-V Agent from a Windows PowerShell prompt or a Windows PowerShell script, use the %username% variable format.

    -

    & AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\\server\settingsshare\%username%

    +

    & AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\server\settingsshare%username%

    -

    & msiexec.exe /i "<path to msi file>" /quiet /norestart /l*v "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\\server\settingsshare\%username%

    +

    & msiexec.exe /i "<path to msi file>" /quiet /norestart /lv "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\server\settingsshare%username%

    Electronic software distribution, such as deployment of Configuration Manager Software Deployment

    When you install the UE-V Agent by using Configuration Manager, use the ^%username^% variable format.

    -

    AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\\server\settingsshare\^%username^%

    +

    AgentSetup.exe /quiet /norestart /log "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\server\settingsshare^%username^%

    -

    msiexec.exe /i "<path to msi file>" /quiet /norestart /l*v "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\\server\settingsshare\^%username^%

    +

    msiexec.exe /i "<path to msi file>" /quiet /norestart /lv "%temp%\UE-VAgentInstaller.log" SettingsStoragePath=\server\settingsshare^%username^%

    -  -**Note**   + +**Note** The installation of the UE-V Agent requires administrator rights, and the computer requires a restart before the UE-V Agent can run. -  + ### Command-line parameters for UE-V Agent deployment @@ -296,12 +296,11 @@ The command-line parameters of the UE-V Agent are as follows.
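Review bot: every command in the @@ -232 hunk is now wrong in two ways. First, `SettingsStoragePath=\\server\settingsshare\%^username%` (and the batch script, Windows PowerShell and Configuration Manager variants) lose the leading `\\` and the `\` before the username variable, so the agent would be pointed at `\server\settingsshare<user>` instead of a per-user folder under the share; that also undermines the NTFS permission model this same PR documents in deploy-required-features, where each user gets full control of their own Settingspackage folder and other users cannot access it. Second, the msiexec logging switch `/l*v` becomes `/lv`, dropping the `*` (log all information) flag and changing what the install log contains. Both look like Markdown-escape stripping of `\\` and `*` applied to literal command text; restore the originals and keep the commands in code formatting.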

    SettingsStoragePath

    Indicates the Universal Naming Convention (UNC) path that defines where settings are stored.

    -Important   -

    You must specify a SettingsStoragePath in UE-V 2.1 and UE-V 2.1 SP1. You can set the AdHomePath string to specify that the user's Active Directory home path is used. For example, SettingsStoragePath = \\share\path|AdHomePath.

    +Important

    You must specify a SettingsStoragePath in UE-V 2.1 and UE-V 2.1 SP1. You can set the AdHomePath string to specify that the user's Active Directory home path is used. For example, SettingsStoragePath = \share\path|AdHomePath.

    In UE-V 2.0, you can leave SettingsStoragePath blank to use the Active Directory home path instead.

    -  +

    %username% or %computername% environment variables are accepted. Scripting can require escaped variables.

    Default: <none>
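Review bot: the `+` line changes the example `SettingsStoragePath = \\share\path|AdHomePath` to `\share\path|AdHomePath`, which is no longer a UNC path. This is the same backslash stripping as in the deployment command table above and should be reverted together with it; the `Important` label cleanup in the same hunk is fine on its own.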

    @@ -372,11 +371,10 @@ The command-line parameters of the UE-V Agent are as follows.

    ACCEPTLICENSETERMS

    Lets UE-V be installed silently. This must be set to True to install UE-V silently and bypass the requirement that the user accepts the UE-V license terms. If set to False or left empty, the user receives an error message and UE-V is not installed.

    -Important   -

    This parameter is required to install UE-V silently.

    +Important

    This parameter is required to install UE-V silently.

    -  +
    @@ -387,7 +385,7 @@ The command-line parameters of the UE-V Agent are as follows. -  + ### Update the UE-V Agent @@ -399,10 +397,10 @@ During a UE-V Agent upgrade, the default group of settings location templates fo The UE-V 2.x Agent introduces many new features and modifies how and when the agent uploads content to the settings storage share. The upgrade process automates these changes. To upgrade the UE-V Agent, run the UE-V Agent install package (AgentSetup.exe, AgentSetupx86.msi, or AgentSetupx64.msi) on users’ computers. -**Note**   +**Note** When you upgrade the UE-V Agent, you must use the same installer type (.exe file or .msi packet) that installed the previous UE-V Agent. For example, use the UE-V 2 AgentSetup.exe to upgrade UE-V 1.0 Agents that were installed by using AgentSetup.exe. -  + The following configurations are preserved when the Agent Setup program runs: @@ -412,12 +410,12 @@ The following configurations are preserved when the Agent Setup program runs: - Scheduled tasks (Interval settings are reset to their defaults) -**Note**   +**Note** A computer with UE-V 2.x settings location templates that are registered in the UE-V 1.0 Agent register errors in the Windows Event Log. -  -You can use Microsoft System Center 2012 Configuration Manager or another enterprise software distribution tool to automate and distribute the UE-V Agent upgrade. + +You can use Microsoft System Center 2012 Configuration Manager or another enterprise software distribution tool to automate and distribute the UE-V Agent upgrade. **Recommendations:** We recommend that you upgrade all of the UE-V 1.0 Agents in a computing environment, but it is not required. UE-V 2.x settings location templates can interact with a UE-V 1.0 Agent because they only share the settings from the settings storage path. We recommend, however, that you move the deployments to a single agent version to simplify management and to support UE-V. 
@@ -427,7 +425,7 @@ You might experience errors after you attempt one of the following operations: - Upgrade from UE-V 1.0 to UE-V 2 -- Upgrade to a newer version of Windows, for example, from Windows 7 to Windows 8 or from Windows 8 to Windows 8.1. +- Upgrade to a newer version of Windows, for example, from Windows 7 to Windows 8 or from Windows 8 to Windows 8.1. - Uninstall the agent after upgrading the UE-V Agent @@ -451,9 +449,9 @@ You can then retry the uninstall process or upgrade by installing the newer vers [Deploy UE-V 2.x for Custom Applications](deploy-ue-v-2x-for-custom-applications-new-uevv2.md) -  - -  + + + diff --git a/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md b/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md index 43f448f724..e86cfa6fc0 100644 --- a/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md +++ b/mdop/uev-v2/deploy-ue-v-2x-for-custom-applications-new-uevv2.md @@ -46,7 +46,7 @@ Once you have read through the planning material in [Prepare a UE-V 2.x Deployme **Note**   Templates that are deployed by using ESD or Group Policy must be registered with UE-V Windows Management Instrumentation (WMI) or Windows PowerShell. -   + ## Prepare to Deploy UE-V 2.x for Custom Applications 
@@ -68,7 +68,7 @@ The UE-V Generator monitors an application to discover and capture the locations **Note**   UE-V settings location templates cannot be created from virtualized applications or Terminal Services applications. However, settings that are synchronized by using the templates can be applied to those applications. To create templates that support Virtual Desktop Infrastructure (VDI) and Terminal Services applications, open a version of the Windows Installer (.msi) package of the application by using the UE-V Generator. For more information about synchronizing settings for virtual applications, see [Using UE-V 2.x with Application Virtualization Applications](using-ue-v-2x-with-application-virtualization-applications-both-uevv2.md). -  + **Excluded Locations:** The discovery process excludes locations that commonly store application software files that do not synchronize settings well between user computers or computing environments. By default, these are excluded: @@ -98,7 +98,7 @@ When you use Group Policy to configure the settings template catalog path, you c **Note**   If you disable this policy setting after it has been enabled, the UE-V Agent does not restore the default Microsoft templates. -  + If there are customized templates in the settings template catalog that use the same ID as the default Microsoft templates, and the UE-V Agent is not configured to replace the default Microsoft templates, the Microsoft templates are ignored. @@ -107,7 +107,7 @@ You can also replace the default templates by using the UE-V Windows PowerShell **Note**   Old settings packages remain in the settings storage location even if you deploy new settings location templates for an application. These packages are not read by the agent, but neither are they automatically deleted. -  + ## Install the UEV 2.x Generator 
@@ -131,7 +131,7 @@ Install the Microsoft User Experience Virtualization (UE-V) 2.0 Generator on a c **Note**   A prompt for **User Account Control** appears before the application is installed. Permission is required to install the UE-V Generator. -   + 7. Click **Finish** to close the wizard after the installation is finished. You must restart your computer before you can run the UE-V Generator. @@ -140,7 +140,7 @@ Install the Microsoft User Experience Virtualization (UE-V) 2.0 Generator on a c **Note**   The UE-V 2 Generator can only be used to create templates for UE-V 2 Agents. In a mixed deployment of UE-V 1.0 Agents and UE-V 2 Agents, you should continue to use the UE-V 1.0 Generator until you have upgraded all UE-V Agents. -   + ## Deploy a Settings Template Catalog @@ -184,7 +184,7 @@ You can configure the settings template catalog path by using the installation c -   + 3. Set the following NTFS file system permissions for the settings template catalog folder. @@ -225,7 +225,7 @@ You can configure the settings template catalog path by using the installation c -   + 4. Click **OK** to close the dialog boxes. @@ -247,7 +247,7 @@ Use the UE-V Generator to create settings location templates for line-of-busines **Note**   Before the application is started, the system displays a prompt for **User Account Control**. Permission is required to monitor the registry and file locations that the application uses to store settings. -   + 4. After the application starts, close the application. The UE-V Generator records the locations where the application stores its settings. 
@@ -313,14 +313,14 @@ Templates that are deployed by using an ESD system or Group Policy Objects must **Note**   Templates on computers are updated daily. The update is based on changes to the settings template catalog. -   + 3. To manually update templates on a computer that runs the UE-V Agent, open an elevated command prompt, and browse to **%Program Files%\\Microsoft User Experience Virtualization \\ Agent \\ <x86 or x64 >**, and then run **ApplySettingsTemplateCatalog.exe**. **Note**   This program runs automatically during computer startup and daily at 3:30 A. M. to gather any new templates that were recently added to the catalog. -   + @@ -334,9 +334,9 @@ Templates that are deployed by using an ESD system or Group Policy Objects must [Deploy Required Features for UE-V 2.x](deploy-required-features-for-ue-v-2x-new-uevv2.md) -  + -  + diff --git a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md index 27b0dba976..a18ae22ef9 100644 --- a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md +++ b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md @@ -22,7 +22,7 @@ Follow the steps in this guide to quickly deploy Microsoft User Experience Virtu **Note**   The information in this section is repeated in greater detail throughout the rest of the documentation. So if you already know that UE-V 2 is the right solution and you don’t need to evaluate it, you can just go right to [Prepare a UE-V 2.x Deployment](prepare-a-ue-v-2x-deployment-new-uevv2.md). -  + The standard installation of UE-V synchronizes the default Microsoft Windows and Office settings and many Windows app settings. Make sure your test environment includes two or more user computers that share network access and you’ll be evaluating UE-V in just a short time. @@ -160,7 +160,7 @@ You’ll need to deploy a settings storage location, a standard network share wh -   + 2. Set the following NTFS file system permissions for the settings storage location folder. 
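Review bot: the @@ -313,14 +313,14 hunk (the ApplySettingsTemplateCatalog.exe step) only swaps the non-breaking-space lines for empty ones, but the path it leaves in the context line, **%Program Files%\\Microsoft User Experience Virtualization \\ Agent \\ <x86 or x64 >**, is not usable as written: `%Program Files%` is not an environment variable (`%ProgramFiles%` is), and the spaces around the backslashes are not part of the folder names. While the hunk is open, write it as `%ProgramFiles%\Microsoft User Experience Virtualization\Agent\<x86 or x64>` so an administrator can paste it into the elevated prompt the step asks for.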
@@ -191,7 +191,7 @@ You’ll need to deploy a settings storage location, a standard network share wh -   + **Security Note:  ** @@ -259,9 +259,9 @@ You can change the settings in Computer B back to the original Computer A settin -  + -  + diff --git a/mdop/uev-v2/index.md b/mdop/uev-v2/index.md index cf1d9adb63..5e5f69c25f 100644 --- a/mdop/uev-v2/index.md +++ b/mdop/uev-v2/index.md @@ -67,24 +67,23 @@ This diagram shows how deployed UE-V components work together to synchronize set
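Review bot: in the get-started hunk @@ -191,7 +191,7 the commit removes the non-breaking-space line but leaves `**Security Note:  **` directly below it; with whitespace inside the closing `**` that delimiter is not right-flanking, so CommonMark renders the literal asterisks instead of a bold label and the security note that follows loses its callout. Change it to `**Security Note:**` in the same hunk.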

    Settings location templates

    -

    UE-V uses XML files as settings location templates to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V . You can also create, edit, or validate custom settings location templates by [managing settings synchronization for custom applications](#customapps).

    +

    UE-V uses XML files as settings location templates to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V . You can also create, edit, or validate custom settings location templates by managing settings synchronization for custom applications.

    -Note   -

    Settings location templates are not required for Windows apps.

    +Note

    Settings location templates are not required for Windows apps.

    -  +

    Windows app list

    Settings for Windows apps are captured and applied dynamically. The app developer specifies the settings that are synchronized for each app. UE-V determines which Windows apps are enabled for settings synchronization using a managed list of apps. By default, this list includes most Windows apps.

    -

    You can add or remove applications in the Windows app list by following the procedures shown [here](https://technet.microsoft.com/library/dn458925.aspx).

    +

    You can add or remove applications in the Windows app list by following the procedures shown here.

    -  + ### Managing Settings Synchronization for Custom Applications @@ -103,12 +102,12 @@ Use these UE-V components to create and manage custom templates for your third-p

    Settings template catalog

    The settings template catalog is a folder path on UE-V computers or a Server Message Block (SMB) network share that stores the custom settings location templates. The UE-V Agent checks this location once a day, retrieves new or updated templates, and updates its synchronization behavior.

    -

    If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see [Configure a UE-V settings template catalog](https://technet.microsoft.com/library/dn458942.aspx#deploycatalogue).

    +

    If you use only the UE-V default settings location templates, then a settings template catalog is unnecessary. For more information about settings deployment catalogs, see Configure a UE-V settings template catalog.

    -  + ![ue-v generator process](images/ue-vgeneratorprocess.gif) @@ -133,15 +132,15 @@ Many Windows desktop applications, such as Notepad Many Windows settings, such as desktop background or wallpaper -**Note**   +**Note** You can also [customize UE-V to synchronize settings](https://technet.microsoft.com/library/dn458942.aspx) for applications other than those synchronized by default. -  + ## Compare UE-V to other Microsoft products -Use this table to compare UE-V to Synchronize Profiles in Windows 7, Synchronize Profiles in Windows 8, and the Sync PC Settings feature of Microsoft account. +Use this table to compare UE-V to Synchronize Profiles in Windows 7, Synchronize Profiles in Windows 8, and the Sync PC Settings feature of Microsoft account. @@ -156,7 +155,7 @@ Use this table to compare UE-V to Synchronize Profiles in Windows 7, Synchroniz - + @@ -276,7 +275,7 @@ Use this table to compare UE-V to Synchronize Profiles in Windows 7, Synchroniz
    FeatureSynchronize Profiles using Windows 7Synchronize Profiles using Windows 7 Synchronize Profiles using Windows 8 Synchronize Profiles using Windows 10 Microsoft account
    -  + ## UE-V 2.x Release Notes @@ -315,9 +314,9 @@ Find documentation, videos, and other resources for MDOP technologies. You can a -  - -  + + + diff --git a/mdop/uev-v2/manage-administrative-backup-and-restore-in-ue-v-2x-new-topic-for-21.md b/mdop/uev-v2/manage-administrative-backup-and-restore-in-ue-v-2x-new-topic-for-21.md index c43b34ca0d..2716ff5ef7 100644 --- a/mdop/uev-v2/manage-administrative-backup-and-restore-in-ue-v-2x-new-topic-for-21.md +++ b/mdop/uev-v2/manage-administrative-backup-and-restore-in-ue-v-2x-new-topic-for-21.md @@ -90,10 +90,10 @@ Restoring a user’s device restores the currently registered Template’s setti If the user’s UE-V settings storage path, domain, and Computer name match the current user then all of the settings for that user are synchronized, with only the latest settings applied. If a user logs on to a new device for the first time and these criteria are met, the settings data is applied to that device. - **Note**   + **Note** Accessibility and Windows Desktop settings require the user to re-logon to Windows to be applied. -   + - **Manual Restore** @@ -129,7 +129,7 @@ WMI and Windows PowerShell commands let you restore application and Windows sett -   + **To restore application settings and Windows settings with WMI** @@ -156,12 +156,14 @@ WMI and Windows PowerShell commands let you restore application and Windows sett -   - **Note**   - UE-V does not provide a settings rollback for Windows apps. -   +~~~ +**Note** +UE-V does not provide a settings rollback for Windows apps. +~~~ + + @@ -175,9 +177,9 @@ WMI and Windows PowerShell commands let you restore application and Windows sett [Administering UE-V 2.x](administering-ue-v-2x-new-uevv2.md) -  - -  + + + diff --git a/mdop/uev-v2/managing-the-ue-v-2x-agent-and-packages-with-windows-powershell-and-wmi-both-uevv2.md b/mdop/uev-v2/managing-the-ue-v-2x-agent-and-packages-with-windows-powershell-and-wmi-both-uevv2.md index 0bc37f2d0b..ba8db1fb4b 100644 
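Review bot: the index.md hunks @@ -67,24 +67,23 and @@ -103,12 +102,12 remove link markup as well as whitespace: `[managing settings synchronization for custom applications](#customapps)` becomes plain text, `[here](https://technet.microsoft.com/library/dn458925.aspx)` becomes a bare `here`, and `[Configure a UE-V settings template catalog](https://technet.microsoft.com/library/dn458942.aspx#deploycatalogue)` loses its URL, so "following the procedures shown here" no longer leads anywhere. Keep the link markup on the `+` lines; only the trailing non-breaking spaces should go.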
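Review bot: in the manage-administrative-backup hunk @@ -156,12 +156,14, fencing `**Note**` and `UE-V does not provide a settings rollback for Windows apps.` in `~~~` converts the note into a code block, so the page shows the literal asterisks in monospace and the callout styling the other notes in the file use (for example the `**Note**` block in @@ -90,10 +90,10) is lost. Drop the `~~~` lines and keep the two lines as an ordinary paragraph.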
--- a/mdop/uev-v2/managing-the-ue-v-2x-agent-and-packages-with-windows-powershell-and-wmi-both-uevv2.md +++ b/mdop/uev-v2/managing-the-ue-v-2x-agent-and-packages-with-windows-powershell-and-wmi-both-uevv2.md @@ -23,10 +23,10 @@ You can use Windows Management Instrumentation (WMI) and Windows PowerShell to m 1. Stage the UE-V installer file in an accessible network share. - **Note**   + **Note** Use AgentSetup.exe to deploy both 32-bit and 64-bit versions of the UE-V Agent. Windows Installer packages, AgentSetupx86.msi and AgentSetupx64.msi, are available for each architecture. To uninstall the UE-V Agent at a later time by using the installation file, you must use the same file type. -   + 2. Use one of the following Windows PowerShell commands to install the UE-V Agent. @@ -36,164 +36,164 @@ You can use Windows Management Instrumentation (WMI) and Windows PowerShell to m **To configure the UE-V Agent by using Windows PowerShell** -1. Open a Windows PowerShell window. To manage computer settings that affect all users of the computer by using the *Computer* parameter, open the window with an account that has administrator rights. +1. Open a Windows PowerShell window. To manage computer settings that affect all users of the computer by using the *Computer* parameter, open the window with an account that has administrator rights. -2. Use the following Windows PowerShell commands to configure the agent. +2. Use the following Windows PowerShell commands to configure the agent. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows PowerShell commandDescription

    Get-UevConfiguration

    +

    Gets the effective UE-V Agent settings. User-specific settings have precedence over the computer settings.

    Get-UevConfiguration - CurrentComputerUser

    +

    Gets the UE-V Agent settings values for the current user only.

    Get-UevConfiguration -Computer

    Gets the UE-V Agent configuration settings values for all users on the computer.

    Get-UevConfiguration -Details

    Gets the details for each configuration setting. Displays where the setting is configured or if it uses the default value. Is displayed if the current setting is valid.

    Set-UevConfiguration -Computer –ContactITDescription <IT description>

    Sets the text that is displayed in the Company Settings Center for the help link.

    Set-UevConfiguration -Computer -ContactITUrl <string>

    Sets the URL of the link in the Company Settings Center for the help link. Any URL protocol can be used.

    Set-UevConfiguration -Computer –EnableDontSyncWindows8AppSettings

    Configures the UE-V Agent to not synchronize any Windows apps for all users on the computer.

    Set-UevConfiguration -CurrentComputerUser – EnableDontSyncWindows8AppSettings

    Configures the UE-V Agent to not synchronize any Windows apps for the current computer user.

    Set-UevConfiguration -Computer –EnableFirstUseNotification

    Configures the UE-V Agent to display notification the first time the agent runs for all users on the computer.

    Set-UevConfiguration -Computer –DisableFirstUseNotification

    Configures the UE-V Agent to not display notification the first time that the agent runs for all users on the computer.

    Set-UevConfiguration -Computer –EnableSettingsImportNotify

    Configures the UE-V Agent to notify all users on the computer when settings synchronization is delayed.

    +

    Use the DisableSettingsImportNotify parameter to disable notification.

    Set-UevConfiguration - CurrentComputerUser -EnableSettingsImportNotify

    Configures the UE-V Agent to notify the current user when settings synchronization is delayed.

    +

    Use the DisableSettingsImportNotify parameter to disable notification.

    Set-UevConfiguration -Computer –EnableSyncUnlistedWindows8Apps

    Configures the UE-V Agent to synchronize all Windows apps that are not explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI.

    +

    Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V Agent to synchronize only Windows apps that are explicitly enabled by the Windows App List.

    Set-UevConfiguration - CurrentComputerUser - EnableSyncUnlistedWindows8Apps

    Configures the UE-V Agent to synchronize all Windows apps that are not explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI.

    +

    Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V Agent to synchronize only Windows apps that are explicitly enabled by the Windows App List.

    Set-UevConfiguration –Computer –DisableSync

    Disables UE-V for all the users on the computer.

    +

    Use the EnableSync parameter to enable or re-enable.

    Set-UevConfiguration –CurrentComputerUser -DisableSync

    Disables UE-V for the current user on the computer.

    +

    Use the EnableSync parameter to enable or re-enable.

    Set-UevConfiguration -Computer –EnableTrayIcon

    Enables the UE-V icon in the notification area for all users of the computer.

    +

    Use the DisableTrayIcon parameter to disable the icon.

    Set-UevConfiguration -Computer -MaxPackageSizeInBytes <size in bytes>

    Configures the UE-V agent to report when a settings package file size reaches the defined threshold for all users on the computer. Sets the threshold package size in bytes.

    Set-UevConfiguration -CurrentComputerUser -MaxPackageSizeInBytes <size in bytes>

    Configures the UE-V agent to report when a settings package file size reaches the defined threshold. Sets the package size warning threshold for the current user.

    Set-UevConfiguration -Computer -SettingsImportNotifyDelayInSeconds

    Specifies the time in seconds before the user is notified for all users of the computer

    Set-UevConfiguration - CurrentComputerUser -SettingsImportNotifyDelayInSeconds

    Specifies the time in seconds before notification for the current user is sent.

    Set-UevConfiguration -Computer -SettingsStoragePath <path to _settings_storage_location>

    Defines a per-computer settings storage location for all users of the computer.

    Set-UevConfiguration -CurrentComputerUser -SettingsStoragePath <path to _settings_storage_location>

    Defines a per-user settings storage location.

    Set-UevConfiguration –Computer –SettingsTemplateCatalogPath <path to catalog>

    Sets the settings template catalog path for all users of the computer.

    Set-UevConfiguration -Computer -SyncMethod <sync method>

    Sets the synchronization method for all users of the computer: SyncProvider or None.

    Set-UevConfiguration -CurrentComputerUser -SyncMethod <sync method>

    Sets the synchronization method for the current user: SyncProvider or None.

    Set-UevConfiguration -Computer -SyncTimeoutInMilliseconds <timeout in milliseconds>

    Sets the synchronization time-out in milliseconds for all users of the computer

    Set- UevConfiguration -CurrentComputerUser -SyncTimeoutInMilliseconds <timeout in milliseconds>

    Set the synchronization time-out for the current user.

    Clear-UevConfiguration –Computer -<setting name>

    Clears the specified setting for all users on the computer.

    Clear-UevConfiguration –CurrentComputerUser -<setting name>

    Clears the specified setting for the current user only.

    Export-UevConfiguration <settings migration file>

    Exports the UE-V computer configuration to a settings migration file. The file name extension must be .uev.

    +

    The Export cmdlet exports all UE-V Agent settings that are configurable with the Computer parameter.

    Import-UevConfiguration <settings migration file>

    Imports the UE-V computer configuration from a settings migration file. The file name extension must be .uev.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Windows PowerShell commandDescription

    Get-UevConfiguration

    -

    Gets the effective UE-V Agent settings. User-specific settings have precedence over the computer settings.

    Get-UevConfiguration - CurrentComputerUser

    -

    Gets the UE-V Agent settings values for the current user only.

    Get-UevConfiguration -Computer

    Gets the UE-V Agent configuration settings values for all users on the computer.

    Get-UevConfiguration -Details

    Gets the details for each configuration setting. Displays where the setting is configured or if it uses the default value. Is displayed if the current setting is valid.

    Set-UevConfiguration -Computer –ContactITDescription <IT description>

    Sets the text that is displayed in the Company Settings Center for the help link.

    Set-UevConfiguration -Computer -ContactITUrl <string>

    Sets the URL of the link in the Company Settings Center for the help link. Any URL protocol can be used.

    Set-UevConfiguration -Computer –EnableDontSyncWindows8AppSettings

    Configures the UE-V Agent to not synchronize any Windows apps for all users on the computer.

    Set-UevConfiguration -CurrentComputerUser – EnableDontSyncWindows8AppSettings

    Configures the UE-V Agent to not synchronize any Windows apps for the current computer user.

    Set-UevConfiguration -Computer –EnableFirstUseNotification

    Configures the UE-V Agent to display notification the first time the agent runs for all users on the computer.

    Set-UevConfiguration -Computer –DisableFirstUseNotification

    Configures the UE-V Agent to not display notification the first time that the agent runs for all users on the computer.

    Set-UevConfiguration -Computer –EnableSettingsImportNotify

    Configures the UE-V Agent to notify all users on the computer when settings synchronization is delayed.

    -

    Use the DisableSettingsImportNotify parameter to disable notification.

    Set-UevConfiguration - CurrentComputerUser -EnableSettingsImportNotify

    Configures the UE-V Agent to notify the current user when settings synchronization is delayed.

    -

    Use the DisableSettingsImportNotify parameter to disable notification.

    Set-UevConfiguration -Computer –EnableSyncUnlistedWindows8Apps

    Configures the UE-V Agent to synchronize all Windows apps that are not explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI](managing-ue-v-2x-settings-location-templates-using-windows-powershell-and-wmi-both-uevv2.md).

    -

    Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V Agent to synchronize only Windows apps that are explicitly enabled by the Windows App List.

    Set-UevConfiguration - CurrentComputerUser - EnableSyncUnlistedWindows8Apps

    Configures the UE-V Agent to synchronize all Windows apps that are not explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI](managing-ue-v-2x-settings-location-templates-using-windows-powershell-and-wmi-both-uevv2.md).

    -

    Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V Agent to synchronize only Windows apps that are explicitly enabled by the Windows App List.

    Set-UevConfiguration –Computer –DisableSync

    Disables UE-V for all the users on the computer.

    -

    Use the EnableSync parameter to enable or re-enable.

    Set-UevConfiguration –CurrentComputerUser -DisableSync

    Disables UE-V for the current user on the computer.

    -

    Use the EnableSync parameter to enable or re-enable.

    Set-UevConfiguration -Computer –EnableTrayIcon

    Enables the UE-V icon in the notification area for all users of the computer.

    -

    Use the DisableTrayIcon parameter to disable the icon.

    Set-UevConfiguration -Computer -MaxPackageSizeInBytes <size in bytes>

    Configures the UE-V agent to report when a settings package file size reaches the defined threshold for all users on the computer. Sets the threshold package size in bytes.

    Set-UevConfiguration -CurrentComputerUser -MaxPackageSizeInBytes <size in bytes>

    Configures the UE-V agent to report when a settings package file size reaches the defined threshold. Sets the package size warning threshold for the current user.

    Set-UevConfiguration -Computer -SettingsImportNotifyDelayInSeconds

    Specifies the time in seconds before the user is notified for all users of the computer

    Set-UevConfiguration - CurrentComputerUser -SettingsImportNotifyDelayInSeconds

    Specifies the time in seconds before notification for the current user is sent.

    Set-UevConfiguration -Computer -SettingsStoragePath <path to _settings_storage_location>

    Defines a per-computer settings storage location for all users of the computer.

    Set-UevConfiguration -CurrentComputerUser -SettingsStoragePath <path to _settings_storage_location>

    Defines a per-user settings storage location.

    Set-UevConfiguration –Computer –SettingsTemplateCatalogPath <path to catalog>

    Sets the settings template catalog path for all users of the computer.

    Set-UevConfiguration -Computer -SyncMethod <sync method>

    Sets the synchronization method for all users of the computer: SyncProvider or None.

    Set-UevConfiguration -CurrentComputerUser -SyncMethod <sync method>

    Sets the synchronization method for the current user: SyncProvider or None.

    Set-UevConfiguration -Computer -SyncTimeoutInMilliseconds <timeout in milliseconds>

    Sets the synchronization time-out in milliseconds for all users of the computer

    Set- UevConfiguration -CurrentComputerUser -SyncTimeoutInMilliseconds <timeout in milliseconds>

    Set the synchronization time-out for the current user.

    Clear-UevConfiguration –Computer -<setting name>

    Clears the specified setting for all users on the computer.

    Clear-UevConfiguration –CurrentComputerUser -<setting name>

    Clears the specified setting for the current user only.

    Export-UevConfiguration <settings migration file>

    Exports the UE-V computer configuration to a settings migration file. The file name extension must be .uev.

    -

    The Export cmdlet exports all UE-V Agent settings that are configurable with the Computer parameter.

    Import-UevConfiguration <settings migration file>

    Imports the UE-V computer configuration from a settings migration file. The file name extension must be .uev.

    -   **To export UE-V package settings and repair UE-V templates by using Windows PowerShell** @@ -222,7 +222,7 @@ You can use Windows Management Instrumentation (WMI) and Windows PowerShell to m -   + **To configure the UE-V Agent by using WMI** @@ -318,13 +318,15 @@ You can use Windows Management Instrumentation (WMI) and Windows PowerShell to m -   - Upon configuration of the UE-V Agent with WMI and Windows PowerShell, the defined configuration is stored in the registry in the following locations. - `\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration` +~~~ +Upon configuration of the UE-V Agent with WMI and Windows PowerShell, the defined configuration is stored in the registry in the following locations. - `\HKEY_CURRENT_USER\SOFTWARE\Microsoft\UEV\Agent\Configuration` +`\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration` + +`\HKEY_CURRENT_USER\SOFTWARE\Microsoft\UEV\Agent\Configuration` +~~~ **To export UE-V package settings and repair UE-V templates by using WMI** @@ -355,9 +357,11 @@ You can use Windows Management Instrumentation (WMI) and Windows PowerShell to m -   - **Got a suggestion for UE-V**? Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). **Got a UE-V issue**? Use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). + +~~~ +**Got a suggestion for UE-V**? Add or vote on suggestions [here](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization). **Got a UE-V issue**? Use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopuev). +~~~ ## Related topics @@ -366,9 +370,9 @@ You can use Windows Management Instrumentation (WMI) and Windows PowerShell to m [Administering UE-V 2.x](administering-ue-v-2x-new-uevv2.md) -  - -  + + + 
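Review bot: hunk @@ -36,164 +36,164 re-emits the whole cmdlet table but drops the two cross-references to [Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI](managing-ue-v-2x-settings-location-templates-using-windows-powershell-and-wmi-both-uevv2.md) from the `EnableSyncUnlistedWindows8Apps` rows; the `+` rows should keep them. Since every row is rewritten anyway, this is the place to make the command cells paste-able: `Get-UevConfiguration - CurrentComputerUser`, `Set-UevConfiguration - CurrentComputerUser - EnableSyncUnlistedWindows8Apps` and `Set- UevConfiguration -CurrentComputerUser -SyncTimeoutInMilliseconds` carry stray spaces inside the cmdlet or parameter names, several rows mix en dashes (`–Computer`, `–DisableSync`, `– EnableDontSyncWindows8AppSettings`) with the ASCII hyphen used elsewhere, and the two `-SettingsImportNotifyDelayInSeconds` rows omit the `<seconds>` placeholder that the other value-taking parameters show.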
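Review bot: hunks @@ -318,13 +318,15 and @@ -355,9 +357,11 wrap ordinary prose in `~~~` fences, which turns it into code blocks: the registry-location paragraph will show as monospace text, and the `[here](http://uev.uservoice.com/...)` and `[UE-V TechNet Forum](https://social.technet.microsoft.com/...)` links in the "Got a suggestion" paragraph will render as literal brackets instead of links. Keep only the two registry paths in backticks, as they already are, and leave the sentences unfenced. While touching those lines, drop the leading backslash: `\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration` is not a valid key path; it is `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration`, and likewise for the HKEY_CURRENT_USER key.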
diff --git a/mdop/uev-v2/managing-ue-v-2x-settings-location-templates-using-windows-powershell-and-wmi-both-uevv2.md b/mdop/uev-v2/managing-ue-v-2x-settings-location-templates-using-windows-powershell-and-wmi-both-uevv2.md index fd781f99d3..8de1e74734 100644 --- a/mdop/uev-v2/managing-ue-v-2x-settings-location-templates-using-windows-powershell-and-wmi-both-uevv2.md +++ b/mdop/uev-v2/managing-ue-v-2x-settings-location-templates-using-windows-powershell-and-wmi-both-uevv2.md @@ -26,7 +26,7 @@ The WMI and Windows PowerShell features of UE-V include the ability to enable, d You must have administrator permissions to update, register, or unregister a settings location template. Administrator permissions are not required to enable, disable, or list templates. -****To manage settings location templates by using Windows PowerShell**** +***To manage settings location templates by using Windows PowerShell*** 1. Use an account with administrator rights to open a Windows PowerShell command prompt. @@ -155,7 +155,7 @@ You must have administrator permissions to update, register, or unregister a set -   + The UE-V Windows PowerShell features enable you to manage a group of settings templates that are deployed in your enterprise. Use the following procedure to manage a group of templates by using Windows PowerShell. @@ -334,12 +334,14 @@ User Experience Virtualization provides the following set of WMI commands. Admin -   - **Note**   - Where a list of Package Family Names is called by the WMI command, the list must be in quotes and separated by a pipe symbol, for example, `""`. -   +~~~ +**Note** +Where a list of Package Family Names is called by the WMI command, the list must be in quotes and separated by a pipe symbol, for example, `""`. +~~~ + + ### Deploying the UE-V Agent using Windows PowerShell 
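Review bot: in managing-ue-v-2x-settings-location-templates, hunk @@ -26,7 +26,7 turns `****To manage settings location templates by using Windows PowerShell****` into `***...***`, which renders bold italic; the sibling procedure headings (`**To configure the UE-V Agent by using WMI**`, `**To export UE-V package settings and repair UE-V templates by using WMI**`) are plain bold, so `**To manage settings location templates by using Windows PowerShell**` is the consistent fix. Hunk @@ -334,12 +334,14 has the same `~~~`-around-a-note problem as the other files in this commit, and its example of a Package Family Name list, `""`, is empty, so the reader never sees the quoted, pipe-separated form the sentence describes; an illustrative placeholder such as `"PackageFamilyName1|PackageFamilyName2"` would make the note usable.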
@@ -347,10 +349,10 @@ User Experience Virtualization provides the following set of WMI commands. Admin 1. Stage the UE-V Agent installation package in an accessible network share. - **Note**   + **Note** Use AgentSetup.exe to deploy both 32-bit and 64-bit versions of the UE-V Agent. The Windows Installer packages, AgentSetupx86.msi and AgentSetupx64.msi, are available for each architecture. To uninstall the UE-V Agent at a later time by using the installation file, you must use the same file type. -   + 2. Use one of the following Windows PowerShell commands to install the UE-V Agent. @@ -367,9 +369,9 @@ User Experience Virtualization provides the following set of WMI commands. Admin [Administering UE-V 2.x](administering-ue-v-2x-new-uevv2.md) -  - -  + + + diff --git a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md index e66312a690..72c09ecf9e 100644 --- a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md +++ b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md @@ -135,81 +135,81 @@ This section contains hotfixes and KB articles for UE-V 2.0.

    2927019

    Hotfix Package 1 for Microsoft User Experience Virtualization 2.0

    -

    [support.microsoft.com/kb/2927019](https://support.microsoft.com/kb/2927019)

    +

    support.microsoft.com/kb/2927019

    2903501

    UE-V: User Experience Virtualization (UE-V) compatibility with user profiles

    -

    [support.microsoft.com/kb/2903501/EN-US](https://support.microsoft.com/kb/2903501/EN-US)

    +

    support.microsoft.com/kb/2903501/EN-US

    2770042

    UE-V Registry Settings

    -

    [support.microsoft.com/kb/2770042/EN-US](https://support.microsoft.com/kb/2770042/EN-US)

    +

    support.microsoft.com/kb/2770042/EN-US

    2847017

    UE-V settings replicated by Internet Explorer

    -

    [support.microsoft.com/kb/2847017/EN-US](https://support.microsoft.com/kb/2847017/EN-US)

    +

    support.microsoft.com/kb/2847017/EN-US

    2930271

    Understanding the limitations of roaming Outlook signatures in Microsoft UE-V

    -

    [support.microsoft.com/kb/2930271/EN-US](https://support.microsoft.com/kb/2930271/EN-US)

    +

    support.microsoft.com/kb/2930271/EN-US

    2769631

    How to repair a corrupted UE-V install

    -

    [support.microsoft.com/kb/2769631/EN-US](https://support.microsoft.com/kb/2769631/EN-US)

    +

    support.microsoft.com/kb/2769631/EN-US

    2850989

    Migrating MAPI profiles with Microsoft UE-V is not supported

    -

    [support.microsoft.com/kb/2850989/EN-US](https://support.microsoft.com/kb/2850989/EN-US)

    +

    support.microsoft.com/kb/2850989/EN-US

    2769586

    UE-V roams empty folders and registry keys

    -

    [support.microsoft.com/kb/2769586/EN-US](https://support.microsoft.com/kb/2769586/EN-US)

    +

    support.microsoft.com/kb/2769586/EN-US

    2782997

    How To Enable Debug Logging in Microsoft User Experience Virtualization (UE-V)

    -

    [support.microsoft.com/kb/2782997/EN-US](https://support.microsoft.com/kb/2782997/EN-US)

    +

    support.microsoft.com/kb/2782997/EN-US

    2769570

    UE-V does not update the theme on RDS or VDI sessions

    -

    [support.microsoft.com/kb/2769570/EN-US](https://support.microsoft.com/kb/2769570/EN-US)

    +

    support.microsoft.com/kb/2769570/EN-US

    2901856

    Application settings do not sync after you force a restart on a UE-V-enabled computer

    -

    [support.microsoft.com/kb/2901856/EN-US](https://support.microsoft.com/kb/2901856/EN-US)

    +

    support.microsoft.com/kb/2901856/EN-US

    2850582

    How To Use Microsoft User Experience Virtualization With App-V Applications

    -

    [support.microsoft.com/kb/2850582/EN-US](https://support.microsoft.com/kb/2850582/EN-US)

    +

    support.microsoft.com/kb/2850582/EN-US

    3041879

    Current file versions for Microsoft User Experience Virtualization

    -

    [support.microsoft.com/kb/3041879/EN-US](https://support.microsoft.com/kb/3041879/EN-US)

    +

    support.microsoft.com/kb/3041879/EN-US

    2843592

    Information on User Experience Virtualization and High Availability

    -

    [support.microsoft.com/kb/2843592/EN-US](https://support.microsoft.com/kb/2843592/EN-US)

    +

    support.microsoft.com/kb/2843592/EN-US

    -  + -  + -  + diff --git a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md index 168bcec5f6..d8f9534765 100644 --- a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md +++ b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md @@ -68,7 +68,7 @@ WORKAROUND: The UE-V installer (.msi) has two new command-line parameters that s -  + ### Registry settings do not synchronize between App-V and native applications on the same computer @@ -156,76 +156,76 @@ This section contains hotfixes and KB articles for UE-V 2.1.
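Review bot: in the UE-V 2.0 release notes hunk @@ -135,81 +135,81 every hotfix row loses its hyperlink: `[support.microsoft.com/kb/2927019](https://support.microsoft.com/kb/2927019)` and the other thirteen `[support.microsoft.com/kb/.../EN-US](https://support.microsoft.com/kb/.../EN-US)` entries become bare text, so the KB column is no longer clickable. The `+` cells should keep the link markup; the UE-V 2.1 table in hunk @@ -156,76 +156,76 that follows shows the same regression.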

    3018608

    UE-V 2.1 - TemplateConsole.exe crashes when UE-V WMI classes are missing

    -

    [support.microsoft.com/kb/3018608/EN-US](https://support.microsoft.com/kb/3018608/EN-US)

    +

    support.microsoft.com/kb/3018608/EN-US

    2903501

    UE-V: User Experience Virtualization (UE-V) compatibility with user profiles

    -

    [support.microsoft.com/kb/2903501/EN-US](https://support.microsoft.com/kb/2903501/EN-US)

    +

    support.microsoft.com/kb/2903501/EN-US

    2770042

    UE-V Registry Settings

    -

    [support.microsoft.com/kb/2770042/EN-US](https://support.microsoft.com/kb/2770042/EN-US)

    +

    support.microsoft.com/kb/2770042/EN-US

    2847017

    UE-V settings replicated by Internet Explorer

    -

    [support.microsoft.com/kb/2847017/EN-US](https://support.microsoft.com/kb/2847017/EN-US)

    +

    support.microsoft.com/kb/2847017/EN-US

    2769631

    How to repair a corrupted UE-V install

    -

    [support.microsoft.com/kb/2769631/EN-US](https://support.microsoft.com/kb/2769631/EN-US)

    +

    support.microsoft.com/kb/2769631/EN-US

    2850989

    Migrating MAPI profiles with Microsoft UE-V is not supported

    -

    [support.microsoft.com/kb/2850989/EN-US](https://support.microsoft.com/kb/2850989/EN-US)

    +

    support.microsoft.com/kb/2850989/EN-US

    2769586

    UE-V roams empty folders and registry keys

    -

    [support.microsoft.com/kb/2769586/EN-US](https://support.microsoft.com/kb/2769586/EN-US)

    +

    support.microsoft.com/kb/2769586/EN-US

    2782997

    How To Enable Debug Logging in Microsoft User Experience Virtualization (UE-V)

    -

    [support.microsoft.com/kb/2782997/EN-US](https://support.microsoft.com/kb/2782997/EN-US)

    +

    support.microsoft.com/kb/2782997/EN-US

    2769570

    UE-V does not update the theme on RDS or VDI sessions

    -

    [support.microsoft.com/kb/2769570/EN-US](https://support.microsoft.com/kb/2769570/EN-US)

    +

    support.microsoft.com/kb/2769570/EN-US

    2850582

    How To Use Microsoft User Experience Virtualization With App-V Applications

    -

    [support.microsoft.com/kb/2850582/EN-US](https://support.microsoft.com/kb/2850582/EN-US)

    +

    support.microsoft.com/kb/2850582/EN-US

    3041879

    Current file versions for Microsoft User Experience Virtualization

    -

    [support.microsoft.com/kb/3041879/EN-US](https://support.microsoft.com/kb/3041879/EN-US)

    +

    support.microsoft.com/kb/3041879/EN-US

    2843592

    Information on User Experience Virtualization and High Availability

    -

    [support.microsoft.com/kb/2843592/EN-US](https://support.microsoft.com/kb/2843592/EN-US)

    +

    support.microsoft.com/kb/2843592/EN-US

    -  + -  + -  + diff --git a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md index 5f878e59c4..643bc35ace 100644 --- a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md +++ b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md @@ -68,7 +68,7 @@ WORKAROUND: The UE-V installer (.msi) has two new command-line parameters that s -  + ### Registry settings do not synchronize between App-V and native applications on the same computer @@ -167,76 +167,76 @@ This section contains hotfixes and KB articles for UE-V 2.1 SP1.

    3018608

    UE-V 2.1 - TemplateConsole.exe crashes when UE-V WMI classes are missing

    -

    [support.microsoft.com/kb/3018608/EN-US](https://support.microsoft.com/kb/3018608/EN-US)

    +

    support.microsoft.com/kb/3018608/EN-US

    2903501

    UE-V: User Experience Virtualization (UE-V) compatibility with user profiles

    -

    [support.microsoft.com/kb/2903501/EN-US](https://support.microsoft.com/kb/2903501/EN-US)

    +

    support.microsoft.com/kb/2903501/EN-US

    2770042

    UE-V Registry Settings

    -

    [support.microsoft.com/kb/2770042/EN-US](https://support.microsoft.com/kb/2770042/EN-US)

    +

    support.microsoft.com/kb/2770042/EN-US

    2847017

    UE-V settings replicated by Internet Explorer

    -

    [support.microsoft.com/kb/2847017/EN-US](https://support.microsoft.com/kb/2847017/EN-US)

    +

    support.microsoft.com/kb/2847017/EN-US

    2769631

    How to repair a corrupted UE-V install

    -

    [support.microsoft.com/kb/2769631/EN-US](https://support.microsoft.com/kb/2769631/EN-US)

    +

    support.microsoft.com/kb/2769631/EN-US

    2850989

    Migrating MAPI profiles with Microsoft UE-V is not supported

    -

    [support.microsoft.com/kb/2850989/EN-US](https://support.microsoft.com/kb/2850989/EN-US)

    +

    support.microsoft.com/kb/2850989/EN-US

    2769586

    UE-V roams empty folders and registry keys

    -

    [support.microsoft.com/kb/2769586/EN-US](https://support.microsoft.com/kb/2769586/EN-US)

    +

    support.microsoft.com/kb/2769586/EN-US

    2782997

    How To Enable Debug Logging in Microsoft User Experience Virtualization (UE-V)

    -

    [support.microsoft.com/kb/2782997/EN-US](https://support.microsoft.com/kb/2782997/EN-US)

    +

    support.microsoft.com/kb/2782997/EN-US

    2769570

    UE-V does not update the theme on RDS or VDI sessions

    -

    [support.microsoft.com/kb/2769570/EN-US](https://support.microsoft.com/kb/2769570/EN-US)

    +

    support.microsoft.com/kb/2769570/EN-US

    2850582

    How To Use Microsoft User Experience Virtualization With App-V Applications

    -

    [support.microsoft.com/kb/2850582/EN-US](https://support.microsoft.com/kb/2850582/EN-US)

    +

    support.microsoft.com/kb/2850582/EN-US

    3041879

    Current file versions for Microsoft User Experience Virtualization

    -

    [support.microsoft.com/kb/3041879/EN-US](https://support.microsoft.com/kb/3041879/EN-US)

    +

    support.microsoft.com/kb/3041879/EN-US

    2843592

    Information on User Experience Virtualization and High Availability

    -

    [support.microsoft.com/kb/2843592/EN-US](https://support.microsoft.com/kb/2843592/EN-US)

    +

    support.microsoft.com/kb/2843592/EN-US

    -  + -  + -  + diff --git a/mdop/uev-v2/migrating-ue-v-2x-settings-packages-both-uevv2.md b/mdop/uev-v2/migrating-ue-v-2x-settings-packages-both-uevv2.md index 4eb5166780..6b13a80d3d 100644 --- a/mdop/uev-v2/migrating-ue-v-2x-settings-packages-both-uevv2.md +++ b/mdop/uev-v2/migrating-ue-v-2x-settings-packages-both-uevv2.md @@ -40,7 +40,7 @@ Simply copying the files and folders does not preserve the security settings and **Note**   To monitor the copy progress, open MySettings.txt with a log viewer such as Trace32. -   + 4. Grant share-level permissions to the new share. Leave the NTFS file system permissions as they were set by Robocopy. @@ -53,9 +53,9 @@ Simply copying the files and folders does not preserve the security settings and [Administering UE-V 2.x](administering-ue-v-2x-new-uevv2.md) -  + -  + diff --git a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md index 6d11720c7f..9d9a9348ec 100644 --- a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md +++ b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md @@ -86,10 +86,10 @@ See [User Experience Virtualization (UE-V) settings templates for Microsoft Offi When you install the UE-V 2.1 or 2.1 SP1 Agent, it registers a default group of settings location templates that capture settings values for these common Microsoft applications. -**Tip**   +**Tip** **Microsoft Office 2007 Settings Synchronization** – In UE-V 2.1 and 2.1 SP1, a settings location template is no longer included by default for Office 2007 applications. However, you can still use Office 2007 templates from UE-V 2.0 or earlier and can get the templates from the [UE-V template gallery](https://go.microsoft.com/fwlink/p/?LinkID=246589). -  + @@ -105,7 +105,7 @@ When you install the UE-V 2.1 or 2.1 SP1 Agent, it registers a default group of +

    (Download a list of all settings synced)

    +

    (Download a list of all settings synced)

    @@ -164,21 +162,21 @@ When you install the UE-V 2.1 or 2.1 SP1 Agent, it registers a default group of

    Microsoft Office 2010 applications

    -

    ([Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367))

    Microsoft Word 2010

    Microsoft Excel 2010

    Microsoft Outlook 2010

    @@ -122,7 +122,7 @@ When you install the UE-V 2.1 or 2.1 SP1 Agent, it registers a default group of

    Microsoft Office 2013 applications

    -

    ([Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367))

    Microsoft Word 2013

    Microsoft Excel 2013

    Microsoft Outlook 2013

    @@ -139,22 +139,20 @@ When you install the UE-V 2.1 or 2.1 SP1 Agent, it registers a default group of

    Microsoft OneDrive for Business 2013

    The UE-V 2.1 and 2.1 SP1 Microsoft Office 2013 settings location templates include improved Outlook signature support. We’ve added synchronization of default signature settings for new, reply, and forwarded emails.

    -Note   -

    An Outlook profile must be created for any device on which a user wants to sync their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization.

    +Note

    An Outlook profile must be created for any device on which a user wants to sync their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization.

    -  +

    Browser options: Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11

    Favorites, home page, tabs, and toolbars.

    -Note   -

    UE-V does not roam settings for Internet Explorer cookies.

    +Note

    UE-V does not roam settings for Internet Explorer cookies.

    -  +
    -  -**Note**   + +**Note** UE-V 2.1 SP1 does not synchronize settings between the Microsoft Calculator in Windows 10 and the Microsoft Calculator in previous operating systems. -  + ### Desktop applications synchronized by default in UE-V 2.0 When you install the UE-V 2.0 Agent, it registers a default group of settings location templates that capture settings values for these common Microsoft applications. -**Tip**   +**Tip** **Microsoft Office 2013 Settings Synchronization** – In UE-V 2.0, a settings location template is not included by default for Office 2013 applications, but is available for download from the [UE-V template gallery](https://go.microsoft.com/fwlink/p/?LinkID=246589). [Synchronizing Office 2013 with UE-V 2.0](synchronizing-office-2013-with-ue-v-20-both-uevv2.md) provides details about the supported templates that synchronize Office 2013 settings. -  + @@ -194,7 +192,7 @@ When you install the UE-V 2.0 Agent, it registers a default group of settings lo +

    (Download a list of all settings synced)

    +

    (Download a list of all settings synced)

    @@ -243,7 +240,7 @@ When you install the UE-V 2.0 Agent, it registers a default group of settings lo

    Microsoft Office 2007 applications

    -

    ([Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367))

    Microsoft Access 2007

    Microsoft Communicator 2007

    Microsoft Excel 2007

    @@ -210,7 +208,7 @@ When you install the UE-V 2.0 Agent, it registers a default group of settings lo

    Microsoft Office 2010 applications

    -

    ([Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367))

    Microsoft Word 2010

    Microsoft Excel 2010

    Microsoft Outlook 2010

    @@ -229,11 +227,10 @@ When you install the UE-V 2.0 Agent, it registers a default group of settings lo

    Browser options: Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10

    Favorites, home page, tabs, and toolbars.

    -Note   -

    UE-V does not roam settings for Internet Explorer cookies.

    +Note

    UE-V does not roam settings for Internet Explorer cookies.

    -  +
    -  + ### Windows settings synchronized by default @@ -291,17 +288,17 @@ UE-V includes settings location templates that capture settings values for these -  -**Note**   + +**Note** Starting in Windows 8, UE-V does not roam settings related to the Start screen, such as items and locations. In addition, UE-V does not support synchronization of pinned taskbar items or Windows file shortcuts. -  -**Important**   + +**Important** UE-V 2.1 SP1 roams taskbar settings between Windows 10 devices. However, UE-V does not synchronize taskbar settings between Windows 10 devices and devices running previous operating systems. -  + @@ -362,7 +359,7 @@ UE-V 2.1 SP1 roams taskbar settings between Windows 10 devices. However, UE-V do
    -  + ### UE-V-support for Windows Apps @@ -370,10 +367,10 @@ For Windows apps, the app developer specifies the settings that are synchronized To display a list of Windows apps that can synchronize settings on a computer with their package family name, enabled status, and enabled source, at a Windows PowerShell command prompt, enter: `Get-UevAppxPackage` -**Note**   +**Note** As of Windows 8, UE-V does not synchronize Windows app settings if the domain user links their sign-in credentials to their Microsoft Account. This linking synchronizes settings to Microsoft OneDrive so UE-V, which disables synchronization of Windows app settings. -  + ### UE-V-support for Roaming Printers @@ -387,10 +384,10 @@ Printer roaming in UE-V requires one of these scenarios: - The printer driver can be obtained from Windows Update. -**Note**   +**Note** The UE-V printer roaming feature does **not** roam printer settings or preferences, such as printing double-sided. -  + ### Determine whether you need settings synchronized for other applications @@ -440,7 +437,7 @@ If you’ve decided that you need settings synchronized for other applications, Checklist box -

    Does the application store settings in the Program Files directory or in the file directory that is located in the Users\[User name]\AppData\LocalLow directory? Application data that is stored in either of these locations usually should not synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize.

    +

    Does the application store settings in the Program Files directory or in the file directory that is located in the Users[User name]<strong>AppData<strong>LocalLow directory? Application data that is stored in either of these locations usually should not synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize.

    Checklist box @@ -453,7 +450,7 @@ If you’ve decided that you need settings synchronized for other applications, -  + ## Other Considerations when Preparing a UE-V Deployment @@ -478,10 +475,10 @@ You should also consider these things when you are preparing to deploy UE-V: Many enterprise applications, including Microsoft Outlook and Lync, prompt users for their domain credentials at login. Users have the option of saving their credentials to disk to prevent having to enter them every time they open these applications. Enabling roaming credentials synchronization lets users save their credentials on one computer and avoid re-entering them on every computer they use in their environment. Users can synchronize some domain credentials with UE-V 2.1 and 2.1 SP1. -**Important**   +**Important** Credentials synchronization is disabled by default. You must explicitly enable credentials synchronization during deployment to implement this feature. -  + UE-V 2.1 and 2.1 SP1 can synchronize enterprise credentials, but do not roam credentials intended only for use on the local computer. @@ -489,10 +486,10 @@ Credentials are synchronous settings, meaning they are applied to your profile t Credentials synchronization is managed by its own settings location template, which is disabled by default. You can enable or disable this template through the same methods used for other templates. The template identifier for this feature is RoamingCredentialSettings. -**Important**   +**Important** If you are using Active Directory Credential Roaming in your environment, we recommend that you don’t enable the UE-V credential roaming template. -  + Use one of these methods to enable credentials synchronization: 
@@ -502,10 +499,10 @@ Use one of these methods to enable credentials synchronization: - Group Policy -**Note**   +**Note** Credentials are encrypted during synchronization. -  + [Company Settings Center](https://technet.microsoft.com/library/dn458903.aspx)**:** Check the Roaming Credential Settings check box under Windows Settings to enable credential synchronization. Uncheck the box to disable it. This check box only appears in Company Settings Center if your account is not configured to synchronize settings using a Microsoft Account. @@ -645,7 +642,7 @@ Before you proceed, make sure your environment includes these requirements for r -

    Windows 7

    +

    Windows 7

    Ultimate, Enterprise, or Professional Edition

    SP1

    32-bit or 64-bit

    @@ -654,7 +651,7 @@ Before you proceed, make sure your environment includes these requirements for r

    .NET Framework 4 or higher for UE-V 2.0.

    -

    Windows Server 2008 R2

    +

    Windows Server 2008 R2

    Standard, Enterprise, Datacenter, or Web Server

    SP1

    64-bit

    @@ -673,11 +670,10 @@ Before you proceed, make sure your environment includes these requirements for r

    Windows 10, pre-1607 version

    -Note   -

    Only UE-V 2.1 SP1 supports Windows 10, pre-1607 version

    +Note

    Only UE-V 2.1 SP1 supports Windows 10, pre-1607 version

    -  +

    Enterprise or Pro

    None

    @@ -704,7 +700,7 @@ Before you proceed, make sure your environment includes these requirements for r -  + Also… @@ -712,16 +708,16 @@ Also… - **Administrative Credentials** for any computer on which you’ll be installing -**Note**   +**Note** - Starting with WIndows 10, version 1607, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack. - The UE-V Windows PowerShell feature of the UE-V Agent requires .NET Framework 4 or higher and Windows PowerShell 3.0 or higher to be enabled. Download Windows PowerShell 3.0 [here](https://go.microsoft.com/fwlink/?LinkId=309609). -- Install .NET Framework 4 or .NET Framework 4.5 on computers that run the Windows 7 or the Windows Server 2008 R2 operating system. The Windows 8, Windows 8.1, and Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed. +- Install .NET Framework 4 or .NET Framework 4.5 on computers that run the Windows 7 or the Windows Server 2008 R2 operating system. The Windows 8, Windows 8.1, and Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed. - The “Delete Roaming Cache” policy for Mandatory profiles is not supported with UE-V and should not be used. -  + There are no special random access memory (RAM) requirements specific to UE-V. 
@@ -747,30 +743,30 @@ Enable this configuration through one of these methods: - During UE-V installation, at the command prompt or in a batch file, set the AgentSetup.exe parameter *SyncMethod = None*. [Deploying the UE-V 2.x Agent](https://technet.microsoft.com/library/dn458891.aspx#agent) provides more information. -- After the UE-V installation, use the Settings Management feature in System Center 2012 Configuration Manager or the MDOP ADMX templates to push the *SyncMethod = None* configuration. +- After the UE-V installation, use the Settings Management feature in System Center 2012 Configuration Manager or the MDOP ADMX templates to push the *SyncMethod = None* configuration. - Use Windows PowerShell or Windows Management Instrumentation (WMI) to set the *SyncMethod = None* configuration. - **Note**   + **Note** These last two methods do not work for pooled virtual desktop infrastructure (VDI) environments. -   + You must restart the computer before the settings start to synchronize. -**Note**   +**Note** If you set *SyncMethod = None*, any settings changes are saved directly to the server. If the network connection to the settings storage path is not found, then the settings changes are cached on the device and are synchronized the next time that the sync provider runs. If the settings storage path is not found and the user profile is removed from a pooled VDI environment on logoff, settings changes are lost and the user must reapply the change when the computer is reconnected to the settings storage path. -  + **Synchronization for external sync engines:** The *SyncMethod=External* parameter specifies that if UE-V settings are written to a local folder on the user computer, then any external sync engine (such as OneDrive for Business, Work Folders, Sharepoint, or Dropbox) can be used to apply these settings to the different computers that users access. 
**Support for shared VDI sessions:** UE-V 2.1 and 2.1 SP1 provide support for VDI sessions that are shared among end users. You can register and configure a special VDI template, which ensures that UE-V keeps all of its functionality intact for non-persistent VDI sessions. -**Note**   +**Note** If you do not enable VDI mode for non-persistent VDI sessions, certain features do not work, such as [back-up/restore and last known good (LKG)](https://technet.microsoft.com/library/dn878331.aspx). -  + The VDI template is provided with UE-V 2.1 and 2.1 SP1 and is typically available here after installation: C:\\Program Files\\Microsoft User Experience Virtualization\\Templates\\VdiState.xml @@ -778,7 +774,7 @@ The VDI template is provided with UE-V 2.1 and 2.1 SP1 and is typically availabl Install the UE-V Generator on the computer that is used to create custom settings location templates. This computer should be able to run the applications whose settings are synchronized. You must be a member of the Administrators group on the computer that runs the UE-V Generator software. -The UE-V Generator must be installed on a computer that uses an NTFS file system. The UE-V Generator software requires .NET Framework 4. For more information, see [Deploy UE-V 2.x for Custom Applications](deploy-ue-v-2x-for-custom-applications-new-uevv2.md). +The UE-V Generator must be installed on a computer that uses an NTFS file system. The UE-V Generator software requires .NET Framework 4. For more information, see [Deploy UE-V 2.x for Custom Applications](deploy-ue-v-2x-for-custom-applications-new-uevv2.md). ## Other resources for this product @@ -798,9 +794,9 @@ The UE-V Generator must be installed on a computer that uses an NTFS file system -  - -  + + + diff --git a/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md index e029566ef1..bc93749e20 100644 --- a/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md 
+++ b/mdop/uev-v2/security-considerations-for-ue-v-2x-both-uevv2.md @@ -25,7 +25,7 @@ This topic contains a brief overview of accounts and groups, log files, and othe **Important**   When you create the settings storage share, limit the share access to users who require access. -  + Because settings packages might contain personal information, you should take care to protect them as well as possible. In general, do the following: @@ -58,7 +58,7 @@ Because settings packages might contain personal information, you should take ca | Everyone | No permissions | | Domain computers | Read permission Levels | | Administrators | Read/write permission levels | -   + 4. Set the following NTFS permissions for the settings template catalog folder. | User account | Recommended permissions | Apply to | @@ -113,7 +113,7 @@ Additional security can be configured when a Windows Server is used for the sett When this configuration setting is in place, the UE-V Agent verifies that the local Administrators group or current user is the owner of the settings package folder. If not, then the UE-V Agent does not grant access to the folder. -  + If you must create folders for the users, ensure that you have the correct permissions set. @@ -133,9 +133,9 @@ If you redirect UE-V settings to a user’s home directory or a custom Active Di [Technical Reference for UE-V 2.x](technical-reference-for-ue-v-2x-both-uevv2.md) -  + -  + diff --git a/mdop/uev-v2/sync-trigger-events-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/sync-trigger-events-for-ue-v-2x-both-uevv2.md index ef9ba7578a..8b8c565dc8 100644 --- a/mdop/uev-v2/sync-trigger-events-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/sync-trigger-events-for-ue-v-2x-both-uevv2.md @@ -40,7 +40,7 @@ The following table explains the trigger events for classic applications and Win

    Windows Logon

    • Application and Windows settings are imported to the local cache from the settings storage location.

    • -
    • [Asynchronous Windows settings](https://technet.microsoft.com/library/dn458932.aspx#autosyncsettings2) are applied.

    • +
    • Asynchronous Windows settings are applied.

    • Synchronous Windows settings will be applied during the next Windows logon.

    • Application settings will be applied when the application starts.

    @@ -82,19 +82,18 @@ The following table explains the trigger events for classic applications and Win

    Application and Windows settings are synchronized between the settings storage location and the local cache.

    -Note   -

    Settings changes are not cached locally until an application closes. This trigger will not export changes made to a currently running application.

    +Note

    Settings changes are not cached locally until an application closes. This trigger will not export changes made to a currently running application.

    For Windows settings, this means that any changes will not be cached locally and exported until the next Lock (Asynchronous) or Logoff (Asynchronous and Synchronous).

    -  +

    Settings are applied in these cases:

    • Asynchronous Windows settings are applied directly.

    • Application settings are applied when the application starts.

    • Both asynchronous and synchronous Windows settings are applied during the next Windows logon.

    • -
    • Windows app (AppX) settings are applied during the next refresh. See [Monitor Application Settings](https://technet.microsoft.com/library/dn458944.aspx) for more information.

    • +
    • Windows app (AppX) settings are applied during the next refresh. See Monitor Application Settings for more information.

    NA

    @@ -106,7 +105,7 @@ The following table explains the trigger events for classic applications and Win -  + @@ -122,9 +121,9 @@ The following table explains the trigger events for classic applications and Win [Choose the Configuration Method for UE-V 2.x](https://technet.microsoft.com/library/dn458891.aspx#config) -  - -  + + + diff --git a/mdop/uev-v2/using-ue-v-2x-with-application-virtualization-applications-both-uevv2.md b/mdop/uev-v2/using-ue-v-2x-with-application-virtualization-applications-both-uevv2.md index 21679bc60f..16c4897c6f 100644 --- a/mdop/uev-v2/using-ue-v-2x-with-application-virtualization-applications-both-uevv2.md +++ b/mdop/uev-v2/using-ue-v-2x-with-application-virtualization-applications-both-uevv2.md @@ -35,7 +35,7 @@ UE-V monitors when an application opens by the program name and, optionally, by **Note**   If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**. -   + 4. Start the App-V package. @@ -49,9 +49,9 @@ UE-V monitors when an application opens by the program name and, optionally, by [Administering UE-V 2.x](administering-ue-v-2x-new-uevv2.md) -  + -  + diff --git a/mdop/uev-v2/whats-new-in-ue-v-20-new-uevv2.md b/mdop/uev-v2/whats-new-in-ue-v-20-new-uevv2.md index 4e7149fbb9..ad1e2132a4 100644 --- a/mdop/uev-v2/whats-new-in-ue-v-20-new-uevv2.md +++ b/mdop/uev-v2/whats-new-in-ue-v-20-new-uevv2.md 
@@ -46,7 +46,7 @@ By default, UE-V synchronizes the settings of many of the Windows apps included **Note**   UE-V does not synchronize Windows app settings if the domain users link their sign-in credentials to their Microsoft account. This linking synchronizes settings to Microsoft OneDrive so UE-V only synchronizes the desktop applications. -  + ## Microsoft account linking @@ -78,9 +78,9 @@ Company Settings Center displays which settings are synchronized and lets users [Microsoft User Experience Virtualization (UE-V) 2.0 Release Notes](microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md) -  + -  + diff --git a/mdop/uev-v2/whats-new-in-ue-v-21-new-uevv2.md b/mdop/uev-v2/whats-new-in-ue-v-21-new-uevv2.md index f19fec789b..de567fa610 100644 --- a/mdop/uev-v2/whats-new-in-ue-v-21-new-uevv2.md +++ b/mdop/uev-v2/whats-new-in-ue-v-21-new-uevv2.md @@ -27,7 +27,7 @@ UE-V 2.1 includes the Microsoft Office 2013 settings location template with impr **Note**   An Outlook profile must be created for any device on which a user wants to sync their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization. -  + Previously UE-V included Microsoft Office 2010 settings location templates that were automatically distributed and registered with the UE-V Agent. UE-V 2.1 works with Office 365 to determine whether Office 2013 settings are roamed by Office 365. If settings are roamed by Office 365 they are not roamed by UE-V. [Overview of user and roaming settings for Office 2013](https://go.microsoft.com/fwlink/p/?LinkID=391220) provides more information. @@ -58,7 +58,7 @@ UE-V 2.1 gives customers the ability to synchronize credentials and certificates **Note**   In Windows 8 and later, Credential Manager contains web credentials. These credentials are not synchronized between users’ devices. -  + ## UE-V and Microsoft Account Synchronization 
@@ -78,7 +78,7 @@ UE-V 2.1 includes [support for VDI sessions](https://technet.microsoft.com/libra **Note**   If you do not enable VDI mode for non-persistent VDI sessions, certain features do not work, such as back-up/restore and LKG. -  + ## Administrative Backup and Restore @@ -104,9 +104,9 @@ UE-V now synchronizes touch keyboard personalization, the spelling dictionary, a [Microsoft User Experience Virtualization (UE-V) 2.1 Release Notes](microsoft-user-experience-virtualization--ue-v--21-release-notesuevv21.md) -  + -  + diff --git a/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md b/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md index 99eab09970..b146bb839e 100644 --- a/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md +++ b/mdop/uev-v2/whats-new-in-ue-v-21-sp1uevv21-sp1.md @@ -56,7 +56,7 @@ Printer roaming in UE-V requires one of these scenarios: **Note**   The UE-V printer roaming feature does **not** roam printer settings or preferences, such as printing double-sided. -  + ## Office 2013 Settings Location Template @@ -66,7 +66,7 @@ UE-V 2.1 and 2.1 SP1 include the Microsoft Office 2013 settings location templat **Note**   An Outlook profile must be created for any device on which a user wants to sync their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization. -  + Previously UE-V included Microsoft Office 2010 settings location templates that were automatically distributed and registered with the UE-V Agent. UE-V 2.1 works with Office 365 to determine whether Office 2013 settings are roamed by Office 365. If settings are roamed by Office 365 they are not roamed by UE-V. [Overview of user and roaming settings for Office 2013](https://go.microsoft.com/fwlink/p/?LinkID=391220) provides more information. 
@@ -92,9 +92,9 @@ UE-V 2.1 ships [Office 2013 and Office 2010 templates](https://technet.microsoft [Microsoft User Experience Virtualization (UE-V) 2.1 SP1 Release Notes](microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md) -  + -  + diff --git a/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md b/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md index 17fd946da9..a925e62689 100644 --- a/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md +++ b/mdop/uev-v2/working-with-custom-ue-v-2x-templates-and-the-ue-v-2x-generator-new-uevv2.md @@ -64,7 +64,7 @@ Use the UE-V Generator to edit settings location templates. When the revised set **Note**   If you edit a UE-V 1.0 template by using the UE-V 2 Generator, the template is automatically converted to a UE-V 2 template. UE-V 1.0 Agents can no longer use the edited template. -  + **To edit a UE-V settings location template with the UE-V Generator** @@ -107,7 +107,7 @@ If you edit a UE-V 1.0 template by using the UE-V 2 Generator, the template is a **Note**   A settings location template is unique because of the template **ID**. If you copy the template and rename the .xml file, template registration fails because UE-V reads the template **ID** tag in the .xml file to determine the name, not the file name of the .xml file. UE-V also reads the **Version** number to know if anything has changed. If the version number is higher, UE-V updates the template. -   + 2. Open the settings location template file with an XML editor. @@ -165,9 +165,9 @@ Before you deploy any settings location template that you have downloaded from t [Deploy UE-V 2.x for Custom Applications](deploy-ue-v-2x-for-custom-applications-new-uevv2.md) -  + -  + diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md index 43b8400a8a..c2d50ddd02 100644 --- a/smb/cloud-mode-business-setup.md 
+++ b/smb/cloud-mode-business-setup.md 
@@ -59,58 +59,58 @@ If this is the first time you're setting this up, and you'd like to see how it's 1. Go to the Office 365 page in the Microsoft Business site. Select **Try now** to use the Office 365 Business Premium Trial or select **Buy now** to sign up for Office 365 Business Premium. In this walkthrough, we'll select **Try now**. - **Figure 1** - Try or buy Office 365 + **Figure 1** - Try or buy Office 365 - ![Office 365 for business sign up](images/office365_tryorbuy_now.png) + ![Office 365 for business sign up](images/office365_tryorbuy_now.png) 2. Fill out the sign up form and provide information about you and your company. 3. Create a user ID and password to use to sign into your account. - This step creates an onmicrosoft.com email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into https://portal.office.com (the admin portal). + This step creates an onmicrosoft.com email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into https://portal.office.com (the admin portal). 4. Select **Create my account** and then enter the phone number you used in step 2 to verify your identity. You'll be asked to enter your verification code. 5. Select **You're ready to go...** which will take you to the Office 365 portal. - > [!NOTE] - > In the Office 365 portal, icons that are greyed out are still installing. + > [!NOTE] + > In the Office 365 portal, icons that are greyed out are still installing. - **Figure 2** - Office 365 portal + **Figure 2** - Office 365 portal - ![Office 365 portal](images/office365_portal.png) + ![Office 365 portal](images/office365_portal.png) 6. Select the **Admin** tile to go to the Office 365 admin center. 7. In the admin center, click **Next** to see the highlights and welcome info for the admin center. When you're done, click **Go to setup** to complete the Office 365 setup. 
- This may take up to a half hour to complete. + This may take up to a half hour to complete. - **Figure 3** - Office 365 admin center + **Figure 3** - Office 365 admin center - ![Office 365 admin center](images/office365_admin_portal.png) + ![Office 365 admin center](images/office365_admin_portal.png) 8. Go back to the Office 365 admin center to add or buy a domain. - 1. Select the **Domains** option. + 1. Select the **Domains** option. - **Figure 4** - Option to add or buy a domain + **Figure 4** - Option to add or buy a domain - ![Add or buy a domain in Office 365 admin center](images/office365_buy_domain.png) + ![Add or buy a domain in Office 365 admin center](images/office365_buy_domain.png) - 2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*. + 2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*. - **Figure 5** - Microsoft-provided domain + **Figure 5** - Microsoft-provided domain - ![Microsoft-provided domain](images/office365_ms_provided_domain.png) + ![Microsoft-provided domain](images/office365_ms_provided_domain.png) - - If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain. - - If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order. + - If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain. + - If you don't already own a domain, select **+ Buy domain**. 
If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order. - Once you've added your domain, you'll see it listed in addition to the Microsoft-provided onmicrosoft.com domain. + Once you've added your domain, you'll see it listed in addition to the Microsoft-provided onmicrosoft.com domain. - **Figure 6** - Domains + **Figure 6** - Domains - ![Verify your domains in Office 365 admin center](images/office365_additional_domain.png) + ![Verify your domains in Office 365 admin center](images/office365_additional_domain.png) ### 1.2 Add users and assign product licenses Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Office 365 admin center. 
@@ -121,32 +121,32 @@ When adding users, you can also assign admin privileges to certain users in your 1. In the Office 365 admin center, select **Users > Active users**. - **Figure 7** - Add users + **Figure 7** - Add users - ![Add Office 365 users](images/office365_users.png) + ![Add Office 365 users](images/office365_users.png) 2. In the **Home > Active users** page, add users individually or in bulk. - - To add users one at a time, select **+ Add a user**. + - To add users one at a time, select **+ Add a user**. - If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the Office 365 admin center* in Add users individually or in bulk to Office 365 - Admin Help. + If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the Office 365 admin center* in Add users individually or in bulk to Office 365 - Admin Help. - **Figure 8** - Add an individual user + **Figure 8** - Add an individual user - ![Add an individual user](images/office365_add_individual_user.png) + ![Add an individual user](images/office365_add_individual_user.png) - - To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users. + - To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users. 
- The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see Add several users at the same time to Office 365 - Admin Help. Once you've added all the users, don't forget to assign **Product licenses** to the new users. + The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see Add several users at the same time to Office 365 - Admin Help. Once you've added all the users, don't forget to assign **Product licenses** to the new users. - **Figure 9** - Import multiple users + **Figure 9** - Import multiple users - ![Import multiple users](images/office365_import_multiple_users.png) + ![Import multiple users](images/office365_import_multiple_users.png) 3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them. - **Figure 10** - List of active users + **Figure 10** - List of active users - ![Verify users and assigned product licenses](images/o365_active_users.png) + ![Verify users and assigned product licenses](images/o365_active_users.png) ### 1.3 Add Microsoft Intune Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see What is Intune? 
@@ -158,16 +158,16 @@ Microsoft Intune provides mobile device management, app management, and PC manag 3. Confirm your order to enable access to Microsoft Intune. 4. In the admin center, the Intune licenses will show as available and ready to be assigned to users. Select **Users > Active users** and then edit the product licenses assigned to the users to turn on **Intune A Direct**. - **Figure 11** - Assign Intune licenses + **Figure 11** - Assign Intune licenses - ![Assign Microsoft Intune licenses to users](images/o365_assign_intune_license.png) + ![Assign Microsoft Intune licenses to users](images/o365_assign_intune_license.png) 5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again. 6. Select **Intune**. This will take you to the Intune management portal. - **Figure 12** - Microsoft Intune management portal + **Figure 12** - Microsoft Intune management portal - ![Microsoft Intune management portal](images/intune_portal_home.png) + ![Microsoft Intune management portal](images/intune_portal_home.png) Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution). 
@@ -178,30 +178,30 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick 1. In the Office 365 admin center, select **Admin centers > Azure AD**. - > [!NOTE] - > You will need Azure AD Premium to configure automatic MDM enrollment with Intune. + > [!NOTE] + > You will need Azure AD Premium to configure automatic MDM enrollment with Intune. 2. If you have not signed up for Azure AD before, you will see the following message. To proceed with the rest of the walkthrough, you need to activate an Azure subscription. - **Figure 13** - Access to Azure AD is not available + **Figure 13** - Access to Azure AD is not available - ![Access to Azure AD not available](images/azure_ad_access_not_available.png) + ![Access to Azure AD not available](images/azure_ad_access_not_available.png) 3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365. 4. Click **Azure subscription**. This will take you to a free trial sign up screen. - **Figure 14** - Sign up for Microsoft Azure + **Figure 14** - Sign up for Microsoft Azure - ![Sign up for Microsoft Azure](images/azure_ad_sign_up_screen.png) + ![Sign up for Microsoft Azure](images/azure_ad_sign_up_screen.png) 5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**. 6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**. - **Figure 15** - Start managing your Azure subscription + **Figure 15** - Start managing your Azure subscription - ![Start managing your Azure subscription](images/azure_ad_successful_signup.png) + ![Start managing your Azure subscription](images/azure_ad_successful_signup.png) - This will take you to the Microsoft Azure portal. + This will take you to the Microsoft Azure portal. ### 1.5 Add groups in Azure AD This section is the walkthrough is optional. 
However, we recommend that you create groups in Azure AD to manage access to corporate resources, such as apps, policies and settings, and so on. For more information, see Managing access to resources with Azure Active Directory groups. 
@@ -212,38 +212,38 @@ To add Azure AD group(s), we will use the classic Azure portal, you will see a screen informing you that your directory is ready for use. - Afterwards, you should see a list of active directories. In the following example, **Fabrikam Design** is the active directory. + Afterwards, you should see a list of active directories. In the following example, **Fabrikam Design** is the active directory. - **Figure 16** - Azure first sign-in screen + **Figure 16** - Azure first sign-in screen - ![Select Azure AD](images/azure_portal_classic_configure_directory.png) + ![Select Azure AD](images/azure_portal_classic_configure_directory.png) 2. Select the directory (such as Fabrikam Design) to go to the directory's home page. - **Figure 17** - Directory home page + **Figure 17** - Directory home page - ![Directory home page](images/azure_portal_classic_directory_ready.png) + ![Directory home page](images/azure_portal_classic_directory_ready.png) 3. From the menu options on top, select **Groups**. - **Figure 18** - Azure AD groups + **Figure 18** - Azure AD groups - ![Add groups in Azure AD](images/azure_portal_classic_groups.png) + ![Add groups in Azure AD](images/azure_portal_classic_groups.png) 4. Select **Add a group** (from the top) or **Add group** at the bottom. 5. In the **Add Group** window, add a name, group type, and description for the group and click the checkmark to save your changes. The new group will appear on the groups list. - **Figure 19** - Newly added group in Azure AD + **Figure 19** - Newly added group in Azure AD - ![Verify the new group appears on the list](images/azure_portal_classic_all_users_group.png) + ![Verify the new group appears on the list](images/azure_portal_classic_all_users_group.png) 6. In the **Groups** tab, select the arrow next to the group (such as **All users**), add members to the group, and then save your changes. - The members that were added to the group will appear on the list. 
+ The members that were added to the group will appear on the list. - **Figure 20** - Members in the new group + **Figure 20** - Members in the new group - ![Members added to the new group](images/azure_portal_classic_members_added.png) + ![Members added to the new group](images/azure_portal_classic_members_added.png) 7. Repeat steps 2-6 to add other groups. You can add groups based on their roles in your company, based on the apps that each group can use, and so on. 
@@ -259,37 +259,37 @@ You can read classic Azure portal, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options. - The list of applications for your company will appear. **Microsoft Intune** will be one of the applications on the list. + The list of applications for your company will appear. **Microsoft Intune** will be one of the applications on the list. - **Figure 21** - List of applications for your company + **Figure 21** - List of applications for your company - ![List of applications for your company](images/azure_portal_classic_applications.png) + ![List of applications for your company](images/azure_portal_classic_applications.png) 2. Select **Microsoft Intune** to configure the application. 3. In the Microsoft Intune configuration page, click **Configure** to start automatic MDM enrollment configuration with Intune. - **Figure 22** - Configure Microsoft Intune in Azure + **Figure 22** - Configure Microsoft Intune in Azure - ![Configure Microsoft Intune in Azure](images/azure_portal_classic_configure_intune_app.png) + ![Configure Microsoft Intune in Azure](images/azure_portal_classic_configure_intune_app.png) 4. In the Microsoft Intune configuration page: - - In the **Properties** section, you should see a list of URLs for MDM discovery, MDM terms of use, and MDM compliance. + - In the **Properties** section, you should see a list of URLs for MDM discovery, MDM terms of use, and MDM compliance. - > [!NOTE] - > The URLs are automatically configured for your Azure AD tenant so you don't need to change them. + > [!NOTE] + > The URLs are automatically configured for your Azure AD tenant so you don't need to change them. - - In the **Manage devices for these users** section, you can specify which users' devices should be managed by Intune. - - **All** will enable all users' Windows 10 devices to be managed by Intune. 
- - **Groups** let you select whether only users that belong to a specific group will have their devices managed by Intune. + - In the **Manage devices for these users** section, you can specify which users' devices should be managed by Intune. + - **All** will enable all users' Windows 10 devices to be managed by Intune. + - **Groups** let you select whether only users that belong to a specific group will have their devices managed by Intune. - > [!NOTE] - > In this step, choose the group that contains all the users in your organization as members. This is the **All** group. + > [!NOTE] + > In this step, choose the group that contains all the users in your organization as members. This is the **All** group. 5. After you've chosen how to manage devices for users, select **Save** to enable automatic MDM enrollment with Intune. - **Figure 23** - Configure Microsoft Intune + **Figure 23** - Configure Microsoft Intune - ![Configure automatic MDM enrollment with Intune](images/azure_portal_classic_configure_intune_mdm_enrollment.png) + ![Configure automatic MDM enrollment with Intune](images/azure_portal_classic_configure_intune_mdm_enrollment.png) ### 1.7 Configure Microsoft Store for Business for app distribution Next, you'll need to configure Microsoft Store for Business to distribute apps with a management tool such as Intune. 
@@ -301,33 +301,33 @@ In this part of the walkthrough, we'll be working on the Microsoft Intune management portal, select **Admin**. 2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first item you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**. - **Figure 24** - Mobile device management + **Figure 24** - Mobile device management - ![Set up mobile device management in Intune](images/intune_admin_mdm_configure.png) + ![Set up mobile device management in Intune](images/intune_admin_mdm_configure.png) 3. Sign into Microsoft Store for Business using the same tenant account that you used to sign into Intune. 4. Accept the EULA. 5. In the Store portal, select **Settings > Management tools** to go to the management tools page. 6. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Microsoft Store for Business. - **Figure 25** - Activate Intune as the Store management tool + **Figure 25** - Activate Intune as the Store management tool - ![Activate Intune from the Store portal](images/wsfb_management_tools_activate.png) + ![Activate Intune from the Store portal](images/wsfb_management_tools_activate.png) 7. Go back to the Intune management portal, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**. 8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune. - **Figure 26** - Configure Store for Business sync in Intune + **Figure 26** - Configure Store for Business sync in Intune - ![Configure Store for Business sync in Intune](images/intune_admin_mdm_store_sync.png) + ![Configure Store for Business sync in Intune](images/intune_admin_mdm_store_sync.png) 9. 
In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**. - **Figure 27** - Enable Microsoft Store for Business sync in Intune + **Figure 27** - Enable Microsoft Store for Business sync in Intune - ![Enable Store for Business sync in Intune](images/intune_configure_store_app_sync_dialog.png) + ![Enable Store for Business sync in Intune](images/intune_configure_store_app_sync_dialog.png) - The **Microsoft Store for Business** page will refresh and it will show the details from the sync. + The **Microsoft Store for Business** page will refresh and it will show the details from the sync. **To buy apps from the Store** @@ -346,9 +346,9 @@ In the following example, we'll show you how to buy apps through the Microsoft S 1. In the Microsoft Store for Business portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list. - **Figure 28** - Shop for Store apps + **Figure 28** - Shop for Store apps - ![Shop for Store apps](images/wsfb_shop_microsoft_apps.png) + ![Shop for Store apps](images/wsfb_shop_microsoft_apps.png) 2. Click to select an app, such as **Reader**. This opens the app page. 3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page. 
@@ -356,12 +356,12 @@ In the following example, we'll show you how to buy apps through the Microsoft S 5. Next, search for another app by name (such as **InstaNote**) or repeat steps 1-4 for the **InstaNote** app. 6. Go to **Manage > Inventory** and verify that the apps you purchased appear in your inventory. - **Figure 29** - App inventory shows the purchased apps + **Figure 29** - App inventory shows the purchased apps - ![Confirm that your inventory shows purchased apps](images/wsfb_manage_inventory_newapps.png) + ![Confirm that your inventory shows purchased apps](images/wsfb_manage_inventory_newapps.png) - > [!NOTE] - > Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync). + > [!NOTE] + > Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync). **To sync recently purchased apps** @@ -370,9 +370,9 @@ If you need to sync your most recently purchased apps and have it appear in your 1. In the Intune management portal, select **Admin > Mobile Device Management > Windows > Store for Business**. 2. In the **Microsoft Store for Business** page, click **Sync now** to force a sync. - **Figure 30** - Force a sync in Intune + **Figure 30** - Force a sync in Intune - ![Force a sync in Intune](images/intune_admin_mdm_forcesync.png) + ![Force a sync in Intune](images/intune_admin_mdm_forcesync.png) **To view purchased apps** - In the Intune management portal, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly. 
@@ -387,33 +387,33 @@ To set up new Windows devices, go through the Windows initial device setup or fi **To set up a device** 1. Go through the Windows device setup experience. On a new or reset device, this starts with the **Hi there** screen on devices running Windows 10, version 1607 (Anniversary Update). The setup lets you: - - Fill in the details in the **Hi there** screen including your home country/region, preferred language, keyboard layout, and timezone - - Accept the EULA - - Customize the setup or use Express settings + - Fill in the details in the **Hi there** screen including your home country/region, preferred language, keyboard layout, and timezone + - Accept the EULA + - Customize the setup or use Express settings - **Figure 31** - First screen in Windows device setup + **Figure 31** - First screen in Windows device setup - ![First screen in Windows device setup](images/win10_hithere.png) + ![First screen in Windows device setup](images/win10_hithere.png) - > [!NOTE] - > During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection. + > [!NOTE] + > During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection. 2. In the **Who owns this PC?** screen, select **My work or school owns it** and click **Next**. 3. In the **Choose how you'll connect** screen, select **Join Azure Active Directory** and click **Next**. - **Figure 32** - Choose how you'll connect your Windows device + **Figure 32** - Choose how you'll connect your Windows device - ![Choose how you'll connect the Windows device](images/win10_choosehowtoconnect.png) + ![Choose how you'll connect the Windows device](images/win10_choosehowtoconnect.png) 4. 
In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts. - **Figure 33** - Sign in using one of the accounts you added + **Figure 33** - Sign in using one of the accounts you added - ![Sign in using one of the accounts you added](images/win10_signin_admin_account.png) + ![Sign in using one of the accounts you added](images/win10_signin_admin_account.png) 5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup. - Windows will continue with setup and you may be asked to set up a PIN for Windows Hello if your organization has it enabled. + Windows will continue with setup and you may be asked to set up a PIN for Windows Hello if your organization has it enabled. ### 2.2 Verify correct device setup Verify that the device is set up correctly and boots without any issues. 
@@ -428,20 +428,20 @@ In the Intune management **To verify if the device is joined to Azure AD** 1. Check the device name on your PC. To do this, on your Windows PC, select **Settings > System > About** and then check **PC name**. - **Figure 34** - Check the PC name on your device + **Figure 34** - Check the PC name on your device - ![Check the PC name on your device](images/win10_settings_pcname.png) + ![Check the PC name on your device](images/win10_settings_pcname.png) 2. Log in to the Intune management portal. 3. Select **Groups** and then go to **Devices**. 4. In the **All Devices** page, look at the list of devices and select the entry that matches the name of your PC. - - Check that the device name appears in the list. Select the device and it will also show the current logged-in user in the **General Information** section. - - Check the **Management Channel** column and confirm that it says **Managed by Microsoft Intune**. - - Check the **AAD Registered** column and confirm that it says **Yes**. + - Check that the device name appears in the list. Select the device and it will also show the current logged-in user in the **General Information** section. + - Check the **Management Channel** column and confirm that it says **Managed by Microsoft Intune**. + - Check the **AAD Registered** column and confirm that it says **Yes**. - **Figure 35** - Check that the device appears in Intune + **Figure 35** - Check that the device appears in Intune - ![Check that the device appears in Intune](images/intune_groups_devices_list.png) + ![Check that the device appears in Intune](images/intune_groups_devices_list.png) ## 3. Manage device settings and features You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. 
For more info, see [Manage settings and features on your devices with Microsoft Intune policies](https://docs.microsoft.com/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). 
@@ -458,19 +458,19 @@ In some cases, if an app is missing from the device, you need to reconfigure the 4. Click **Next** at the bottom of the app deployment settings window or select **Deployment Action** on the left column to check the deployment settings for the app. 5. For each group that you selected, set **Approval** to **Required Install**. This automatically sets **Deadline** to **As soon as possible**. If **Deadline** is not automatically set, set it to **As soon as possible**. - **Figure 36** - Reconfigure an app's deployment setting in Intune + **Figure 36** - Reconfigure an app's deployment setting in Intune - ![Reconfigure app deployment settings in Intune](images/intune_apps_deploymentaction.png) + ![Reconfigure app deployment settings in Intune](images/intune_apps_deploymentaction.png) 6. Click **Finish**. 7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible. -6. Verify that the app shows up on the device. To do this: - - Make sure you're logged in to the Windows device. - - Click the **Start** button and check the apps that appear in the **Recently added** section. If you don't see the apps that you deployed in Intune, give it a few minutes. Only apps that aren't already deployed on the device will appear in the **Recently added** section. +8. Verify that the app shows up on the device. To do this: + - Make sure you're logged in to the Windows device. + - Click the **Start** button and check the apps that appear in the **Recently added** section. If you don't see the apps that you deployed in Intune, give it a few minutes. Only apps that aren't already deployed on the device will appear in the **Recently added** section. 
- **Figure 37** - Confirm that additional apps were deployed to the device + **Figure 37** - Confirm that additional apps were deployed to the device - ![Confirm that additiional apps were deployed to the device](images/win10_deploy_apps_immediately.png) + ![Confirm that additiional apps were deployed to the device](images/win10_deploy_apps_immediately.png) ### 3.2 Configure other settings in Intune 
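Review bot: The alt text for Figure 37 still reads "additiional" on the added line ("Confirm that additiional apps were deployed to the device"); since the line is being rewritten anyway, fix the spelling to "additional". The renumbering of the duplicated "6." to "8." is correct, and "Repeat steps 2-6" in step 7 still points at the right range because step 6 remains "Click Finish".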
@@ -480,36 +480,36 @@ In some cases, if an app is missing from the device, you need to reconfigure the 3. On the **Create a New Policy** page, click **Windows** to expand the group, select **General Configuration (Windows 10 Desktop and Mobile and later)**, choose **Create and Deploy a Custom Policy**, and then click **Create Policy**. 4. On the **Create Policy** page, select **Device Capabilities**. 5. In the **General** section, add a name and description for this policy. For example: - - **Name**: Test Policy - Disable Camera - - **Description**: Disables the camera + - **Name**: Test Policy - Disable Camera + - **Description**: Disables the camera 6. Scroll down to the **Hardware** section, find **Allow camera is not configured**, toggle the button so that it changes to **Allow camera** and choose **No** from the dropdown list. - **Figure 38** - Add a configuration policy + **Figure 38** - Add a configuration policy - ![Add a configuration policy](images/intune_policy_disablecamera.png) + ![Add a configuration policy](images/intune_policy_disablecamera.png) 7. Click **Save Policy**. A confirmation window will pop up. 8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now. 9. On the **Management Deployment** window, select the user group(s) or device group(s) that you want to apply the policy to (for example, **All Users**), and then click **Add**. 10. Click **OK** to close the window. - **Figure 39** - The new policy should appear in the **Policies** list. + **Figure 39** - The new policy should appear in the **Policies** list. - ![New policy appears on the list](images/intune_policies_newpolicy_deployed.png) + ![New policy appears on the list](images/intune_policies_newpolicy_deployed.png) **To turn off Windows Hello and PINs during device setup** 1. In the Intune management portal, select **Admin**. 2. Go to **Mobile Device Management > Windows > Windows Hello for Business**. 3. 
In the **Windows Hello for Business** page, select **Disable Windows Hello for Business on enrolled devices**. - **Figure 40** - Policy to disable Windows Hello for Business + **Figure 40** - Policy to disable Windows Hello for Business - ![Disable Windows Hello for Business](images/intune_policy_disable_windowshello.png) + ![Disable Windows Hello for Business](images/intune_policy_disable_windowshello.png) 4. Click **Save**. - > [!NOTE] - > This policy is a tenant-wide Intune setting. It disables Windows Hello and required PINs during setup for all enrolled devices in a tenant. + > [!NOTE] + > This policy is a tenant-wide Intune setting. It disables Windows Hello and required PINs during setup for all enrolled devices in a tenant. To test whether these policies get successfully deployed to your tenant, go through [4. Add more devices and users](#4-add-more-devices-and-users) and setup another Windows device and login as one of the users. 
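Review bot: The closing context sentence uses "setup" and "login" as verbs ("setup another Windows device and login as one of the users"); they should be "set up" and "log in". The indentation added to the [!NOTE] under step 4 is worth keeping exactly as is: it is the only place the procedure says the Windows Hello for Business setting is tenant-wide rather than scoped to the test group, so it must render as part of that step and not as a detached paragraph.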
@@ -529,34 +529,34 @@ For other devices, such as those personally-owned by employees who need to conne 2. Select **Access work or school** and then click **Connect** in the **Connect to work or school** page. 3. In the **Set up a work or school account** window, click **Join this device to Azure Active Directory** to add an Azure AD account to the device. - **Figure 41** - Add an Azure AD account to the device + **Figure 41** - Add an Azure AD account to the device - ![Add an Azure AD account to the device](images/win10_add_new_user_join_aad.png) + ![Add an Azure AD account to the device](images/win10_add_new_user_join_aad.png) 4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user. - **Figure 42** - Enter the account details + **Figure 42** - Enter the account details - ![Enter the account details](images/win10_add_new_user_account_aadwork.png) + ![Enter the account details](images/win10_add_new_user_account_aadwork.png) 5. You will be asked to update the password so enter a new password. 6. Verify the details to make sure you're connecting to the right organization and then click **Join**. - **Figure 43** - Make sure this is your organization + **Figure 43** - Make sure this is your organization - ![Make sure this is your organization](images/win10_confirm_organization_details.png) + ![Make sure this is your organization](images/win10_confirm_organization_details.png) 7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**. - **Figure 44** - Confirmation that the device is now connected + **Figure 44** - Confirmation that the device is now connected - ![Confirmation that the device is now connected](images/win10_confirm_device_connected_to_org.png) + ![Confirmation that the device is now connected](images/win10_confirm_device_connected_to_org.png) 8. 
The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources. - **Figure 45** - Device is now enrolled in Azure AD + **Figure 45** - Device is now enrolled in Azure AD - ![Device is enrolled in Azure AD](images/win10_device_enrolled_in_aad.png) + ![Device is enrolled in Azure AD](images/win10_device_enrolled_in_aad.png) 9. You can confirm that the new device and user are showing up as Intune-managed by going to the Intune management portal and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later. diff --git a/smb/docfx.json b/smb/docfx.json index b86df232d5..5ea640e672 100644 --- a/smb/docfx.json +++ b/smb/docfx.json @@ -4,7 +4,7 @@ { "files": [ "**/*.md", - "**/*.yml" + "**/*.yml" ], "exclude": [ "**/obj/**", 
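Review bot: Step 5 of the "Add an Azure AD account" procedure in the cloud-mode-business-setup.md hunk is a run-on: "You will be asked to update the password so enter a new password" reads better as "You will be asked to update the password; enter a new one". The remaining lines in that hunk are indentation only (Figure 41 to 45 captions and images nested under their steps), matching the other procedures in the file.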
@@ -29,21 +29,21 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/smb/breadcrumb/toc.json", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "TechNet.smb", - "folder_relative_path_in_docset": "./" - } - } - }, + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/windows/smb/breadcrumb/toc.json", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "TechNet.smb", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], "dest": "smb", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } diff --git a/smb/index.md b/smb/index.md index 3f7bb09bc7..4df3e742c1 100644 --- a/smb/index.md +++ b/smb/index.md @@ -22,12 +22,12 @@ ms.localizationpriority: medium

    Windows 10 for business
    Learn how Windows 10 and Windows devices can help your business.

    SMB blog
    Read about the latest stories, technology insights, and business strategies for SMBs.

    -

    How to buy
    Go here when you're ready to buy or want to learn more about Microsoft products you can use to help transform your business.

    +

    How to buy
    Go here when you're ready to buy or want to learn more about Microsoft products you can use to help transform your business.

    ## ![Deploy a Microsoft solution for your business](images/deploy.png) Deploy -

    [Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)
    Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.

    +

    Get started: Deploy and manage a full cloud IT solution for your business
    Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.

    ## Related topics diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index c7d4d59952..8c1e9402e7 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md 
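Review bot: In the Deploy section of smb/index.md the removed line is a markdown link, "[Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)", while the added line shows only the plain title "Get started: Deploy and manage a full cloud IT solution for your business". If the target cloud-mode-business-setup.md was dropped rather than rewritten as an HTML anchor that the rendered hunk does not show, the tile loses its only navigation; please confirm the built page still links to that topic.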
@@ -93,11 +93,11 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr 3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files). 4. After the files are uploaded, click **Sign** to sign the catalog files. 5. Click Download to download each item: - - signed catalog file - - default policy - - root certificate for your organization + - signed catalog file + - default policy + - root certificate for your organization - When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide). + When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide). 6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store. 7. Deploy signed catalogs to your managed devices. 
For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with System Center Configuration Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide). diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index e35e8ab175..2c0e080ed7 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md @@ -43,7 +43,7 @@ When you're uploading files for Device Guard signing, there are a few limits for | Maximum size for multiple files (uploaded in a group) | 4 MB | | Maximum number of files per upload | 15 files | - ## File types + ## File types Catalog and policy files have required files types. | File | Required file type | @@ -51,7 +51,7 @@ Catalog and policy files have required files types. | catalog files | .cat | | policy files | .bin | - ## Store for Business roles and permissions + ## Store for Business roles and permissions Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role. ## Device Guard signing certificates diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index c36c5dff04..87b1471707 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json @@ -4,7 +4,7 @@ { "files": [ "**/*.md", - "**/**.yml" + "**/**.yml" ], "exclude": [ "**/obj/**", 
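Review bot: Wording fix for the re-indented paragraph under step 5 of the add-unsigned-app-to-code-integrity-policy.md hunk: "see the Merging code integrity policies in the [Device Guard deployment guide]" should read "see the Merging code integrity policies section in the [Device Guard deployment guide]". Keeping that paragraph nested under step 5 is the right call, because it carries the instruction that actually makes the signed catalog trusted on managed devices: download the default policy and merge it with the existing code integrity policies.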
@@ -31,26 +31,28 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "breadcrumb_path": "/microsoft-store/breadcrumb/toc.json", - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "ms.author": "trudyha", - "ms.technology": "windows", - "ms.topic": "article", - "ms.date": "05/09/2017", - "searchScope": ["Store"], - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.store-for-business", - "folder_relative_path_in_docset": "./" - } - } - }, + "breadcrumb_path": "/microsoft-store/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "ms.author": "trudyha", + "ms.technology": "windows", + "ms.topic": "article", + "ms.date": "05/09/2017", + "searchScope": [ + "Store" + ], + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.store-for-business", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], "dest": "store-for-business", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index dcba0e99ee..c3d282539a 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md 
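Review bot: The switch of "markdownEngineName" from "dfm" to "markdig" changes how indented content, blockquotes and pipe tables render for the whole store-for-business docset, so the indentation and blank-line edits to the markdown files elsewhere in this patch depend on this one line and the PR summary should say so. Everything else in the hunk is a re-indentation of globalMetadata; the only structural change is "searchScope" being split onto three lines, which is equivalent JSON.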
@@ -18,7 +18,7 @@ manager: dansimp # Microsoft Store for Business and Education PowerShell module - preview **Applies to** -- Windows 10 +- Windows 10 Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459). @@ -52,7 +52,6 @@ To install **Microsoft Store for Business and Education PowerShell** with PowerS # Install the Microsoft Store for Business and Education PowerShell module from PowerShell Gallery Install-Module -Name MSStore - ``` ## Import Microsoft Store for Business and Education PowerShell module into the PowerShell session @@ -62,7 +61,6 @@ Once you install the module on your Windows 10 device, you will need to then imp # Import the MSStore module into this session Import-Module -Name MSStore - ``` Next, authorize the module to call **Microsoft Store for Business and Education** on your behalf. This step is required once, per user of the PowerShell module. @@ -73,7 +71,6 @@ To authorize the PowerShell module, run this command. You'll need to sign-in wit # Grant MSStore Access to your Microsoft Store for Business and Education Grant-MSStoreClientAppAccess - ``` You will be promted to sign in with your work or school account and then to authorize the PowerShell Module to access your **Microsoft Store for Business and Education** account. Once the module has been imported into the current PowerShell session and authorized to call into your **Microsoft Store for Business and Education** account, Azure PowerShell cmdlets are loaded and ready to be used. @@ -84,7 +81,6 @@ Service management should encounter no breaking changes as a result of the separ # View items in inventory (Apps & software) Get-MSStoreInventory - ``` >[!TIP] @@ -102,7 +98,6 @@ Most items in **Products and Services** in **Microsoft Store for Business and Ed # View products assigned to people Get-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 - ``` > [!Important] 
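Review bot: "You will be promted to sign in" in the paragraph after the Grant-MSStoreClientAppAccess block should be "prompted", and "sign-in with your work or school account" in the context line uses the noun form where the verb "sign in with" is meant; both sit next to the lines being edited. Removing the stray blank line before each closing fence is fine and leaves the PowerShell blocks intact.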
@@ -129,7 +124,6 @@ Add-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user@my # Reclaim a product (Product ID and SKU ID combination) from a User (user@host.com) Remove-MSStoreSeatAssignment -ProductId 9NBLGGH4R2R6 -SkuId 0016 -Username 'user@myorganization.onmicrosoft.com' - ``` ## Assign or reclaim a product with a .csv file @@ -145,7 +139,6 @@ Add-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 -PathToCsv C:\Pe # Reclaim a product (Product ID and SKU ID combination) from a User (user@host.com) Remove-MSStoreSeatAssignments -ProductId 9NBLGGH4R2R6 -SkuId 0016 -PathToCsv C:\People.csv -ColumnName UserPrincipalName - ``` ## Uninstall Microsoft Store for Business and Education PowerShell module @@ -155,5 +148,4 @@ You can remove **Microsoft Store for Business and Education PowerShell** from yo # Uninstall the MSStore Module Get-InstalledModule -Name "MSStore" -RequiredVersion 1.0 | Uninstall-Module - ``` diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index 56b9e85c28..9bed41bcbd 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md 
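Review bot: In the uninstall hunk, the context line "Get-InstalledModule -Name "MSStore" -RequiredVersion 1.0 | Uninstall-Module" pins the module to version 1.0, so the command finds nothing once a later preview version is installed; for a removal instruction, "Get-InstalledModule -Name MSStore | Uninstall-Module" (or adding -AllVersions) is the more robust form, independent of the blank-line cleanup this hunk makes.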
@@ -92,7 +92,7 @@ After your admin signs up for the Store for Business and Education, they can ass > [!NOTE] > Currently, the Basic purchaser role is only available for schools using Microsoft Store for Education. For more information, see [Microsoft Store for Education permissions](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business?toc=/microsoft-store/education/toc.json#manage-domain-settings). - + In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](manage-users-and-groups-microsoft-store-for-business.md). Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with Store for Business and Education. @@ -197,7 +197,7 @@ Store for Business and Education is currently available in these markets.
  • Colombia
  • Comoros
  • Costa Rica
  • -
  • Côte D'ivoire
  • +
  • Côte D'ivoire
  • Croatia
  • Curçao
  • Cyprus
  • @@ -332,8 +332,7 @@ Store for Business and Education is currently available in these markets.
  • Viet Nam
  • Virgin Islands, U.S.
  • Zambia
  • -
  • Zimbabwe
       
  • - +
  • Zimbabwe
       

  • @@ -374,9 +373,9 @@ This table summarize what customers can purchase, depending on which Microsoft S > [!NOTE] > **Microsoft Store for Education customers with support for free apps and Minecraft: Education Edition** -- Admins can acquire free apps from **Microsoft Store for Education**. -- Admins need to use an invoice to purchase **Minecraft: Education Edition**. For more information, see [Invoice payment option](https://docs.microsoft.com/education/windows/school-get-minecraft#invoices). -- Teachers, or people with the Basic Purachaser role, can acquire free apps, but not **Minecraft: Education Edition**. +> - Admins can acquire free apps from **Microsoft Store for Education**. +> - Admins need to use an invoice to purchase **Minecraft: Education Edition**. For more information, see [Invoice payment option](https://docs.microsoft.com/education/windows/school-get-minecraft#invoices). +> - Teachers, or people with the Basic Purachaser role, can acquire free apps, but not **Minecraft: Education Edition**. ## Privacy notice @@ -384,7 +383,7 @@ Store for Business and Education services get names and email addresses of peopl - Granting and managing permissions - Managing app licenses - Distributing apps to people (names appear in a list that admins can select from) - + Store for Business and Education does not save names, or email addresses. Your use of Store for Business and Education is also governed by the [Microsoft Store for Business and Education Services Agreement](https://businessstore.microsoft.com/servicesagreement). diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index 2993d15b74..0d054ed947 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md 
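Review bot: Adding the "> " prefix to the three bullets under the [!NOTE] is the needed fix: without it, markdig ends the blockquote at the first unprefixed line and the list renders outside the note. The spelling error "Purachaser" in the third bullet is copied verbatim onto the added line ("people with the Basic Purachaser role"); correct it to "Purchaser" while the line is being rewritten.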
@@ -51,20 +51,20 @@ While not required, you can use a management tool to distribute and manage apps. If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs: -- login.live.com -- login.windows.net -- account.live.com -- clientconfig.passport.net -- windowsphone.com -- \*.wns.windows.com -- \*.microsoft.com -- \*.s-microsoft.com -- www.msftncsi.com (prior to Windows 10, version 1607) -- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com -starting with Windows 10, version 1607) -  +- login.live.com +- login.windows.net +- account.live.com +- clientconfig.passport.net +- windowsphone.com +- \*.wns.windows.com +- \*.microsoft.com +- \*.s-microsoft.com +- www.msftncsi.com (prior to Windows 10, version 1607) +- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com + starting with Windows 10, version 1607) + -  + diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md index fdf61b9b8f..2163e6379a 100644 --- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md +++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md @@ -32,7 +32,7 @@ This table lists the global user accounts and the permissions they have in Micro | Purchase apps | X | X | | Distribute apps | X | X | | Purchase subscription-based software | X | X | -  + **Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. 
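Review bot: In the prerequisites-microsoft-store-for-business.md hunk, the wrapped entry "www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com" / "starting with Windows 10, version 1607)" is now indented on its second line so it stays inside the same list item instead of starting a stray paragraph; that is correct, but the entry would be clearer on a single line, since proxy allow rules match on the host and the path is only the probe file. The backslash escapes on "\*.wns.windows.com", "\*.microsoft.com" and "\*.s-microsoft.com" are preserved on the added lines, which matters under markdig where a bare "*" would be read as emphasis.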
diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md index b8bbce8a9a..5a3a21a49f 100644 --- a/store-for-business/sfb-change-history.md +++ b/store-for-business/sfb-change-history.md @@ -17,6 +17,7 @@ ms.localizationpriority: medium # Change history for Microsoft Store for Business and Microsoft Store for Education ## March 2019 + | New or changed topic | Description | | --- | --- | | [Understand your Microsoft Customer Agreement invoice](billing-understand-your-invoice-msfb.md) | New topic | @@ -26,12 +27,14 @@ ms.localizationpriority: medium | [Roles and permissions in Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md) | Add info for purchasing roles and permissions. | ## April 2018 + | New or changed topic | Description | | --- | --- | | [Configure access to Microsoft Store](https://docs.microsoft.com/windows/configuration/stop-employees-from-using-microsoft-store#a-href-idblock-store-group-policyablock-microsoft-store-using-group-policy) | Update on app updates when Microsoft Store is blocked. | | [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update | ## March 2018 + | New or changed topic | Description | | --- | --- | | [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md) | New | 
@@ -75,6 +78,7 @@ ms.localizationpriority: medium | [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. | ## June 2017 + | New or changed topic | Description | | -------------------- | ----------- | | [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) | New. Information about notification model in Microsoft Store for Business and Education. | @@ -82,12 +86,12 @@ ms.localizationpriority: medium | [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. | ## July 2017 -  + | New or changed topic | Description | | -------------------- | ----------- | | [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | New. Information about Windows Autopilot Deployment Program and how it is used in Microsoft Store for Business and Education. | | [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. | -  + diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index f47bb23106..8d06648a0d 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md 
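Review bot: The blank line inserted between each month heading and its table in sfb-change-history.md is required, not cosmetic: markdig only recognizes a pipe table when a blank line precedes it, so without it the "New or changed topic | Description" rows render as a paragraph. The July 2017 hunk applies the same fix by replacing the non-breaking-space line before the table with a plain blank line, and the trailing non-breaking-space line after that table is correctly replaced too.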
@@ -20,6 +20,7 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education **October 2018** + | | | |-----------------------|---------------------------------| | ![Security groups](images/security-groups-icon.png) |**Use security groups with Private store apps**

    On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store.

    [Get more info](https://docs.microsoft.com/microsoft-store/app-inventory-management-microsoft-store-for-business#private-store-availability)

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index 23830839a0..3085320530 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md @@ -50,12 +50,12 @@ Admins need to invite developer or ISVs to become an LOB publisher. **To invite a developer to become an LOB publisher** -1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com). -2. Click **Manage**, click **Permissions**, and then choose **Line-of-business publishers**. -3. On the Line-of business publishers page, click **Invite** to send an email invitation to a developer. +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com). +2. Click **Manage**, click **Permissions**, and then choose **Line-of-business publishers**. +3. On the Line-of business publishers page, click **Invite** to send an email invitation to a developer. - >[!Note] - > This needs to be the email address listed in contact info for the developer account. + >[!Note] + > This needs to be the email address listed in contact info for the developer account. ## Submit apps (LOB publisher) diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index b394742538..c24fcaa1ed 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -20,7 +20,7 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif" + "**/*.gif" ], "exclude": [ "**/obj/**", 
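Review bot: In the working-with-line-of-business-apps.md hunk, step 3 on the added line still reads "On the Line-of business publishers page" while step 2 says "Line-of-business publishers"; the hyphenation should match the UI label. The [!Note] under the steps keeps its indentation, which is what nests it under step 3 under markdig.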
@@ -31,20 +31,21 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "ms.author": "justinha", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.win-access-protection", - "folder_relative_path_in_docset": "./" - } - } - }, + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "justinha", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-access-protection", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], - "dest": "win-access-protection" + "dest": "win-access-protection", + "markdownEngineName": "markdig" } } diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md index dfec1f7a3e..f52c78ba07 100644 --- a/windows/application-management/app-v/appv-about-appv.md +++ b/windows/application-management/app-v/appv-about-appv.md 
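Review bot: This hunk introduces "markdownEngineName": "markdig" for the windows/access-protection docset rather than switching it from "dfm", and no markdown files under that folder appear in the patch; the other docsets in this change needed indentation, blockquote and table fixes to survive the switch, so confirm a build of this docset under markdig before merging. The trailing comma added after "dest": "win-access-protection" is correct JSON.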
@@ -51,8 +51,8 @@ The changes in App-V for Windows 10, version 1607 impact existing implementation * The App-V client is installed on user devices automatically with Windows 10, version 1607, and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the App-V client. * In previous releases of App-V, the application sequencer was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new application sequencer to create new virtualized applications, existing virtualized applications will continue to work. The App-V application sequencer is available from the [Windows 10 Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). - >[!NOTE] - >If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. + >[!NOTE] + >If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](../app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md) and [Migrating to App-V for Windows 10 from a previous version](../app-v/appv-migrating-to-appv-from-a-previous-version.md). diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index 906530c89d..f852b68c53 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md 
@@ -379,33 +379,33 @@ The process then configures the client for package or connection group additions 3. Configure the packages by identifying the **Add** or **Update** operations. - 1. The App-V Client utilizes the AppX API from Windows and accesses the appv file from the publishing server. + 1. The App-V Client utilizes the AppX API from Windows and accesses the appv file from the publishing server. - 2. The package file is opened and the **AppXManifest.xml** and **StreamMap.xml** files are downloaded to the Package Store. + 2. The package file is opened and the **AppXManifest.xml** and **StreamMap.xml** files are downloaded to the Package Store. - 3. Completely stream publishing block data defined in the **StreamMap.xml** file. Publishing block data is stored in Package Store\\PkgGUID\\VerGUID\\Root. + 3. Completely stream publishing block data defined in the **StreamMap.xml** file. Publishing block data is stored in Package Store\\PkgGUID\\VerGUID\\Root. - - Icons: Targets of extension points. - - Portable Executable Headers (PE Headers): Targets of extension points that contain the base information about the image need on disk, accessed directly or through file types. - - Scripts: Download scripts directory for use throughout the publishing process. + - Icons: Targets of extension points. + - Portable Executable Headers (PE Headers): Targets of extension points that contain the base information about the image need on disk, accessed directly or through file types. + - Scripts: Download scripts directory for use throughout the publishing process. - 4. Populate the Package store by doing the following: + 4. Populate the Package store by doing the following: - 1. Create sparse files on disk that represent the extracted package for any directories listed. + 1. Create sparse files on disk that represent the extracted package for any directories listed. - 2. Stage top-level files and directories under root. + 2. Stage top-level files and directories under root. 
- All other files are created when the directory is listed as sparse on disk and streamed on demand. + All other files are created when the directory is listed as sparse on disk and streamed on demand. - 5. Create the machine catalog entries. Create the **Manifest.xml** and **DeploymentConfiguration.xml** files from the package files (if no **DeploymentConfiguration.xml** file in the package a placeholder is created). + 5. Create the machine catalog entries. Create the **Manifest.xml** and **DeploymentConfiguration.xml** files from the package files (if no **DeploymentConfiguration.xml** file in the package a placeholder is created). - 6. Create location of the package store in the registry **HKLM\\Software\\Microsoft\\AppV\\Client\\Packages\\PkgGUID\\Versions\\VerGUID\\Catalog**. + 6. Create location of the package store in the registry **HKLM\\Software\\Microsoft\\AppV\\Client\\Packages\\PkgGUID\\Versions\\VerGUID\\Catalog**. - 7. Create the **Registry.dat** file from the package store to **%ProgramData%\\Microsoft\\AppV\\Client\\VReg\\{VersionGUID}.dat**. + 7. Create the **Registry.dat** file from the package store to **%ProgramData%\\Microsoft\\AppV\\Client\\VReg\\{VersionGUID}.dat**. - 8. Register the package with the App-V Kernel Mode Driver at **HKLM\\Microsoft\\Software\\AppV\\MAV**. + 8. Register the package with the App-V Kernel Mode Driver at **HKLM\\Microsoft\\Software\\AppV\\MAV**. - 9. Invoke scripting from the **AppxManifest.xml** or **DeploymentConfig.xml** file for Package Add timing. + 9. Invoke scripting from the **AppxManifest.xml** or **DeploymentConfig.xml** file for Package Add timing. 4. Configure Connection Groups by adding and enabling or disabling. diff --git a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md index d2746723e5..b6d62b3219 100644 
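Review bot: two wording defects in the re-indented sub-steps are carried over unchanged and should be fixed while these lines are being touched. In step 3 the PE Headers bullet reads "the base information about the image need on disk" (should be "needed on disk"), and step 5 reads "(if no **DeploymentConfiguration.xml** file in the package a placeholder is created)", which lacks a verb and a comma; suggest "(if the package contains no **DeploymentConfiguration.xml** file, a placeholder is created)". Also check the line "All other files are created when the directory is listed as sparse on disk and streamed on demand." against the indentation of sub-step 2 of step 4 that it continues, so it renders inside the nested list rather than as a new top-level paragraph.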
--- a/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-deployment-configuration-file-with-powershell.md @@ -20,13 +20,13 @@ When you add or set a package to a computer running the App-V client before it's ## Apply the deployment configuration file with Windows PowerShell ->[!NOTE] ->The following example cmdlet uses the following two file paths for the package and configuration files: - > - >* C:\\Packages\\Contoso\\MyApp.appv - >* C:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml - > ->If your package and configuration files use different file paths than the example, feel free to replace them as needed. +> [!NOTE] +> The following example cmdlet uses the following two file paths for the package and configuration files: +> +> * C:\\Packages\\Contoso\\MyApp.appv +> * C:\\Packages\\Contoso\\DynamicConfigurations\\deploymentconfig.xml +> +> If your package and configuration files use different file paths than the example, feel free to replace them as needed. To specify a new default set of configurations for all users who will run the package on a specific computer, in a Windows PowerShell console, enter the following cmdlet: diff --git a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md index b600093c77..e3abc3524a 100644 --- a/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md +++ b/windows/application-management/app-v/appv-apply-the-user-configuration-file-with-powershell.md 
@@ -22,12 +22,12 @@ When you publish a package to a specific user, you'll also need to specify a dyn Here's how to specify a user-specific configuration file: ->[!NOTE] ->The following example cmdlets use this example file path for its package: - > - >* C:\\Packages\\Contoso\\MyApp.appv. - > ->If your package file uses a different file path than the example, feel free to replace it as needed. +> [!NOTE] +> The following example cmdlets use this example file path for its package: +> +> * C:\\Packages\\Contoso\\MyApp.appv. +> +> If your package file uses a different file path than the example, feel free to replace it as needed. 1. Enter the following cmdlet in Windows PowerShell to add the package to the computer: diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 51b9aabc7d..3d117f1d01 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md 
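Review bot: the bullet `> * C:\\Packages\\Contoso\\MyApp.appv.` keeps a trailing period after the file name; since readers copy this path, drop the period (the equivalent bullets in the deployment-configuration topic have none). The rest of the hunk is whitespace-only (`>[!NOTE]` to `> [!NOTE]`, and removing the leading space before `>` on the inner lines), which is the right fix for the blockquote rendering.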
@@ -126,11 +126,11 @@ Example: Random delay for 500 clients with 120 requests per second is *4 × 500/ Computers running the App-V client connect to the App-V publishing server to send a publishing refresh request and receive a response. Round trip response time is measured on the computer running the App-V client, while processor time is measured on the publishing server. For more information about App-V Publishing Server supported configurations, see [App-V supported configurations](appv-supported-configurations.md). ->[!IMPORTANT] ->The following list displays the main factors to consider when setting up the App-V publishing server: - * The number of clients connecting simultaneously to a single publishing server. - * The number of packages in each refresh. - * The available network bandwidth in your environment between the client and the App-V publishing server. +> [!IMPORTANT] +> The following list displays the main factors to consider when setting up the App-V publishing server: +> * The number of clients connecting simultaneously to a single publishing server. +> * The number of packages in each refresh. +> * The available network bandwidth in your environment between the client and the App-V publishing server. |Scenario|Summary| |---|---| 
@@ -151,11 +151,11 @@ Computers running the App-V client connect to the App-V publishing server to sen Computers running the App-V client stream the virtual application package from the streaming server. Round trip response time is measured on the computer running the App-V client, and is the time taken to stream the entire package. ->[!IMPORTANT] ->The following list identifies the main factors to consider when setting up the App-V streaming server: - * The number of clients streaming application packages simultaneously from a single streaming server. - * The size of the package being streamed. - * The available network bandwidth in your environment between the client and the streaming server. +> [!IMPORTANT] +> The following list identifies the main factors to consider when setting up the App-V streaming server: +> * The number of clients streaming application packages simultaneously from a single streaming server. +> * The size of the package being streamed. +> * The available network bandwidth in your environment between the client and the streaming server. |Scenario|Summary| |---|---| diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index 7e22be31db..1d23aca023 100644 --- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -24,93 +24,91 @@ You can use Group Policy to configure App-V client settings by navigating to the The following table provides information about App-V client configuration settings that can be configured through Windows PowerShell cmdlets: -| Windows PowerShell cmdlet or cmdlets,
    **Option**
    Type | Description | Disabled policy state keys and values | -|------------|------------|------------|------------| -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-PackageInstallationRoot**
    String | Specifies directory where all new applications and updates will be installed. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-PackageSourceRoot**
    String | Overrides source location for downloading package content. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-AllowHighCostLaunch**
    True (enabled); False (Disabled state) | This setting controls whether virtualized applications are launched on Windows 10 machines connected by a metered network connection (for example, 4G). | 0 | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReestablishmentRetries**
    Integer (0–99) | Specifies the number of times to retry a dropped session. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReestablishmentInterval**
    Integer (0–3600) | Specifies the number of seconds between attempts to reestablish a dropped session. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-LocationProvider**
    String | Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-CertFilterForClientSsl**
    String | Specifies the path to a valid certificate in the certificate store. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-VerifyCertificateRevocationList**
    True (enabled); False (Disabled state) | Verifies Server certificate revocation status before streaming with HTTPS. | 0 | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-SharedContentStoreMode**
    True (enabled); False (Disabled state) | Specifies that streamed package contents will be not be saved to the local hard disk. | 0 | -| Set-AppvPublishingServer

    **-Name**
    String | Displays the name of publishing server. | Policy value not written (same as Not Configured) | -| Set-AppvPublishingServer

    **-URL**
    String | Displays the URL of publishing server. | Policy value not written (same as Not Configured) | -| Set-AppvPublishingServer

    **-GlobalRefreshEnabled**
    True (enabled); False (Disabled state) | Enables global publishing refresh (Boolean) | False | -| Set-AppvPublishingServer

    **-GlobalRefreshOnLogon**
    True (enabled); False (Disabled state) | Triggers a global publishing refresh on sign in. (Boolean) | False | -| Set-AppvPublishingServer

    **-GlobalRefreshInterval**
    Integer (0–744) | Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, specify 0. | 0 | -| Set-AppvPublishingServer

    **-GlobalRefreshIntervalUnit**
    0 for hour, 1 for day | Specifies the interval unit (Hour 0–23, Day 0–31). | 1 | -| Set-AppvPublishingServer

    **-UserRefreshEnabled**
    True (enabled); False (Disabled state) | Enables user publishing refresh (Boolean) | False | -| Set-AppvPublishingServer

    **-UserRefreshOnLogon**
    True (enabled); False (Disabled state) | Triggers a user publishing refresh on sign in. (Boolean) Word count (with spaces): 60 | False | -| Set-AppvPublishingServer

    **-UserRefreshInterval**
    Word count (with spaces): 85
    Integer (0–744 Hours) | Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. | 0 | -| Set-AppvPublishingServer

    **-UserRefreshIntervalUnit**
    0 for hour, 1 for day | Specifies the interval unit (Hour 0–23, Day 0–31). | 1 | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-MigrationMode**
    True (enabled state); False (Disabled state) | Migration mode allows the App-V client to modify shortcuts and FTA’s for packages created by a previous version of App-V. | | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-EnablePackageScripts**
    True (enabled); False (Disabled state) | Enables scripts defined in the package manifest of configuration files that should run. | | -| Set-AppvClientConfiguration

    **-RoamingFileExclusions**
    String | Specifies the file paths relative to %userprofile% that do not roam with a user's profile. For example, ```/ROAMINGFILEEXCLUSIONS='desktop;my pictures'``` | | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-RoamingRegistryExclusions**
    String | Specifies the registry paths that do not roam with a user profile. For example, ```/ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients``` | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-IntegrationRootUser**
    String | Specifies the location to create symbolic links associated with the current version of a per-user published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links will not be used when you publish the package. For example, ```%localappdata%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-IntegrationRootGlobal**
    String | Specifies the location to create symbolic links associated with the current version of a globally published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links will not be used when you publish the package. For example, ```%allusersprofile%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-VirtualizableExtensions**
    String | A comma-delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment. When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application associated with the extension point is locally installed. If the extension is located, the **RunVirtual** command-line parameter will be added, and the application will run virtually. For more information about the **RunVirtual** parameter, see [Running a locally installed application inside a virtual environment with virtualized applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md). | Policy value not written | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingEnabled**
    True (enabled); False (Disabled state) | Returns information to a reporting server. | False | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingServerURL**
    String | Specifies the location on the reporting server where client information is saved. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingDataCacheLimit**
    Integer \[0–1024\] | Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. Set between 0 and 1024. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingDataBlockSize**
    Integer \[1024 - Unlimited\] | Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingStartTime**
    Integer (0–23) | Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0–23 corresponding to the hour of the day. By default the **ReportingStartTime** will start on the current day at 10 P.M.or 22.
    **Note** You should configure this setting to a time when computers running the App-V client are least likely to be offline. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingInterval**
    Integer | Specifies the retry interval that the client will use to resend data to the reporting server. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingRandomDelay**
    Integer \[0 - ReportingRandomDelay\] | Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and **ReportingRandomDelay** and will wait the specified duration before sending data. This can help to prevent collisions on the server. | Policy value not written (same as Not Configured) | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-EnableDynamicVirtualization
    **1 (Enabled), 0 (Disabled) | Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications. | | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-EnablePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | Enables the publishing refresh progress bar for the computer running the App-V Client. | | -| Sync-AppvPublishingServer

    **-HidePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | Hides the publishing refresh progress bar. | | -| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ProcessesUsingVirtualComponents**
    String | Specifies a list of process paths (that may contain wildcards) that are candidates for using dynamic virtualization (such as supported shell extensions, browser helper objects, and ActiveX controls). Only processes whose full path matches one of these items can use dynamic virtualization. | Empty string. | + +| Windows PowerShell cmdlet or cmdlets,
    **Option**
    Type | Description | Disabled policy state keys and values | +|------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------| +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-PackageInstallationRoot**
    String | Specifies directory where all new applications and updates will be installed. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-PackageSourceRoot**
    String | Overrides source location for downloading package content. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-AllowHighCostLaunch**
    True (enabled); False (Disabled state) | This setting controls whether virtualized applications are launched on Windows 10 machines connected by a metered network connection (for example, 4G). | 0 | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReestablishmentRetries**
    Integer (0–99) | Specifies the number of times to retry a dropped session. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReestablishmentInterval**
    Integer (0–3600) | Specifies the number of seconds between attempts to reestablish a dropped session. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-LocationProvider**
    String | Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-CertFilterForClientSsl**
    String | Specifies the path to a valid certificate in the certificate store. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-VerifyCertificateRevocationList**
    True (enabled); False (Disabled state) | Verifies Server certificate revocation status before streaming with HTTPS. | 0 | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-SharedContentStoreMode**
    True (enabled); False (Disabled state) | Specifies that streamed package contents will be not be saved to the local hard disk. | 0 | +| Set-AppvPublishingServer

    **-Name**
    String | Displays the name of publishing server. | Policy value not written (same as Not Configured) | +| Set-AppvPublishingServer

    **-URL**
    String | Displays the URL of publishing server. | Policy value not written (same as Not Configured) | +| Set-AppvPublishingServer

    **-GlobalRefreshEnabled**
    True (enabled); False (Disabled state) | Enables global publishing refresh (Boolean) | False | +| Set-AppvPublishingServer

    **-GlobalRefreshOnLogon**
    True (enabled); False (Disabled state) | Triggers a global publishing refresh on sign in. (Boolean) | False | +| Set-AppvPublishingServer

    **-GlobalRefreshInterval**
    Integer (0–744) | Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, specify 0. | 0 | +| Set-AppvPublishingServer

    **-GlobalRefreshIntervalUnit**
    0 for hour, 1 for day | Specifies the interval unit (Hour 0–23, Day 0–31). | 1 | +| Set-AppvPublishingServer

    **-UserRefreshEnabled**
    True (enabled); False (Disabled state) | Enables user publishing refresh (Boolean) | False | +| Set-AppvPublishingServer

    **-UserRefreshOnLogon**
    True (enabled); False (Disabled state) | Triggers a user publishing refresh on sign in. (Boolean) Word count (with spaces): 60 | False | +| Set-AppvPublishingServer

    **-UserRefreshInterval**
    Word count (with spaces): 85
    Integer (0–744 Hours) | Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. | 0 | +| Set-AppvPublishingServer

    **-UserRefreshIntervalUnit**
    0 for hour, 1 for day | Specifies the interval unit (Hour 0–23, Day 0–31). | 1 | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-MigrationMode**
    True (enabled state); False (Disabled state) | Migration mode allows the App-V client to modify shortcuts and FTA’s for packages created by a previous version of App-V. | | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-EnablePackageScripts**
    True (enabled); False (Disabled state) | Enables scripts defined in the package manifest of configuration files that should run. | | +| Set-AppvClientConfiguration

    **-RoamingFileExclusions**
    String | Specifies the file paths relative to %userprofile% that do not roam with a user's profile. For example, ```/ROAMINGFILEEXCLUSIONS='desktop;my pictures'``` | | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-RoamingRegistryExclusions**
    String | Specifies the registry paths that do not roam with a user profile. For example, ```/ROAMINGREGISTRYEXCLUSIONS=software\\classes;software\\clients``` | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-IntegrationRootUser**
    String | Specifies the location to create symbolic links associated with the current version of a per-user published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links will not be used when you publish the package. For example, ```%localappdata%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-IntegrationRootGlobal**
    String | Specifies the location to create symbolic links associated with the current version of a globally published package. All virtual application extensions, such as shortcuts and file type associations, will point to this path. If you don't specify a path, symbolic links will not be used when you publish the package. For example, ```%allusersprofile%\\Microsoft\\AppV\\Client\\Integration```. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-VirtualizableExtensions**
    String | A comma-delineated list of file name extensions that can be used to determine if a locally installed application can be run in the virtual environment. When shortcuts, FTAs, and other extension points are created during publishing, App-V will compare the file name extension to the list if the application associated with the extension point is locally installed. If the extension is located, the **RunVirtual** command-line parameter will be added, and the application will run virtually. For more information about the **RunVirtual** parameter, see [Running a locally installed application inside a virtual environment with virtualized applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md). | Policy value not written | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingEnabled**
    True (enabled); False (Disabled state) | Returns information to a reporting server. | False | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingServerURL**
    String | Specifies the location on the reporting server where client information is saved. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingDataCacheLimit**
    Integer \[0–1024\] | Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over. Set between 0 and 1024. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingDataBlockSize**
    Integer \[1024 - Unlimited\] | Specifies the maximum size in bytes to transmit to the server for reporting upload requests. This can help avoid permanent transmission failures when the log has reached a significant size. Set between 1024 and unlimited. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingStartTime**
    Integer (0–23) | Specifies the time to initiate the client to send data to the reporting server. You must specify a valid integer between 0–23 corresponding to the hour of the day. By default the **ReportingStartTime** will start on the current day at 10 P.M.or 22.
    **Note** You should configure this setting to a time when computers running the App-V client are least likely to be offline. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingInterval**
    Integer | Specifies the retry interval that the client will use to resend data to the reporting server. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ReportingRandomDelay**
    Integer \[0 - ReportingRandomDelay\] | Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and **ReportingRandomDelay** and will wait the specified duration before sending data. This can help to prevent collisions on the server. | Policy value not written (same as Not Configured) | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    -EnableDynamicVirtualization
    1 (Enabled), 0 (Disabled) | Enables supported Shell Extensions, Browser Helper Objects, and Active X controls to be virtualized and run with virtual applications. | | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-EnablePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | Enables the publishing refresh progress bar for the computer running the App-V Client. | | +| Sync-AppvPublishingServer

    **-HidePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | Hides the publishing refresh progress bar. | | +| Set-AppvClientConfiguration,
    Set-AppvPublishingServer

    **-ProcessesUsingVirtualComponents**
    String | Specifies a list of process paths (that may contain wildcards) that are candidates for using dynamic virtualization (such as supported shell extensions, browser helper objects, and ActiveX controls). Only processes whose full path matches one of these items can use dynamic virtualization. | Empty string. | ## App-V client configuration settings: registry keys The following table provides information about App-V client configuration settings that can be configured through the registry: -| **Setting name**
    Type | Registry key value | Disabled policy state keys and values | -|---------------------------|---------------------|---------------------------------------| -| **PackageInstallationRoot**
    String | Streaming\\PackageInstallationRoot | Policy value not written (same as Not Configured) | -| **PackageSourceRoot**
    String | Streaming\\PackageSourceRoot | Policy value not written (same as Not Configured) | -| **AllowHighCostLaunch**
    True (Enabled); False (Disabled state) | Streaming\\AllowHighCostLaunch | 0 | -| **ReestablishmentRetries**
    Integer (0–99) | Streaming\\ReestablishmentRetries | Policy value not written (same as Not Configured) | -| **ReestablishmentInterval**
    Integer (0–3600) | Streaming\\ReestablishmentInterval | Policy value not written (same as Not Configured) | -| **LocationProvider**
    String | Streaming\\LocationProvider | Policy value not written (same as Not Configured) | -| **CertFilterForClientSsl**
    String | Streaming\\CertFilterForClientSsl | Policy value not written (same as Not Configured) | -| **VerifyCertificateRevocationList**
    True (Enabled); False (Disabled state) | Streaming\\VerifyCertificateRevocationList | 0 | -| **SharedContentStoreMode**
    True (Enabled); False (Disabled state) | Streaming\\SharedContentStoreMode | 0 | -| **Name**
    String | Publishing\\Servers{serverId}\\FriendlyName | Policy value not written (same as Not Configured) | -| **URL**
    String | Publishing\\Servers{serverId}\\URL | Policy value not written (same as Not Configured) | -| **GlobalRefreshEnabled**
    True (Enabled); False (Disabled state) | Publishing\\Servers{serverId}\\GlobalEnabled | False | -| **GlobalRefreshOnLogon**
    True (Enabled); False (Disabled state) | Publishing\\Servers{serverId}\\GlobalLogonRefresh | False | -| **GlobalRefreshInterval**
    Integer (0–744) | Publishing\\Servers{serverId}\\GlobalPeriodicRefreshInterval | 0 | -| **GlobalRefreshIntervalUnit**
    0 for hour, 1 for day | Publishing\\Servers{serverId}\\GlobalPeriodicRefreshIntervalUnit | 1 | -| **UserRefreshEnabled**
    True (Enabled); False (Disabled state) | Publishing\\Servers{serverId}\\UserEnabled | False | -| **UserRefreshOnLogon**
    True (Enabled); False (Disabled state) | Publishing\\Servers{serverId}\\UserLogonRefresh | False | -| **UserRefreshInterval**
    Word count (with spaces): 85; Integer (0–744 Hours) | Publishing\\Servers{serverId}\\UserPeriodicRefreshInterval | 0 | -| **UserRefreshIntervalUnit**
    0 for hour, 1 for day | Publishing\\Servers{serverId}\\UserPeriodicRefreshIntervalUnit | 1 | -| **MigrationMode**
    True(Enabled state); False (Disabled state) | Coexistence\\MigrationMode | | -| **EnablePackageScripts**
    True (Enabled); False (Disabled state) | \\Scripting\\EnablePackageScripts | | -| **RoamingFileExclusions**
    String | | | -| **RoamingRegistryExclusions**
    String | Integration\\RoamingReglstryExclusions | Policy value not written (same as Not Configured) | -| **IntegrationRootUser**
    String | Integration\\IntegrationRootUser | Policy value not written (same as Not Configured) | -| **IntegrationRootGlobal**
    String | Integration\\IntegrationRootGlobal | Policy value not written (same as Not Configured) | -| **VirtualizableExtensions**
    String | Integration\\VirtualizableExtensions | Policy value not written | -| **ReportingEnabled**
    True (Enabled); False (Disabled state) | Reporting\\EnableReporting | False | -| **ReportingServerURL**
    String | Reporting\\ReportingServer | Policy value not written (same as Not Configured) | -| **ReportingDataCacheLimit**
    Integer \[0–1024\] | Reporting\\DataCacheLimit | Policy value not written (same as Not Configured) | -| **ReportingDataBlockSize**
    Integer \[1024–Unlimited\] | Reporting\\DataBlockSize | Policy value not written (same as Not Configured) | -| **ReportingStartTime**
    Integer (0–23) | Reporting\\ StartTime | Policy value not written (same as Not Configured) | -| **ReportingInterval**
    Integer | Reporting\\RetryInterval | Policy value not written (same as Not Configured) | -| **ReportingRandomDelay**
    Integer \[0 - ReportingRandomDelay\] | Reporting\\RandomDelay | Policy value not written (same as Not Configured) | -| **EnableDynamicVirtualization
    **1 (Enabled), 0 (Disabled) | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\AppV\\Client\\Virtualization | | -| **EnablePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\AppV\\Client\\Publishing | | -| **HidePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | | | -| **ProcessesUsingVirtualComponents**
    String | Virtualization\\ProcessesUsingVirtualComponents | Empty string. | - - - +| **Setting name**
    Type | Registry key value | Disabled policy state keys and values | +|--------------------------------------------------------------------------------|-------------------------------------------------------------------------|---------------------------------------------------| +| **PackageInstallationRoot**
    String | Streaming\\PackageInstallationRoot | Policy value not written (same as Not Configured) | +| **PackageSourceRoot**
    String | Streaming\\PackageSourceRoot | Policy value not written (same as Not Configured) | +| **AllowHighCostLaunch**
    True (Enabled); False (Disabled state) | Streaming\\AllowHighCostLaunch | 0 | +| **ReestablishmentRetries**
    Integer (0–99) | Streaming\\ReestablishmentRetries | Policy value not written (same as Not Configured) | +| **ReestablishmentInterval**
    Integer (0–3600) | Streaming\\ReestablishmentInterval | Policy value not written (same as Not Configured) | +| **LocationProvider**
    String | Streaming\\LocationProvider | Policy value not written (same as Not Configured) | +| **CertFilterForClientSsl**
    String | Streaming\\CertFilterForClientSsl | Policy value not written (same as Not Configured) | +| **VerifyCertificateRevocationList**
    True (Enabled); False (Disabled state) | Streaming\\VerifyCertificateRevocationList | 0 | +| **SharedContentStoreMode**
    True (Enabled); False (Disabled state) | Streaming\\SharedContentStoreMode | 0 | +| **Name**
    String | Publishing\\Servers{serverId}\\FriendlyName | Policy value not written (same as Not Configured) | +| **URL**
    String | Publishing\\Servers{serverId}\\URL | Policy value not written (same as Not Configured) | +| **GlobalRefreshEnabled**
    True (Enabled); False (Disabled state) | Publishing\\Servers{serverId}\\GlobalEnabled | False | +| **GlobalRefreshOnLogon**
    True (Enabled); False (Disabled state) | Publishing\\Servers{serverId}\\GlobalLogonRefresh | False | +| **GlobalRefreshInterval**
    Integer (0–744) | Publishing\\Servers{serverId}\\GlobalPeriodicRefreshInterval | 0 | +| **GlobalRefreshIntervalUnit**
    0 for hour, 1 for day | Publishing\\Servers{serverId}\\GlobalPeriodicRefreshIntervalUnit | 1 | +| **UserRefreshEnabled**
    True (Enabled); False (Disabled state) | Publishing\\Servers{serverId}\\UserEnabled | False | +| **UserRefreshOnLogon**
    True (Enabled); False (Disabled state) | Publishing\\Servers{serverId}\\UserLogonRefresh | False | +| **UserRefreshInterval**
    Word count (with spaces): 85; Integer (0–744 Hours) | Publishing\\Servers{serverId}\\UserPeriodicRefreshInterval | 0 | +| **UserRefreshIntervalUnit**
    0 for hour, 1 for day | Publishing\\Servers{serverId}\\UserPeriodicRefreshIntervalUnit | 1 | +| **MigrationMode**
    True(Enabled state); False (Disabled state) | Coexistence\\MigrationMode | | +| **EnablePackageScripts**
    True (Enabled); False (Disabled state) | \\Scripting\\EnablePackageScripts | | +| **RoamingFileExclusions**
    String | | | +| **RoamingRegistryExclusions**
    String | Integration\\RoamingReglstryExclusions | Policy value not written (same as Not Configured) | +| **IntegrationRootUser**
    String | Integration\\IntegrationRootUser | Policy value not written (same as Not Configured) | +| **IntegrationRootGlobal**
    String | Integration\\IntegrationRootGlobal | Policy value not written (same as Not Configured) | +| **VirtualizableExtensions**
    String | Integration\\VirtualizableExtensions | Policy value not written | +| **ReportingEnabled**
    True (Enabled); False (Disabled state) | Reporting\\EnableReporting | False | +| **ReportingServerURL**
    String | Reporting\\ReportingServer | Policy value not written (same as Not Configured) | +| **ReportingDataCacheLimit**
    Integer \[0–1024\] | Reporting\\DataCacheLimit | Policy value not written (same as Not Configured) | +| **ReportingDataBlockSize**
    Integer \[1024–Unlimited\] | Reporting\\DataBlockSize | Policy value not written (same as Not Configured) | +| **ReportingStartTime**
    Integer (0–23) | Reporting\\ StartTime | Policy value not written (same as Not Configured) | +| **ReportingInterval**
    Integer | Reporting\\RetryInterval | Policy value not written (same as Not Configured) | +| **ReportingRandomDelay**
    Integer \[0 - ReportingRandomDelay\] | Reporting\\RandomDelay | Policy value not written (same as Not Configured) | +| EnableDynamicVirtualization
    1 (Enabled), 0 (Disabled) | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\AppV\\Client\\Virtualization | | +| **EnablePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\AppV\\Client\\Publishing | | +| **HidePublishingRefreshUI**
    1 (Enabled), 0 (Disabled) | | | +| **ProcessesUsingVirtualComponents**
    String | Virtualization\\ProcessesUsingVirtualComponents | Empty string. | ## Related topics diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index a9ee839ed6..27efb333f1 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md 
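Review bot: the `UserRefreshInterval` row still carries the stray editorial text `Word count (with spaces): 85;` in its Type column on both the removed and the added line, so this whitespace-only rewrite of the table ships an artifact; the cell should read `Integer (0–744 Hours)` to match the `GlobalRefreshInterval` row above it. Three more cells are worth fixing while the table is being touched: `Integration\\RoamingReglstryExclusions` (the setting name in the same row is `RoamingRegistryExclusions`, with an `i`), `Reporting\\ StartTime` (stray space before `StartTime`), and `\\Scripting\\EnablePackageScripts` (leading backslash that no other key has). The added `EnableDynamicVirtualization` row is also the only one whose setting name is not bolded (`| EnableDynamicVirtualization<br>1 (Enabled)`); the removed line had the `**` markers misplaced around the `<br>`, so the fix is to move them, not drop them.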
@@ -38,24 +38,24 @@ The App-V package converter will save the App-V 4.6 installation root folder and 2. You can enter the following cmdlets to check or convert packages: - - **Test-AppvLegacyPackage**—This cmdlet checks packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in-depth validation. For information about options and basic functionality for this cmdlet, using Windows PowerShell, enter the following cmdlet: + - **Test-AppvLegacyPackage**—This cmdlet checks packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in-depth validation. For information about options and basic functionality for this cmdlet, using Windows PowerShell, enter the following cmdlet: - ```PowerShell - Test-AppvLegacyPackage -? - ``` + ```PowerShell + Test-AppvLegacyPackage -? + ``` - - **ConvertFrom-AppvLegacyPackage**—This cmdlet converts packages from legacy versions to updated versions. To convert an existing package, enter the following cmdlet: + - **ConvertFrom-AppvLegacyPackage**—This cmdlet converts packages from legacy versions to updated versions. To convert an existing package, enter the following cmdlet: - ```PowerShell - ConvertFrom-AppvLegacyPackage C:\contentStore C:\convertedPackages - ``` + ```PowerShell + ConvertFrom-AppvLegacyPackage C:\contentStore C:\convertedPackages + ``` In this cmdlet, `C:\contentStore` represents the location of the existing package and `C:\convertedPackages` is the output directory to which the resulting App-V for Windows 10 virtual application package file will be saved. By default, if you do not specify a new name, the old package name will be used. 
Additionally, the package converter optimizes performance of packages in App-V for Windows 10 by setting the package to stream fault the App-V package.  This is more performant than the primary feature block and fully downloading the package. The flag **DownloadFullPackageOnFirstLaunch** allows you to convert the package and set the package to be fully downloaded by default. - >[!NOTE] - >Before you specify the output directory, you must create the output directory. + >[!NOTE] + >Before you specify the output directory, you must create the output directory. ### Advanced Conversion Tips diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index 55efbbf729..a33e8e481a 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md 
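Review bot: the unchanged context sentence `This is more performant than the primary feature block and fully downloading the package.` compares a stream-fault package against two alternatives in one clause and reads awkwardly; since the hunk re-indents this paragraph anyway, consider rewording it to say that stream faulting (fetching blocks on demand) performs better than downloading a primary feature block or the whole package up front. The same paragraph introduces `DownloadFullPackageOnFirstLaunch` as a "flag" without showing how it is passed; the `ConvertFrom-AppvLegacyPackage C:\contentStore C:\convertedPackages` example just above is the natural place to show it, and using named parameters there instead of two bare positional paths would also make clear which argument is the source and which is the destination.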
@@ -27,20 +27,20 @@ App-V Package Accelerators automatically sequence large, complex applications. A The following parameters are required to use the package accelerator cmdlet: - - *InstalledFilesPath* specifies the application installation path. - - *Installer* specifies the path to the application installer media. - - *InputPackagePath* specifies the path to the .appv package. - - *Path* specifies the output directory for the package. + - *InstalledFilesPath* specifies the application installation path. + - *Installer* specifies the path to the application installer media. + - *InputPackagePath* specifies the path to the .appv package. + - *Path* specifies the output directory for the package. - The following example cmdlet shows how you can create a package accelerator with an .appv package and the installation media: + The following example cmdlet shows how you can create a package accelerator with an .appv package and the installation media: - ```PowerShell - New-AppvPackageAccelerator -InputPackagePath -Installer -Path - ``` + ```PowerShell + New-AppvPackageAccelerator -InputPackagePath -Installer -Path + ``` - You can also use the following optional parameter with the **New-AppvPackageAccelerator** cmdlet: + You can also use the following optional parameter with the **New-AppvPackageAccelerator** cmdlet: - - *AcceleratorDescriptionFile* specifies the path to user-created package accelerator instructions. The package accelerator instructions are **.txt** or **.rtf** description files that will be included in the package created by the package accelerator. + - *AcceleratorDescriptionFile* specifies the path to user-created package accelerator instructions. The package accelerator instructions are **.txt** or **.rtf** description files that will be included in the package created by the package accelerator. 
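Review bot: the re-indented example `New-AppvPackageAccelerator -InputPackagePath -Installer -Path` names parameters but gives them no values, and it omits `-InstalledFilesPath` even though the list directly above says all four of `InstalledFilesPath`, `Installer`, `InputPackagePath` and `Path` are required, so a reader who pastes it gets a parameter-binding error rather than a package accelerator. Suggest adding the missing parameter and angle-bracket placeholders, for example `New-AppvPackageAccelerator -InputPackagePath <package.appv> -Installer <installer media> -InstalledFilesPath <install path> -Path <output dir>`, and saying that the optional `-AcceleratorDescriptionFile` is appended the same way.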
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index 74c21978be..44920d8d72 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md 
@@ -163,51 +163,51 @@ After you download the Office 2013 applications through the Office Deployment To 1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: - * **SourcePath**: Point to the Office applications downloaded earlier. - * **ProductID**: Specify the type of licensing, as shown in the following examples: - * Subscription Licensing: - ```XML - - - - - - - - - - - ``` - In this example, the following changes were made to create a package with Subscription licensing: + * **SourcePath**: Point to the Office applications downloaded earlier. + * **ProductID**: Specify the type of licensing, as shown in the following examples: + * Subscription Licensing: + ```XML + + + + + + + + + + + ``` + In this example, the following changes were made to create a package with Subscription licensing: - * **SourcePath** is the path, which was changed to point to the Office applications that were downloaded earlier. - * **Product ID** for Office was changed to `O365ProPlusRetail`. - * **Product ID** for Visio was changed to `VisioProRetail`. - * Volume Licensing - ```XML - - - - - - - - - - - ``` - In this example, the following changes were made to create a package with Volume licensing: + * **SourcePath** is the path, which was changed to point to the Office applications that were downloaded earlier. + * **Product ID** for Office was changed to `O365ProPlusRetail`. + * **Product ID** for Visio was changed to `VisioProRetail`. + * Volume Licensing + ```XML + + + + + + + + + + + ``` + In this example, the following changes were made to create a package with Volume licensing: - * **SourcePath** is the source's path, which was changed to point to the Office applications that were downloaded earlier. - * **Product ID** for Office was changed to `ProPlusVolume`. - * **Product ID** for Visio was changed to `VisioProVolume`. 
- * **ExcludeApp** (optional) lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath. - * **PACKAGEGUID** (optional)—By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server. + * **SourcePath** is the source's path, which was changed to point to the Office applications that were downloaded earlier. + * **Product ID** for Office was changed to `ProPlusVolume`. + * **Product ID** for Visio was changed to `VisioProVolume`. + * **ExcludeApp** (optional) lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath. + * **PACKAGEGUID** (optional)—By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server. - An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2013 for some users, and create another package with Office 2013 and Visio 2013 for another set of users. + An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2013 for some users, and create another package with Office 2013 and Visio 2013 for another set of users. - >[!NOTE] - >Even if you use unique package IDs, you can still deploy only one App-V package to a single device. 
+ >[!NOTE] + >Even if you use unique package IDs, you can still deploy only one App-V package to a single device. 2. Use the **/packager** command to convert the Office applications to an Office 2013 App-V package. For example: @@ -228,11 +228,11 @@ After you download the Office 2013 applications through the Office Deployment To After you run the **/packager** command, the following folders will appear in the directory where you specified the package should be saved: - * **App-V Packages**, which contains an Office 2013 App-V package and two deployment configuration files.
    - * **WorkingDir** + * **App-V Packages**, which contains an Office 2013 App-V package and two deployment configuration files.
    + * **WorkingDir** - >[!NOTE] - >To troubleshoot any issues, see the log files in the %temp% directory (default). + >[!NOTE] + >To troubleshoot any issues, see the log files in the %temp% directory (default). 3. Verify that the Office 2013 App-V package works correctly: 1. Publish the Office 2013 App-V package that you created globally to a test computer and verify that the Office 2013 shortcuts appear. 
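Review bot: in the `@@ -163,51` hunk the Subscription Licensing and Volume Licensing `XML` fences are re-indented but, as rendered here, contain no element content, so the bullets that follow ("Product ID for Office was changed to `O365ProPlusRetail`", "`VisioProRetail`", "`ProPlusVolume`", "`VisioProVolume`") describe edits to a sample the reader cannot see; confirm the sample configuration lines survive in the committed file and are indented together with the fence so they stay inside it. The `ExcludeApp` bullet says the element is optional but shows no syntax, which is worth a one-line example since that bullet is being rewritten anyway. In the `@@ -228,11` hunk the troubleshooting note points to "the log files in the %temp% directory (default)" without a file name pattern; naming the log the Office Deployment Tool writes would make the note actionable.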
@@ -381,10 +381,10 @@ To upgrade an Office 2013 package, use the Office Deployment Tool. To upgrade a 1. Create a new Office 2013 package through the Office Deployment Tool that uses the most recent Office 2013 application software. The most recent Office 2013 bits can always be obtained through the download stage of creating an Office 2013 App-V Package. The newly created Office 2013 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. - >[!NOTE] - >Office App-V packages have two Version IDs: - * An Office 2013 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. - * A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2013 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2013 package. + > [!NOTE] + > Office App-V packages have two Version IDs: + > * An Office 2013 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. + > * A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2013 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. 
The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2013 package. 2. Globally publish the newly created Office 2013 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2013 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast. 3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted. diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index 210ae0a677..d38f80fbd5 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md 
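Review bot: the rewrite correctly prefixes the two bullets inside the note with `> ` so they render as part of the `[!NOTE]` block, but the sentence beginning `The App-V server will use the X.X.X.X version ID to differentiate this package` continues the second bullet and, as shown here, sits on a following line without the `> ` prefix; if that is how it sits in the file it will render as a separate paragraph outside the note. In the unchanged step 2 below, `Since the new package has the same lineage of the older Office 2013 App-V Package` should read `the same lineage as the older`.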
@@ -95,8 +95,8 @@ After you download the Office Deployment Tool, you can use it to get the latest The XML file included in the Office Deployment Tool specifies the product details, such as the languages and Office applications included. 1. **Customize the sample XML configuration file:** Use the sample XML configuration file that you downloaded with the Office Deployment Tool to customize the Office applications: - 1. Open the sample XML file in Notepad or your favorite text editor. - 2. With the sample **configuration.xml** file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the **configuration.xml** file: + 1. Open the sample XML file in Notepad or your favorite text editor. + 2. With the sample **configuration.xml** file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the **configuration.xml** file: ```XML 
@@ -129,16 +129,16 @@ The XML file included in the Office Deployment Tool specifies the product detail After editing the **configuration.xml** file to specify the desired product, languages, and the location where the Office 2016 applications will be saved to, you can save the configuration file under a name of your choice, such as "Customconfig.xml." 2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2016 applications that will later be converted into an App-V package. The following is an example command: - `\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml` + `\\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml` - The following table describes the example command's elements: + The following table describes the example command's elements: - | Element | Description | - |-------------------------------|--------------------------------------| - | ```\\server\Office2016``` | This is the network share location that contains the Office Deployment Tool and the custom **Configuration.xml** file, which in this example is **Customconfig.xml**. | - | ``Setup.exe`` | This is the Office Deployment Tool. | - | ```/download``` | Downloads the Office 2016 applications that you specify in the **Customconfig.xml** file. | - | ```\\server\Office2016\Customconfig.xml```| This passes the XML configuration file required to complete the download process. In this example, the file used is **Customconfig.xml**. After using the download command, Office applications should be found in the location specified in the configuration file, which in this example is ```\\Server\Office2016```. 
| + | Element | Description | + |-------------------------------|--------------------------------------| + | ```\\server\Office2016``` | This is the network share location that contains the Office Deployment Tool and the custom **Configuration.xml** file, which in this example is **Customconfig.xml**. | + | ``Setup.exe`` | This is the Office Deployment Tool. | + | ```/download``` | Downloads the Office 2016 applications that you specify in the **Customconfig.xml** file. | + | ```\\server\Office2016\Customconfig.xml```| This passes the XML configuration file required to complete the download process. In this example, the file used is **Customconfig.xml**. After using the download command, Office applications should be found in the location specified in the configuration file, which in this example is ```\\Server\Office2016```. | ### Convert the Office applications into an App-V package 
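Review bot: the table in this hunk mixes inline-code delimiters (triple backticks for `\\server\Office2016`, `/download` and the `Customconfig.xml` path, double backticks for `Setup.exe`); single backticks work for all four and avoid the triple-backtick form, which some markdown renderers treat as an opening code fence inside a table cell. The last Description cell also says the downloaded applications will be in `\\Server\Office2016` while the command and the first row use `\\server\Office2016`; pick one casing so the reader does not wonder whether two shares are involved.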
@@ -164,34 +164,34 @@ After you download the Office 2016 applications through the Office Deployment To 1. In Notepad, reopen the CustomConfig.xml file, and make the following changes to the file: - * **SourcePath**: Change to the location where you saved the Office applications you downloaded during setup. - * **ProductID**: Specify the type of licensing, as shown in the following example: + * **SourcePath**: Change to the location where you saved the Office applications you downloaded during setup. + * **ProductID**: Specify the type of licensing, as shown in the following example: - * Subscription Licensing: - ```XML - - - - - - - - - - - ``` - This example made the following changes to create this Subscription Licensing package: + * Subscription Licensing: + ```XML + + + + + + + + + + + ``` + This example made the following changes to create this Subscription Licensing package: - * **SourcePath** was changed to point to the Office applications that were downloaded earlier. - * **Product ID** for Office was changed to `O365ProPlusRetail`. - * **Product ID** for Visio was changed to `VisioProRetail`. - * **ExcludeApp** (optional): Lets you specify Office programs that you don’t want included in the App-V package created by the Office Deployment Tool. For example, you can exclude Access. - * **PACKAGEGUID** (optional): By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use **PACKAGEGUID** to specify a different package ID for each package, which allows you to publish multiple App-V packages created by the Office Deployment Tool, and then manage your published packages with the App-V Server. + * **SourcePath** was changed to point to the Office applications that were downloaded earlier. + * **Product ID** for Office was changed to `O365ProPlusRetail`. + * **Product ID** for Visio was changed to `VisioProRetail`. 
+ * **ExcludeApp** (optional): Lets you specify Office programs that you don’t want included in the App-V package created by the Office Deployment Tool. For example, you can exclude Access. + * **PACKAGEGUID** (optional): By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use **PACKAGEGUID** to specify a different package ID for each package, which allows you to publish multiple App-V packages created by the Office Deployment Tool, and then manage your published packages with the App-V Server. - An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users. + An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users. - >[!NOTE] - >Even if you use unique package IDs, you can still deploy only one App-V package to a single device. + >[!NOTE] + >Even if you use unique package IDs, you can still deploy only one App-V package to a single device. 2. Use the /packager command to convert the Office applications to an Office 2016 App-V package. The following is an example packager command: 
@@ -212,11 +212,11 @@ After you download the Office 2016 applications through the Office Deployment To After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: - * **App-V Packages**—contains an Office 2016 App-V package and two deployment configuration files. - * **WorkingDir** + * **App-V Packages**—contains an Office 2016 App-V package and two deployment configuration files. + * **WorkingDir** - >[!NOTE] - >To troubleshoot any issues, see the log files in the %temp% directory (default). + >[!NOTE] + >To troubleshoot any issues, see the log files in the %temp% directory (default). 3. Verify that the Office 2016 App-V package works correctly: 1. Publish the Office 2016 App-V package that you created globally to a test computer and verify that the Office 2016 shortcuts appear. diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md index 1132ba2453..0827190013 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md 
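Review bot: `the following folders appear up in the directory` in the unchanged context line should read `appear in the directory`; worth fixing in the same change since the list it introduces is being re-indented.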
@@ -35,7 +35,7 @@ App-V offers the following five server components, each of which serves a specif * **Management server.** Use the App-V management server and console to manage your App-V infrastructure. See [Administering App-V with the management console](appv-administering-virtual-applications-with-the-management-console.md) for more information about the management server. - >[!NOTE] + >[!NOTE] >If you are using App-V with your electronic software distribution solution, you don’t need to use the management server and console. However, you may want to take advantage of the reporting and streaming capabilities in App-V. * **Management database.** Use the App-V management database to facilitate database pre-deployments for App-V management. For more information about the management database, see [How to deploy the App-V server](appv-deploy-the-appv-server.md). * **Publishing server.** Use the App-V publishing server to host and stream virtual applications. The publishing server supports the HTTP and HTTPS protocols and does not require a database connection. To learn how to configure the publishing server, see [How to install the App-V publishing server](appv-install-the-publishing-server-on-a-remote-computer.md). diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index 71e125f5e4..cbaef2e7a4 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md 
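Review bot: only the `>[!NOTE]` line is re-indented here; the `>If you are using App-V with your electronic software distribution solution...` line that forms the body of the note is unchanged context, so check that it already sits at the same indentation, otherwise the marker and its text will no longer render as one callout under the `Management server` bullet.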
@@ -21,65 +21,64 @@ Use the following procedure to configure the App-V for reporting. **To configure the computer running the App-V client for reporting** -1. Enable the App-V client. For more information, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). +1. Enable the App-V client. For more information, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). -2. After you have enabled the App-V client, use the **Set-AppvClientConfiguration** cmdlet to configure appropriate Reporting Configuration settings: +2. After you have enabled the App-V client, use the **Set-AppvClientConfiguration** cmdlet to configure appropriate Reporting Configuration settings: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    SettingDescription

    ReportingEnabled

    Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.

    ReportingServerURL

    Specifies the location on the reporting server where client information is saved. For example, https://<reportingservername>:<reportingportnumber>.

    -
    - Note   -

    This is the port number that was assigned during the Reporting Server setup

    -
    -
    -   -

    Reporting Start Time

    This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.

    ReportingRandomDelay

    Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.

    ReportingInterval

    Specifies the retry interval that the client will use to resend data to the reporting server.

    ReportingDataCacheLimit

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    ReportingDataBlockSize

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    SettingDescription

    ReportingEnabled

    Enables the client to return information to a reporting server. This setting is required for the client to collect the reporting data on the client.

    ReportingServerURL

    Specifies the location on the reporting server where client information is saved. For example, https://<reportingservername>:<reportingportnumber>.

    +
    + Note

    This is the port number that was assigned during the Reporting Server setup

    +
    +
    -   +

    Reporting Start Time

    This is set to schedule the client to automatically send the data to the server. This setting will indicate the hour at which the reporting data will start to send. It is in the 24 hour format and will take a number between 0-23.

    ReportingRandomDelay

    Specifies the maximum delay (in minutes) for data to be sent to the reporting server. When the scheduled task is started, the client generates a random delay between 0 and ReportingRandomDelay and will wait the specified duration before sending data.

    ReportingInterval

    Specifies the retry interval that the client will use to resend data to the reporting server.

    ReportingDataCacheLimit

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    ReportingDataBlockSize

    Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over.

    -3. After the appropriate settings have been configured, the computer running the App-V client will automatically collect data and will send the data back to the reporting server. - Additionally, administrators can manually send the data back in an on-demand manner using the **Send-AppvClientReport** cmdlet. + +3. After the appropriate settings have been configured, the computer running the App-V client will automatically collect data and will send the data back to the reporting server. + + Additionally, administrators can manually send the data back in an on-demand manner using the **Send-AppvClientReport** cmdlet. diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md index edebf0f9c5..ab69c602ad 100644 --- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md +++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md 
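Review bot: in the re-indented Set-AppvClientConfiguration table (appv-enable-reporting-on-the-appv-client-with-powershell.md), the ReportingDataBlockSize row repeats the ReportingDataCacheLimit description word for word ("Specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The size applies to the cache in memory. When the limit is reached, the log file will roll over."), so the reader is never told what the block size actually bounds; since this hunk rewrites the whole table, give that row a description of its own or drop it until one is available. While here, "Reporting Start Time" is the only row not written as the cmdlet parameter name (the others are ReportingEnabled, ReportingServerURL, ReportingRandomDelay, ReportingInterval, ...), and the note under ReportingServerURL ("This is the port number that was assigned during the Reporting Server setup") should say it refers to the reportingportnumber placeholder in the https://<reportingservername>:<reportingportnumber> example.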
@@ -29,8 +29,8 @@ Use the following procedure to install the database server and management server 4. On the **Feature selection** page, select the components you want to install by first selecting the **Management Server Database** checkbox, then selecting **Next**. 5. On the **Installation location** page, accept the default location and select **Next**. 6. On the initial **Create new management server database** page, accept the default selections if appropriate, then select **Next**. - * If you are using a custom SQL Server instance, select **Use a custom instance** and enter the name of the instance. - * If you are using a custom database name, select **Custom configuration** and enter the database name. + * If you are using a custom SQL Server instance, select **Use a custom instance** and enter the name of the instance. + * If you are using a custom database name, select **Custom configuration** and enter the database name. 7. On the next **Create new management server database** page, select **Use a remote computer**, then enter the remote machine account using the following format: ```Domain\MachineAccount```. >[!NOTE] 
@@ -45,8 +45,8 @@ Use the following procedure to install the database server and management server 4. On the **Feature selection** page, select the components you want to install by first selecting the **Reporting Server Database** checkbox, then selecting **Next**. 5. On the **Installation Location** page, accept the default location and select **Next**. 6. On the initial **Create new management server database** page, accept the default selections if appropriate, then select **Next**. - * If you're using a custom SQL Server instance, select **Use a custom instance** and enter the instance name. - * If you're using a custom database name, select **Custom configuration** and enter the database name. + * If you're using a custom SQL Server instance, select **Use a custom instance** and enter the instance name. + * If you're using a custom database name, select **Custom configuration** and enter the database name. 7. On the next **Create new management server database** page, select **Use a remote computer**, and enter the remote machine account using the following format: ```Domain\MachineAccount```. >[!NOTE] 
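Review bot: in the Reporting Server Database procedure (appv-install-the-management-and-reporting-databases-on-separate-computers.md, second hunk), steps 6 and 7 still point the reader at the **Create new management server database** page even though step 4 selected the **Reporting Server Database** checkbox; since the bullets under step 6 are being re-indented here anyway, confirm the page title against the installer and correct it if it is the reporting database page.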
@@ -58,18 +58,18 @@ Use the following procedure to install the database server and management server 1. Copy the App-V server installation files to the computer on which you want to install it on. 2. To extract the App-V database scripts, open a command prompt and specify the location where the installation files are saved and run the following command: - ```SQL + ```SQL appv\_server\_setup.exe /LAYOUT /LAYOUTDIR=”InstallationExtractionLocation” - ``` + ``` 3. After the extraction has been completed, to access the App-V database scripts and instructions readme file: - * The App-V Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**. - * The App-V Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**. + * The App-V Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**. + * The App-V Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**. 4. For each database, copy the scripts to a share and modify them following the instructions in the readme file. - >[!NOTE] - >For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md). 
+ >[!NOTE] + >For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md). 5. Run the scripts on the computer running Microsoft SQL Server. diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index e1fc8c81c8..a1a2580c13 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md 
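Review bot: the re-indented fence in this hunk is tagged ```SQL but its only content is a Windows command line (appv\_server\_setup.exe /LAYOUT /LAYOUTDIR=”InstallationExtractionLocation”), so it should carry a console or cmd tag instead; the quotation marks around InstallationExtractionLocation are typographic ” ” rather than ASCII " ", which a command prompt will not treat as quotes if the line is copied, and the escaped underscores in appv\_server\_setup.exe render literally inside a fence. The NOTE under step 4 also has a misplaced comma: "contained in the scripts see, [How to Install ...]" should read "contained in the scripts, see [How to Install ...]".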
@@ -25,12 +25,12 @@ To install the management server on a standalone computer and connect it to the 5. On the **Installation Location** page, accept the default location, then select **Next**. 6. On the **Configure Existing Management Database** page, select **Use a remote SQL Server**, then enter the computer running Microsoft SQL's machine name, such as ```SqlServerMachine```. - >[!NOTE] - >If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance**, then enter the instance's name. Specify the **SQL Server Database name** that this management server will use, such as ```AppvManagement```. + >[!NOTE] + >If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance**, then enter the instance's name. Specify the **SQL Server Database name** that this management server will use, such as ```AppvManagement```. 7. On the **Configure management server configuration** page, specify the following items: - * The AD group or account that will connect to the management console for administrative purposes for example **MyDomain\\MyUser** or **MyDomain\\AdminGroup**. The account or AD group you specify will be enabled to manage the server through the management console. You can add additional users or groups using the management console after installation - * The **Website Name** you want to use for the management service. Accept the default if you do not have a custom name. - * For the **Port Binding**, specify a unique port number, such as **12345**. 
+ * The AD group or account that will connect to the management console for administrative purposes for example **MyDomain\\MyUser** or **MyDomain\\AdminGroup**. The account or AD group you specify will be enabled to manage the server through the management console. You can add additional users or groups using the management console after installation + * The **Website Name** you want to use for the management service. Accept the default if you do not have a custom name. + * For the **Port Binding**, specify a unique port number, such as **12345**. 8. Select **Install**. 9. To confirm that the setup has completed successfully, open a web browser and enter the following URL: https://managementserver:portnumber/Console. If the installation was successful, you should see the **Management Console** appear without any error messages or warnings displayed. diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md index 6c5e554c0b..c2f081dd15 100644 --- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md +++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md 
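Review bot: whitespace-only hunk in appv-install-the-management-server-on-a-standalone-computer.md, but since the lines are being touched, the first bullet under step 7 is missing a comma before the example ("for administrative purposes for example **MyDomain\\MyUser**") and a terminating period after "using the management console after installation", and step 6's "enter the computer running Microsoft SQL's machine name" would read more cleanly as "enter the machine name of the computer running Microsoft SQL Server".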
@@ -27,16 +27,16 @@ Use the following procedure to install the publishing server on a separate compu 5. On the **Installation location** page, accept the default location, then select **Next**. 6. On the **Configure publishing server configuration** page, specify the following items: - * The URL for the management service that the publishing server will connect to. For example, **http://ManagementServerName:12345**. - * Specify the website name that you want to use for the publishing service. If you don't have a custom name, then use the default name. - * For the **Port binding**, specify a unique port number that will be used by App-V. For example, **54321**. + * The URL for the management service that the publishing server will connect to. For example, **http://ManagementServerName:12345**. + * Specify the website name that you want to use for the publishing service. If you don't have a custom name, then use the default name. + * For the **Port binding**, specify a unique port number that will be used by App-V. For example, **54321**. 7. On the **Ready to install** page, select **Install**. 8. After the installation is complete, the publishing server must be registered with the management server. In the App-V management console, use the following steps to register the server: 1. Open the App-V management server console. 2. In the left pane, select **Servers**, then select **Register New Server**. 3. Enter the server name and a description (if required), then select **Add**. -9. To verify that the publishing server is running correctly, you should import a package to the management server, entitle that package to an AD group, then publish it. Using an internet browser, open the following URL: **https://publishingserver:pubport**. If the server is running correctly, information like the following example should appear. +9. 
To verify that the publishing server is running correctly, you should import a package to the management server, entitle that package to an AD group, then publish it. Using an internet browser, open the following URL: https://publishingserver:pubport. If the server is running correctly, information like the following example should appear. ```SQL diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index 5ba868c2b4..76ced5b4de 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -32,40 +32,40 @@ In some previous versions of App-V, connection groups were referred to as Dynami -
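Review bot: in the publishing-server hunk (appv-install-the-publishing-server-on-a-remote-computer.md), the replacement for step 9 breaks the line immediately after "+9. ", so "To verify that the publishing server is running correctly..." no longer sits inside the numbered item and will render as a loose paragraph; keep the text on the same line as the list marker. The bold around https://publishingserver:pubport was also dropped while the other URLs in this file (for example **http://ManagementServerName:12345** in step 6) keep it, so the formatting is now inconsistent; and step 6 gives the management service URL as plain http:// while the management console check in the sibling file uses https://managementserver:portnumber/Console, which deserves a sentence steering readers to the HTTPS endpoint for that connection. The fence that follows is again tagged ```SQL although it holds example server output, not SQL.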

    [About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)

    +

    About the Connection Group Virtual Environment

    Describes the connection group virtual environment.

    -

    [About the Connection Group File](appv-connection-group-file.md)

    +

    About the Connection Group File

    Describes the connection group file.

    -

    [How to Create a Connection Group](appv-create-a-connection-group.md)

    +

    How to Create a Connection Group

    Explains how to create a new connection group.

    -

    [How to Create a Connection Group with User-Published and Globally Published Packages](appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)

    +

    How to Create a Connection Group with User-Published and Globally Published Packages

    Explains how to create a new connection group that contains a mix of packages that are published to the user and published globally.

    -

    [How to Delete a Connection Group](appv-delete-a-connection-group.md)

    +

    How to Delete a Connection Group

    Explains how to delete a connection group.

    -

    [How to Publish a Connection Group](appv-publish-a-connection-group.md)

    +

    How to Publish a Connection Group

    Explains how to publish a connection group.

    -

    [How to Make a Connection Group Ignore the Package Version](appv-configure-connection-groups-to-ignore-the-package-version.md)

    +

    How to Make a Connection Group Ignore the Package Version

    Explains how to configure a connection group to accept any version of a package, which simplifies package upgrades and reduces the number of connection groups you need to create.

    -

    [How to Allow Only Administrators to Enable Connection Groups](appv-allow-administrators-to-enable-connection-groups.md)

    +

    How to Allow Only Administrators to Enable Connection Groups

    Explains how to configure the App-V client so that only administrators (not end users) can enable or disable connection groups.

    -  + @@ -77,9 +77,9 @@ In some previous versions of App-V, connection groups were referred to as Dynami - [Operations for App-V](appv-operations.md) -  + -  + diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index 6f716b335e..cd519bf28a 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -55,7 +55,7 @@ You can also use the `–OSDsToIncludeInPackage` parameter with the `ConvertFrom -  + ### Example conversion statement @@ -161,7 +161,7 @@ ConvertFrom-AppvLegacyPackage –SourcePath \\OldPkgStore\ContosoApp\ -  + ## Converting packages created using a prior version of App-V @@ -172,7 +172,7 @@ Use the package converter utility to upgrade virtual application packages create **Important**   After you convert an existing package you should test the package prior to deploying the package to ensure the conversion process was successful. -  + **What to know before you convert existing packages** @@ -190,7 +190,7 @@ After you convert an existing package you should test the package prior to deplo
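Review bot: in the connection-groups table hunk (appv-managing-connection-groups.md, @@ -32,40), every replaced row now shows only the bare title where the removed row carried a link, for example "[About the Connection Group Virtual Environment](appv-connection-group-virtual-environment.md)" becomes "About the Connection Group Virtual Environment"; as submitted the reader loses navigation to all eight topics. If the intent was only to strip trailing whitespace, restore the link targets (or confirm that an href survives in the rendered source and only the raw-markdown copy of the link was removed).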

    Virtual packages using DSC are not linked after conversion.

    -

    Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md).

    +

    Link the packages using connection groups. See Managing Connection Groups.

    Environment variable conflicts are detected during conversion.

    @@ -203,7 +203,7 @@ After you convert an existing package you should test the package prior to deplo -  + When converting a package check for failing files or shortcuts, locate the item in App-V 4.6 package. It could possibly be a hard-coded path. Convert the path. @@ -233,19 +233,19 @@ There is no direct method to upgrade to a full App-V infrastructure. Use the inf
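Review bot: in the @@ -190 hunk of appv-migrating-to-appv-from-a-previous-version.md the replaced cell drops the link target: "Link the packages using connection groups. See [Managing Connection Groups](appv-managing-connection-groups.md)." becomes "See Managing Connection Groups." with nothing to click; restore the link or confirm the href still exists in the rendered source. The unchanged context line "When converting a package check for failing files or shortcuts, locate the item in App-V 4.6 package." is also missing a comma after "shortcuts" and an article before "App-V 4.6 package".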

    Review prerequisites.

    -

    [App-V Server prerequisite software](appv-prerequisites.md#app-v-server-prerequisite-software).

    +

    App-V Server prerequisite software.

    Enable the App-V client.

    -

    [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md).

    +

    Enable the App-V desktop client.

    Install App-V Server.

    -

    [How to Deploy the App-V Server](appv-deploy-the-appv-server.md).

    +

    How to Deploy the App-V Server.

    Migrate existing packages.

    -

    See [Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v) earlier in this topic.

    +

    See Converting packages created using a prior version of App-V earlier in this topic.

    diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index 35ac85427d..40047a8bd9 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -89,7 +89,7 @@ Deployment Environment -  + Expected Configuration @@ -110,7 +110,7 @@ Expected Configuration -  + IT Administration @@ -127,7 +127,7 @@ IT Administration -  + ### Usage Scenarios @@ -147,14 +147,14 @@ As you review the two scenarios, keep in mind that these approach the extremes.
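Review bot: in the @@ -233 hunk of appv-migrating-to-appv-from-a-previous-version.md all four "how to" cells lose their targets, including the in-page anchor "[Converting packages created using a prior version of App-V](#converting-packages-created-using-a-prior-version-of-app-v)" which becomes plain text "Converting packages created using a prior version of App-V earlier in this topic"; the reader now has to scroll to find the section. Restore the anchors unless an href is preserved elsewhere in the rendered source.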

    To provide the most optimal user experience, this approach leverages the capabilities of a UPM solution and requires additional image preparation and can incur some additional image management overhead.

    -

    The following describes many performance improvements in stateful non-persistent deployments. For more information, see [Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance) later in this topic.

    +

    The following describes many performance improvements in stateful non-persistent deployments. For more information, see Sequencing Steps to Optimize Packages for Publishing Performance later in this topic.

    The general expectations of the previous scenario still apply here. However, keep in mind that VM images are typically stored in very costly arrays; a slight alteration has been made to the approach. Do not pre-configure user-targeted virtual application packages in the base image.

    -

    The impact of this alteration is detailed in the [User Experience Walk-through](#bkmk-uewt) section of this document.

    +

    The impact of this alteration is detailed in the User Experience Walk-through section of this document.

    -  + ### Preparing your Environment @@ -177,9 +177,9 @@ The following table displays the required steps to prepare the base image and th
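Review bot: in the @@ -147 hunk of appv-performance-guidance.md the two in-page cross references lose their anchors: "[Sequencing Steps to Optimize Packages for Publishing Performance](#sequencing-steps-to-optimize-packages-for-publishing-performance)" and "[User Experience Walk-through](#bkmk-uewt)" both become bare text in the + rows, so "later in this topic" and "section of this document" no longer lead anywhere; keep the anchors, which is the only thing these cells need beyond the whitespace cleanup.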

      -
    • Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md).

    • +
    • Enable the App-V client as described in Enable the App-V in-box client.

    • Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.

    • -
    • Configure for Shared Content Store (SCS) mode. For more information see [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).

    • +
    • Configure for Shared Content Store (SCS) mode. For more information see Deploying the App-V Sequencer and Configuring the Client.

    • Configure Preserve User Integrations on Login Registry DWORD.

    • Pre-configure all user- and global-targeted packages for example, Add-AppvClientPackage.

    • Pre-configure all user- and global-targeted connection groups for example, Add-AppvClientConnectionGroup.

    • @@ -197,9 +197,9 @@ The following table displays the required steps to prepare the base image and th
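Review bot: in the @@ -177 hunk of appv-performance-guidance.md (and identically in the @@ -197 hunk that follows) the bullets "Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md)." and "Configure for Shared Content Store (SCS) mode. For more information see [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md)." are replaced by the same sentences without link targets; the base-image preparation steps are the ones an administrator follows most carefully, so restore the links or confirm an href survives in the rendered source. The same bullets are also missing a comma before "for example" in "Pre-configure all user- and global-targeted packages for example, Add-AppvClientPackage."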

      -
    • Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md).

    • +
    • Enable the App-V client as described in Enable the App-V in-box client.

    • Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.

    • -
    • Configure for Shared Content Store (SCS) mode. For more information see [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).

    • +
    • Configure for Shared Content Store (SCS) mode. For more information see Deploying the App-V Sequencer and Configuring the Client.

    • Configure Preserve User Integrations on Login Registry DWORD.

    • Pre-configure all global-targeted packages for example, Add-AppvClientPackage.

    • Pre-configure all global-targeted connection groups for example, Add-AppvClientConnectionGroup.

    • @@ -210,7 +210,7 @@ The following table displays the required steps to prepare the base image and th -  + **Configurations** - For critical App-V Client configurations and for a little more context and how-to, review the following information: @@ -231,7 +231,7 @@ The following table displays the required steps to prepare the base image and th

      Shared Content Store (SCS) Mode

        -
      • Configurable in Windows PowerShell with `Set-AppvClientConfiguration -SharedContentStoreMode 1`
        or configurable with Group Policy, as described in [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).

      • +
      • Configurable in Windows PowerShell with Set-AppvClientConfiguration -SharedContentStoreMode 1
        or configurable with Group Policy, as described in Deploying the App-V Sequencer and Configuring the Client.

      When running the shared content store only publishing data is maintained on hard disk; other virtual application assets are maintained in memory (RAM).

      This helps to conserve local storage and minimize disk I/O per second (IOPS).
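Review bot: in the @@ -231 hunk of appv-performance-guidance.md the + row strips the backticks from `Set-AppvClientConfiguration -SharedContentStoreMode 1`, so the cmdlet and its parameter now read as prose and the hyphen in -SharedContentStoreMode is no longer visibly part of a command; keep the code formatting. The same row also drops the target of "[Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md)", which is the reference for the Group Policy alternative it mentions.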

      @@ -262,7 +262,7 @@ The following table displays the required steps to prepare the base image and th -  + ### Configure UE-V solution for App-V Approach @@ -288,7 +288,7 @@ UE-V will only support removing the .lnk file type from the exclusion list in th **Important**   This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk. -  + Using the Microsoft Registry Editor (regedit.exe), navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **UEV** \\ **Agent** \\ **Configuration** \\ **ExcludedFileTypes** and remove **.lnk** from the excluded file types. @@ -311,7 +311,7 @@ To enable an optimized login experience, for example the App-V approach for the App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver does not handle UPD selected folders. -   + - Capturing changes to the locations, which constitute the user integrations, prior to session logoff. @@ -404,7 +404,7 @@ This following is a step-by-step walk-through of the App-V and UPM operations an -  + @@ -429,7 +429,7 @@ This following is a step-by-step walk-through of the App-V and UPM operations an
      -  + ### Impact to Package Life Cycle @@ -516,7 +516,7 @@ Several App-V features facilitate new scenarios or enable new customer deploymen -  + ### Removing FB1 @@ -555,7 +555,7 @@ Removing FB1 does not require the original application installer. After completi **Note**   This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file. -   + @@ -582,7 +582,7 @@ Removing FB1 does not require the original application installer. After completi
      -  + ### Creating a new virtual application package on the sequencer @@ -619,7 +619,7 @@ When publishing a virtual application package, the App-V Client will detect if a -  + ### Disabling a Dynamic Configuration by using Windows PowerShell @@ -669,7 +669,7 @@ For documentation on How to Apply a Dynamic Configuration, see: -  + ### Determining what virtual fonts exist in the package diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index 09b74e41a0..178c952b5a 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -87,8 +87,8 @@ Use the following steps to modify the connection string to include ```failover p 2. Navigate to **HKEY\_LOCAL\_MACHINE** \\ **Software** \\ **Microsoft** \\ **AppV** \\ **Server** \\ **ManagementService**. 3. Modify the **MANAGEMENT\_SQL\_CONNECTION\_STRING** value with the ```failover partner = ``` value. 4. Restart management service using the IIS console. - >[!NOTE] - >Database Mirroring is on the list of [deprecated database engine features in SQL Server 2012]() due to the **AlwaysOn** feature available starting with Microsoft SQL Server 2012. + >[!NOTE] + >Database Mirroring is on the list of [deprecated database engine features in SQL Server 2012]() due to the **AlwaysOn** feature available starting with Microsoft SQL Server 2012. Click any of the following links for more information: diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index b3e784acf9..ae79aea7c4 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md 
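Review bot: in the appv-planning-for-high-availability-with-appv.md hunk the NOTE carries an empty link target on both the removed and the added line, "[deprecated database engine features in SQL Server 2012]()", so the re-indent ships a dead link; either supply the URL or drop the brackets. Also, since this note is read by people editing MANAGEMENT\_SQL\_CONNECTION\_STRING under HKEY\_LOCAL\_MACHINE\Software\Microsoft\AppV\Server\ManagementService, it would help to state which replacement (the **AlwaysOn** feature it names) the reader should plan for instead of ```failover partner```.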
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -90,11 +90,11 @@ To bypass the auto-registration operation for native Word 2010, follow these ste 1. Exit Word 2010. 2. Start the Registry Editor by doing the following: - * In Windows 7k, select **Start**, type **regedit** in the Start Search box, then select the Enter key. + * In Windows 7k, select **Start**, type **regedit** in the Start Search box, then select the Enter key. - * In Windows 8.1 or Windows 10, enter **regedit**, select **Enter** on the Start page, then select the Enter key. + * In Windows 8.1 or Windows 10, enter **regedit**, select **Enter** on the Start page, then select the Enter key. - If you're prompted for an administrator password, enter the password. If you're prompted for a confirmation, select **Continue**. + If you're prompted for an administrator password, enter the password. If you're prompted for a confirmation, select **Continue**. 3. Locate and then select the following registry subkey: ``` syntax diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md index 4ca7815a6d..9179e46022 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md 
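Review bot: in the appv-planning-for-using-appv-with-office.md hunk the + lines keep the typo "In Windows 7k" (should be "In Windows 7"), and the Windows 8.1/10 bullet "enter **regedit**, select **Enter** on the Start page, then select the Enter key" says to press Enter twice; since these are the lines being rewritten, fix both to "type **regedit** and then press Enter" in one go.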
@@ -28,7 +28,7 @@ The following are known issues and workarounds for Application Virtualization (A Unable to manually create a system-owned folder needed for the set-AppVClientConfiguration PowerShell cmdlet when using the PackageInstallationRoot, IntegrationRootUser, or IntegrationRootGlobal parameters. - Don't create this file manually, instead let the Add-AppVClientPackage cmdlet auto-generate it. + Don't create this file manually, instead let the Add-AppVClientPackage cmdlet auto-generate it. Failure to update an App-V package from App-V 5.x to the latest in-box version, by using the PowerShell sequencing commands. @@ -36,71 +36,70 @@ The following are known issues and workarounds for Application Virtualization (A Unable to modify the locale for auto-sequencing. - Open the C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml file and include the language code for your locale. For example, if you wanted Spanish (Spain), you'd use: es-ES. + Open the C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml file and include the language code for your locale. For example, if you wanted Spanish (Spain), you'd use: es-ES. - Filetype and protocol handlers aren't registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the Settings > Apps> Default Apps area. + Filetype and protocol handlers aren't registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the Settings > Apps> Default Apps area. The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the <appv:Extensions> tag:
      
       <appv:Extension Category="AppV.URLProtocol">
      -	<appv:URLProtocol>
      -		<appv:Name>ftp</appv:Name>
      -		<appv:ApplicationURLProtocol>
      -			<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
      -			<appv:ShellCommands>
      -				<appv:DefaultCommand>open</appv:DefaultCommand>
      -				<appv:ShellCommand>
      -					<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
      -					<appv:Name>open</appv:Name>
      -					<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
      -					<appv:DdeExec>
      -						<appv:DdeCommand />
      -					</appv:DdeExec>
      -				</appv:ShellCommand>
      -			</appv:ShellCommands>
      -		</appv:ApplicationURLProtocol>
      -	</appv:URLProtocol>
      +    <appv:URLProtocol>
      +        <appv:Name>ftp</appv:Name>
      +        <appv:ApplicationURLProtocol>
      +            <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
      +            <appv:ShellCommands>
      +                <appv:DefaultCommand>open</appv:DefaultCommand>
      +                <appv:ShellCommand>
      +                    <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
      +                    <appv:Name>open</appv:Name>
      +                    <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
      +                    <appv:DdeExec>
      +                        <appv:DdeCommand />
      +                    </appv:DdeExec>
      +                </appv:ShellCommand>
      +            </appv:ShellCommands>
      +        </appv:ApplicationURLProtocol>
      +    </appv:URLProtocol>
       </appv:Extension>
       <appv:Extension Category="AppV.URLProtocol">
      -	<appv:URLProtocol>
      -		<appv:Name>http</appv:Name>
      -		<appv:ApplicationURLProtocol>
      -			<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
      -			<appv:ShellCommands>
      -				<appv:DefaultCommand>open</appv:DefaultCommand>
      -				<appv:ShellCommand>
      -					<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
      -					<appv:Name>open</appv:Name>
      -					<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
      -					<appv:DdeExec>
      -						<appv:DdeCommand />
      -					</appv:DdeExec>
      -				</appv:ShellCommand>
      -			</appv:ShellCommands>
      -		</appv:ApplicationURLProtocol>
      -	</appv:URLProtocol>
      +    <appv:URLProtocol>
      +        <appv:Name>http</appv:Name>
      +        <appv:ApplicationURLProtocol>
      +            <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
      +            <appv:ShellCommands>
      +                <appv:DefaultCommand>open</appv:DefaultCommand>
      +                <appv:ShellCommand>
      +                    <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
      +                    <appv:Name>open</appv:Name>
      +                    <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
      +                    <appv:DdeExec>
      +                        <appv:DdeCommand />
      +                    </appv:DdeExec>
      +                </appv:ShellCommand>
      +            </appv:ShellCommands>
      +        </appv:ApplicationURLProtocol>
      +    </appv:URLProtocol>
       </appv:Extension>
       <appv:Extension Category="AppV.URLProtocol">
      -	<appv:URLProtocol>
      -		<appv:Name>https</appv:Name>
      -		<appv:ApplicationURLProtocol>
      -			<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
      -			<appv:ShellCommands>
      -				<appv:DefaultCommand>open</appv:DefaultCommand>
      -				<appv:ShellCommand>
      -					<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
      -					<appv:Name>open</appv:Name>
      -					<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
      -					<appv:DdeExec>
      -						<appv:DdeCommand />
      -					</appv:DdeExec>
      -				</appv:ShellCommand>
      -			</appv:ShellCommands>
      -		</appv:ApplicationURLProtocol>
      -	</appv:URLProtocol>
      +    <appv:URLProtocol>
      +        <appv:Name>https</appv:Name>
      +        <appv:ApplicationURLProtocol>
      +            <appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
      +            <appv:ShellCommands>
      +                <appv:DefaultCommand>open</appv:DefaultCommand>
      +                <appv:ShellCommand>
      +                    <appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
      +                    <appv:Name>open</appv:Name>
      +                    <appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
      +                    <appv:DdeExec>
      +                        <appv:DdeCommand />
      +                    </appv:DdeExec>
      +                </appv:ShellCommand>
      +            </appv:ShellCommands>
      +        </appv:ApplicationURLProtocol>
      +    </appv:URLProtocol>
       </appv:Extension>
      -
      - +
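Review bot: The ftp, http and https `<appv:Extension Category="AppV.URLProtocol">` blocks in this hunk differ only in their `<appv:Name>` value, so once the indentation is normalized it would be clearer to show the block once and state that it is repeated for each scheme; that also keeps the three copies from drifting apart on the next edit. The rest of the hunk (tabs to four spaces, and the trailing `-`/`- +` lines that collapse two blank lines into one) does not change the XML. Keep the `--` before `"%1"` in each `<appv:CommandLine>`: it marks the end of Chrome's own switches so the URL substituted for `%1` is passed as an argument rather than parsed as a flag.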

    diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index 610d4de61b..86d4b51e2a 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md +++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md @@ -36,7 +36,7 @@ MSI packages that were generated using an App-V sequencer from previous versions 4. From an elevated Windows PowerShell prompt, navigate to the following folder: - <Windows Kits 10 installation folder>**\Microsoft Application Virtualization\Sequencer\** + <Windows Kits 10 installation folder>**\Microsoft Application Virtualization\Sequencer\\** By default, this path will be:
    **C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer** diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index f5f4db7791..1bb9d254d7 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md 
@@ -24,11 +24,11 @@ The following list displays the end–to-end high-level workflow for reporting i 1. The App-V Reporting server requires the following things: - * Internet Information Service (IIS) web server role - * Windows Authentication role (under **IIS / Security**) - * SQL Server installed and running with SQL Server Reporting Services (SSRS) + * Internet Information Service (IIS) web server role + * Windows Authentication role (under **IIS / Security**) + * SQL Server installed and running with SQL Server Reporting Services (SSRS) - To confirm SQL Server Reporting Services is running, enter in a web browser as administrator on the server that will host App-V Reporting. The SQL Server Reporting Services Home page should appear. + To confirm SQL Server Reporting Services is running, enter in a web browser as administrator on the server that will host App-V Reporting. The SQL Server Reporting Services Home page should appear. 2. Install the App-V reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md). Configure the time when the computer running the App-V client should send data to the reporting server. 3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at [Application Virtualization SSRS Reports](https://www.microsoft.com/en-us/download/details.aspx?id=42630). diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md index 45613b165c..9a36a05933 100644 --- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md 
+++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md @@ -23,7 +23,7 @@ Use the following procedure to create a new App-V package using Windows PowerShe > [!NOTE]   > Before you use this procedure you must copy the associated installer files to the computer running the sequencer and you have read and understand the sequencer section of [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md). -  + **To create a new virtual application by using Windows PowerShell** 1. Install the App-V sequencer. For more information about installing the sequencer see [How to Install the Sequencer](appv-install-the-sequencer.md). diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index edd0412abe..83bfa11219 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md @@ -24,8 +24,8 @@ This topic provides information about using the Application Virtualization (App- The client management console is separate from the App-V client itself. You can download the client management console from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=41186). -> [!NOTE] -To perform all of the actions available using the client management console, you must have administrative access on the computer running the App-V client. +> [!NOTE] +> To perform all of the actions available using the client management console, you must have administrative access on the computer running the App-V client. ## Options for managing the App-V client diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 5c7e9bdead..5ce9e92dc8 100644 
--- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md 
@@ -155,32 +155,34 @@ System apps are integral to the operating system. Here are the typical system ap Here are the typical installed Windows apps in Windows 10 versions 1709, 1803, and 1809. -| Name | Full name | 1709 | 1803 | 1809 | Uninstall through UI? | -|--------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:| -| Remote Desktop | Microsoft.RemoteDesktop | x | | x | Yes | -| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | | Yes | -| Eclipse Manager | 46928bounde.EclipseManager | x | x | | Yes | -| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | | Yes | -| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | | Yes | -| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | | Yes | -| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | -| News | Microsoft.BingNews | x | x | x | Yes | -| Sway | Microsoft.Office.Sway | x | x | x | Yes | -| Microsoft.Advertising | Microsoft.Advertising.Xaml | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.2 | x | x | | Yes | -| | Microsoft.NET.Native.Framework.1.3 | x | x | | Yes | -| | Microsoft.NET.Native.Framework.1.6 | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.7 | | x | x | Yes | -| | Microsoft.NET.Native.Framework.2.0 | x | x | | Yes | -| | Microsoft.NET.Native.Runtime.1.1 | x | x | | Yes | -| | Microsoft.NET.Native.Runtime.1.3 | x | | | Yes | -| | Microsoft.NET.Native.Runtime.1.4 | x | x | | Yes | -| | Microsoft.NET.Native.Runtime.1.6 | x | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.7 | x | x | x | Yes | -| | Microsoft.NET.Native.Runtime.2.0 | x | x | | Yes | -| | Microsoft.Services.Store.Engagement | x | x | | Yes | -| | Microsoft.VCLibs.120.00 | x | x | | Yes | -| | Microsoft.VCLibs.140.00 | x | x | x | Yes | -| | Microsoft.VCLibs.120.00.Universal | x | | | Yes | -| | Microsoft.VCLibs.140.00.UWPDesktop | | x | | Yes | + +| Name | Full name | 1709 | 1803 | 1809 | Uninstall through UI? 
| +|-----------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:| +| Remote Desktop | Microsoft.RemoteDesktop | x | | x | Yes | +| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | | Yes | +| Eclipse Manager | 46928bounde.EclipseManager | x | x | | Yes | +| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | | Yes | +| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | | Yes | +| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | | Yes | +| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | +| News | Microsoft.BingNews | x | x | x | Yes | +| Sway | Microsoft.Office.Sway | x | x | x | Yes | +| Microsoft.Advertising | Microsoft.Advertising.Xaml | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.2 | x | x | | Yes | +| | Microsoft.NET.Native.Framework.1.3 | x | x | | Yes | +| | Microsoft.NET.Native.Framework.1.6 | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.7 | | x | x | Yes | +| | Microsoft.NET.Native.Framework.2.0 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.1 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.3 | x | | | Yes | +| | Microsoft.NET.Native.Runtime.1.4 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.6 | x | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.7 | x | x | x | Yes | +| | Microsoft.NET.Native.Runtime.2.0 | x | x | | Yes | +| | Microsoft.Services.Store.Engagement | x | x | | Yes | +| | Microsoft.VCLibs.120.00 | x | x | | Yes | +| | Microsoft.VCLibs.140.00 | x | x | x | Yes | +| | Microsoft.VCLibs.120.00.Universal | x | | | Yes | +| | Microsoft.VCLibs.140.00.UWPDesktop | | x | | Yes | + --- diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index cf14d39f29..c2200ff029 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json 
@@ -20,7 +20,7 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif" + "**/*.gif" ], "exclude": [ "**/obj/**", @@ -31,24 +31,24 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "ms.author": "elizapo", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.win-app-management", - "folder_relative_path_in_docset": "./" - } - } - }, + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "elizapo", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-app-management", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], "dest": "win-app-management", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 927a41a102..a5970e3852 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md 
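Review bot: The `"markdownEngineName": "dfm"` to `"markdig"` change at the end of the docfx.json hunk is a functional change to how every page in this docset is rendered and deserves a mention in the commit message; it is easy to miss among the re-indentation of `globalMetadata`. After an engine switch the pages in this same patch that use alerts inside list items and fenced blocks with unusual info strings are the ones to spot-check in a preview build.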
@@ -17,7 +17,7 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows 10 Feature on Demand (FOD)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows 10 PC needs a new feature, it can request the feature package from Windows Update. 
@@ -30,24 +30,24 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 1. [Check your version of Windows 10.](https://support.microsoft.com/help/13443/windows-which-operating-system) - >[!NOTE] - >You must be on at least Windows 10, version 1709, to run Windows Mixed Reality. + >[!NOTE] + >You must be on at least Windows 10, version 1709, to run Windows Mixed Reality. 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - a. Download the FOD .cab file for [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + a. 
Download the FOD .cab file for [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). - >[!NOTE] - >You must download the FOD .cab file that matches your operating system version. + >[!NOTE] + >You must download the FOD .cab file that matches your operating system version. - b. Use `Add-Package` to add Windows Mixed Reality FOD to the image. + b. Use `Add-Package` to add Windows Mixed Reality FOD to the image. ``` Add-Package Dism /Online /add-package /packagepath:(path) ``` - c. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**. + c. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**. IT admins can also create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx) to allow access to the Windows Mixed Reality FOD. @@ -96,7 +96,6 @@ In the following example, the **Id** can be any generated GUID and the **Name** - ``` diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index a3f7008ec9..371e401c1a 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md 
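Review bot: In step b of the second manage-windows-mixed-reality.md hunk the text says to use `Add-Package`, but the command that follows is `Dism /Online /add-package /packagepath:(path)`, where `/add-package` is a DISM option rather than a command, and the fence appears to carry `Add-Package` as its info string instead of a language name. Suggest rewording step b to "Use DISM to add the Windows Mixed Reality FOD to the image" and tagging the fence `console`; the re-indentation of the NOTE and of steps a to c is fine.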
@@ -41,12 +41,12 @@ Use the following steps to create a registry key: 1. Identify any provisioned apps you want removed. Record the package name for each app. 2. Create a .reg file to generate a registry key for each app. Use [this list of Windows 10, version 1709 registry keys](#registry-keys-for-provisioned-apps) as your starting point. - 1. Paste the list of registry keys into Notepad (or a text editor). - 2. Remove the registry keys belonging to the apps you want to keep. For example, if you want to keep the Bing Weather app, delete this registry key: - ```yaml - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\A ppxAllUserStore\Deprovisioned\Microsoft.BingWeather_8wekyb3d8bbwe] - ``` - 3. Save the file with a .txt extension, then right-click the file and change the extension to .reg. + 1. Paste the list of registry keys into Notepad (or a text editor). + 2. Remove the registry keys belonging to the apps you want to keep. For example, if you want to keep the Bing Weather app, delete this registry key: + ```yaml + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\A ppxAllUserStore\Deprovisioned\Microsoft.BingWeather_8wekyb3d8bbwe] + ``` + 3. Save the file with a .txt extension, then right-click the file and change the extension to .reg. 3. Double-click the .reg file to create the registry keys. You can see the new keys in HKLM\\path-to-reg-keys. You're now ready to update your computer. After the update, check the list of apps in the computer to confirm the removed apps are still gone. diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 1e6517c181..48150a2940 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md 
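Review bot: The registry key inside the re-indented block is broken and this whitespace change carries it over unchanged: `Appx\A ppxAllUserStore` has a stray space in `AppxAllUserStore`, and the line ends with `]` without the opening `[` a .reg key line needs, so a reader who pastes it into the file gets a key that does not exist and the Bing Weather entry is not the one removed. Drop the space, wrap the key in `[...]`, and tag the fence as something other than `yaml`, since the content is a registry key rather than YAML.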
@@ -31,7 +31,7 @@ The tools in the folder might vary depending on which edition of Windows you are These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool. -  + - [Component Services]( https://go.microsoft.com/fwlink/p/?LinkId=708489) - [Computer Management](https://support.microsoft.com/kb/308423) @@ -58,7 +58,7 @@ These tools were included in previous versions of Windows and the associated doc [Diagnostic Data Viewer](https://docs.microsoft.com/windows/privacy/diagnostic-data-viewer-overview) -  + diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 7e806f846f..e83a4bf8bd 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md 
@@ -21,13 +21,13 @@ ms.topic: troubleshooting There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck: -| **Phase** | **Boot Process** | **BIOS** | **UEFI** | -|--------|----------------------|------------------------------| | -| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware | -| 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi | -| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi | -| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | | +| **Phase** | **Boot Process** | **BIOS** | **UEFI** | +|-----------|----------------------|------------------------------------|-----------------------------------| +| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware | +| 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi | +| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi | +| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | | **1. PreBoot** @@ -177,7 +177,7 @@ After you run the command, you receive the following output: Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 1{D}:\Windows Add installation to boot list? Yes/No/All: Y -5. Try again to start the system. +5. Try again to start the system. ### Method 4: Replace Bootmgr diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index 2eb1a09534..02586be4b6 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md 
@@ -38,6 +38,7 @@ The intention of this troubleshooter is to show how to find a starting point in ### Known Issues and fixes ** ** + | **OS version** | **Fixed in** | | --- | --- | | **Windows 10, version 1803** | [KB4284848](https://support.microsoft.com/help/4284848) | @@ -54,7 +55,7 @@ Make sure that you install the latest Windows updates, cumulative updates, and r - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470) - [Windows Server 2012](https://support.microsoft.com/help/4009471) - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/40009469) - + ## Data Collection 1. Network Capture with ETW. Enter the following at an elevated command prompt: diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index b6095ae643..e1365a820c 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
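Review bot: The `** **` left directly under the `### Known Issues and fixes` heading is an empty bold span that renders as literal asterisks; since this hunk already adds a blank line above the table, drop that line at the same time. The second hunk in the file only changes a whitespace-only line and needs no further attention.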
@@ -37,17 +37,17 @@ From its release, Windows 10 has supported remote connections to PCs that are jo 1. Open system properties for the remote PC. 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. - ![Allow remote connections to this computer](images/allow-rdp.png) + ![Allow remote connections to this computer](images/allow-rdp.png) 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**. - >[!NOTE] - >You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet: - > - >`net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD. - > - >In Windows 10, version 1709, the user does not have to sign in to the remote device first. - > - >In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. 
+ >[!NOTE] + >You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet: + > + >`net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD. + > + >In Windows 10, version 1709, the user does not have to sign in to the remote device first. + > + >In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. 4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. @@ -90,9 +90,9 @@ In organizations using only Azure AD, you can connect from an Azure AD-joined PC -  + -  + diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md index 7168cd15ba..e866b0d7c4 100644 --- a/windows/client-management/data-collection-for-802-authentication.md +++ b/windows/client-management/data-collection-for-802-authentication.md @@ -74,7 +74,7 @@ Use the following steps to collect wireless and wired logs on Windows and Window ``` wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true wevtutil sl Microsoft-Windows-CAPI2/Operational /ms:104857600 - ``` + ``` 7. Run the following command from the command prompt on the client machine and start PSR to capture screen images: > [!NOTE] 
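Review bot: The re-indented NOTE in the first connect-to-remote-aadj-pc.md hunk preserves two inconsistencies worth fixing while these lines are being touched: the command uses the placeholder `AzureAD\the-UPN-attribute-of-your-user`, but the explanation that follows refers to *FirstnameLastname* as the profile folder name, so the reader is told two different things to substitute; and `net localgroup "Remote Desktop Users" /add ...` is a command-line tool, not a PowerShell cmdlet as the lead-in sentence says. Aligning the placeholder with the description and calling it a command would make the note self-consistent.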
@@ -92,13 +92,13 @@ Use the following steps to collect wireless and wired logs on Windows and Window 10. Run the following commands from the command prompt on the NPS server. - - To stop RAS trace log and wireless scenario log: + - To stop RAS trace log and wireless scenario log: ``` netsh trace stop netsh ras set tracing * disabled ``` - - To disable and copy CAPI2 log: + - To disable and copy CAPI2 log: ``` wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false @@ -106,13 +106,13 @@ Use the following steps to collect wireless and wired logs on Windows and Window ``` 11. Run the following commands on the client PC. - - To stop RAS trace log and wireless scenario log: + - To stop RAS trace log and wireless scenario log: ``` netsh trace stop netsh ras set tracing * disabled ``` - - To disable and copy the CAPI2 log: + - To disable and copy the CAPI2 log: ``` wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx @@ -120,14 +120,14 @@ Use the following steps to collect wireless and wired logs on Windows and Window 12. Save the following logs on the client and the NPS: - **Client** + **Client** - C:\MSLOG\%computername%_psr.zip - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab - All log files and folders in %Systemroot%\Tracing - **NPS** + **NPS** - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario) - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario) diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index 54140237f9..e896532c51 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -20,7 +20,7 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif" + "**/*.gif" ], "exclude": [ "**/obj/**", 
@@ -31,23 +31,23 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.win-client-management", - "folder_relative_path_in_docset": "./" - } - } - }, + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows", + "ms.topic": "article", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-client-management", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], "dest": "win-client-management", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index b5519bc436..5e56cfbd09 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -18,7 +18,7 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 
@@ -56,66 +56,68 @@ First, you create a default user profile with the customizations that you want, > [!NOTE] > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. - + 2. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. >[!NOTE] >Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics). 3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. - + 3. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=winserver2012-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10). - - >[!NOTE] - >It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. 
+ +~~~ + >[!NOTE] + >It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. +~~~ 3. At a command prompt, type the following command and press **ENTER**. `sysprep /oobe /reboot /generalize /unattend:unattend.xml` (Sysprep.exe is located at: C:\Windows\System32\sysprep. By default, Sysprep looks for unattend.xml in this same folder.) - - >[!TIP] - >If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\System32\Sysprep\Panther\setupact.log and look for an entry like the following: - - >![Microsoft Bing Translator package](images/sysprep-error.png) - - >Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. - -5. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges. -6. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section. - -7. In **User Profiles**, click **Default Profile**, and then click **Copy To**. 
+ > [!TIP] + > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\System32\Sysprep\Panther\setupact.log and look for an entry like the following: + > + > ![Microsoft Bing Translator package](images/sysprep-error.png) + > + > Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. + +4. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges. + +5. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section. + +6. In **User Profiles**, click **Default Profile**, and then click **Copy To**. ![Example of UI](images/copy-to.png) -8. In **Copy To**, under **Permitted to use**, click **Change**. +7. In **Copy To**, under **Permitted to use**, click **Change**. ![Example of UI](images/copy-to-change.png) - -9. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. -10. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#extension) for the operating system version. For example, the folder name must end with “.v6” to identify it as a user profile folder for Windows 10, version 1607. +8. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. + +9. 
In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#extension) for the operating system version. For example, the folder name must end with “.v6” to identify it as a user profile folder for Windows 10, version 1607. - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - + ![Example of UI](images/copy-to-path.png) -9. Click **OK** to copy the default user profile. +10. Click **OK** to copy the default user profile. **To make the user profile mandatory** - + 3. In File Explorer, open the folder where you stored the copy of the profile. >[!NOTE] >If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes. -1. Rename `Ntuser.dat` to `Ntuser.man`. +4. Rename `Ntuser.dat` to `Ntuser.man`. ## How to apply a mandatory user profile to users diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 008cd950bc..810e5c83fa 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md 
@@ -31,6 +31,7 @@ Interior node for the account domain information. This node specifies the DNS hostname for a device. This setting can be managed remotely, but note that this not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters. Available naming macros: + |Macro|Description|Example|Generated Name| |:---|:---|:---|:---| |%RAND:<# of digits>|Generates the specified number of random digits.|Test%RAND:6%|Test123456| diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 5a7cd8bce5..f8b87748fa 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -26,7 +26,7 @@ On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is s The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term. -  + The following diagram shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. @@ -42,7 +42,7 @@ On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is s The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term. -  + The supported operation is Get. @@ -205,7 +205,7 @@ Valid values are one of the following: - 5 – Email up to a month old is synced to the device. -**Options/ContentTypes/****_Content Type GUID_** +**Options/ContentTypes/***Content Type GUID* Defines the type of content to be individually enabled/disabled for sync. The *GUID* values allowed are one of the following: 
@@ -233,7 +233,7 @@ Required. A character string that specifies the name of the content type. > **Note**  In Windows 10, this node is currently not working. -  + Supported operations are Get, Replace, and Add (cannot Add after the account is created). @@ -257,9 +257,9 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md index a04f018252..174966d463 100644 --- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md +++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md 
@@ -19,43 +19,43 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a > **Note**  If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. For step-by-step guide to register this free subscription, see [Register your free Azure Active Directory subscription.](#register-your-free-azure-active-directory-subscription) -1. Sign-up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization. +1. Sign-up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization. - ![sign up for azure ad tenant](images/azure-ad-add-tenant1.png) + ![sign up for azure ad tenant](images/azure-ad-add-tenant1.png) -2. Enter the information for your organization. Click **check availability** to verify that domain name that you selected is available. +2. Enter the information for your organization. Click **check availability** to verify that domain name that you selected is available. - ![sign up for azure ad](images/azure-ad-add-tenant2.png) + ![sign up for azure ad](images/azure-ad-add-tenant2.png) -3. Complete the login and country information. You must provide a valid phone number, then click **Send text message** or **Call me**. +3. Complete the login and country information. You must provide a valid phone number, then click **Send text message** or **Call me**. - ![create azure account](images/azure-ad-add-tenant3.png) + ![create azure account](images/azure-ad-add-tenant3.png) -4. Enter the code that you receive and then click **Verify code**. After the code is verified and the continue button turns green, click **continue**. +4. Enter the code that you receive and then click **Verify code**. 
After the code is verified and the continue button turns green, click **continue**. - ![add aad tenant](images/azure-ad-add-tenant3-b.png) + ![add aad tenant](images/azure-ad-add-tenant3-b.png) -5. After you finish creating your Azure account, you are ready to add an Azure AD subscription. +5. After you finish creating your Azure account, you are ready to add an Azure AD subscription. - If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to Office 356 portal, and then sign in using the admin account that you just created in Step 4 (for example, user1@contosoltd.onmicrosoftcom). + If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to Office 356 portal, and then sign in using the admin account that you just created in Step 4 (for example, user1@contosoltd.onmicrosoftcom). - ![login to office 365](images/azure-ad-add-tenant4.png) + ![login to office 365](images/azure-ad-add-tenant4.png) -6. Click **Install software**. +6. Click **Install software**. - ![login to office 365](images/azure-ad-add-tenant5.png) + ![login to office 365](images/azure-ad-add-tenant5.png) -7. In the Office 365 portal, select **Purchase Services** from the left nagivation. +7. In the Office 365 portal, select **Purchase Services** from the left nagivation. - ![purchase service option in admin center menu](images/azure-ad-add-tenant6.png) + ![purchase service option in admin center menu](images/azure-ad-add-tenant6.png) -8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then click to purchase. +8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then click to purchase. - ![azure active directory option in purchase services page](images/azure-ad-add-tenant7.png) + ![azure active directory option in purchase services page](images/azure-ad-add-tenant7.png) -9. 
Continue with your purchase. +9. Continue with your purchase. - ![azure active directory premium payment page](images/azure-ad-add-tenant8.png) + ![azure active directory premium payment page](images/azure-ad-add-tenant8.png) 10. After the purchase is completed, you can login to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc...). @@ -91,7 +91,7 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent ![register azuread](images/azure-ad-add-tenant15.png) -  + diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md index 0c270b6acf..c2b7e64c26 100644 --- a/windows/client-management/mdm/alljoynmanagement-csp.md +++ b/windows/client-management/mdm/alljoynmanagement-csp.md @@ -22,7 +22,7 @@ The AllJoynManagement configuration service provider (CSP) is only supported in This CSP was added in Windows 10, version 1511. -  + For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877). 
@@ -38,19 +38,19 @@ The root node for the AllJoynManagement configuration service provider. **Services** List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included. -**Services/****_Node name_** +**Services/***Node name* The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects. **Services/*Node name*/Port** The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports. -**Services/*Node name*/Port/****_Node name_** +**Services/*Node name*/Port/***Node name* Port number used for communication. This is specified by the configurable AllJoyn object and reflected here. **Services/*Node name*/Port/*Node name*/CfgObject** The set of configurable interfaces that are available on the port of the AllJoyn object. -**Services/*Node name*/Port/*Node name*/CfgObject/****_Node name_** +**Services/*Node name*/Port/*Node name*/CfgObject/***Node name* The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum. For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig. @@ -60,7 +60,7 @@ This is the credential store. An administrator can set credentials for each AllJ When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase. -**Credentials/****_Node name_** +**Credentials/***Node name* This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID. **Credentials/*Node name*/Key** 
@@ -139,9 +139,9 @@ Get the firewall PrivateProfile ``` -  + -  + diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 92817f962b..3422279612 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -17,10 +17,10 @@ ms.date: 04/30/2018 The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked. -> **Note**   +> **Note** > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. > -> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. +> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. > > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. 
@@ -35,10 +35,10 @@ Defines the root node for the AppLocker configuration service provider. **ApplicationLaunchRestrictions** Defines restrictions for applications. -> [!NOTE]   +> [!NOTE] > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. > -> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. +> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. Additional information: 
@@ -64,7 +64,7 @@ Exempt examples: Additional information: -- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. +- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. Each of the previously listed nodes contains a **Grouping** node. @@ -89,7 +89,7 @@ Each of the previously listed nodes contains a **Grouping** node. -  + In addition, each **Grouping** node contains one or more of the following nodes: @@ -137,7 +137,7 @@ In addition, each **Grouping** node contains one or more of the following nodes: -  + Each of the previous nodes contains one or more of the following leaf nodes: @@ -157,7 +157,7 @@ Each of the previous nodes contains one or more of the following leaf nodes:

    Policy

    Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.

    Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.

    -

    For CodeIntegrity/Policy, you can use the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool to encode the data to base-64.

    +

    For CodeIntegrity/Policy, you can use the certutil -encode command line tool to encode the data to base-64.

    Here is a sample certutil invocation:

    ``` @@ -186,16 +186,16 @@ certutil -encode WinSiPolicy.p7b WinSiPolicy.cer -  + ## Find publisher and product name of apps -You can pair a Windows Phone (Windows 10 Mobile, version 1511) to your desktop using the Device Portal on the phone to get the various types of information, including publisher name and product name of apps installed on the phone. This procedure describes pairing your phone to your desktop using WiFi. +You can pair a Windows Phone (Windows 10 Mobile, version 1511) to your desktop using the Device Portal on the phone to get the various types of information, including publisher name and product name of apps installed on the phone. This procedure describes pairing your phone to your desktop using WiFi. If this procedure does not work for you, try the other methods for pairing described in [Device Portal for Mobile](https://msdn.microsoft.com/windows/uwp/debug-test-perf/device-portal-mobile). -**To find Publisher and PackageFullName for apps installed on Windows 10 Mobile** +**To find Publisher and PackageFullName for apps installed on Windows 10 Mobile** 1. On your Windows Phone, go to **Settings**. Choose **Update & security**. Then choose **For developers**. 2. Choose **Developer mode**. @@ -255,7 +255,7 @@ The following table show the mapping of information to the AppLocker publisher r -  + Here is an example AppLocker publisher rule: 
@@ -289,26 +289,28 @@ You can get the publisher name and product name of apps using a web API. -   - Here is the example for Microsoft OneNote: - Request +~~~ +Here is the example for Microsoft OneNote: - ``` syntax - https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata - ``` +Request - Result +``` syntax +https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata +``` - ``` syntax - { - "packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe", - "packageIdentityName": "Microsoft.Office.OneNote", - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` +Result + +``` syntax +{ + "packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe", + "packageIdentityName": "Microsoft.Office.OneNote", + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" +} +``` +~~~ @@ -339,12 +341,12 @@ You can get the publisher name and product name of apps using a web API.
    -  + ## Settings apps that rely on splash apps -When you create a list of allowed apps in Windows 10 Mobile, you must also include the subset of Settings apps that rely on splash apps in your list of allowed apps. These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps . +When you create a list of allowed apps in Windows 10 Mobile, you must also include the subset of Settings apps that rely on splash apps in your list of allowed apps. These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps . The product name is first part of the PackageFullName followed by the version number. 
@@ -366,16 +368,16 @@ The product name is first part of the PackageFullName followed by the version nu | SettingsPageAppsCorner | 5b04b775-356b-4aa0-aaf8-6491ffea580a\_1.0.0.0\_neutral\_\_4vefaa8deck74 | 5b04b775-356b-4aa0-aaf8-6491ffea580a | | SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 | -  + ## Inbox apps and components The following list shows the apps that may be included in the inbox. -> **Note**  This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience. +> **Note** This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience. + -  @@ -589,7 +591,7 @@ The following list shows the apps that may be included in the inbox. +

    PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"

    @@ -834,7 +836,7 @@ The following list shows the apps that may be included in the inbox.
    Microsoft Frameworks ProductID = 00000000-0000-0000-0000-000000000000 -

    PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"

    -  + ## Whitelist examples @@ -941,7 +943,7 @@ The following example disables the Mixed Reality Portal. In the example, the **I ``` -The following example for Windows 10 Mobile denies all apps and allows the following apps: +The following example for Windows 10 Mobile denies all apps and allows the following apps: - [settings app that rely on splash apps](#settingssplashapps) - most of the [inbox apps](#inboxappsandcomponents), but not all. @@ -1657,7 +1659,7 @@ The following example for Windows 10 Holographic for Business denies all apps an ``` ## Recommended deny list for Windows Information Protection -The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. +The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. In this example, Contoso is the node name. We recommend using a GUID for this node. @@ -1817,9 +1819,9 @@ In this example, Contoso is the node name. We recommend using a GUID for this no [Configuration service provider reference](configuration-service-provider-reference.md) -  - -  + + + diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 4d815371a0..644edc9197 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md 
@@ -60,7 +60,7 @@ Here's an example: > [!Tip] > In this example the double \\\ is required because it's in JSON and JSON escapes \ into \\\\. If an MDM server uses JSON parser\composer, they should ask customers to type only one \\, which will be \\\ in the JSON. If user types \\\\, it'll become \\\\\\\ in JSON, which will cause erroneous results. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (need to) escape \\. -> +> > This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string.  When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name. @@ -393,51 +393,51 @@ KioskModeApp Replace ``` syntax -    -      -        -          -          -          -          -          -          -          -        -      -      -        -                      -                      -                        -                          -                            -                              -                              -                              -                              -                              -                            -                            -                              -                              -                            -                          -                        -                      -                    -                ]]> -      -      -    -    -      MultiAppKioskUser -      -    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + MultiAppKioskUser + + + ``` diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index a2bb7eec9f..6b89551570 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md 
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -43,7 +43,7 @@ Azure AD Join also enables company owned devices to be automatically enrolled in > **Important**  Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license. -  + ### BYOD scenario Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If that’s the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. It’s important to note that in the BYOD case, users can reject the MDM Terms of Use—in which case the device is not enrolled in MDM and access to corporate resources is typically restricted. @@ -66,7 +66,7 @@ Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, th > **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. -  + ### MDM endpoints involved in Azure AD integrated enrollment Azure AD MDM enrollment is a two-step process: 
@@ -109,7 +109,7 @@ The MDM vendor must first register the application in their home tenant and mark > **Note**  For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. -  + The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs. Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery. @@ -204,7 +204,7 @@ You should work with the Azure AD engineering team if your MDM application is cl -  + ### Add on-premises MDM to the app gallery There are no special requirements for adding on-premises MDM to the app gallery.There is a generic entry for administrator to add an app to their tenant. @@ -265,7 +265,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is -  + ## Terms of Use protocol semantics The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows performs a full-page redirect to this endpoint. This enables the MDM to display the terms and conditions that apply and allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue. 
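Review bot: the `@@ -109,7 +109,7 @@` hunk above only clears a non-breaking-space line, yet the unchanged context around it still spells the same word wrong twice: "tentant" in the Note ("if you don't have an existing Azure AD tentant") and "tenent" in the paragraph that follows ("regardless of the customer tenent to which the device being managed belongs"). Since this commit is already a cleanup pass over this file, correct both to "tenant" here rather than leaving them for another whitespace-only commit.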
@@ -307,7 +307,7 @@ The following parameters are passed in the query string: -  + ### Access token A bearer access token is issued by Azure AD is passed in the authorization header of the HTTP request. Here is a typical format: @@ -338,7 +338,7 @@ The following claims are expected in the access token passed by Windows to the T

    TID

    -

    A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.

    +

    A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.

    Resource
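Review bot: in the `@@ -346,10 +346,10 @@` hunk that follows, the device-ID note loses its emphasis marker: `> **Note**  There is no device ID claim in the access token…` becomes `> Note There is no device ID claim…`, while every other note in this file keeps `**Note**` (`> **Note**  Users cannot remove the device enrollment…`, `> **Note**  For the MDM provider, if you don't have…`). Either keep the bold to match the rest of the article or convert all of them to the `> [!Note]` alert form that bitlocker-csp.md uses in this same commit; a cleanup commit should not leave three note styles in one page.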

    @@ -346,10 +346,10 @@ The following claims are expected in the access token passed by Windows to the T -  -> **Note**  There is no device ID claim in the access token because the device may not yet be enrolled at this time. + +> Note There is no device ID claim in the access token because the device may not yet be enrolled at this time. -  + To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654). Here's an example URL. @@ -450,7 +450,7 @@ The following table shows the error codes. -  + ## Enrollment protocol with Azure AD With Azure integrated MDM enrollment, there is no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments. @@ -590,7 +590,7 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov -  + ## Management protocol with Azure AD @@ -918,9 +918,9 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di -  + -  + diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index bfe7a92369..43e5c83627 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -38,22 +38,22 @@ The following diagram shows the BitLocker configuration service provider in tree - - - - - - - + + + + + + + - - - - - - - + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile EnterpriseHomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcross markcross markcross markcross markcheck markcheck markcross markcross markcross markcross markcross markcheck markcheck mark
    @@ -63,7 +63,7 @@ The following diagram shows the BitLocker configuration service provider in tree - 1 – Require Storage cards to be encrypted.

    Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.

    - +

    If you want to disable this policy use the following SyncML:

    ``` syntax @@ -93,22 +93,22 @@ The following diagram shows the BitLocker configuration service provider in tree - - - - - - - + + + + + + + - - - - - - - + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile EnterpriseHomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcheck markcheck markcross markcheck markcheck markcheck markcheck markcheck markcheck mark
    @@ -138,33 +138,33 @@ The following diagram shows the BitLocker configuration service provider in tree

    Data type is integer. Supported operations are Add, Get, Replace, and Delete.

    **EncryptionMethodByDriveType** -

    Allows you to set the default encrytion method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".

    +

    Allows you to set the default encrytion method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".

    - - - - - - - + + + + + + + - - - - - - - + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile EnterpriseHomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross markcross markcheck markcheck markcheck markcheck markcross markcross mark

    ADMX Info:

      -
    • GP English name: *Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)*
    • -
    • GP name: *EncryptionMethodWithXts_Name*
    • -
    • GP path: *Windows Components/Bitlocker Drive Encryption*
    • -
    • GP ADMX file name: *VolumeEncryption.admx*
    • +
    • GP English name: Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
    • +
    • GP name: EncryptionMethodWithXts_Name
    • +
    • GP path: Windows Components/Bitlocker Drive Encryption
    • +
    • GP ADMX file name: VolumeEncryption.admx
    > [!Tip] @@ -186,7 +186,7 @@ The following diagram shows the BitLocker configuration service provider in tree

    EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.

    EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.

    -

    The possible values for 'xx' are:

    +

    The possible values for 'xx' are:

    - 3 = AES-CBC 128 - 4 = AES-CBC 256 @@ -216,33 +216,33 @@ The following diagram shows the BitLocker configuration service provider in tree

    Data type is string. Supported operations are Add, Get, Replace, and Delete.

    **SystemDrivesRequireStartupAuthentication** -

    This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".

    +

    This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".

    - - - - - - - + + + + + + + - - - - - - - + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile EnterpriseHomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck markcheck markcheck markcheck markcross markcross markcross markcheck markcheck markcheck markcheck markcross markcross mark

    ADMX Info:

      -
    • GP English name: *Require additional authentication at startup*
    • -
    • GP name: *ConfigureAdvancedStartup_Name*
    • -
    • GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
    • -
    • GP ADMX file name: *VolumeEncryption.admx*
    • +
    • GP English name: Require additional authentication at startup
    • +
    • GP name: ConfigureAdvancedStartup_Name
    • +
    • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
    • +
    • GP ADMX file name: VolumeEncryption.admx
    > [!Tip] @@ -253,7 +253,7 @@ The following diagram shows the BitLocker configuration service provider in tree > [!Note] > Only one of the additional authentication options can be required at startup, otherwise an error occurs. -

    If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.

    +

    If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.

    On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.

    @@ -281,13 +281,13 @@ The following diagram shows the BitLocker configuration service provider in tree
  • ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.
  • -

    The possible values for 'xx' are:

    +

    The possible values for 'xx' are:

    • true = Explicitly allow
    • false = Policy not set
    -

    The possible values for 'yy' are:

    +

    The possible values for 'yy' are:

    • 2 = Optional
    • 1 = Required
    • @@ -313,33 +313,33 @@ The following diagram shows the BitLocker configuration service provider in tree

      Data type is string. Supported operations are Add, Get, Replace, and Delete.

      **SystemDrivesMinimumPINLength** -

      This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".

      +

      This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".

      - - - - - - - + + + + + + + - - - - - - - + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile EnterpriseHomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross markcross markcheck markcheck markcheck markcheck markcross markcross mark

      ADMX Info:

        -
      • GP English name:*Configure minimum PIN length for startup*
      • -
      • GP name: *MinimumPINLength_Name*
      • -
      • GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
      • -
      • GP ADMX file name: *VolumeEncryption.admx*
      • +
      • GP English name:Configure minimum PIN length for startup
      • +
      • GP name: MinimumPINLength_Name
      • +
      • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
      • +
      • GP ADMX file name: VolumeEncryption.admx
      > [!Tip] @@ -382,33 +382,33 @@ The following diagram shows the BitLocker configuration service provider in tree

      Data type is string. Supported operations are Add, Get, Replace, and Delete.

      **SystemDrivesRecoveryMessage** -

      This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).

      +

      This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).

      - - - - - - - + + + + + + + - - - - - - - + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile EnterpriseHomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross markcross markcheck markcheck markcheck markcheck markcross markcross mark

      ADMX Info:

        -
      • GP English name: *Configure pre-boot recovery message and URL*
      • -
      • GP name: *PrebootRecoveryInfo_Name*
      • -
      • GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
      • -
      • GP ADMX file name: *VolumeEncryption.admx*
      • +
      • GP English name: Configure pre-boot recovery message and URL
      • +
      • GP name: PrebootRecoveryInfo_Name
      • +
      • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
      • +
      • GP ADMX file name: VolumeEncryption.admx
      > [!Tip] @@ -417,18 +417,18 @@ The following diagram shows the BitLocker configuration service provider in tree

      This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.

      -

      If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). - -

      If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.

      - -

      If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.

      - +

      If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). + +

      If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.

      + +

      If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.

      +

      Sample value for this node to enable this policy is:

      ``` syntax ``` -

      The possible values for 'xx' are:

      +

      The possible values for 'xx' are:

      - 0 = Empty - 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). @@ -463,33 +463,33 @@ The following diagram shows the BitLocker configuration service provider in tree

      Data type is string. Supported operations are Add, Get, Replace, and Delete.

      **SystemDrivesRecoveryOptions** -

      This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).

      +

      This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).

      - - - - - - - + + + + + + + - - - - - - - + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile EnterpriseHomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross markcross markcheck markcheck markcheck markcheck markcross markcross mark

      ADMX Info:

        -
      • GP English name: *Choose how BitLocker-protected operating system drives can be recovered*
      • -
      • GP name: *OSRecoveryUsage_Name*
      • -
      • GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
      • -
      • GP ADMX file name: *VolumeEncryption.admx*
      • +
      • GP English name: Choose how BitLocker-protected operating system drives can be recovered
      • +
      • GP name: OSRecoveryUsage_Name
      • +
      • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
      • +
      • GP ADMX file name: VolumeEncryption.admx
      > [!Tip] @@ -497,18 +497,17 @@ The following diagram shows the BitLocker configuration service provider in tree

      This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.

      -

      The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

      - -

      In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

      - -

      Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

      - -

      Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.

      - -

      Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

      - -> [!Note] -> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. +

      The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

      + +

      In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

      + +

      Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

      + +

      Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.

      + +

      Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

      + +> [!Note]
      > If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.

      If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.

      @@ -520,21 +519,21 @@ The following diagram shows the BitLocker configuration service provider in tree ``` -

      The possible values for 'xx' are:

      +

      The possible values for 'xx' are:

      • true = Explicitly allow
      • false = Policy not set
      -

      The possible values for 'yy' are:

      +

      The possible values for 'yy' are:

      • 2 = Allowed
      • 1 = Required
      • 0 = Disallowed
      -

      The possible values for 'zz' are:

      +

      The possible values for 'zz' are:

      • 2 = Store recovery passwords only
      • 1 = Store recovery passwords and key packages
      • @@ -561,33 +560,33 @@ The following diagram shows the BitLocker configuration service provider in tree

        Data type is string. Supported operations are Add, Get, Replace, and Delete.

        **FixedDrivesRecoveryOptions** -

        This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().

        +

        This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().

        - - - - - - - + + + + + + + - - - - - - - + + + + + + +
        HomeProBusinessEnterpriseEducationMobileMobile EnterpriseHomeProBusinessEnterpriseEducationMobileMobile Enterprise
        cross markcheck markcheck markcheck markcheck markcross markcross markcross markcheck markcheck markcheck markcheck markcross markcross mark

        ADMX Info:

          -
        • GP English name: *Choose how BitLocker-protected fixed drives can be recovered*
        • -
        • GP name: *FDVRecoveryUsage_Name*
        • -
        • GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives*
        • -
        • GP ADMX file name: *VolumeEncryption.admx*
        • +
        • GP English name: Choose how BitLocker-protected fixed drives can be recovered
        • +
        • GP name: FDVRecoveryUsage_Name
        • +
        • GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
        • +
        • GP ADMX file name: VolumeEncryption.admx
        > [!Tip] @@ -595,20 +594,19 @@ The following diagram shows the BitLocker configuration service provider in tree

        This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.

        -

        The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

        - -

        In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

        - -

        Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

        - -

        Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.

        - -

        Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

        +

        The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

        -

        Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.

        - -> [!Note] -> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. +

        In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

        + +

        Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

        + +

        Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.

        + +

        Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

        + +

        Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.

        + +> [!Note]
        > If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.

        If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.

        @@ -620,13 +618,13 @@ The following diagram shows the BitLocker configuration service provider in tree ``` -

        The possible values for 'xx' are:

        +

        The possible values for 'xx' are:

        • true = Explicitly allow
        • false = Policy not set
        -

        The possible values for 'yy' are:

        +

        The possible values for 'yy' are:

        • 2 = Allowed
        • 1 = Required
        • @@ -634,7 +632,7 @@ The following diagram shows the BitLocker configuration service provider in tree
        -

        The possible values for 'zz' are:

        +

        The possible values for 'zz' are:

        • 2 = Store recovery passwords only
        • 1 = Store recovery passwords and key packages
        • @@ -660,33 +658,33 @@ The following diagram shows the BitLocker configuration service provider in tree

          Data type is string. Supported operations are Add, Get, Replace, and Delete.

          **FixedDrivesRequireEncryption** -

          This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).

          +

          This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).

          - - - - - - - + + + + + + + - - - - - - - + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile EnterpriseHomeProBusinessEnterpriseEducationMobileMobile Enterprise
          cross markcheck markcheck markcheck markcheck markcross markcross markcross markcheck markcheck markcheck markcheck markcross markcross mark

          ADMX Info:

            -
          • GP English name: *Deny write access to fixed drives not protected by BitLocker*
          • -
          • GP name: *FDVDenyWriteAccess_Name*
          • -
          • GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives*
          • -
          • GP ADMX file name: *VolumeEncryption.admx*
          • +
          • GP English name: Deny write access to fixed drives not protected by BitLocker
          • +
          • GP name: FDVDenyWriteAccess_Name
          • +
          • GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
          • +
          • GP ADMX file name: VolumeEncryption.admx
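Review bot: the ADMX Info list in the FixedDrivesRequireEncryption hunk (-660/+658) drops the italic markers from all four entries (`*FDVDenyWriteAccess_Name*` becomes `FDVDenyWriteAccess_Name`, `*VolumeEncryption.admx*` becomes `VolumeEncryption.admx`, and likewise for the GP English name and GP path) as a side effect of what otherwise looks like whitespace cleanup. If that is intended, apply it uniformly across the CSP reference; otherwise keep the emphasis, since the GP name, path and ADMX file name are literal identifiers an administrator copies into the Group Policy editor. The re-added description line also still reads "Bitlocker Group Policy" while the quoted policy name on the same line spells it "BitLocker"; fix the capitalisation in the `+` line.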
          > [!Tip] @@ -722,33 +720,33 @@ The following diagram shows the BitLocker configuration service provider in tree

          Data type is string. Supported operations are Add, Get, Replace, and Delete.

          **RemovableDrivesRequireEncryption** -

          This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).

          +

          This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).

          - - - - - - - + + + + + + + - - - - - - - + + + + + + +
          HomeProBusinessEnterpriseEducationMobileMobile EnterpriseHomeProBusinessEnterpriseEducationMobileMobile Enterprise
          cross markcheck markcheck markcheck markcheck markcross markcross markcross markcheck markcheck markcheck markcheck markcross markcross mark

          ADMX Info:

            -
          • GP English name: *Deny write access to removable drives not protected by BitLocker*
          • -
          • GP name: *RDVDenyWriteAccess_Name*
          • -
          • GP path: *Windows Components/Bitlocker Drive Encryption/Removeable Drives*
          • -
          • GP ADMX file name: *VolumeEncryption.admx*
          • +
          • GP English name: Deny write access to removable drives not protected by BitLocker
          • +
          • GP name: RDVDenyWriteAccess_Name
          • +
          • GP path: Windows Components/Bitlocker Drive Encryption/Removeable Drives
          • +
          • GP ADMX file name: VolumeEncryption.admx
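Review bot: the GP path in the RemovableDrivesRequireEncryption hunk (-722/+720) is re-added as `Windows Components/Bitlocker Drive Encryption/Removeable Drives`, carrying over the spelling "Removeable" while the policy name two lines above uses "removable". Because this string is what an administrator searches for in the Group Policy editor, verify it against the category name in VolumeEncryption.admx and correct it in the `+` line instead of re-adding the old text unchanged.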
          > [!Tip] @@ -758,12 +756,11 @@ The following diagram shows the BitLocker configuration service provider in tree

          If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

          -

          If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.

          - +

          If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.

          +

          If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.

          - -> [!Note] -> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. + +> [!Note]
          > This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.

          Sample value for this node to enable this policy is:

          @@ -771,7 +768,7 @@ The following diagram shows the BitLocker configuration service provider in tree ``` -

          The possible values for 'xx' are:

          +

          The possible values for 'xx' are:

          • true = Explicitly allow
          • false = Policy not set
          • @@ -806,22 +803,22 @@ The following diagram shows the BitLocker configuration service provider in tree - - - - - - - + + + + + + + - - - - - - - + + + + + + +
            HomeProBusinessEnterpriseEducationMobileMobile EnterpriseHomeProBusinessEnterpriseEducationMobileMobile Enterprise
            cross markcheck markcheck markcheck markcheck markcross markcross markcross markcheck markcheck markcheck markcheck markcross markcross mark
            @@ -832,16 +829,16 @@ The following diagram shows the BitLocker configuration service provider in tree ``` syntax - 110 - - - ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption - - - int - - 0 - + 110 + + + ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption + + + int + + 0 + ``` @@ -860,9 +857,9 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol > [!Note] > This policy is only supported in Azure AD accounts. - + "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e, silent encryption is enforced. - + If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. The expected values for this policy are: @@ -936,7 +933,7 @@ The following example is provided to show proper format and should not be taken - + $CmdID$ @@ -953,7 +950,7 @@ The following example is provided to show proper format and should not be taken - + $CmdID$ @@ -966,7 +963,7 @@ The following example is provided to show proper format and should not be taken - + $CmdID$ @@ -981,7 +978,7 @@ The following example is provided to show proper format and should not be taken - + $CmdID$ @@ -1031,7 +1028,7 @@ The following example is provided to show proper format and should not be taken - + $CmdID$ @@ -1044,7 +1041,7 @@ The following example is provided to show proper format and should not be taken - + diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md index 52b621e4c6..509638a1e4 100644 --- a/windows/client-management/mdm/bootstrap-csp.md +++ b/windows/client-management/mdm/bootstrap-csp.md 
@@ -18,12 +18,12 @@ ms.date: 06/26/2017 The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device. > **Note**  BOOTSTRAP CSP is only supported in Windows 10 Mobile. - -  - +> +> +> > **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. -  + The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. @@ -40,9 +40,9 @@ Required. Specifies the location of a Trusted Provisioning Server (TPS). The PRO [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index 5cec6c34a5..c2cbd2a8d2 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -19,14 +19,14 @@ The BrowserFavorite configuration service provider is used to add and remove URL > **Note**  BrowserFavorite CSP is only supported in Windows Phone 8.1. -  + The BrowserFavorite configuration service provider manages only the favorites at the root favorite folder level. It does not manage subfolders under the root favorite folder nor does it manage favorites under a subfolder. > **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_INTERNET\_EXPLORER\_FAVORITES capabilities to be accessed from a network configuration application. -  + The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. 
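Review bot: in the bootstrap-csp.md hunk at -18/+18, replacing the non-breaking-space lines between the two notes with `+>` / `+>` / `+>` joins "BOOTSTRAP CSP is only supported in Windows 10 Mobile" and "This configuration service provider requires the ID_CAP_CSP_FOUNDATION and ID_CAP_DEVICE_MANAGEMENT_ADMIN capabilities" into one blockquote, whereas browserfavorite-csp.md in the same change simply replaces each `&nbsp;` line with an empty line and keeps its notes separate. Use an empty line here too unless merging the two notes is intended, since the second one is a capability requirement rather than a platform restriction.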
@@ -37,7 +37,7 @@ Required. Specifies the user-friendly name of the favorite URL that is displayed > **Note**  The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " < > | -  + Adding the same favorite twice adds only one occurrence to the Favorites list. If a favorite is added when another favorite with the same name but a different URL is already in the Favorites list, the existing favorite is replaced with the new favorite. @@ -98,16 +98,16 @@ The following table shows the Microsoft custom elements that this configuration -  + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md index 1eb1da0ded..9e077af341 100644 --- a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md +++ b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md @@ -37,7 +37,7 @@ The **Bulk assign and reclaim seats from users** operation returns reclaimed or -  + ### URI parameters The following parameters may be specified in the request URI. @@ -73,13 +73,13 @@ The following parameters may be specified in the request URI.

            seatAction

            -

            [SeatAction](data-structures-windows-store-for-business.md#seataction)

            +

            SeatAction

            -  + ## Response ### Response body @@ -112,9 +112,9 @@ The response body contains [BulkSeatOperationResultSet](data-structures-windows- -  + -  + diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 66ba8aace8..6e07079869 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -37,7 +37,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro > - Bulk enrollment does not work in Intune standalone environment. > - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console. -  + ## What you need 
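Review bot: the -73/+73 hunk in bulk-assign-and-reclaim-seats-from-user.md replaces `[SeatAction](data-structures-windows-store-for-business.md#seataction)` with plain `SeatAction`, removing the only link from the seatAction parameter to its type definition, while the -112 hunk in the same file keeps the link in "The response body contains [BulkSeatOperationResultSet](data-structures-windows-...". The removal looks accidental; restore the link.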
@@ -53,27 +53,27 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. -1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). -2. Click **Advanced Provisioning**. +1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +2. Click **Advanced Provisioning**. - ![icd start page](images/bulk-enrollment7.png) -3. Enter a project name and click **Next**. -4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**. -5. Skip **Import a provisioning package (optional)** and click **Finish**. -6. Expand **Runtime settings** > **Workplace**. -7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**. - The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". -8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. - Here is the list of available settings: - - **AuthPolicy** - Select **OnPremise**. - - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. - - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - - **Secret** - Password - For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). - Here is the screenshot of the ICD at this point. - ![bulk enrollment screenshot](images/bulk-enrollment.png) -9. 
Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). + ![icd start page](images/bulk-enrollment7.png) +3. Enter a project name and click **Next**. +4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**. +5. Skip **Import a provisioning package (optional)** and click **Finish**. +6. Expand **Runtime settings** > **Workplace**. +7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**. + The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". +8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. + Here is the list of available settings: + - **AuthPolicy** - Select **OnPremise**. + - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. + - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. + - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. + - **Secret** - Password + For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). + Here is the screenshot of the ICD at this point. + ![bulk enrollment screenshot](images/bulk-enrollment.png) +9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). 10. When you are done adding all the settings, on the **File** menu, click **Save**. 11. On the main menu click **Export** > **Provisioning package**. 
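Review bot: the -53/+53 hunk re-adds the whole ICD procedure with indentation changes only, so it is the moment to fix the one setting with no description: `- **Secret** - Password` is the password of the service account from step 7 ("a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com""), and the text should say that this credential is embedded in the package exported in step 11, so the provisioning package needs the same handling and distribution controls as the password itself. It would also help to say at `- **AuthPolicy** - Select **OnPremise**.` that the certificate-based procedure that follows differs from this one only in AuthPolicy and Secret.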
@@ -93,34 +93,34 @@ Using the ICD, create a provisioning package using the enrollment information re Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. -1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). -2. Click **Advanced Provisioning**. -3. Enter a project name and click **Next**. -4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions. -5. Skip **Import a provisioning package (optional)** and click **Finish**. -6. Specify the certificate. - 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**. - 2. Enter a **CertificateName** and then click **Add**. - 3. Enter the **CertificatePasword**. - 4. For **CertificatePath**, browse and select the certificate to be used. - 5. Set **ExportCertificate** to False. - 6. For **KeyLocation**, select **Software only**. +1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +2. Click **Advanced Provisioning**. +3. Enter a project name and click **Next**. +4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions. +5. Skip **Import a provisioning package (optional)** and click **Finish**. +6. Specify the certificate. + 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**. + 2. Enter a **CertificateName** and then click **Add**. + 3. Enter the **CertificatePasword**. + 4. For **CertificatePath**, browse and select the certificate to be used. + 5. Set **ExportCertificate** to False. + 6. For **KeyLocation**, select **Software only**. - ![icd certificates section](images/bulk-enrollment8.png) -7. Specify the workplace settings. - 1. 
Got to **Workplace** > **Enrollments**. - 2. Enter the **UPN** for the enrollment and then click **Add**. - The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". - 3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. - Here is the list of available settings: - - **AuthPolicy** - Select **Certificate**. - - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. - - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - - **Secret** - the certificate thumbprint. - For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). -8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -9. When you are done adding all the settings, on the **File** menu, click **Save**. + ![icd certificates section](images/bulk-enrollment8.png) +7. Specify the workplace settings. + 1. Got to **Workplace** > **Enrollments**. + 2. Enter the **UPN** for the enrollment and then click **Add**. + The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". + 3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. + Here is the list of available settings: + - **AuthPolicy** - Select **Certificate**. + - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. + - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. 
+ - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. + - **Secret** - the certificate thumbprint. + For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). +8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). +9. When you are done adding all the settings, on the **File** menu, click **Save**. 10. Export and build the package (steps 10-13 in the procedure above). 11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). 12. Apply the package to your devices. @@ -163,7 +163,7 @@ Here are links to step-by-step provisioning topics in Technet. - [Provision PCs with apps and certificates for initial deployment](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-with-apps-and-certificates) - [Provision PCs with common settings for initial deployment](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-for-initial-deployment) -  + diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index f8fa543dde..d982a50e25 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -53,16 +53,16 @@ The following image shows the CellularSettings CSP in tree format as used by Ope -  + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index eb1f7be7c5..514837edc2 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md 
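Review bot: two typos survive in the re-added lines of the -93/+93 hunk: `1. Got to **Workplace** > **Enrollments**.` should read "Go to", and `3. Enter the **CertificatePasword**.` is missing an "s"; since this is presented as the name of an ICD field, check the label in the Runtime settings > Certificates > ClientCertificates pane and use it verbatim. Step 6 also sets `ExportCertificate` to False and `KeyLocation` to "Software only" without saying why; one clause explaining that the enrollment certificate's private key is deliberately marked non-exportable on the enrolled device would make the non-default choice understandable rather than something readers might "fix".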
@@ -19,7 +19,7 @@ The CertificateStore configuration service provider is used to add secure socket > **Note**   The CertificateStore configuration service provider does not support installing client certificates. -  + For the CertificateStore CSP, you cannot use the Replace command unless the node already exists. @@ -34,7 +34,7 @@ Supported operation is Get. > **Note**  Root/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing root certificates. -  + **CA/System** Defines the certificate store that contains cryptographic information, including intermediary certification authorities. @@ -43,7 +43,7 @@ Supported operation is Get. > **Note**  CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates. -  + **My/User** Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. @@ -52,7 +52,7 @@ Supported operation is Get. > **Note**  My/User is case sensitive. -  + **My/System** Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. @@ -61,7 +61,7 @@ Supported operation is Get. > **Note**  My/System is case sensitive. -  + ***CertHash*** Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. 
@@ -105,9 +105,9 @@ Supported operation is Get. > **Note**  Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward. All enhancements to SCEP will happen in that CSP. -  + -**My/SCEP/****_UniqueID_** +**My/SCEP/***UniqueID* Required for SCEP certificate enrollment. A unique ID to differentiate certificate enrollment requests. Format is node. Supported operations are Get, Add, Replace, and Delete. @@ -119,7 +119,7 @@ Supported operations are Add, Replace, and Delete. > **Note**   Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values. -  + **My/SCEP/*UniqueID*/Install/ServerURL** Required for SCEP certificate enrollment. Specifies the certificate enrollment server. The server could specify multiple server URLs separated by a semicolon. Value type is string. @@ -213,7 +213,7 @@ Valid values are one of the following: > **Note**   The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server. -  + **My/SCEP/*UniqueID*/Install/ValidPeriodUnits** Optional. Specifies desired number of units used in validity period and subject to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Value type is an integer. 
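Review bot: the `-**My/SCEP/****_UniqueID_**` / `+**My/SCEP/***UniqueID*` change in the -105/+105 hunk repairs the broken bold/italic nesting so the node heading renders like its children (`**My/SCEP/*UniqueID*/Install/ServerURL**`), and the same repair is applied to `ClientCertificateInstall/PFXCertInstall/` and `ClientCertificateInstall/SCEP/` later in this change, so the set is consistent. One thing left in the same hunk's context: the Note says "Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward", yet the superseded node keeps a full, unmarked description; a deprecation marker in the heading itself would reach readers who only scan headings.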
@@ -222,7 +222,7 @@ Supported operations are Get, Add, Delete, and Replace. > **Note**   The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server. -  + **My/SCEP/*UniqueID*/Install/Enroll** Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node does not contain a value. @@ -279,7 +279,7 @@ Optional. Specifies the URL of certificate renewal server. If this node does not > **Note**  The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service. -  + Supported operations are Add, Get, Delete, and Replace. @@ -292,7 +292,7 @@ Supported operations are Add, Get, Delete, and Replace. > **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. -  + **My/WSTEP/Renew/RetryInterval** Optional. Specifies the retry interval (in days) when the previous renewal failed. It applies to both manual certificate renewal and ROBO automatic certificate renewal. The retry schedule stops at the certificate expiration date. @@ -307,7 +307,7 @@ Supported operations are Add, Get, Delete, and Replace. > **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. -  + **My/WSTEP/Renew/ROBOSupport** Optional. Notifies the client if the MDM enrollment server supports ROBO auto certificate renewal. Value type is bool. 
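Review bot: the -213/+213 and -222/+222 hunks each touch the blank line after an identical Note ("The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) ...") that appears under both ValidPeriod and ValidPeriodUnits. Since both lines are being changed anyway, keep the note once, under ValidPeriodUnits where the worked example ("if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days") lives, and leave a one-line pointer under ValidPeriod. The Atomic-command notes under My/WSTEP/Renew in the -292 and -307 hunks are likewise word-for-word copies.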
@@ -318,7 +318,7 @@ Supported operations are Add, Get, Delete, and Replace. > **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. -  + **My/WSTEP/Renew/Status** Required. Shows the latest action status for this certificate. Value type is an integer. @@ -629,9 +629,9 @@ Configure the device to automatically renew an MDM client certificate with the s [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 34a5bf1526..d80e8b3401 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -30,7 +30,7 @@ The following image shows the ClientCertificateInstall configuration service pro ![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png) **Device or User** -

            For device certificates, use **./Device/Vendor/MSFT** path and for user certificates use **./User/Vendor/MSFT** path. +

            For device certificates, use ./Device/Vendor/MSFT path and for user certificates use ./User/Vendor/MSFT path. **ClientCertificateInstall**

            The root node for the ClientCertificateInstaller configuration service provider. @@ -40,7 +40,7 @@ The following image shows the ClientCertificateInstall configuration service pro

            Supported operation is Get. -**ClientCertificateInstall/PFXCertInstall/****_UniqueID_** +**ClientCertificateInstall/PFXCertInstall/***UniqueID*

            Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.

            The data type format is node. @@ -72,7 +72,7 @@ The following image shows the ClientCertificateInstall configuration service pro

            Supported operations are Get, Add, Delete, and Replace. **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob** -

            CRYPT\_DATA\_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation. +

            CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.

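Review bot: the -72/+72 hunk changes `CRYPT\_DATA\_BLOB` to `CRYPT_DATA_BLOB` in the PFXCertBlob description. Intraword underscores do not open emphasis in CommonMark, so this is safe on a CommonMark renderer, but the escaped form was defensive on purpose; confirm the docs pipeline before dropping these escapes across the file. Unrelated to markup, the re-added sentence "The Add operation triggers the addition to the PFX certificate" does not say what is added; the following sentence (all parameter nodes under UniqueID must be present "before this is called") shows that Add triggers installation of the PFX, so word it that way while the line is open.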
            The data type format is binary. @@ -82,7 +82,7 @@ The following image shows the ClientCertificateInstall configuration service pro

            If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail. -

            In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT\_DATA\_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](https://go.microsoft.com/fwlink/p/?LinkId=523871). +

            In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB. **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**

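Review bot: the -82/+82 hunk replaces `[CRYPT\_INTEGER\_BLOB](https://go.microsoft.com/fwlink/p/?LinkId=523871)` with plain `CRYPT_INTEGER_BLOB`, so the only reference for the blob layout a server must produce for PFXCertBlob is lost; keep the link (with the underscores unescaped if that is the aim of the change). The re-added sentence also still reads "adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB"; "whose layout is documented under CRYPT_INTEGER_BLOB" says what is meant.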
            Password that protects the PFX blob. This is required if the PFX is password protected. @@ -109,7 +109,7 @@ The following image shows the ClientCertificateInstall configuration service pro > **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. -  +

            The data type bool.

            Supported operations are Get, Add, and Replace. @@ -140,8 +140,8 @@ The following image shows the ClientCertificateInstall configuration service pro > **Note**  An alert is sent after the SCEP certificate is installed. -  -**ClientCertificateInstall/SCEP/****_UniqueID_** + +**ClientCertificateInstall/SCEP/***UniqueID*

            A unique ID to differentiate different certificate installation requests. @@ -152,7 +152,7 @@ The following image shows the ClientCertificateInstall configuration service pro > **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. -  + **ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**

            Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. @@ -168,7 +168,7 @@ The following image shows the ClientCertificateInstall configuration service pro

            Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping** -

            Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus **+**. For example, *OID1*+*OID2*+*OID3*. +

            Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus +. For example, OID1+OID2+OID3. Data type is string.

            Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesn’t have those bits set, the configuration will fail. @@ -189,7 +189,7 @@ Data type is string. > **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN. -  +

            The data type is an integer corresponding to one of the following values: | Value | Description | @@ -199,7 +199,7 @@ Data type is string. | 3 | (Default) Private key saved in software KSP. | | 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specifed, otherwise enrollment will fail. | -  +

            Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** @@ -236,7 +236,7 @@ Data type is string. > **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it. -  +

            Data type is string.

            Supported operations are Add, Get, Delete, and Replace. @@ -253,7 +253,7 @@ Data type is string.

            Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm** -

            Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with **+**. +

            Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with +.

            For Windows Hello for Business, only SHA256 is the supported algorithm. @@ -271,7 +271,7 @@ Data type is string. **ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**

            Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information. -

            Each pair is separated by semicolon. For example, multiple SANs are presented in the format of *\[name format1\]*+*\[actual name1\]*;*\[name format 2\]*+*\[actual name2\]*. +

            Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2].

            Data type is string. @@ -290,7 +290,7 @@ Data type is string. > **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. -  +

            Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** @@ -300,7 +300,7 @@ Data type is string. >**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. -  +

            Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName** @@ -354,7 +354,7 @@ Data type is string. | 16 | Action failed | | 32 | Unknown | -  + **ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**

            Optional. An integer value that indicates the HRESULT of the last enrollment error code. @@ -668,9 +668,9 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 17fd331461..4e20e3ff3e 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -22,24 +22,24 @@ The following diagram shows the CM\_CellularEntries configuration service provid ![cm\-cellularentries csp](images/provisioning-csp-cm-cellularentries.png) -**_entryname_** +***entryname***

            Defines the name of the connection.

            -

            The [CMPolicy configuration service provider](cmpolicy-csp.md) uses the value of *entryname* to identify the connection that is associated with a policy and [CM\_ProxyEntries configuration service provider](cm-proxyentries-csp.md) uses the value of *entryname* to identify the connection that is associated with a proxy.

            +

            The CMPolicy configuration service provider uses the value of entryname to identify the connection that is associated with a policy and CM_ProxyEntries configuration service provider uses the value of entryname to identify the connection that is associated with a proxy.

            **AlwaysOn**

            Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available. -

            A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. +

            A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. -

            A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs. +

            A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs.

            There must be at least one AlwaysOn Internet connection provisioned for the mobile operator. **AuthType**

            Optional. Type: String. Specifies the method of authentication used for a connection. -

            A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None". +

            A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None". **ConnectionType**

            Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available: @@ -77,48 +77,48 @@ The following diagram shows the CM\_CellularEntries configuration service provid -  + **Desc.langid**

            Optional. Specifies the UI display string used by the defined language ID. -

            A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry. +

            A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as Desc.0409 with a value of "GPRS Connection" will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no Desc parameter is provisioned for a given language, the system will default to the name used to create the entry. **Enabled**

            Specifies if the connection is enabled. -

            A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled. +

            A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled. **IpHeaderCompression**

            Optional. Specifies if IP header compression is enabled. -

            A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled. +

            A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled. **Password** -

            Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN. +

            Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN. **SwCompression**

            Optional. Specifies if software compression is enabled. -

            A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled. +

            A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled. **UserName** -

            Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN. +

            Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN. **UseRequiresMappingsPolicy**

            Optional. Specifies if the connection requires a corresponding mappings policy. -

            A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present. +

            A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present. -

            For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. +

            For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. **Version** -

            Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider. +

            Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider. -

            This value must be "1" if included. +

            This value must be "1" if included. **GPRSInfoAccessPointName** -

            Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT". +

            Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT". **Roaming**

            Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available: @@ -134,20 +134,20 @@ The following diagram shows the CM\_CellularEntries configuration service provid

            Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices. **ApnId** -

            Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices. +

            Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices. **IPType** -

            Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4". +

            Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4". > [!Warning]   > Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6. -  + **ExemptFromDisablePolicy** -

            Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt). +

            Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt). -

            To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed. +

            To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed. > [!Important]   > Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections. @@ -157,26 +157,26 @@ The following diagram shows the CM\_CellularEntries configuration service provid - Hide the toggle for AllowMmsIfDataIsOff by setting AllowMmsIfDataIsOffEnabled to 0 (default is 1) - Set AllowMMSIfDataIsOff to 1 (default is 0) -  + **ExemptFromRoaming** -

            Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt). +

            Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt). **TetheringNAI** -

            Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0". +

            Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0". **IdleDisconnectTimeout**

            Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds. -> [!Important]   -

            You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used. - -  - -> [!Note]   +> [!Important] +>

            You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used. +> +> +> +> [!Note] > If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds. -  + **SimIccId**

            For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection. @@ -300,16 +300,16 @@ The following table shows the Microsoft custom elements that this configuration -  + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md index 839a08ea47..ef176f2dab 100644 --- a/windows/client-management/mdm/cm-proxyentries-csp.md +++ b/windows/client-management/mdm/cm-proxyentries-csp.md @@ -18,12 +18,12 @@ ms.date: 06/26/2017 The CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device. > **Note**  CM\_ProxyEntries CSP is only supported in Windows 10 Mobile. - -  - +> +> +> > **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. -  + The following diagram shows the CM\_ProxyEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP) and OMA Device Management(OMA DM). Support for OMA DM was added in Windows 10, version 1607. @@ -135,16 +135,16 @@ The following table shows the Microsoft custom elements that this configuration -  + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index 19649e2df9..d8cf450f41 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md 
@@ -20,7 +20,7 @@ The CMPolicy configuration service provider defines rules that the Connection Ma > **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. -  + Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies @@ -63,7 +63,7 @@ Specifies whether the list of connections is in preference order. A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. -**Conn****_XXX_** +**Conn***XXX* Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". **ConnectionID** @@ -112,7 +112,7 @@ For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. Th -  + For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available: @@ -187,7 +187,7 @@ For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network typ -  + For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available: 
@@ -222,7 +222,7 @@ For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. -  + **Type** Specifies the type of connection being referenced. The following list describes the available connection types: @@ -498,16 +498,16 @@ Adding a host-based mapping policy: -  + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index 8deba5ec39..3c64181792 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -20,7 +20,7 @@ The CMPolicyEnterprise configuration service provider is used by the enterprise > **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. -  + Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies @@ -63,7 +63,7 @@ Specifies whether the list of connections is in preference order. A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. -**Conn****_XXX_** +**Conn***XXX* Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". **ConnectionID** 
@@ -112,7 +112,7 @@ For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. Th -  + For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available: @@ -187,7 +187,7 @@ For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network typ -  + For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available: @@ -222,7 +222,7 @@ For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. -  + **Type** Specifies the type of connection being referenced. The following list describes the available connection types: @@ -498,16 +498,16 @@ Adding a host-based mapping policy: -  + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 678e970022..5aaeaf180d 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2712,7 +2712,7 @@ The following list shows the configuration service providers supported in Window | [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | -  + ## CSPs supported in Microsoft Surface Hub - [AccountManagement CSP](accountmanagement-csp.md) @@ -2769,7 +2769,7 @@ The following list shows the configuration service providers supported in Window


            - Footnotes: + Footnotes: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. diff --git a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md index d1295f8c05..b87b2182df 100644 --- a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md +++ b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md @@ -45,11 +45,11 @@ This code must be compiled into a single .dll file and added to a package by usi

            File location

            -

            %DataDrive%\SharedData\OEM\CSP\

            +

            %DataDrive%\SharedData\OEM\CSP</p>

            Registry location

            -

            $(HKLM.SOFTWARE)\OEM\CSP\

            +

            $(HKLM.SOFTWARE)\OEM\CSP</p> @@ -88,7 +88,7 @@ To make the configuration service provider accessible from WAP XML, you must reg ``` -  + diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 97492e0648..180daaf203 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -30,7 +30,7 @@ AppID string value is the default appid/AUMID to launch during startup. The supp **BackgroundTasksToLaunch** List of package names of background tasks that need to be launched on device startup. The supported operation is Get. -**BackgroundTasksToLaunch/****_BackgroundTaskPackageName_** +**BackgroundTasksToLaunch/***BackgroundTaskPackageName* Package Full Name of the App that needs be launched in the background. This can contain no entry points, a single entry point, or multiple entry points. The supported operations are Add, Delete, Get, and Replace. ## SyncML examples @@ -98,9 +98,9 @@ Package Full Name of the App that needs be launched in the background. This can ``` -  + -  + diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md index 79812fc3b7..52f529971f 100644 --- a/windows/client-management/mdm/data-structures-windows-store-for-business.md +++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -81,7 +81,7 @@ Specifies the properties of the alternate identifier. -  + ## BulkSeatOperationResultSet @@ -100,16 +100,16 @@ Specifies the properties of the alternate identifier.

            seatDetails

            -

            collection of [SeatDetails](#seatdetails)

            +

            collection of SeatDetails

            failedSeatOperations

            -

            collection of [FailedSeatRequest](#failedseatrequest)

            +

            collection of FailedSeatRequest

            -  + ## FailedSeatRequest @@ -132,7 +132,7 @@ Specifies the properties of the alternate identifier.

            productKey

            -

            [ProductKey](#productkey)

            +

            ProductKey

            userName

            @@ -141,7 +141,7 @@ Specifies the properties of the alternate identifier. -  + ## FrameworkPackageDetails @@ -172,7 +172,7 @@ Specifies the properties of the alternate identifier.

            location

            -

            [PackageLocation](#packagelocation)

            +

            PackageLocation

            @@ -187,17 +187,17 @@ Specifies the properties of the alternate identifier.

            architectures

            -

            collection of [ProductArchitectures](#productarchitectures)

            +

            collection of ProductArchitectures

            packageFormat

            -

            [ProductPackageFormat](#productpackageformat)

            +

            ProductPackageFormat

            platforms

            -

            collection of [ProductPlatform](#productplatform)

            +

            collection of ProductPlatform

            @@ -213,7 +213,7 @@ Specifies the properties of the alternate identifier. -  + ## InventoryDistributionPolicy @@ -241,7 +241,7 @@ Specifies the properties of the alternate identifier. -  + ## InventoryEntryDetails @@ -262,7 +262,7 @@ Specifies the properties of the alternate identifier.

            productKey

            -

            [ProductKey](#productkey)

            +

            ProductKey

            Identifier used on subsequent requests to get additional content including product descriptions, offline license, and download URLs.

            @@ -282,23 +282,23 @@ Specifies the properties of the alternate identifier.

            licenseType

            -

            [LicenseType](#licensetype)

            +

            LicenseType

            Indicates whether the set of seats for a given application supports online or offline licensing.

            distributionPolicy

            -

            [InventoryDistributionPolicy](#inventorydistributionpolicy)

            +

            InventoryDistributionPolicy

            status

            -

            [InventoryStatus](#inventorystatus)

            +

            InventoryStatus

            -  + ## InventoryResultSet @@ -324,13 +324,13 @@ Specifies the properties of the alternate identifier.

            inventoryEntries

            -

            collection of [InventoryEntryDetails](#inventoryentrydetails)

            +

            collection of InventoryEntryDetails

            -  + ## InventoryStatus @@ -358,7 +358,7 @@ Specifies the properties of the alternate identifier. -  + ## LicenseType @@ -386,7 +386,7 @@ Specifies the properties of the alternate identifier. -  + ## LocalizedProductDetail @@ -424,18 +424,18 @@ Specifies the properties of the localized product.

            images

            -

            collection of [ProductImage](#productimage)

            +

            collection of ProductImage

            Artwork and icon associated with the application.

            publisher

            -

            [PublisherDetails](#publisherdetails)

            +

            PublisherDetails

            Publisher of the application.

            -  + ## OfflineLicense @@ -456,7 +456,7 @@ Specifies the properties of the localized product.

            productKey

            -

            [ProductKey](#productkey)

            +

            ProductKey

            Identifies a set of seats associated with an application.

            @@ -482,7 +482,7 @@ Specifies the properties of the localized product. -  + ## PackageContentInfo @@ -501,7 +501,7 @@ Specifies the properties of the localized product.

            productPlatforms

            -

            collection of [ProductPlatform](#productplatform)

            +

            collection of ProductPlatform

            packageFormat

            @@ -510,7 +510,7 @@ Specifies the properties of the localized product. -  + ## PackageLocation @@ -537,7 +537,7 @@ Specifies the properties of the localized product. -  + ## ProductArchitectures @@ -567,7 +567,7 @@ Specifies the properties of the localized product. -  + ## ProductDetails @@ -588,7 +588,7 @@ Specifies the properties of the localized product.

            productKey

            -

            [ProductKey](#productkey)

            +

            ProductKey

            Identifier used on subsequent requests to get additional content including product descriptions, offline license, and download URLs.

            @@ -613,7 +613,7 @@ Specifies the properties of the localized product.

            alternateIds

            -

            collection of [AlternateIdentifier](#alternateidentifier)

            +

            collection of AlternateIdentifier

            The identifiers that can be used to instantiate the installation of on online application.

            @@ -623,13 +623,13 @@ Specifies the properties of the localized product.

            supportedPlatforms

            -

            collection of [ProductPlatform](#productplatform)

            +

            collection of ProductPlatform

            -  + ## ProductImage @@ -658,7 +658,7 @@ Specifies the properties of the product image.

            purpose

            string

            -

            Tag for the purpose of the image, e.g. "screenshot" or "logo".

            +

            Tag for the purpose of the image, e.g. "screenshot" or "logo".

            height

            @@ -678,12 +678,12 @@ Specifies the properties of the product image.

            backgroundColor

            string

            -

            Format "#RRGGBB"

            +

            Format "#RRGGBB"

            foregroundColor

            string

            -

            Format "#RRGGBB"

            +

            Format "#RRGGBB"

            fileSize

            @@ -693,7 +693,7 @@ Specifies the properties of the product image. -  + ## ProductKey @@ -727,7 +727,7 @@ Specifies the properties of the product key. -  + ## ProductPackageDetails @@ -748,7 +748,7 @@ Specifies the properties of the product key.

            frameworkDependencyPackages

            -

            collection of [FrameworkPackageDetails](#frameworkpackagedetails)

            +

            collection of FrameworkPackageDetails

            @@ -763,7 +763,7 @@ Specifies the properties of the product key.

            location

            -

            [PackageLocation](#packagelocation)

            +

            PackageLocation

            @@ -778,17 +778,17 @@ Specifies the properties of the product key.

            architectures

            -

            collection of [ProductArchitectures](#productarchitectures)

            +

            collection of ProductArchitectures

            Values {x86, x64, arm, neutral}

            packageFormat

            -

            [ProductPackageFormat](#productpackageformat)

            +

            ProductPackageFormat

            Extension of the package file.

            platforms

            -

            collection of [ProductPlatform](#productplatform)

            +

            collection of ProductPlatform

            @@ -804,7 +804,7 @@ Specifies the properties of the product key. -  + ## ProductPackageFormat @@ -831,7 +831,7 @@ Specifies the properties of the product key. -  + ## ProductPackageSet @@ -857,13 +857,13 @@ Specifies the properties of the product key.

            productPackages

            -

            collection of [ProductPackageDetails](#productpackagedetails)

            +

            collection of ProductPackageDetails

            A collection of application packages.

            -  + ## ProductPlatform @@ -886,16 +886,16 @@ Specifies the properties of the product key.

            minVersion

            -

            [VersionInfo](#versioninfo)

            +

            VersionInfo

            maxTestedVersion

            -

            [VersionInfo](#versioninfo)

            +

            VersionInfo

            -  + ## PublisherDetails @@ -929,7 +929,7 @@ Specifies the properties of the publisher details. -  + ## SeatAction @@ -953,7 +953,7 @@ Specifies the properties of the publisher details. -  + ## SeatDetails @@ -975,7 +975,7 @@ Specifies the properties of the publisher details.

            assignedTo

            string

            -

            Format = UPN (user@domain)

            +

            Format = UPN (user

            dateAssigned
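Review bot: the `+` line in this hunk truncates the format note: `-Format = UPN (user@domain)` becomes `+Format = UPN (user`, losing `@domain)`; since the rest of the hunk only strips trailing whitespace, restore the full `Format = UPN (user@domain)` so the SeatDetails `assignedTo` field still documents the expected user principal name shape.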

            @@ -984,18 +984,18 @@ Specifies the properties of the publisher details.

            state

            -

            [SeatState](#seatstate)

            +

            SeatState

            productKey

            -

            [ProductKey](#productkey)

            +

            ProductKey

            -  + ## SeatDetailsResultSet @@ -1014,7 +1014,7 @@ Specifies the properties of the publisher details.

            seats

            -

            collection of [SeatDetails](#seatdetails)

            +

            collection of SeatDetails

            continuationToken

            @@ -1023,7 +1023,7 @@ Specifies the properties of the publisher details. -  + ## SeatState @@ -1047,7 +1047,7 @@ Specifies the properties of the publisher details. -  + ## SupportedProductPlatform @@ -1070,20 +1070,20 @@ Specifies the properties of the publisher details.

            minVersion

            -

            [VersionInfo](#versioninfo)

            +

            VersionInfo

            maxTestedVersion

            -

            [VersionInfo](#versioninfo)

            +

            VersionInfo

            architectures

            -

            collection of [ProductArchitecture](#productarchitecture)

            +

            collection of ProductArchitecture

            -  + ## VersionInfo diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 85cb718fbc..c0c253a025 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -28,7 +28,7 @@ An interior node to group all threats detected by Windows Defender. Supported operation is Get. -**Detections/****_ThreatId_** +**Detections/***ThreatId* The ID of a threat that has been detected by Windows Defender. Supported operation is Get. @@ -122,7 +122,7 @@ The following table describes the supported values: | 50 | Ransomware | | 51 | ASR Rule | -  + Supported operation is Get. diff --git a/windows/client-management/mdm/design-a-custom-windows-csp.md b/windows/client-management/mdm/design-a-custom-windows-csp.md index 4816f6f2a1..52c0a36f2f 100644 --- a/windows/client-management/mdm/design-a-custom-windows-csp.md +++ b/windows/client-management/mdm/design-a-custom-windows-csp.md @@ -36,13 +36,13 @@ Nodes can represent anything from abstract concepts or collections (such as emai For example, a hypothetical Email configuration service provider might have these nodes: -- Account: The name of the email account (such as "Hotmail") +- Account: The name of the email account (such as "Hotmail") -- Username: The user name or email address ("exampleAccount@hotmail.com") +- Username: The user name or email address ("exampleAccount@hotmail.com") -- Password: The user's password +- Password: The user's password -- Server: The DNS address of the server ("mail-serv1-example.mail.hotmail.com") +- Server: The DNS address of the server ("mail-serv1-example.mail.hotmail.com") The `Account`, `Username`, and `Server` nodes would hold text-based information about the email account, the user's email address, and the server address associated with that account. The `Password` node, however, might hold a binary hash of the user's password. 
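Review bot: in the defender-csp.md `@@ -28` hunk (and in the same `****_Name_**` to `***Name*` rewrite repeated for the other dynamic-node headings later in this patch), check the rendered preview of `**Detections/***ThreatId*`: under CommonMark flanking rules a `***` run preceded by `/` and followed by a letter can open emphasis but cannot close it, so the leading `**` may be left unmatched and printed literally; `**Detections/**_ThreatId_` closes the bold explicitly before the italic placeholder and is unambiguous.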
@@ -159,9 +159,9 @@ For internally transactioned nodes, the practice of implementing the contrary co -  + -  + diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index dd95bb64f2..1fe3abbba1 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -39,9 +39,9 @@ The following diagram shows the DevDetail configuration service provider managem

            Supported operation is Get. **FwV** -

            Required. Returns the firmware version, as defined in the registry key HKEY\_LOCAL\_MACHINE\\System\\Platform\\DeviceTargetingInfo\\PhoneFirmwareRevision. +

            Required. Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision. -

            For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BIOSVersion. +

            For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
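Review bot: in the `@@ -39` hunk (and likewise `@@ -51` and `@@ -96`) the unescaped registry paths such as `HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision` and `HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion` now rely on the renderer treating a backslash before a letter as literal and intraword underscores as non-emphasis; both hold in CommonMark, but wrapping each path in a code span removes the dependency on those rules and also keeps the path from being reflowed or auto-linked by the site renderer.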

            Supported operation is Get. @@ -51,9 +51,9 @@ The following diagram shows the DevDetail configuration service provider managem

            Supported operation is Get. **HwV** -

            Required. Returns the hardware version, as defined in the registry key HKEY\_LOCAL\_MACHINE\\System\\Platform\\DeviceTargetingInfo\\PhoneRadioHardwareRevision. +

            Required. Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision. -

            For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BIOSVersion. +

            For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.

            Supported operation is Get. @@ -96,12 +96,12 @@ The following diagram shows the DevDetail configuration service provider managem

            Supported operation is Get. **Ext/Microsoft/OSPlatform** -

            Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName. +

            Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName.

            Supported operation is Get. **Ext/Microsoft/ProcessorType** -

            Required. Returns the processor type of the device as documented in SYSTEM\_INFO. +

            Required. Returns the processor type of the device as documented in SYSTEM_INFO.

            Supported operation is Get. @@ -111,7 +111,7 @@ The following diagram shows the DevDetail configuration service provider managem

            Supported operation is Get. **Ext/Microsoft/Resolution** -

            Required. Returns the UI screen resolution of the device (example: "480x800"). +

            Required. Returns the UI screen resolution of the device (example: "480x800").

            Supported operation is Get. @@ -121,7 +121,7 @@ The following diagram shows the DevDetail configuration service provider managem

            Supported operation is Get. **Ext/Microsoft/ProcessorArchitecture** -

            Required. Returns the processor architecture of the device as "arm" or "x86". +

            Required. Returns the processor architecture of the device as "arm" or "x86".

            Supported operation is Get. @@ -197,9 +197,9 @@ Value type is string. Supported operation is Get. [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 877fddd7c3..0d4d601d86 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -17,7 +17,7 @@ ms.date: 06/26/2018 The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](https://msdn.microsoft.com/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703. > [!NOTE] -The DeveloperSetup configuration service provider (CSP) is only supported in Windows 10 Holographic Enterprise edition and with runtime provisioning via provisioning packages. It is not supported in MDM. +> The DeveloperSetup configuration service provider (CSP) is only supported in Windows 10 Holographic Enterprise edition and with runtime provisioning via provisioning packages. It is not supported in MDM. The following diagram shows the DeveloperSetup configuration service provider in tree format. @@ -61,7 +61,7 @@ The user name must contain only ASCII characters and cannot contain a colon (:). **DevicePortal/Connection/HttpPort**

            An integer value that is used to configure the HTTP port for incoming connections to the Windows Device Portal service. -If authentication is enabled, **HttpPort** will redirect the user to the (required) **HttpsPort**. +If authentication is enabled, HttpPort will redirect the user to the (required) HttpsPort.

            The only supported operation is Replace. diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 8a69b42281..be9b52c3f1 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -146,7 +146,7 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -

            Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. +

            Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. > [!NOTE] > The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. @@ -171,7 +171,7 @@ The following diagram shows the Update policies in a tree format. > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise -

            Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. +

            Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. > [!NOTE] > The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. @@ -200,7 +200,7 @@ The following diagram shows the Update policies in a tree format. > [!IMPORTANT] > This option should be used only for systems under regulatory compliance, as you will not get security updates as well. -  +

            If the policy is not configured, end-users get the default behavior (Auto install and restart). @@ -290,7 +290,7 @@ The following diagram shows the Update policies in a tree format. **Update/DeferFeatureUpdatesPeriodInDays** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -

            Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. +>

            Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.

            Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. @@ -322,9 +322,9 @@ The following diagram shows the Update policies in a tree format. - Update/RequireDeferUpgrade must be set to 1 - System/AllowTelemetry must be set to 1 or higher -

            If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

            If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -

            If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

            If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. @@ -391,9 +391,9 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego

            Supported values are 0-8, which refers to the number of months to defer upgrades. -

            If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

            If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -

            If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

            If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. **Update/EngagedRestartDeadline** > [!NOTE] @@ -496,14 +496,14 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego - 0 (default) – Deferrals are not paused. - 1 – Deferrals are paused. -

            If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

            If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. -

            If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. +

            If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. **Update/PauseFeatureUpdates** > [!NOTE] > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. -

            Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. +>

            Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.

            Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. @@ -674,7 +674,7 @@ Example

            To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. -

            Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. +

            Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. > [!Note] > If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. @@ -703,11 +703,11 @@ The update approval list enables IT to approve individual updates and update cla > **Note**  For the Windows 10 build, the client may need to reboot after additional updates are added. -  + Supported operations are Get and Add. -**ApprovedUpdates/****_Approved Update Guid_** +**ApprovedUpdates/***Approved Update Guid* Specifies the update GUID. To auto-approve a class of updates, you can specify the [Update Classifications](https://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. @@ -730,7 +730,7 @@ Specifies the approved updates that failed to install on a device. Supported operation is Get. -**FailedUpdates/****_Failed Update Guid_** +**FailedUpdates/***Failed Update Guid* Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install. Supported operation is Get. @@ -750,7 +750,7 @@ The updates that are installed on the device. Supported operation is Get. -**InstalledUpdates/****_Installed Update Guid_** +**InstalledUpdates/***Installed Update Guid* UpdateIDs that represent the updates installed on a device. Supported operation is Get. 
@@ -760,7 +760,7 @@ The updates that are applicable and not yet installed on the device. This includ Supported operation is Get. -**InstallableUpdates/****_Installable Update Guid_** +**InstallableUpdates/***Installable Update Guid* Update identifiers that represent the updates applicable and not installed on a device. Supported operation is Get. @@ -784,7 +784,7 @@ The updates that require a reboot to complete the update session. Supported operation is Get. -**PendingRebootUpdates/****_Pending Reboot Update Guid_** +**PendingRebootUpdates/***Pending Reboot Update Guid* Update identifiers for the pending reboot state. Supported operation is Get. @@ -885,7 +885,7 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici

            -  + Here is the list of older policies that are still supported for backward compatibility. You can use these for Windows 10, version 1511 devices. @@ -904,7 +904,7 @@ For policies supported for Windows Update for Business, when you set policies fo For policies supported for Windows Update for Business, when you set 1511 policies on a device running 1607, the you will get the expected behavior for 1511 policies. -  + ## Update management user experience screenshot @@ -968,7 +968,7 @@ The following diagram and screenshots show the process flow of the device update ![mdm device update management screenshot](images/deviceupdatescreenshot3.png)![mdm device update management screenshot](images/deviceupdatescreenshot4.png)![mdm device update management screenshot](images/deviceupdatescreenshot5.png)![mdm device update management screenshot](images/deviceupdatescreenshot6.png)![mdm device update management screenshot](images/deviceupdatescreenshot7.png)![mdm device update management screenshot](images/deviceupdatescreenshot8.png)![mdm device update management screenshot](images/deviceupdatescreenshot9.png) -  + diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index 3a813ee975..c6e8ab6ccd 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md @@ -22,7 +22,7 @@ Stop using DeviceInstanceService CSP and use the updated [DeviceStatus CSP](devi The DeviceInstance CSP is only supported in Windows 10 Mobile. -  + The following diagram shows the DeviceInstanceService configuration service provider in tree format. @@ -110,9 +110,9 @@ Response from the phone. [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index d3c26c5a29..aa39a5d6ed 100644 
--- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -38,9 +38,9 @@ Required. Node for queries on the SIM cards. > **Note**  Multiple SIMs are supported. -  + -**DeviceStatus/CellularIdentities/****_IMEI_** +**DeviceStatus/CellularIdentities/***IMEI* The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. **DeviceStatus/CellularIdentities/*IMEI*/IMSI** @@ -76,7 +76,7 @@ Supported operation is Get. **DeviceStatus/NetworkIdentifiers** Node for queries on network and device properties. -**DeviceStatus/NetworkIdentifiers/****_MacAddress_** +**DeviceStatus/NetworkIdentifiers/***MacAddress* MAC address of the wireless network card. A MAC address is present for each network card on the device. **DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4** diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 9940cd50e9..5336d57012 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -51,7 +51,7 @@ The changes on **State**, **Keywords** and **TraceLevel** takes effect immediate > **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. -  + ### Channel-based tracing @@ -114,7 +114,7 @@ Interior node to contain dynamic child interior nodes for active providers. The supported operation is Get. -**EtwLog/Collectors/****_CollectorName_** +**EtwLog/Collectors/***CollectorName* Dynamic nodes to represent active collector configuration. Supported operations are Add, Delete, and Get. 
@@ -174,7 +174,7 @@ The following table represents the possible values: | 0 | Stopped | | 1 | Started | -  + **EtwLog/Collectors/*CollectorName*/TraceLogFileMode** Specifies the log file logging mode. @@ -208,7 +208,7 @@ The following table lists the possible values: -  + **EtwLog/Collectors/*CollectorName*/TraceControl** Specifies the logging and report action state. @@ -222,7 +222,7 @@ The following table lists the possible values: | START | Start log tracing. | | STOP | Stop log tracing | -  + The supported operation is Execute. @@ -290,12 +290,12 @@ Interior node to contain dynamic child interior nodes for active providers. The supported operation is Get. -**EtwLog/Collectors/*CollectorName*/Providers/****_ProviderGUID_** +**EtwLog/Collectors/*CollectorName*/Providers/***ProviderGUID* Dynamic nodes to represent active provider configuration per provider GUID. > **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. -  + Supported operations are Add, Delete, and Get. @@ -384,7 +384,7 @@ The following table lists the possible values. -  + Set provider **TraceLevel** @@ -495,7 +495,7 @@ The following table lists the possible values. Default value is TRUE. -  + Set provider **State** @@ -525,7 +525,7 @@ Interior node to contain dynamic child interior nodes for registered channels. The supported operation is Get. -**EtwLog/Channels/****_ChannelName_** +**EtwLog/Channels/***ChannelName* Dynamic nodes to represent a registered channel. The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin" Supported operations are Add, Delete, and Get. @@ -655,7 +655,7 @@ The following table lists the possible values. -  + Get channel **State** 
@@ -734,7 +734,7 @@ Node to contain child nodes for log file transportation protocols and correspond **FileDownload/DMChannel** Node to contain child nodes using DM channel for transport protocol. -**FileDownload/DMChannel/****_FileContext_** +**FileDownload/DMChannel/***FileContext* Dynamic interior nodes that represents per log file context. **FileDownload/DMChannel/*FileContext*/BlockSizeKB** @@ -894,7 +894,7 @@ Get **BlockData** **FileDownload/DMChannel/*FileContext*/DataBlocks** Node to transfer the selected log file block to the DM server. -**FileDownload/DMChannel/*FileContext*/DataBlocks/****_BlockNumber_** +**FileDownload/DMChannel/*FileContext*/DataBlocks/***BlockNumber* The data type is Base64. The only supported operation is Get. @@ -911,9 +911,9 @@ The only supported operation is Get. 7. Increase **BlockIndexToRead** 8. Repeat step 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)** -  + -  + diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 9a2aa7a88b..52960d3977 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -19,7 +19,7 @@ The DMAcc configuration service provider allows an OMA Device Management (DM) ve > **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. -  + For the DMAcc CSP, you cannot use the Replace command unless the node already exists. 
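Review bot: The context line closing the `@@ -911` hunk of diagnosticlog-csp.md ends the block-download procedure with 'Repeat step 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)**', a condition that compares the index with itself minus one and can never hold; the intended upper bound (the number of blocks in the file) should be spelled out on the right-hand side. Since this hunk already replaces the trailing non-breaking-space lines, the stop condition is worth fixing in the same change.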
@@ -64,7 +64,7 @@ Interior node for DM server address. Required. -**AppAddr/****_ObjectName_** +**AppAddr/***ObjectName* Required. Defines the OMA DM server address. Only one server address can be configured. When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1". This is the first DM address encountered in the w7 APPLICATION configuration service provider, other DM accounts are ignored. @@ -86,7 +86,7 @@ Interior node for port information. Optional. -**Port/****_ObjectName_** +**Port/***ObjectName* Required. Only one port number can be configured. When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1". @@ -108,7 +108,7 @@ Value type is string. Supported operations are Add, Get, and Replace. ***AccountUID*/AppAuth** Optional. Defines authentication settings. -**AppAuth/****_ObjectName_** +**AppAuth/***ObjectName* Required. Defines one set of authentication settings. When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED"). @@ -258,7 +258,7 @@ Stores specifies which certificate stores the DM client will search to find the > **Note**   %EF%80%80 is the UTF8-encoded character U+F000. -  + Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following: @@ -279,9 +279,9 @@ Supported operations are Add, and Replace. [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 9ceb7e3acb..61f105479e 100644 
--- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -37,7 +37,7 @@ Required. The root node for all settings that belong to a single management serv Supported operation is Get. -**Provider/****_ProviderID_** +**Provider/***ProviderID* Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM server. As a best practice, use text that doesn’t require XML/URI escaping. For Intune, use **MS DM Server** for Windows desktop or **SCConfigMgr** for Windows mobile for the _ProviderID_. @@ -57,14 +57,14 @@ Supported operations are Get and Add. > **Note**   Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION configuration service provider’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server. This node is required and must be set by the server before the client certificate renewal is triggered. -  + **Provider/*ProviderID*/ExchangeID** Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server. > **Note**  In some cases for the desktop, this node will return "not found" until the user sets up their email. -  + Supported operation is Get. 
@@ -101,7 +101,7 @@ Required. The character string that contains the device management server addres > **Note**  When the ManagementServerAddressList value is set, the device ignores the value in ManagementServiceAddress. -  + The DMClient configuration service provider will save the address to the same location as the w7 and DMS configuration service providers to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION configuration service provider](w7-application-csp.md). @@ -148,7 +148,7 @@ This node is only supported in Windows 10 and later. Once you set the value to 2.0, it will not go back to 1.0. -  + Supported operations are Get, Replace, and Delete. @@ -227,7 +227,7 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo > **Note**  The < and > should be escaped. -  + ``` syntax @@ -322,7 +322,7 @@ If there is no infinite schedule set, then a 24-hour schedule is created and sch -  + **Valid poll schedule: initial enrollment only \[no infinite schedule\]** @@ -373,13 +373,13 @@ If there is no infinite schedule set, then a 24-hour schedule is created and sch -  + **Invalid poll schedule: disable all poll schedules** > **Note**   Disabling poll schedules results in UNDEFINED behavior and enrollment may fail if poll schedules are all set to zero. -  + @@ -428,7 +428,7 @@ If there is no infinite schedule set, then a 24-hour schedule is created and sch
            -  + **Invalid poll schedule: two infinite schedules** @@ -487,7 +487,7 @@ If there is no infinite schedule set, then a 24-hour schedule is created and sch -  + If the device was previously enrolled in MDM with polling schedule configured via registry key values directly, the MDM server that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/<ProviderID>/Poll** node before it sends a Get/Replace command to query or update polling parameters via DMClient CSP @@ -624,7 +624,7 @@ The status error mapping is listed below. -  + **Provider/*ProviderID*/CustomEnrollmentCompletePage** Optional. Added in Windows 10, version 1703. @@ -791,9 +791,9 @@ The following SyncML shows how to remotely unenroll the device. Note that this c [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index 4e8280b5d4..e915f4d790 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -46,16 +46,16 @@ Microsoft recommends that this function is not used to configure the following t > **Note**  The **DMProcessConfigXMLFiltered** function has full functionality in Windows 10 Mobile and Windows Phone 8.1, but it has a read-only functionality in Windows 10 desktop. -  + ## Syntax ```C++ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered( -        LPCWSTR pszXmlIn, -  const WCHAR   **rgszAllowedCspNode, -  const DWORD   dwNumAllowedCspNodes, -        BSTR    *pbstrXmlOut + LPCWSTR pszXmlIn, + const WCHAR   **rgszAllowedCspNode, + const DWORD   dwNumAllowedCspNodes, + BSTR    *pbstrXmlOut ); ``` @@ -63,25 +63,25 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered( *pszXmlIn*

              -
            • \[in\] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. **DMProcessConfigXMLFiltered** accepts only OMA Client Provisioning XML (also known as WAP provisioning). It does not accept OMA DM SyncML XML (also known as SyncML).
            • +
            • [in] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. DMProcessConfigXMLFiltered accepts only OMA Client Provisioning XML (also known as WAP provisioning). It does not accept OMA DM SyncML XML (also known as SyncML).

            *rgszAllowedCspNode*
              -
            • \[in\] Array of **WCHAR\*** that specify which configuration service provider nodes are allowed to be invoked.
            • +
            • [in] Array of WCHAR\* that specify which configuration service provider nodes are allowed to be invoked.

            *dwNumAllowedCspNodes*
              -
            • \[in\] Number of elements passed in *rgszAllowedCspNode*.
            • +
            • [in] Number of elements passed in rgszAllowedCspNode.

            *pbstrXmlOut*
              -
            • \[out\] The resulting null–terminated XML from configuration. The caller of **DMProcessConfigXMLFiltered** is responsible for cleanup of the output buffer that the *pbstrXmlOut* parameter references. Use [**SysFreeString**](https://msdn.microsoft.com/library/windows/hardware/ms221481) to free the memory.
            • +
            • [out] The resulting null–terminated XML from configuration. The caller of DMProcessConfigXMLFiltered is responsible for cleanup of the output buffer that the pbstrXmlOut parameter references. Use SysFreeString to free the memory.
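Review bot: The `[**SysFreeString**](https://msdn.microsoft.com/library/windows/hardware/ms221481)` link in the `pbstrXmlOut` description is reduced to plain `SysFreeString`, so the reader loses the cross-reference that the cleanup instruction depends on; the same link survives in the See also hunk at `@@ -226`, so keep it here too. This hunk also strips the bold from `DMProcessConfigXMLFiltered` and the italics from `pbstrXmlOut` and `rgszAllowedCspNode` while the rest of the topic (`The usage of **DMProcessConfigXMLFiltered** …`) still bolds the function name, and the unescaped `[in]`/`[out]` only render as text as long as no link reference definition named `in` or `out` exists in the file; `\[in\]` was the safer form.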

            @@ -126,7 +126,7 @@ Returns the standard **HRESULT** value **S\_OK** to indicate success. The follow -  + ## Remarks @@ -136,20 +136,20 @@ The usage of **DMProcessConfigXMLFiltered** depends on the configuration service ``` XML -    -        -            -            -            -            -            -        -    -    -        -            -        -    + + + + + + + + + + + + + + ``` @@ -158,8 +158,8 @@ Then, the second parameter in the call to **DMProcessConfigXMLFiltered** would h ``` C++ LPCWSTR rgszAllowedCspNodes[] = { -    L"NAPDEF", -    L"BrowserFavorite" + L"NAPDEF", + L"BrowserFavorite" }; ``` @@ -172,18 +172,18 @@ WCHAR szProvxmlContent[] = L"..."; BSTR bstr = NULL; HRESULT hr = DMProcessConfigXMLFiltered( -                szProvxmlContent, -                rgszAllowedCspNodes, -                _countof(rgszAllowedCspNodes), -                &bstr -                ); + szProvxmlContent, + rgszAllowedCspNodes, + _countof(rgszAllowedCspNodes), + &bstr + ); /* check error */ if ( bstr != NULL ) { -    SysFreeString( bstr ); -    bstr = NULL; + SysFreeString( bstr ); + bstr = NULL; } ``` @@ -226,7 +226,7 @@ if ( bstr != NULL ) [**SysFreeString**](https://msdn.microsoft.com/library/windows/hardware/ms221481) -  + diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index 5a6a34b4c7..c8c2490a37 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -28,25 +28,25 @@ The following diagram shows the DMSessionActions configuration service provider **./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**

            Defines the root node for the DMSessionActions configuration service provider.

            -**_ProviderID_** +***ProviderID***

            Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means that there should be only one ProviderID node under NodeCache.

            Scope is dynamic. Supported operations are Get, Add, and Delete.

            -**_ProviderID_/CheckinAlertConfiguration** +***ProviderID*/CheckinAlertConfiguration**

            Node for the custom configuration of alerts to be sent during MDM sync session.

            -**_ProviderID_/CheckinAlertConfiguration/Nodes** +***ProviderID*/CheckinAlertConfiguration/Nodes**

            Required. Root node for URIs to be queried. Scope is dynamic.

            Supported operation is Get.

            -**_ProviderID_/CheckinAlertConfiguration/Nodes/_NodeID_** +***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID***

            Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.

            Supported operations are Get, Add, and Delete.

            -**_ProviderID_/CheckinAlertConfiguration/Nodes/_NodeID_/NodeURI** +***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*/NodeURI**

            Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.

            Value type is string. Supported operations are Add, Get, Replace, and Delete.
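Review bot: The unchanged context line under `***ProviderID***` says there should be only one ProviderID node 'under NodeCache', but this file is dmsessionactions-csp.md and the root node named two lines above is `./Device/Vendor/MSFT/DMSessionActions`, so the sentence points at the wrong CSP; since every heading in this hunk is being reworked, correct that reference at the same time. The new `***ProviderID*/…**` headings themselves are fine: a `***` run at the start of the line opens both spans, and the `*` before `/` closes the italic.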

            diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index 583cad9b6a..bfee22a337 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md 
@@ -93,135 +93,135 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( In this example, the policy is in **Administrative Templates > System > App-V > Publishing**. - 1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy. + 1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy. - ![Enable publishing server 2 policy](images/admx-appv-publishingserver2.png) + ![Enable publishing server 2 policy](images/admx-appv-publishingserver2.png) - ![Enable publishing server 2 settings](images/admx-app-v-enablepublishingserver2settings.png) + ![Enable publishing server 2 settings](images/admx-app-v-enablepublishingserver2settings.png) - 2. Find the variable names of the parameters in the ADMX file. + 2. Find the variable names of the parameters in the ADMX file. - You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2). + You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2). - ![Publishing server 2 policy description](images/admx-appv-policy-description.png) + ![Publishing server 2 policy description](images/admx-appv-policy-description.png) - 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx. + 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx. - 4. Search for GP name **Publishing_Server2_policy**. + 4. Search for GP name **Publishing_Server2_policy**. - 5. 
Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The text id and enum id represents the data id you need to include in the SyncML data payload. They correspond to the fields you see in GP Editor. + 5. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The text id and enum id represents the data id you need to include in the SyncML data payload. They correspond to the fields you see in GP Editor. - Here is the snippet from appv.admx: + Here is the snippet from appv.admx: - ``` syntax - - + ``` syntax + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - ``` + + ``` - 6. From the \ tag, copy all the text id and enum id and create an XML with data id and value fields. The value field contains the configuration settings you would enter in the GP Editor. + 6. From the \ tag, copy all the text id and enum id and create an XML with data id and value fields. The value field contains the configuration settings you would enter in the GP Editor. - Here is the example XML for Publishing_Server2_Policy : + Here is the example XML for Publishing_Server2_Policy : - ``` syntax - - - - - - - - - - - ``` + ``` syntax + + + + + + + + + + + ``` - 7. Create the SyncML to enable the policy. Payload contains \ and name/value pairs. + 7. Create the SyncML to enable the policy. Payload contains \ and name/value pairs. - Here is the example for **AppVirtualization/PublishingAllowServer2**: + Here is the example for **AppVirtualization/PublishingAllowServer2**: > [!Note] > The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
If you are using Intune, select String as the data type. diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index 7ad785dfe5..42c5475d1f 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -51,7 +51,7 @@ Inventory is specific to the package full name and lists bundled packs and resou > **Note**  On Windows 10 Mobile, XAP packages have the product ID in place of both the package family name and package full name. -  + Here are the nodes for each package full name: - Name 
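Review bot: Step 4 in the enable-admx-backed-policies-in-mdm.md hunk searches for `Publishing_Server2_policy` while step 5 quotes `policy name="Publishing_Server2_Policy"`; the two spellings should agree, with the ADMX attribute value being the one to copy. Step 5 also has 'The text id and enum id represents the data id', which should read 'represent'. Because this hunk re-indents the whole numbered list, check that the `syntax` fences under steps 5 and 6 keep enough indentation to remain inside their list items; otherwise the list restarts its numbering after each code block.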
@@ -303,14 +303,14 @@ If you purchased an app from the Store for Business and the app is specified for Here are the requirements for this scenario: -- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_ -- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements. -- The device does not need to have connectivity to the Microsoft Store, store services, or the have the Microsoft Store UI be enabled. -- The user must be logged in, but association with AAD identity is not required. +- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_ +- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements. +- The device does not need to have connectivity to the Microsoft Store, store services, or the have the Microsoft Store UI be enabled. +- The user must be logged in, but association with AAD identity is not required. > **Note**  You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user). -  + The Add command for the package family name is required to ensure proper removal of the app at unenrollment. Here is an example of a line-of-business app installation. 
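Review bot: The four requirement bullets are rewritten for whitespace only and carry over visible defects: the UNC example says `app1.apx` where the other two say `app1.appx`, the HTTPS example `(https://contoso.com/app1.appx\_` ends with a stray `\_` instead of the closing `)`, 'HTTPs' should be 'HTTPS', and 'or the have the Microsoft Store UI be enabled' has a misplaced 'the'. Since the lines are touched anyway, fix them here; the identical bullets reappear in the provisioning hunk at `@@ -420` and need the same treatment.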
@@ -420,18 +420,18 @@ Provisioning allows you to stage the app to the device and all users of the devi Here are the requirements for this scenario: -- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_ -- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements. -- The device does not need to have connectivity to the Microsoft Store, or store services enabled. -- The device does not need any AAD identity or domain membership. -- For nonStore app, your device must be unlocked. -- For Store offline apps, the required licenses must be deployed prior to deploying the apps. +- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_ +- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements. +- The device does not need to have connectivity to the Microsoft Store, or store services enabled. +- The device does not need any AAD identity or domain membership. +- For nonStore app, your device must be unlocked. +- For Store offline apps, the required licenses must be deployed prior to deploying the apps. To provision app for all users of a device from a hosted location, the management server performs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment. 
> **Note**  When you remove the provisioned app, it will not remove it from the users that already installed the app. -  + Here is an example of app installation. @@ -626,7 +626,7 @@ You can remove provisioned apps from a device for a specific version or for all > **Note**  You can only remove an app that has an inventory value IsProvisioned = 1. -  + Removing provisioned app occurs in the device context. Here is an example for removing a provisioned app from a device. @@ -827,7 +827,7 @@ In Windows 10 Mobile IT administrators can set a policy to restrict user applic > **Note**  The feature is only for Windows 10 Mobile. -  + The RestrictAppDataToSystemVolume policy in [Policy CSP](policy-configuration-service-provider.md) enables you to restrict all user application data to stay on the system volume. When the policy is not configured or if it is disabled, and you move a package or when it is installed to a difference volume, then the user application data will moved to the same volume. You can set this policy to 0 (off, default) or 1. Here is an example. @@ -899,7 +899,7 @@ Here is an example. ``` -  + diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index ef76c29a6c..29b5d5bdd5 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -17,7 +17,7 @@ ms.date: 09/22/2017 The EnterpriseAPN configuration service provider (CSP) is used by the enterprise to provision an APN for the Internet. > [!Note] -Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. +> Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. The following image shows the EnterpriseAPN configuration service provider in tree format. 
@@ -26,7 +26,7 @@ The following image shows the EnterpriseAPN configuration service provider in tr **EnterpriseAPN**

            The root node for the EnterpriseAPN configuration service provider.

            -**EnterpriseAPN/****_ConnectionName_** +**EnterpriseAPN/***ConnectionName*

            Name of the connection as seen by Windows Connection Manager.

            Supported operations are Add, Get, Delete, and Replace.

            @@ -52,7 +52,7 @@ The following image shows the EnterpriseAPN configuration service provider in tr

            Supported operations are Add, Get, Delete, and Replace.

            **EnterpriseAPN/*ConnectionName*/ClassId** -

            GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM\_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.

            +

            GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.

            Supported operations are Add, Get, Delete, and Replace.

            @@ -278,9 +278,9 @@ atomicZ [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index 15151b8144..34a8571486 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md @@ -19,7 +19,7 @@ The EnterpriseAppManagement enterprise configuration service provider is used to > **Note**   The EnterpriseAppManagement CSP is only supported in Windows 10 Mobile. -  + The following diagram shows the EnterpriseAppManagement configuration service provider in tree format. @@ -57,7 +57,7 @@ Supported operations are Get and Add. > **Note**   Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00 -  + ***EnterpriseID*/Status** Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL\_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic. @@ -79,7 +79,7 @@ Required. The root node for individual enterprise application inventory settings Supported operation is Get. -**/Inventory/****_ProductID_** +**/Inventory/***ProductID* Optional. A node that contains s single enterprise application product ID in GUID format. Scope is dynamic. Supported operation is Get. 
@@ -109,7 +109,7 @@ Required. This node groups application download-related parameters. The enterpri Supported operation is Get. -**/Download/****_ProductID_** +**/Download/***ProductID* Optional. This node contains the GUID for the installed enterprise application. Each installed application has a unique ID. Scope is dynamic. Supported operations are Get, Add, and Replace. @@ -168,12 +168,12 @@ Required. The integer value that indicates the status of the current download pr

            7:DOWNLOAD_FAILED

            -

            Unable to connect to server, file doesn't exist, etc.

            +

            Unable to connect to server, file doesn't exist, etc.

            -  + Scope is dynamic. Supported operations are Get, Add, and Replace. @@ -438,11 +438,11 @@ Install or update the installed app with the product ID “{B316008A-141D-4A79-8 To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application does not exist, the application will be silently installed without any user interaction. If the application cannot be installed, the user will be notified with an Alert dialog. > **Note**   -1. If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation). +> 1. If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation). -2. The application product ID curly braces need to be escaped where { is %7B and } is %7D. +2. The application product ID curly braces need to be escaped where { is %7B and } is %7D. -  + ``` syntax @@ -535,9 +535,9 @@ Uninstall an installed enterprise application with product ID “{7BB316008A-141 [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 8da304b673..03c5e1ef06 100644 
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -26,47 +26,47 @@ The following diagram shows the EnterpriseAppVManagement configuration service p

            Used to query App-V package information (post-publish).

            **AppVPackageManagement/EnterpriseID** -

            Used to query package information. Value is always "HostedInstall".

            +

            Used to query package information. Value is always "HostedInstall".

            **AppVPackageManagement/EnterpriseID/PackageFamilyName**

            Package ID of the published App-V package.

            -**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_** +**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName***

            Version ID of the published App-V package.

            -**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/Name** +**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name**

            Name specified in the published AppV package.

            Value type is string. Supported operation is Get.

            -**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/Version** +**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version**

            Version specified in the published AppV package.

            Value type is string. Supported operation is Get.

            -**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/Publisher** +**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher**

            Publisher as specified in the published asset information of the AppV package.

            Value type is string. Supported operation is Get.

            -**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/InstallLocation** +**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation**

            Local package path specified in the published asset information of the AppV package.

            Value type is string. Supported operation is Get.

            -**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/InstallDate** +**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate**

            Date the app was installed, as specified in the published asset information of the AppV package.

            Value type is string. Supported operation is Get.

            -**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/Users** +**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users**

            Registered users for app, as specified in the published asset information of the AppV package.

            Value type is string. Supported operation is Get.

            -**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/AppVPackageId** +**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId**

            Package ID of the published App-V package.

            Value type is string. Supported operation is Get.

            -**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/AppVVersionId** +**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId**

            Version ID of the published App-V package.

            Value type is string. Supported operation is Get.

            -**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/AppVPackageUri** +**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri**

            Package URI of the published App-V package.

            Value type is string. Supported operation is Get.
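Review bot: The `_EnterpriseID_` to `*EnterpriseID*` change in the @@ -26 hunk of enterpriseappvmanagement-csp.md is the right fix (underscores inside a `**...**` heading are not reliably treated as emphasis), but while these headings are being touched the unchanged descriptions next to them deserve a look: `PackageFamilyName` is described as "Package ID of the published App-V package" and `PackageFullName` as "Version ID of the published App-V package", which are word for word the descriptions of `AppVPackageId` and `AppVVersionId` further down. They read as copy-paste leftovers; the two nodes should describe the package family name and the package full name.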

            @@ -103,9 +103,8 @@ The following diagram shows the EnterpriseAppVManagement configuration service p - SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress.

            Value type is string. Supported operation is Get.

            - -**AppVPublishing/LastSync/SyncProgress** -

            Latest sync state. One of the following values may be returned:

            + +AppVPublishing/LastSync/SyncProgress

            Latest sync state. One of the following values may be returned:

            - SYNC\_STATUS_IDLE (0) - App-V Sync is idle. - SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing. @@ -119,17 +118,17 @@ The following diagram shows the EnterpriseAppVManagement configuration service p
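Review bot: The replacement line for the SyncProgress heading in the @@ -103 hunk drops the bold markers: `-**AppVPublishing/LastSync/SyncProgress**` becomes `+AppVPublishing/LastSync/SyncProgress`, which leaves this as the only node in the file not rendered as a bold node heading. Keep the `**...**` and strip only the trailing non-breaking space.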

            Used to perform App-V synchronization.

            **AppVPublishing/Sync/PublishXML** -

            Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](https://msdn.microsoft.com/library/mt739986.aspx).

            +

            Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.

            Supported operations are Get, Delete, and Execute.

            **AppVDynamicPolicy**

            Used to set App-V Policy Configuration documents for publishing packages.

            -**AppVDynamicPolicy/_ConfigurationId_** +**AppVDynamicPolicy/*ConfigurationId***

            ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).

            -**AppVDynamicPolicy/_ConfigurationId_/Policy** +**AppVDynamicPolicy/*ConfigurationId*/Policy**

            XML for App-V Policy Configuration documents for publishing packages.

            Value type is xml. Supported operations are Add, Get, Delete, and Replace.
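Review bot: The @@ -119 hunk turns the protocol reference in the PublishXML description into plain text: `[[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](https://msdn.microsoft.com/library/mt739986.aspx)` becomes the bare `[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol`. For a whitespace-only change this is a regression; keep the link so readers can reach the spec.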

            diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index f04cae6f6e..0416e3badf 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -596,7 +596,7 @@ The following sample file contains configuration for enabling tile manipulation. Entry | Description ----------- | ------------ CSP Runner | Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role. -  + **LockscreenWallpaper/** The parent node of the lock screen-related parameters that let administrators query and manage the lock screen image on devices. Supported operations are Add, Delete, Get and Replace. @@ -722,7 +722,7 @@ The accent color to apply as the foreground color for tiles, controls, and other -  + Supported operations are Get and Replace. @@ -1168,7 +1168,7 @@ Supported operations are Get and Replace.

            2500

            -

            UTC+13 Nuku'alofa

            +

            UTC+13 Nuku'alofa

            @@ -1190,7 +1190,7 @@ The XML examples in this section show how to perform various tasks by using OMA > **Note**  These examples are XML snippets and do not include all sections that are required for a complete lockdown XML file. -  + ### Assigned Access settings @@ -1198,12 +1198,12 @@ The following example shows how to add a new policy. ``` syntax -    -      "/> -    + + + "/> + + ``` @@ -1213,11 +1213,11 @@ The following example shows how to specify the language to display on the device ``` syntax -    -      + + -    + ``` @@ -1253,22 +1253,22 @@ The following example shows how to change the accent color to one of the standar ``` syntax -    -       -         1 -          -             -             ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID -             -             -               int -             -             -            7 -          -       -       -    + + + 1 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID + + + int + + + 7 + + + + ``` @@ -1276,22 +1276,22 @@ The following example shows how to change the theme. ``` syntax -    -       -           1 -           -               -                   ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground -               -               -                   int -               -               -               1 -           -       -       -    + + + 1 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground + + + int + + + 1 + + + + ``` @@ -1299,19 +1299,19 @@ The following example shows how to set a custom theme accent color for the enter ``` syntax -    -      1 -       -          -             ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID -          -          -            int -          -          -         151 -       -    + + 1 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID + + + int + + + 151 + + 2 
@@ -1335,17 +1335,17 @@ Use the examples in this section to set a new lock screen and manage the lock sc ``` syntax 2 -    -      ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName -    -      chr -      text/plain -    -    c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg -    + 2 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName + + chr + text/plain + + c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg + + ``` @@ -1353,12 +1353,12 @@ The following example shows how to query the device for the file being used as t ``` syntax 2 -    -      ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName -    + 2 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName + + ``` @@ -1366,22 +1366,22 @@ The following example shows how to change the existing lock screen image to one ``` syntax -    -       -         2 -          -             -               ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName -             -             -               chr -               text/plain -             -            c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg -          -       -       -    + + + 2 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName + + + chr + text/plain + + c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg + + + + ``` @@ -1391,21 +1391,21 @@ The following example shows how to set the time zone to UTC-07 Mountain Time (US ``` syntax -    -       -         2 -          -             -               ./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone -             -             -               int -             -            500 -          -       -       -    + + + 2 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone + + + int + + 500 + + + + ``` 
@@ -1413,21 +1413,21 @@ The following example shows how to set the time zone to Pacific Standard Time (U ``` syntax -    -       -         2 -          -             -               ./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone -             -             -               int -             -            400  -          -       -       -    + + + 2 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone + + + int + + 400  + + + + ``` @@ -1437,21 +1437,21 @@ The following example shows how to set the language. ``` syntax -    -       -         1 -          -             -               ./Vendor/MSFT/EnterpriseAssignedAccess/Locale/Language -             -             -               int -             -            1033 -          -       -       -    + + + 1 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Locale/Language + + + int + + 1033 + + + + ``` @@ -1667,11 +1667,11 @@ The following table lists the product ID and AUMID for each app that is included -  + -  + -  + diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 8b92f8e8bf..725444b2b6 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -20,7 +20,7 @@ The EnterpriseDataProtection configuration service provider (CSP) is used to con >- To make WIP functional the AppLocker CSP and the network isolation specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). >- This CSP was added in Windows 10, version 1607. -  + While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md). 
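Review bot: The value line in the @@ -1413 hunk (Pacific Standard Time example) keeps trailing whitespace after the number, `+            400  `, whereas the corresponding lines in the @@ -1391 hunk (`500`) and the @@ -1437 hunk (`1033`) have none. If that trailing character sits inside the SyncML data element it becomes part of the int written to `./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone`; trim it to `400` while this line is being rewritten anyway.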
@@ -52,13 +52,13 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.

            Supported operations are Add, Get, Replace and Delete. Value type is integer. **Settings/EnterpriseProtectedDomainNames** -

            A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. +

            A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.

            Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. > **Note**  The client requires domain name to be canonical, otherwise the setting will be rejected by the client. -  +

            Here are the steps to create canonical domain names: @@ -97,7 +97,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format. > **Note**  This setting is only supported in Windows 10 Mobile. -  +

            Supported operations are Add, Get, Replace and Delete. Value type is integer. 
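Review bot: The EnterpriseProtectedDomainNames paragraph re-added in the @@ -52 hunk is byte-for-byte the old text apart from whitespace, so two existing defects on that line survive: `("|").The first domain` is missing the space after the period, and "User identities from one of these domains is considered an enterprise managed account" should read "are considered enterprise managed accounts". The note line in the same hunk, `The client requires domain name to be canonical`, also wants "the domain name".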
@@ -113,122 +113,122 @@ The binary blob is the serialized version of following structure: // //  Recovery Policy Data Structures // -  + typedef struct _RECOVERY_POLICY_HEADER { -    USHORT      MajorRevision; -    USHORT      MinorRevision; -    ULONG       RecoveryKeyCount; + USHORT      MajorRevision; + USHORT      MinorRevision; + ULONG       RecoveryKeyCount; } RECOVERY_POLICY_HEADER, *PRECOVERY_POLICY_HEADER; -  + typedef struct _RECOVERY_POLICY_1_1    { -        RECOVERY_POLICY_HEADER  RecoveryPolicyHeader; -        RECOVERY_KEY_1_1        RecoveryKeyList[1]; + RECOVERY_POLICY_HEADER  RecoveryPolicyHeader; + RECOVERY_KEY_1_1        RecoveryKeyList[1]; }   RECOVERY_POLICY_1_1, *PRECOVERY_POLICY_1_1; -  + #define EFS_RECOVERY_POLICY_MAJOR_REVISION_1   (1) #define EFS_RECOVERY_POLICY_MINOR_REVISION_0   (0) -  + #define EFS_RECOVERY_POLICY_MINOR_REVISION_1   (1) -  + /////////////////////////////////////////////////////////////////////////////// //                                                                            / //  RECOVERY_KEY Data Structure                                               / //                                                                            / /////////////////////////////////////////////////////////////////////////////// -  + // // Current format of recovery data. // -  + typedef struct _RECOVERY_KEY_1_1   { -        ULONG               TotalLength; -        EFS_PUBLIC_KEY_INFO PublicKeyInfo; + ULONG               TotalLength; + EFS_PUBLIC_KEY_INFO PublicKeyInfo; } RECOVERY_KEY_1_1, *PRECOVERY_KEY_1_1; -  -  + + typedef struct _EFS_PUBLIC_KEY_INFO { -  -    // -    // The length of this entire structure, including string data -    // appended to the end. The length should be a multiple of 8 for -    // 64 bit alignment -    // -  -    ULONG Length; -  -    // -    // Sid of owner of the public key (regardless of format). -   // This field is to be treated as a hint only. 
-    // -  -    ULONG PossibleKeyOwner; -  -    // -    // Contains information describing how to interpret -    // the public key information -    // -  -    ULONG KeySourceTag; -  -    union { -  -        struct { -  -            // -            // The following fields contain offsets based at the -            // beginning of the structure.  Each offset is to -            // a NULL terminated WCHAR string. -            // -  -            ULONG ContainerName; -            ULONG ProviderName; -  -            // -            // The exported public key used to encrypt the FEK. -            // This field contains an offset from the beginning of the -            // structure. -            // -  -            ULONG PublicKeyBlob; -  -            // -            // Length of the PublicKeyBlob in bytes -            // -  -            ULONG PublicKeyBlobLength; -  -        } ContainerInfo; -  -        struct { -  -            ULONG CertificateLength;       // in bytes -            ULONG Certificate;             // offset from start of structure -  -        } CertificateInfo; -  -  -        struct { -  -            ULONG ThumbprintLength;        // in bytes -            ULONG CertHashData;            // offset from start of structure -  -        } CertificateThumbprint; -    }; -  -  -  + + // + // The length of this entire structure, including string data + // appended to the end. The length should be a multiple of 8 for + // 64 bit alignment + // + + ULONG Length; + + // + // Sid of owner of the public key (regardless of format). + // This field is to be treated as a hint only. + // + + ULONG PossibleKeyOwner; + + // + // Contains information describing how to interpret + // the public key information + // + + ULONG KeySourceTag; + + union { + + struct { + + // + // The following fields contain offsets based at the + // beginning of the structure.  Each offset is to + // a NULL terminated WCHAR string. 
+ // + + ULONG ContainerName; + ULONG ProviderName; + + // + // The exported public key used to encrypt the FEK. + // This field contains an offset from the beginning of the + // structure. + // + + ULONG PublicKeyBlob; + + // + // Length of the PublicKeyBlob in bytes + // + + ULONG PublicKeyBlobLength; + + } ContainerInfo; + + struct { + + ULONG CertificateLength;       // in bytes + ULONG Certificate;             // offset from start of structure + + } CertificateInfo; + + + struct { + + ULONG ThumbprintLength;        // in bytes + ULONG CertHashData;            // offset from start of structure + + } CertificateThumbprint; + }; + + + } EFS_PUBLIC_KEY_INFO, *PEFS_PUBLIC_KEY_INFO; -  + // // Possible KeyTag values // -  + typedef enum _PUBLIC_KEY_SOURCE_TAG { -    EfsCryptoAPIContainer = 1, -    EfsCertificate, -    EfsCertificateThumbprint + EfsCryptoAPIContainer = 1, + EfsCertificate, + EfsCertificateThumbprint } PUBLIC_KEY_SOURCE_TAG, *PPUBLIC_KEY_SOURCE_TAG; -  + ```

            For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate. @@ -236,7 +236,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
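Review bot: Collapsing every run of non-breaking spaces in the @@ -113 hunk to a single space flattens the nesting of the recovery-policy structures: `union {`, `struct {`, `ULONG ContainerName;` and `} ContainerInfo;` all end up at the same one-space indent as `ULONG Length;`, so a reader can no longer see which fields belong to `ContainerInfo`, `CertificateInfo` or `CertificateThumbprint`. Replace each nbsp run with the same number of regular spaces (four per level) rather than with one space. Separately, the declarations are in use-before-definition order (`RECOVERY_POLICY_1_1` uses `RECOVERY_KEY_1_1`, which uses `EFS_PUBLIC_KEY_INFO`, both defined later); that is fine for a layout illustration but a one-line remark that the block documents the serialized layout and is not meant to compile as-is would help.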

            Supported operations are Add, Get, Replace and Delete. Value type is base-64 encoded certificate. **Settings/RevokeOnUnenroll** -

            This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. +

            This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1.

            The following list shows the supported values: @@ -246,7 +246,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {

            Supported operations are Add, Get, Replace and Delete. Value type is integer. **Settings/RevokeOnMDMHandoff** -

            Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. +

            Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. - 0 - Don't revoke keys - 1 (dafault) - Revoke keys @@ -267,7 +267,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {
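Review bot: Typo in the trailing context of the @@ -246 hunk: `- 1 (dafault) - Revoke keys` should be `- 1 (default) - Revoke keys`. Since the hunk already touches the RevokeOnMDMHandoff paragraph, fold the fix into this change.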

            Supported operations are Add, Get, Replace and Delete. Value type is integer. **Settings/SMBAutoEncryptedFileExtensions** -

            Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an SMB share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list. +

            Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an SMB share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list.

            When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.

            Supported operations are Add, Get, Replace and Delete. Value type is string. @@ -317,7 +317,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { -  +
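Review bot: The @@ -267 hunk drops both links from the SMBAutoEncryptedFileExtensions paragraph: `[NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange)` and `[NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames)` become plain text. The policy names are only useful with the pointer into the Policy CSP, and a whitespace cleanup should not remove cross-references; keep the links.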

            Bit 0 indicates whether WIP is on or off. @@ -325,7 +325,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {

            Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero). -

            Here's the list of mandatory WIP policies: +

            Here's the list of mandatory WIP policies: - EDPEnforcementLevel in EnterpriseDataProtection CSP - DataRecoveryCertificate in EnterpriseDataProtection CSP @@ -337,9 +337,9 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {

            Supported operation is Get. Value type is integer. -  + -  + diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index d8e19c676a..a8d02b09c0 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -29,7 +29,7 @@ The root node for the EnterpriseDesktopAppManagement configuration service provi **MSI** Node for all settings. -**MSI/****_ProductID_** +**MSI/***ProductID* The MSI product code for the application. **MSI/*ProductID*/Version** @@ -86,7 +86,7 @@ Status of the application. Value type is string. Supported operation is Get. | Enforcement Failed | 60 | | Enforcement Completed | 70 | -  + **MSI/*ProductID*/LastError** The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed. @@ -136,7 +136,7 @@ The following table describes the fields in the previous sample: | CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | | LocURI | Path to Win32 CSP command processor. | -  + **SyncML to perform MSI operations for application uninstall** @@ -164,7 +164,7 @@ The following table describes the fields in the previous sample: | CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | -  + **SyncML to perform MSI operations for application status reporting** 
@@ -192,7 +192,7 @@ The following table describes the fields in the previous sample: | CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | | LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | -  + **SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to preceed the Exec command.** @@ -282,11 +282,11 @@ The following table describes the fields in the previous sample: -  + > **Note**  Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at . -  + **SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation)** @@ -407,7 +407,7 @@ The following table MsiInstallJob describes the schema elements. -  + Here is an example of a common response to a request @@ -479,7 +479,7 @@ For Intune standalone environment, the MSI package will determine the MSI execut -  + The following table applies to SCCM hybrid environment. @@ -520,7 +520,7 @@ The following table applies to SCCM hybrid environment. -  + ## How to determine the package type from the MSI package @@ -558,9 +558,9 @@ Here's a list of references: ``` -  + -  + diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md index 23e1076db3..a661803173 100644 --- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md +++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md 
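Review bot: Typo in the unchanged context of the @@ -192 hunk of enterprisedesktopappmanagement-csp.md: "The Add command is required to preceed the Exec command" should read "precede". The note in the @@ -282 hunk also ends with "on Microsoft TechNet at ." with no link target, in both the old and the new text; that reference needs its URL restored by someone who knows it rather than left dangling.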
@@ -19,7 +19,7 @@ The EnterpriseExtFileSystem configuration service provider (CSP) allows IT admin > **Note**  The EnterpriseExtFileSystem CSP is only supported in Windows 10 Mobile. -  + File contents are embedded directly into the syncML message, so there is a limit to the size of the file that can be retrieved from the device. The default limit is 0x100000 (1 MB). You can configure this limit by using the following registry key: **Software\\Microsoft\\Provisioning\\CSPs\\.\\Vendor\\MSFT\\EnterpriseExtFileSystem\\MaxFileReadSize**. @@ -33,32 +33,32 @@ The following list describes the characteristics and parameters.

            The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.

            **Persistent** -

            The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.

            +

            The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.

            > **Important**  There is a limit to the amount of data that can be persisted, which varies depending on how much disk space is available on one of the partitions. This data cap amount (that can be persisted) varies by manufacturer. - -  - +> +> +> > **Note**   When the IT admin triggers a **doWipePersistProvisionedData** action using [RemoteWipe CSP](remotewipe-csp.md), items stored in the Persistent folder are persisted over wipe and restored when the device boots again. The contents are not persisted if a **doWipe** action is triggered. -  + **NonPersistent** -

            The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.

            +

            The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.

            When the device is wiped, any data stored in the NonPersistent folder is deleted.

            **OemProfile** -

            Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \\data\\shareddata\\oem\\public\\profile\\ folder of the device.

            +

            Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.

            ***Directory*** -

            The name of a directory in the device file system. Any *Directory* node can have directories and files as child nodes.

            +

            The name of a directory in the device file system. Any Directory node can have directories and files as child nodes.

            Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.

            -

            Use the Get command to return the list of child node names under *Directory*.

            +

            Use the Get command to return the list of child node names under Directory.

            -

            Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under *Directory*.

            +

            Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under Directory.

            ***Filename***

            The name of a file in the device file system.
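Review bot: Three lines in the @@ -33 hunk of enterpriseextfilessystem-csp.md lose the italics on the placeholder: `*Directory*` becomes `Directory` in "Any Directory node can have directories and files as child nodes", "return the list of child node names under Directory" and "including subdirectory names, under Directory", while the heading `***Directory***` keeps them; restore `*Directory*` so the placeholder still reads as a placeholder. Second, replacing the blank separator lines between the **Important** and **Note** callouts with `>` continuation lines merges the Note into the Important blockquote; if they are meant to stay separate callouts, leave an unquoted blank line between them. Third, the OemProfile sentence "such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver" should read "that can be consumed".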

            @@ -119,9 +119,9 @@ The following example shows how to push a file to the device. ``` -  + -  + diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 48f27f5fb0..cdadc5ca2d 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -30,7 +30,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. > [!Note] -> Windows Holographic and Windows 10 Mobile only support per-user configuration of the EnterpriseModernAppManagement CSP. +> Windows Holographic and Windows 10 Mobile only support per-user configuration of the EnterpriseModernAppManagement CSP. **AppManagement** Required. Used for inventory and app management (post-install). @@ -46,7 +46,7 @@ Required. Reports the last error code returned by the update scan. Supported operation is Get. **AppManagement/AppInventoryResults** -Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation. +Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation. Supported operation is Get. @@ -64,7 +64,7 @@ Here's an example of AppInventoryResults operation. ``` **AppManagement/AppInventoryQuery** -Added in Windows 10, version 1511. Required. Specifies the query for app inventory. +Added in Windows 10, version 1511. Required. Specifies the query for app inventory. Query parameters: @@ -129,8 +129,7 @@ Parameters:
        • User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed.
        • -
        - +

      Supported operation is Execute. The following example removes a package for all users: @@ -198,7 +197,7 @@ Added in Windows 10, version 1809. Returns the last user release ID on the devic Value type is string. Supported operation is Get. -**.../****_PackageFamilyName_** +**.../***PackageFamilyName* Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. Supported operations are Get and Delete. @@ -226,7 +225,7 @@ Here's an example for uninstalling an app: ``` -**.../*PackageFamilyName*/****_PackageFullName_** +**.../*PackageFamilyName*/***PackageFullName* Optional. Full name of the package installed. Supported operations are Get and Delete. @@ -234,7 +233,7 @@ Supported operations are Get and Delete. > [!Note] > XAP files use a product ID in place of PackageFullName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. -  + **.../*PackageFamilyName*/*PackageFullName*/Name** Required. Name of the app. Value type is string. @@ -263,7 +262,7 @@ Required. Install location of the app on the device. Value type is string. > [!Note] > Not applicable to XAP files. -  + Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/IsFramework** @@ -272,7 +271,7 @@ Required. Whether or not the app is a framework package. Value type is int. The > [!Note] > Not applicable to XAP files. - Supported operation is Get. + Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/IsBundle** Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. @@ -289,7 +288,7 @@ Required. Resource ID of the app. This is null for the main app, ~ for a bundle, > [!Note] > Not applicable to XAP files. -  + Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/PackageStatus** 
@@ -311,7 +310,7 @@ Required. Specifies whether the package state has changed and requires a reinsta > [!Note] > Not applicable to XAP files. -  + Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/Users** @@ -335,10 +334,10 @@ Required. Specifies whether you want to block a specific app from being updated Supported operations are Add, Get, Delete, and Replace. **.../*PackageFamilyName*/AppSettingPolicy** (only for ./User/Vendor/MSFT) -Added in Windows 10, version 1511. Interior node for all managed app setting values. This node is only supported in the user context. +Added in Windows 10, version 1511. Interior node for all managed app setting values. This node is only supported in the user context. -**.../*PackageFamilyName*/AppSettingPolicy/****_SettingValue_** (only for ./User/Vendor/MSFT) -Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. +**.../*PackageFamilyName*/AppSettingPolicy/***SettingValue* (only for ./User/Vendor/MSFT) +Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. This setting only works for apps that support the feature and it is only supported in the user context. @@ -400,8 +399,8 @@ NonRemovable requires admin permission. This can only be set per device, not per Value type is integer. Supported operations are Add, Get, and Replace. Valid values: -- 0 – app is not in the nonremovable app policy list -- 1 – app is included in the nonremovable app policy list +- 0 – app is not in the nonremovable app policy list +- 1 – app is included in the nonremovable app policy list **Examples:** 
@@ -469,7 +468,7 @@ Data 1 = app is in the app policy list **AppInstallation** Required node. Used to perform app installation. -**AppInstallation/****_PackageFamilyName_** +**AppInstallation/***PackageFamilyName* Optional node. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. Supported operations are Get and Add. @@ -477,7 +476,7 @@ Supported operations are Get and Add. > [!Note] > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. -  + **AppInstallation/*PackageFamilyName*/StoreInstall** Required. Command to perform an install of an app and a license from the Microsoft Store. @@ -496,7 +495,7 @@ Supported operation is Get. > [!Note] > This element is not present after the app is installed. -  + **AppInstallation/*PackageFamilyName*/LastErrorDescription** Required. Description of last error relating to the app installation. @@ -506,7 +505,7 @@ Supported operation is Get. > [!Note] > This element is not present after the app is installed. -  + **AppInstallation/*PackageFamilyName*/Status** Required. Status of app installation. The following values are returned: @@ -520,7 +519,7 @@ Supported operation is Get. > [!Note] > This element is not present after the app is installed. -  + **AppInstallation/*PackageFamilyName*/ProgessStatus** Required. An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). 
@@ -529,20 +528,20 @@ Supported operation is Get. > [!Note] > This element is not present after the app is installed. -  + **AppLicenses** Required node. Used to manage licenses for app scenarios. **AppLicenses/StoreLicenses** Required node. Used to manage licenses for store apps. -**AppLicenses/StoreLicenses/****_LicenseID_** +**AppLicenses/StoreLicenses/***LicenseID* Optional node. License ID for a store installed app. The license ID is generally the PFN of the app. Supported operations are Add, Get, and Delete. **AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory** -Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value: +Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value: - Unknown - unknown license category - Retail - license sold through retail channels, typically from the Microsoft Store @@ -553,7 +552,7 @@ Added in Windows 10, version 1511. Required. Category of license that is used Supported operation is Get. **AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage** -Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values: +Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values: - Unknown - usage is unknown - Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. 
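Review bot: The triple-asterisk run in `+**AppLicenses/StoreLicenses/***LicenseID*` (and the same `****_X_**` to `***X*` rewrite applied to PackageFamilyName, PackageFullName, SettingValue and the AppInstallation node in this file) relies on the markdown parser splitting `***` into a closing `**` followed by an opening `*`, and renderers differ on how they resolve such a run. A form that does not depend on delimiter-run splitting is `**AppLicenses/StoreLicenses/**_LicenseID_`, which closes the bold before opening the italic placeholder. Worth checking the rendered output of the docs build for these lines before merging.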
@@ -563,7 +562,7 @@ Added in Windows 10, version 1511. Required. Indicates the allowed usage for t Supported operation is Get. **AppLicenses/StoreLicenses/*LicenseID*/RequesterID** -Added in Windows 10, version 1511. Required. Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. +Added in Windows 10, version 1511. Required. Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. Supported operation is Get. @@ -573,7 +572,7 @@ Required. Command to add license. Supported operation is Execute. **AppLicenses/StoreLicenses/*LicenseID*/GetLicenseFromStore** -Added in Windows 10, version 1511. Required. Command to get license from the store. +Added in Windows 10, version 1511. Required. Command to get license from the store. Supported operation is Execute. @@ -600,7 +599,7 @@ The result contains a list of apps, such as \App1/App2/App\. Subsequent query for a specific app for its properties. ``` syntax - + 1 @@ -623,9 +622,9 @@ Subsequent query for a specific app for its properties. [Configuration service provider reference](configuration-service-provider-reference.md) -  - -  + + + diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index c3beef8adc..2ff5dbb9e0 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md 
@@ -37,7 +37,7 @@ The discovery web service provides the configuration information necessary for a > **Note**  The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. -  + The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc @@ -133,7 +133,7 @@ The discovery response is in the XML format and includes the following fields: > **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. -  + When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be leveraged by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call. 
@@ -142,13 +142,13 @@ When authentication policy is set to be Federated, Web Authentication Broker (WA > - Append the OS version as a parameter in the AuthenticationServiceURL. > - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication. -  + A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist. > **Note**  The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented. -  + The following are the explicit requirements for the server. @@ -162,8 +162,8 @@ The enrollment client issues an HTTPS request as follows: AuthenticationServiceUrl?appru=&login_hint= ``` -- <appid> is of the form ms-app://string -- <User Principal Name> is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication. +- <appid> is of the form ms-app://string +- <User Principal Name> is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication. After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter. 
@@ -301,7 +301,7 @@ MS-XCEP supports very flexible enrollment policies using various Complex Types a > **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. -  + The following snippet shows the policy web service response. @@ -395,7 +395,7 @@ The RST may also specify a number of AdditionalContext items, such as DeviceType > **Note**  The policy service and the enrollment service must be on the same server; that is, they must have the same host name. -  + The following example shows the enrollment web service request for federated authentication. @@ -486,7 +486,7 @@ After validating the request, the web service looks up the assigned certificate > **Note**  The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. -  + Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc), because the token is more than an X.509 v3 certificate. @@ -638,7 +638,7 @@ The following code shows sample provisioning XML (presented in the preceding pac - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate. - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. -  + diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 9c9644b2e2..f0745bb496 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md 
@@ -18,12 +18,12 @@ ms.date: 06/26/2017 The FileSystem configuration service provider is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. It can retrieve information about or manage files in ROM, files in persistent store and files on any removable storage card that is present in the device. It works for files that are hidden from the user as well as those that are visible to the user. > **Note**  FileSystem CSP is only supported in Windows 10 Mobile. - -  - +> +> +> > **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. -  + The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. @@ -103,9 +103,9 @@ The following properties are supported for files: [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 9a2e097056..c6322ae0bb 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -40,11 +40,11 @@ The following diagram shows the Firewall configuration service provider in tree

      Value type in integer. Supported operation is Get.

      **MdmStore/Global/CurrentProfiles** -

      Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See [FW_PROFILE_TYPE](https://msdn.microsoft.com/library/cc231559.aspx) for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

      +

      Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

      Value type in integer. Supported operation is Get.

      **MdmStore/Global/DisableStatefulFtp** -

      Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.

      +

      Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.

      Default value is false.

      Data type is bool. Supported operations are Add, Get, Replace, and Delete.
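Review bot: The `+` text for MdmStore/Global/CurrentProfiles drops the hyperlink on the enumeration name (`[FW_PROFILE_TYPE](https://msdn.microsoft.com/library/cc231559.aspx)` becomes plain `FW_PROFILE_TYPE`), so the reader loses the pointer to the bitmask definitions that the sentence tells them to consult. If this hunk is intended as whitespace cleanup only, keep the link; if the link is being removed because the target moved, replace it with the current location rather than bare text. The DisableStatefulFtp change in the same hunk shows no visible text difference and reads as whitespace only.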

      @@ -54,12 +54,12 @@ The following diagram shows the Firewall configuration service provider in tree

      Value type is integer. Supported operations are Add, Get, Replace, and Delete.

      **MdmStore/Global/PresharedKeyEncoding** -

      Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the [PRESHARED_KEY_ENCODING_VALUES enumeration](https://msdn.microsoft.com/library/cc231525.aspx). The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

      +

      Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

      Default value is 1.

      Value type is integer. Supported operations are Add, Get, Replace, and Delete.

      **MdmStore/Global/IPsecExempt** -

      This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in [IPSEC_EXEMPT_VALUES](https://msdn.microsoft.com/library/cc231523.aspx); therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

      +

      This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

      Default value is 0.

      Value type is integer. Supported operations are Add, Get, Replace, and Delete.
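Review bot: Both changed nodes in this hunk lose their spec references: `[PRESHARED_KEY_ENCODING_VALUES enumeration](https://msdn.microsoft.com/library/cc231525.aspx)` and `[IPSEC_EXEMPT_VALUES](https://msdn.microsoft.com/library/cc231523.aspx)` become plain names on the `+` lines. These links are what make the normative sentences checkable ("MUST be a valid value from", "MUST be a combination of the valid flags", the IPSEC_EXEMPT_MAX-1 bound per schema version); without them an administrator cannot tell which integers are valid for PresharedKeyEncoding or IPsecExempt. Restore the links, or point at the current location of the MS-FASP definitions if the msdn URLs are being retired.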

      @@ -78,7 +78,7 @@ The following diagram shows the Firewall configuration service provider in tree

      Value type is string. Supported operation is Get.

      **MdmStore/Global/BinaryVersionSupported** -

      This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

      +

      This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

      Value type is string. Supported operation is Get.

      **MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** @@ -117,7 +117,7 @@ The following diagram shows the Firewall configuration service provider in tree

      Value type is bool. Supported operations are Add, Get and Replace.

      **/Shielded** -

      Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.

      +

      Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.

      Default value is false.

      Value type is bool. Supported operations are Get and Replace.

      @@ -194,12 +194,12 @@ Sample syncxml to provision the firewall settings to evaluate

      Value type is integer. Supported operations are Add, Get and Replace.

      **/DisableStealthModeIpsecSecuredPacketExemption** -

      Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

      +

      Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

      Default value is true.

      Value type is bool. Supported operations are Add, Get and Replace.

      **FirewallRules** -

      A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

      +

      A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

      **FirewallRules/_FirewallRuleName_**

      Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).

      @@ -247,39 +247,39 @@ Sample syncxml to provision the firewall settings to evaluate

      If not specified, the default is All.

      Value type is string. Supported operations are Add, Get, Replace, and Delete.

      -**FirewallRules/_FirewallRuleName_/LocalAddressRanges** -

      Comma separated list of local addresses covered by the rule. The default value is "\*". Valid tokens include:

      +**FirewallRules/*FirewallRuleName*/LocalAddressRanges** +

      Comma separated list of local addresses covered by the rule. The default value is "". Valid tokens include:

        -
      • "\*" indicates any local address. If present, this must be the only token included.
      • +
      • "" indicates any local address. If present, this must be the only token included.
      • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
      • A valid IPv6 address.
      • -
      • An IPv4 address range in the format of "start address - end address" with no spaces included.
      • -
      • An IPv6 address range in the format of "start address - end address" with no spaces included.
      • +
      • An IPv4 address range in the format of "start address - end address" with no spaces included.
      • +
      • An IPv6 address range in the format of "start address - end address" with no spaces included.

      If not specified, the default is All.

      Value type is string. Supported operations are Add, Get, Replace, and Delete.

      -**FirewallRules/_FirewallRuleName_/RemoteAddressRanges** -

      List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "\*". Valid tokens include:

      +**FirewallRules/*FirewallRuleName*/RemoteAddressRanges** +

      List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "". Valid tokens include:

        -
      • "\*" indicates any remote address. If present, this must be the only token included.
      • -
      • "Defaultgateway"
      • -
      • "DHCP"
      • -
      • "DNS"
      • -
      • "WINS"
      • -
      • "Intranet"
      • -
      • "RmtIntranet"
      • -
      • "Internet"
      • -
      • "Ply2Renders"
      • -
      • "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
      • +
      • "" indicates any remote address. If present, this must be the only token included.
      • +
      • "Defaultgateway"
      • +
      • "DHCP"
      • +
      • "DNS"
      • +
      • "WINS"
      • +
      • "Intranet"
      • +
      • "RmtIntranet"
      • +
      • "Internet"
      • +
      • "Ply2Renders"
      • +
      • "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
      • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
      • A valid IPv6 address.
      • -
      • An IPv4 address range in the format of "start address - end address" with no spaces included.
      • -
      • An IPv6 address range in the format of "start address - end address" with no spaces included.
      • +
      • An IPv4 address range in the format of "start address - end address" with no spaces included.
      • +
      • An IPv6 address range in the format of "start address - end address" with no spaces included.

      If not specified, the default is All.

      Value type is string. Supported operations are Add, Get, Replace, and Delete.

      -

      The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.

      +

      The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.

      **FirewallRules/_FirewallRuleName_/Description**

      Specifies the description of the rule.
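Review bot: The wildcard token is lost on the `+` side of both LocalAddressRanges and RemoteAddressRanges: `The default value is "\*"` becomes `The default value is ""`, and the first list item becomes `"" indicates any local address`, which no longer tells the reader what to write. The asterisk needs to stay escaped as `\*` in the markdown source so it renders literally; please confirm the `+` lines still contain it rather than an empty string. While these two lists are being reflowed, the repeated context line `If neither a subnet mask not a network prefix is specified` should read `nor`.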

      @@ -291,7 +291,7 @@ Sample syncxml to provision the firewall settings to evaluate

      Boolean value. Supported operations are Get and Replace.

      **FirewallRules/_FirewallRuleName_/Profiles** -

      Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](https://msdn.microsoft.com/library/cc231559.aspx) for the bitmasks that are used to identify profile types.

      +

      Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.

      If not specified, the default is All.

      Value type is integer. Supported operations are Get and Replace.
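Review bot: The Profiles description on the `+` line drops the `[FW_PROFILE_TYPE](https://msdn.microsoft.com/library/cc231559.aspx)` link, the same reference removed from CurrentProfiles earlier in this file, leaving the bitmask values the integer must encode undocumented from this page. The stray double period in `Domain, Private, Public. . See` is also carried over unchanged; since the line is already being edited, both should be fixed here.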

      diff --git a/windows/client-management/mdm/get-inventory.md b/windows/client-management/mdm/get-inventory.md index 0830771854..12d263d212 100644 --- a/windows/client-management/mdm/get-inventory.md +++ b/windows/client-management/mdm/get-inventory.md @@ -41,7 +41,7 @@ The **Get Inventory** operation retrieves information from the Microsoft Store f -  + ### URI parameters @@ -77,7 +77,7 @@ The following parameters may be specified in the request URI.

      licenseTypes

      -

      collection of [LicenseType](data-structures-windows-store-for-business.md#licensetype)

      +

      collection of LicenseType

      {online,offline}

      Optional. A collection of license types
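Review bot: The licenseTypes row loses its link to the type definition: `collection of [LicenseType](data-structures-windows-store-for-business.md#licensetype)` becomes `collection of LicenseType`. The `{online,offline}` cell below still hints at the values, but the reader can no longer navigate to the data-structures page that defines them, and the other parameter rows in this table presumably still link to that page, so this row becomes inconsistent. Keep the link unless the anchor is being removed from the target page.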

      @@ -165,7 +165,7 @@ Here are some examples. The response contains [InventoryResultSet](data-structures-windows-store-for-business.md#inventoryresultset). -  + diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 04287c446f..b794b4cf63 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -55,9 +55,8 @@ The following is a list of functions performed by the Device HealthAttestation C
    -![healthattestation session diagram](images/healthattestation_1.png) - -**DHA session data (Device HealthAttestation session data)** +healthattestation session diagram
    +DHA session data (Device HealthAttestation session data)

    The following list of data is produced or consumed in one DHA-Transaction:

    • DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot and TPM counters) that are required for validating device boot health.
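Review bot: This hunk removes the session diagram rather than reformatting it: `-![healthattestation session diagram](images/healthattestation_1.png)` is replaced by `+healthattestation session diagram`, so the alt text now appears as a loose sentence in the body and the image is gone. Either restore the image reference or drop the orphaned alt text. In the same hunk the term heading `**DHA session data (Device HealthAttestation session data)**` is unbolded, and the following hunks do the same for DHA-Enabled MDM, DHA-CSP and DHA-Service; since these act as subsection labels for the list that follows each one, the bold (or a real heading level) should be kept so they stay visually distinct from the paragraphs they introduce.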
    • @@ -73,7 +72,7 @@ The following is a list of functions performed by the Device HealthAttestation C
    • Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks
    -**DHA-Enabled MDM (Device HealthAttestation enabled device management solution)** +DHA-Enabled MDM (Device HealthAttestation enabled device management solution)

    Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.

    DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromized by advanced security threats or running a malicious (jailbroken) operating system.

    The following list of operations are performed by DHA-Enabled-MDM:

    @@ -84,7 +83,7 @@ The following is a list of functions performed by the Device HealthAttestation C
  • Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action
  • -**DHA-CSP (Device HealthAttestation Configuration Service Provider)** +DHA-CSP (Device HealthAttestation Configuration Service Provider)

    The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.

    The following list of operations are performed by DHA-CSP:

      @@ -94,7 +93,7 @@ The following is a list of functions performed by the Device HealthAttestation C
    • Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
    -**DHA-Service (Device HealthAttestation Service)** +DHA-Service (Device HealthAttestation Service)

    Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.

    DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.

    @@ -194,7 +193,7 @@ The following diagram shows the Device HealthAttestation configuration service p

    The supported operation is Get.

    -

    The following list shows some examples of supported values. For the complete list of status see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).

    +

    The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.

    - 0 - (HEALTHATTESTATION\_CERT\_RETRI_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRI_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device @@ -400,8 +399,8 @@ Here is an example: AAAAAAAAAFFFFFFF - - + + 2 @@ -410,7 +409,7 @@ Here is an example: - + 3 @@ -538,7 +537,7 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitlockerStatus** (at boot time) -
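Review bot: in the @@ -194 hunk, the `+` line for the status-value introduction drops the in-page anchor that the `-` line carried ("see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes)"), so readers lose the jump to the status table; keep the link, as an HTML anchor if this text sits inside an HTML block. The example values in the same context, HEALTHATTESTATION\_CERT\_RETRI_UNINITIALIZED and HEALTHATTESTATION\_CERT\_RETRI_REQUESTED, also do not match the HEALTHATTESTATION_CERT_RETRIEVAL_* names used in the status table further down this page.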

    When Bitlocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

    +

    When Bitlocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

    Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
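Review bot: the `-`/`+` pair in the BitlockerStatus hunk is identical in visible text, so the change is whitespace or markup only; the context line "Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume." has a stray comma after "Encryption" that could be removed in the same pass.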

    @@ -556,9 +555,9 @@ Each of these are described in further detail in the following sections, along w **BootManagerRevListVersion**

    This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.

    -

    If BootManagerRevListVersion = \[CurrentVersion\], then allow access.

    +

    If BootManagerRevListVersion = [CurrentVersion], then allow access.

    -

    If BootManagerRevListVersion != \[CurrentVersion\], then take one of the following actions that align with your enterprise policies:

    +

    If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:

    - Disallow all access - Disallow access to HBI and MBI assets @@ -568,9 +567,9 @@ Each of these are described in further detail in the following sections, along w **CodeIntegrityRevListVersion**
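Review bot: in the BootManagerRevListVersion hunk (@@ -556), the `+` lines remove the backslash escapes so the text reads `[CurrentVersion]`; that is fine inside an HTML block, but in plain Markdown a bare bracketed token becomes a shortcut reference link as soon as a `[CurrentVersion]:` definition exists anywhere in the file, so confirm the rendering context or put the placeholder in code font. The unchanged description, "the version of the Boot Manager that is running on the device", also reads differently from the attribute name, which refers to a revocation-list version; confirm which is meant and align the two.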

    This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.

    -

    If CodeIntegrityRevListVersion = \[CurrentVersion\], then allow access.

    +

    If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.

    -

    If CodeIntegrityRevListVersion != \[CurrentVersion\], then take one of the following actions that align with your enterprise policies:

    +

    If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:

    - Disallow all access - Disallow access to HBI and MBI assets @@ -670,7 +669,7 @@ Each of these are described in further detail in the following sections, along w

    If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.

    **ELAMDriverLoaded** (Windows Defender) -

    To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

    +

    To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

    In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.
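Review bot: the ELAMDriverLoaded `-`/`+` pair is identical in visible text, so only the context lines carry content here; "Microsoft 1st party ELAM (Windows Defender)" should read "first-party", and "monitors/reports" should settle on one verb. The "Hybrid Resume" prerequisite is the operationally important sentence and is correctly kept first.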

    @@ -734,7 +733,7 @@ Each of these are described in further detail in the following sections, along w **TPMVersion**

    This attribute identifies the version of the TPM that is running on the attested device.

    -

    TPMVersion node provides to replies "1" and "2":

    +

    TPMVersion node provides to replies "1" and "2":

    • 1 means TPM specification version 1.2
    • 2 means TPM specification version 2.0
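Review bot: "TPMVersion node provides to replies "1" and "2":" is ungrammatical in both the `-` and the `+` line of the TPMVersion hunk; since the line is being rewritten anyway, reword it to "The TPMVersion node replies with "1" or "2":".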
    • @@ -748,15 +747,15 @@ Each of these are described in further detail in the following sections, along w - Direct the device to an enterprise honeypot, to further monitor the device's activities. **PCR0** -

      The measurement that is captured in PCR\[0\] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.

      +

      The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.

      -

      Enterprise managers can create a whitelist of trusted PCR\[0\] values, compare the PCR\[0\] value of the managed devices (the value that is verified and reported by HAS) with the whitelist, and then make a trust decision based on the result of the comparison.

      +

      Enterprise managers can create a whitelist of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the whitelist, and then make a trust decision based on the result of the comparison.

      -

      If your enterprise does not have a whitelist of accepted PCR\[0\] values, then take no action.

      +

      If your enterprise does not have a whitelist of accepted PCR[0] values, then take no action.

      -

      If PCR\[0\] equals an accepted whitelisted value, then allow access.

      +

      If PCR[0] equals an accepted whitelisted value, then allow access.

      -

      If PCR\[0\] does not equal any accepted whitelisted value, then take one of the following actions that align with your enterprise policies:

      +

      If PCR[0] does not equal any accepted whitelisted value, then take one of the following actions that align with your enterprise policies:

      - Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. @@ -809,212 +808,212 @@ Each of these are described in further detail in the following sections, along w ## **Device HealthAttestation CSP status and error codes** - - - - - - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - - - - + + + + - + + + + + +
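Review bot: in the PCR0 hunk (@@ -748), the reported value is described as "verified and reported by HAS", an abbreviation that appears nowhere else in this patch, which otherwise says DHA-Service; use one name consistently. The `+` lines also unescape PCR\[0\] to PCR[0], which is harmless inside HTML but, in plain Markdown, is a reference-link candidate if a `[0]:` definition is ever added, so code font would be safer.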
      Error codeError nameDescription
      0HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZEDThis is the initial state for devices that have never participated in a DHA-Session.
      Error codeError nameDescription
      1HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTEDThis state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.
      0HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZEDThis is the initial state for devices that have never participated in a DHA-Session.
      2HEALTHATTESTATION_CERT_RETRIEVAL_FAILEDThis state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
      1HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTEDThis state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.
      3HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETEThis state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
      2HEALTHATTESTATION_CERT_RETRIEVAL_FAILEDThis state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
      4HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAILDeprecated in Windows 10, version 1607.
      3HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETEThis state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
      5HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAILDHA-CSP failed to get a claim quote.
      4HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAILDeprecated in Windows 10, version 1607.
      6HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READYDHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.
      5HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAILDHA-CSP failed to get a claim quote.
      7HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAILDHA-CSP failed in retrieving Windows AIK
      6HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READYDHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.
      8HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAILDeprecated in Windows 10, version 1607.
      7HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAILDHA-CSP failed in retrieving Windows AIK
      9HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSIONInvalid TPM version (TPM version is not 1.2 or 2.0)
      8HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAILDeprecated in Windows 10, version 1607.
      10HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAILNonce was not found in the registry.
      9HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSIONInvalid TPM version (TPM version is not 1.2 or 2.0)
      11HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAILCorrelation ID was not found in the registry.
      10HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAILNonce was not found in the registry.
      12HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAILDeprecated in Windows 10, version 1607.
      11HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAILCorrelation ID was not found in the registry.
      13HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAILDeprecated in Windows 10, version 1607.
      12HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAILDeprecated in Windows 10, version 1607.
      14HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAILFailure in Encoding functions. (Extremely unlikely scenario)
      13HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAILDeprecated in Windows 10, version 1607.
      15HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAILDeprecated in Windows 10, version 1607.
      14HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAILFailure in Encoding functions. (Extremely unlikely scenario)
      16HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XMLDHA-CSP failed to load the payload it received from DHA-Service
      15HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAILDeprecated in Windows 10, version 1607.
      17HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XMLDHA-CSP received a corrupted response from DHA-Service.
      16HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XMLDHA-CSP failed to load the payload it received from DHA-Service
      18HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XMLDHA-CSP received an empty response from DHA-Service.
      17HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XMLDHA-CSP received a corrupted response from DHA-Service.
      19HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EKDHA-CSP failed in decrypting the AES key from the EK challenge.
      18HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XMLDHA-CSP received an empty response from DHA-Service.
      20HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EKDHA-CSP failed in decrypting the health cert with the AES key.
      19HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EKDHA-CSP failed in decrypting the AES key from the EK challenge.
      21HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUBDHA-CSP failed in exporting the AIK Public Key.
      20HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EKDHA-CSP failed in decrypting the health cert with the AES key.
      22HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLYDHA-CSP failed in trying to create a claim with AIK attestation data.
      21HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUBDHA-CSP failed in exporting the AIK Public Key.
      23HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUBDHA-CSP failed in appending the AIK Pub to the request blob.
      22HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLYDHA-CSP failed in trying to create a claim with AIK attestation data.
      24HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERTDHA-CSP failed in appending the AIK Cert to the request blob.
      23HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUBDHA-CSP failed in appending the AIK Pub to the request blob.
      25HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLEDHA-CSP failed to obtain a Session handle.
      24HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERTDHA-CSP failed in appending the AIK Cert to the request blob.
      26HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLEDHA-CSP failed to connect to the DHA-Service.
      25HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLEDHA-CSP failed to obtain a Session handle.
      27HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLEDHA-CSP failed to create a HTTP request handle.
      26HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLEDHA-CSP failed to connect to the DHA-Service.
      28HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTIONDHA-CSP failed to set options.
      27HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLEDHA-CSP failed to create a HTTP request handle.
      29HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERSDHA-CSP failed to add request headers.
      28HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTIONDHA-CSP failed to set options.
      30HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUESTDHA-CSP failed to send the HTTP request.
      29HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERSDHA-CSP failed to add request headers.
      31HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSEDHA-CSP failed to receive a response from the DHA-Service.
      30HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUESTDHA-CSP failed to send the HTTP request.
      32HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERSDHA-CSP failed to query headers when trying to get HTTP status code.
      31HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSEDHA-CSP failed to receive a response from the DHA-Service.
      33HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSEDHA-CSP received an empty response from DHA-Service even though HTTP status was OK.
      32HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERSDHA-CSP failed to query headers when trying to get HTTP status code.
      34HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSEDHA-CSP received an empty response along with a HTTP error code from DHA-Service.
      33HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSEDHA-CSP received an empty response from DHA-Service even though HTTP status was OK.
      35HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USERDHA-CSP failed to impersonate user.
      34HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSEDHA-CSP received an empty response along with a HTTP error code from DHA-Service.
      36HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATORDHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.
      35HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USERDHA-CSP failed to impersonate user.
      0xFFFFHEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWNDHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.
      36HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATORDHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.
      400Bad_Request_From_ClientDHA-CSP has received a bad (malformed) attestation request.
      0xFFFFHEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWNDHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.
      404Endpoint_Not_ReachableDHA-Service is not reachable by DHA-CSP
      400Bad_Request_From_ClientDHA-CSP has received a bad (malformed) attestation request.
      404Endpoint_Not_ReachableDHA-Service is not reachable by DHA-CSP
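Review bot: row 3 (HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE) carries the same description as row 2 (FAILED), "This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.", in both the `-` and the `+` version of the table, so the whitespace pass preserved a copy-paste error; COMPLETE should describe the successful retrieval of the DHA-EncBlob. Rows 7, 9 and 404 are also missing their terminating period.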
      ## DHA-Report V3 schema @@ -1070,12 +1069,12 @@ Each of these are described in further detail in the following sections, along w - + diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md index 78d6b249ea..114abc12f9 100644 --- a/windows/client-management/mdm/hotspot-csp.md +++ b/windows/client-management/mdm/hotspot-csp.md @@ -18,12 +18,12 @@ ms.date: 06/26/2017 The HotSpot configuration service provider is used to configure and enable Internet sharing on the device, in which the device can be configured to share its cellular connection over Wi-Fi with up to eight client devices or computers. > **Note**  HotSpot CSP is only supported in Windows 10 Mobile. - -  - +> +> +> > **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application. -  + The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider. @@ -47,7 +47,7 @@ Specified connections will be mapped, by policy, to the Internet sharing service > **Note**   The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well. -  + If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share @@ -62,7 +62,7 @@ Specified connections will be mapped, by policy, to the Internet sharing service > **Note**   The mapping policy will also include the connections specified in the **DedicatedConnections** as well. -  + If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share 
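Review bot: in the hotspot-csp.md hunk (@@ -18), replacing the blank lines between the two "Note" callouts with bare `>` lines joins them into a single blockquote, so the "HotSpot CSP is only supported in Windows 10 Mobile" note and the ID\_CAP\_CSP\_FOUNDATION capability note will render as one callout; if they are meant to stay separate, leave an unquoted blank line between them.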
@@ -94,7 +94,7 @@ Where `` is the path to the resource dll that contains the stri > **Note**  MOAppLink is required to use the MOHelpMessage setting. -  + **EntitlementRequired** Optional. Specifies whether the device requires an entitlement check to determine if Internet sharing should be enabled. This node is set to a Boolean value. The default value is **True**. @@ -122,12 +122,12 @@ Changes to this node require a reboot. **MinWifiKeyLength** > **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8. -  + **MinWifiSSIDLength** > **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1. -  + ## Additional requirements for CDMA networks @@ -154,7 +154,7 @@ For CDMA networks that use a separate Network Access Identity (NAI) for Internet > **Note**  CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on. -  + ## Creating an Entitlement DLL @@ -196,7 +196,7 @@ During an entitlement check the Internet Sharing service loads the specified DLL -  + The definition for the **ICS\_ENTITLEMENT\_RESULT** is in the header file `IcsEntitlementh`, which ships with the Windows Adaptation Kit. @@ -205,9 +205,9 @@ The definition for the **ICS\_ENTITLEMENT\_RESULT** is in the header file `IcsEn [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/iconfigserviceprovider2.md b/windows/client-management/mdm/iconfigserviceprovider2.md index bd73a16b86..048b953696 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2.md +++ b/windows/client-management/mdm/iconfigserviceprovider2.md @@ -32,23 +32,23 @@ The following table shows the methods defined by this interface that OEMs must i -
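Review bot: in the hotspot-csp.md @@ -122 hunk, "This parm is no longer supported for Windows Phone 8.1." (MinWifiKeyLength and MinWifiSSIDLength) abbreviates "parameter"; spell it out, and keep the enforced minimums (Wi-Fi key length 8, SSID length 1) as they are, since those are the facts an administrator needs.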

      [IConfigServiceProvider2::ConfigManagerNotification](iconfigserviceprovider2configmanagernotification.md)

      +

      IConfigServiceProvider2::ConfigManagerNotification

      Enables ConfigManager2 to send notifications to a configuration service provider of events such as when the configuration service provider is loaded or unloaded, when rollbacks are performed, and when actions are called on nodes.

      -

      [IConfigServiceProvider2::GetNode](iconfigserviceprovider2getnode.md)

      +

      IConfigServiceProvider2::GetNode

      Returns a node from the configuration service provider based on the path relative to the root node.

      -  + ## Related topics [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) -  + diff --git a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md index face49c09f..55f2a25518 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md +++ b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md @@ -99,7 +99,7 @@ The following events are supported by all configuration service providers. *lpParam*
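Review bot: in the IConfigServiceProvider2 methods table hunk (@@ -32), the `+` lines replace "[IConfigServiceProvider2::ConfigManagerNotification](iconfigserviceprovider2configmanagernotification.md)" and "[IConfigServiceProvider2::GetNode](iconfigserviceprovider2getnode.md)" with bare method names, so the cross-references to the per-method pages are gone; if the intent is that Markdown links do not render inside the HTML table, convert them to HTML anchors with the same targets rather than dropping them. The same applies to every row of the ICSPNode methods table and to the ICSPNodeTransactioning references in the icspnodegetnode.md, icspnodeadd.md and icspnodecopy.md hunks later in this patch.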
      • -Normally NULL, but contains a pointer to an IConfigSession2 instance if *cmnfState* is CFGMGR\_NOTIFICATION\_SETSESSIONOBJ. +Normally NULL, but contains a pointer to an IConfigSession2 instance if cmnfState is CFGMGR_NOTIFICATION_SETSESSIONOBJ.

      @@ -137,7 +137,7 @@ Each configuration service provider will receive the relevant BEGIN/END notifica **Header:** None -  + diff --git a/windows/client-management/mdm/iconfigserviceprovider2getnode.md b/windows/client-management/mdm/iconfigserviceprovider2getnode.md index 037e015bc0..c89523b033 100644 --- a/windows/client-management/mdm/iconfigserviceprovider2getnode.md +++ b/windows/client-management/mdm/iconfigserviceprovider2getnode.md @@ -31,18 +31,18 @@ HRESULT GetNode([in] IConfigManager2URI* pURI, *pUri*
      • -URI of the child node, relative to the root node. For example, to access the "./Vendor/Contoso/SampleCSP/ContainerA/UserName" node, ConfigManager2 calls the configuration service provider's `GetNode` method and passes in an IConfigManager2URI instance representing the URI “SampleCSP/ContainerA/UserName”. +URI of the child node, relative to the root node. For example, to access the "./Vendor/Contoso/SampleCSP/ContainerA/UserName" node, ConfigManager2 calls the configuration service provider's GetNode method and passes in an IConfigManager2URI instance representing the URI “SampleCSP/ContainerA/UserName”.

      -*ppNode* +ppNode
      • -If the query is successful, this returns the ICSPNode instance at the *pUri* location in the configuration service provider's tree. +If the query is successful, this returns the ICSPNode instance at the pUri location in the configuration service provider's tree.

      -*pgrfNodeOptions* +pgrfNodeOptions
      • Nodes support the following features. @@ -69,7 +69,7 @@ Nodes support the following features.

        CSPNODE_OPTION_INTERNALTRANSACTION

        0x02

        -

        The internal transactioning option tells ConfigManager2 that the configuration service provider handles the transactioning (rollback and commitment) for the node. To handle internal transactioning, the node must implement the [ICSPNodeTransactioning](icspnodetransactioning.md).

        +

        The internal transactioning option tells ConfigManager2 that the configuration service provider handles the transactioning (rollback and commitment) for the node. To handle internal transactioning, the node must implement the ICSPNodeTransactioning.

        CSPNODE_OPTION_HANDLEALLPROPERTIES
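Review bot: the `+` line of the CSPNODE_OPTION_INTERNALTRANSACTION row now ends "the node must implement the ICSPNodeTransactioning." with a dangling "the" once the link text is gone; write "the ICSPNodeTransactioning interface". The sentence is changed identically in the icspnodeadd.md and icspnodecopy.md hunks below and needs the same fix there.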

        @@ -97,7 +97,7 @@ A value of S\_OK indicates that a node was successfully found. CFGMGR\_E\_NODENO **Header:** None -  + diff --git a/windows/client-management/mdm/icspnode.md b/windows/client-management/mdm/icspnode.md index e23844c5b6..c0a1f975f8 100644 --- a/windows/client-management/mdm/icspnode.md +++ b/windows/client-management/mdm/icspnode.md @@ -35,67 +35,67 @@ The following table shows the methods defined by this interface that OEMs must i -

        [ICSPNode::Add](icspnodeadd.md)

        +

        ICSPNode::Add

        Adds an immediate child to a configuration service provider node and returns a pointer to the new child node.

        -

        [ICSPNode::Clear](icspnodeclear.md)

        -

        Deletes the contents and children of the current configuration service provider node. Called before [ICSPNode::DeleteChild](icspnodedeletechild.md).

        +

        ICSPNode::Clear

        +

        Deletes the contents and children of the current configuration service provider node. Called before ICSPNode::DeleteChild.

        -

        [ICSPNode::Copy](icspnodecopy.md)

        +

        ICSPNode::Copy

        Makes a copy of the current node at the specified path within the configuration service provider. If the target node exists, it should be overwritten.

        -

        [ICSPNode::DeleteChild](icspnodedeletechild.md)

        +

        ICSPNode::DeleteChild

        Deletes the specified child node from the configuration service provider node.

        -

        [ICSPNode::DeleteProperty](icspnodedeleteproperty.md)

        +

        ICSPNode::DeleteProperty

        Deletes a property from a configuration service provider node.

        -

        [ICSPNode::Execute](icspnodeexecute.md)

        +

        ICSPNode::Execute

        Runs a task on an internally-transactioned configuration service provider node by passing in the specified user data and returning a result.

        -

        [ICSPNode::GetChildNodeNames](icspnodegetchildnodenames.md)

        +

        ICSPNode::GetChildNodeNames

        Returns the list of children for a configuration service provider node.

        -

        [ICSPNode::GetProperty](icspnodegetproperty.md)

        +

        ICSPNode::GetProperty

        Returns a property value from a configuration service provider node.

        -

        [ICSPNode::GetPropertyIdentifiers](icspnodegetpropertyidentifiers.md)

        +

        ICSPNode::GetPropertyIdentifiers

        Returns a list of non-standard properties supported by the node. The returned array must be allocated with CoTaskMemAlloc.

        -

        [ICSPNode::GetValue](icspnodegetvalue.md)

        +

        ICSPNode::GetValue

        Gets the value and data type for the node. Interior (non-leaf) nodes may not have a value.

        -

        [ICSPNode::Move](icspnodemove.md)

        +

        ICSPNode::Move

        Moves this node to a new location within the configuration service provider. If the target node already exists, it should be overwritten.

        -

        [ICSPNode::SetProperty](icspnodesetproperty.md)

        +

        ICSPNode::SetProperty

        Sets a property value for a configuration service provider node.

        -

        [ICSPNode::SetValue](icspnodesetvalue.md)

        +

        ICSPNode::SetValue

        Sets the value for the configuration service provider node. It is an error to attempt to set the value of an interior node.

        -  + ## Related topics [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) -  + diff --git a/windows/client-management/mdm/icspnodeadd.md b/windows/client-management/mdm/icspnodeadd.md index 46b7ab3ce3..a373d48773 100644 --- a/windows/client-management/mdm/icspnodeadd.md +++ b/windows/client-management/mdm/icspnodeadd.md @@ -75,7 +75,7 @@ HRESULT Add([in] IConfigManager2URI* pChildName,

        CSPNODE_OPTION_INTERNALTRANSACTION

        0x02

        -

        The internal transactioning option tells ConfigManager2 that the configuration service provider handles the transactioning (rollback and commitment) for the node. To handle internal transactioning, the node must implement the [ICSPNodeTransactioning](icspnodetransactioning.md).

        +

        The internal transactioning option tells ConfigManager2 that the configuration service provider handles the transactioning (rollback and commitment) for the node. To handle internal transactioning, the node must implement the ICSPNodeTransactioning.

        CSPNODE_OPTION_HANDLEALLPROPERTIES

        @@ -90,7 +90,7 @@ HRESULT Add([in] IConfigManager2URI* pChildName, -  + ## Return Value This method returns an ICSPNode and the feature options supported on that child node. If the method returns null, call GetLastError to get the error value. @@ -109,7 +109,7 @@ For externally–transactioned nodes, if this method is implemented, then [ICSPN [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) -  + diff --git a/windows/client-management/mdm/icspnodecopy.md b/windows/client-management/mdm/icspnodecopy.md index 0da3f0c155..0d9ef070a4 100644 --- a/windows/client-management/mdm/icspnodecopy.md +++ b/windows/client-management/mdm/icspnodecopy.md @@ -57,7 +57,7 @@ HRESULT Copy([in] IConfigManager2URI* puriDestination,

        CSPNODE_OPTION_INTERNALTRANSACTION

        0x02

        -

        The internal transactioning option tells ConfigManager2 that the configuration service provider handles the transactioning (rollback and commitment) for the node. To handle internal transactioning, the node must implement the [ICSPNodeTransactioning](icspnodetransactioning.md).

        +

        The internal transactioning option tells ConfigManager2 that the configuration service provider handles the transactioning (rollback and commitment) for the node. To handle internal transactioning, the node must implement the ICSPNodeTransactioning.

        CSPNODE_OPTION_HANDLEALLPROPERTIES

        @@ -72,7 +72,7 @@ HRESULT Copy([in] IConfigManager2URI* puriDestination, -  + ## Return Value A value of S\_OK indicates that the node was successfully copied to the new location. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **Copy** method. diff --git a/windows/client-management/mdm/icspnodegetchildnodenames.md b/windows/client-management/mdm/icspnodegetchildnodenames.md index c2f47b8995..dd7dc2fe59 100644 --- a/windows/client-management/mdm/icspnodegetchildnodenames.md +++ b/windows/client-management/mdm/icspnodegetchildnodenames.md @@ -29,7 +29,7 @@ HRESULT GetChildNodeNames([out] ULONG* pulCount,

        The number of child nodes to return.

        *pbstrNodeNames* -

        The array of child node names. The returned array must be allocated with `CoTaskMemAlloc`. Each element of the array must be a valid, non-NULL `BSTR`, allocated by `SysAllocString` or `SysAllocStringLen`. The names returned must not be encoded in any way, including URI-encoding, for canonicalization reasons.

        +

        The array of child node names. The returned array must be allocated with CoTaskMemAlloc. Each element of the array must be a valid, non-NULL BSTR, allocated by SysAllocString or SysAllocStringLen. The names returned must not be encoded in any way, including URI-encoding, for canonicalization reasons.

        ## Return Value @@ -47,7 +47,7 @@ For externally–transactioned nodes, no additional methods are required for suc [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) -  + diff --git a/windows/client-management/mdm/icspnodegetproperty.md b/windows/client-management/mdm/icspnodegetproperty.md index 84de37e679..4b325efd51 100644 --- a/windows/client-management/mdm/icspnodegetproperty.md +++ b/windows/client-management/mdm/icspnodegetproperty.md @@ -49,7 +49,7 @@ For externally–transactioned nodes, no additional methods are required for suc [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) -  + diff --git a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md index 09b6ee1779..4660b81365 100644 --- a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md +++ b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md @@ -29,7 +29,7 @@ HRESULT GetPropertyIdentifiers([out] ULONG* pulCount,

        The number of non-standard properties to return.

        *pguidProperties* -

        The array of property GUIDs to return. This array must be allocated with `CoTaskMemAlloc`.

        +

        The array of property GUIDs to return. This array must be allocated with CoTaskMemAlloc.

        ## Return Value @@ -47,7 +47,7 @@ For externally–transactioned nodes, no additional methods are required for suc [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) -  + diff --git a/windows/client-management/mdm/icspnodegetvalue.md b/windows/client-management/mdm/icspnodegetvalue.md index 1def6a9a7b..b01be8e614 100644 --- a/windows/client-management/mdm/icspnodegetvalue.md +++ b/windows/client-management/mdm/icspnodegetvalue.md @@ -25,7 +25,7 @@ HRESULT GetValue([in,out] VARIANT* pvarValue); ## Parameters *pvarValue* -

        Data value to return. A node containing a password value returns 16 asterisks (‘\*’) for this method. A leaf node whose value has not been set returns a variant whose type is `VT_NULL`. +

        Data value to return. A node containing a password value returns 16 asterisks (‘*’) for this method. A leaf node whose value has not been set returns a variant whose type is VT_NULL.

        ## Return Value @@ -44,7 +44,7 @@ For externally–transactioned nodes, this node is not required to implement any [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) -  + diff --git a/windows/client-management/mdm/icspnodemove.md b/windows/client-management/mdm/icspnodemove.md index b66aaa9aa0..2740a4caf3 100644 --- a/windows/client-management/mdm/icspnodemove.md +++ b/windows/client-management/mdm/icspnodemove.md @@ -25,7 +25,7 @@ HRESULT Move([in] IConfigManager2URI* puriDestination); ## Parameters *puriDestination* -

        Path and name of the node's new location, relative to the configuration service provider's root node.

        +

        Path and name of the node's new location, relative to the configuration service provider's root node.

        ## Return Value @@ -43,7 +43,7 @@ For externally–transactioned nodes, if this method is implemented, then [ICSPN [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) -  + diff --git a/windows/client-management/mdm/icspnodesetproperty.md b/windows/client-management/mdm/icspnodesetproperty.md index 7c537a911b..d27d12ce60 100644 --- a/windows/client-management/mdm/icspnodesetproperty.md +++ b/windows/client-management/mdm/icspnodesetproperty.md @@ -49,7 +49,7 @@ For externally–transactioned nodes, no additional methods are required for suc [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) -  + diff --git a/windows/client-management/mdm/icspnodesetvalue.md b/windows/client-management/mdm/icspnodesetvalue.md index d9a3176f44..1aa5cbdd52 100644 --- a/windows/client-management/mdm/icspnodesetvalue.md +++ b/windows/client-management/mdm/icspnodesetvalue.md @@ -25,7 +25,7 @@ HRESULT SetValue([in] VARIANT varValue); ## Parameters *varValue* -

        Value to set. To clear a leaf node’s value, set *varValue*’s type to `VT_NULL`.

        +

        Value to set. To clear a leaf node’s value, set varValue’s type to VT_NULL.

        ## Return Value @@ -43,7 +43,7 @@ For externally–transactioned nodes, no additional methods must be implemented [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) -  + diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 3f7d014e30..da6438913d 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md @@ -34,10 +34,10 @@ To make applications WIP-aware, app developers need to include the following dat ``` syntax // Mark this binary as Allowed for WIP (EDP) purpose  -    MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID -     BEGIN -         0x0001 -     END  + MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID + BEGIN + 0x0001 + END  ``` ## Configuring an Azure AD tenant for MAM enrollment @@ -61,13 +61,13 @@ Here is an example provisioning XML for MAM enrollment. ``` syntax -    -    -    -    -    + + + + + + + ``` @@ -151,7 +151,7 @@ We have updated Skype for Business to work with MAM. The following table explain -[Current channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_CB) +Current channel Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. March 9 2017

        Visio Pro for Office 365
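Review bot: In the implement-server-side-mobile-application-management.md @@ -151,7 hunk the `+Current channel` line drops the link `[Current channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_CB)`, leaving the channel name without any reference to the Office update channel documentation. Unless removing the link is intentional, keep it and change only the whitespace.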

        @@ -159,12 +159,12 @@ We have updated Skype for Business to work with MAM. The following table explain

        Office 365 Business (the version of Office that comes with some Office 365 plans, such as Business Premium.)

        -[Deferred channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_CBB) +Deferred channel Provide users with new features of Office only a few times a year. October 10 2017 Office 365 ProPlus -[First release for deferred channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB) +First release for deferred channel Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. June 13 2017 diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index facdcc4168..02f521dce2 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -83,9 +83,9 @@ When an organization wants to move to MDM to manage devices, they should prepare - [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md) - [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224) -  + -  + diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index cb8c526de2..c9c8076463 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -53,7 +53,7 @@ The Store for Business provides services that enable a management tool to synchr -  + ### Offline-licensed application distribution 
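Review bot: The @@ -159,12 hunk of implement-server-side-mobile-application-management.md has the same link loss for `Deferred channel` (#BKMK_CBB) and `First release for deferred channel` (#BKMK_FRCBB): the `+` lines keep the names but drop the URLs. Restore the links if this commit is meant to be whitespace-only.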
@@ -83,39 +83,39 @@ For code samples, see [Microsoft Azure Active Directory Samples and Documentatio Here are the steps to configure your Azure AD app. For additional information, see [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021): -1. Log into Microsoft Azure Management Portal (https:manage.windowsazure.com) -2. Go to the Active Directory module. -3. Select your directory. -4. Click the **Applications** tab. +1. Log into Microsoft Azure Management Portal (https:manage.windowsazure.com) +2. Go to the Active Directory module. +3. Select your directory. +4. Click the **Applications** tab. - ![business store management tool](images/businessstoreportalservices8.png) + ![business store management tool](images/businessstoreportalservices8.png) -5. Click **Add**. +5. Click **Add**. - ![business store management tool](images/businessstoreportalservices9.png) + ![business store management tool](images/businessstoreportalservices9.png) -6. Select **Add an application that my organization is developing**. +6. Select **Add an application that my organization is developing**. - ![business store management tool](images/businessstoreportalservices10.png) + ![business store management tool](images/businessstoreportalservices10.png) -7. Specify a name and then select **WEB APPLICATION AND/OR WEB API**. +7. Specify a name and then select **WEB APPLICATION AND/OR WEB API**. - ![business store management tool](images/businessstoreportalservices11.png) + ![business store management tool](images/businessstoreportalservices11.png) -8. Specify the **SIGN-ON URL** to your application. +8. Specify the **SIGN-ON URL** to your application. - ![business store management tool](images/businessstoreportalservices12.png) + ![business store management tool](images/businessstoreportalservices12.png) -9. Specify whether your app is multi-tenant or single tenant. 
For more information, see [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021). +9. Specify whether your app is multi-tenant or single tenant. For more information, see [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021). - ![business store management tool](images/businessstoreportalservices13.png) + ![business store management tool](images/businessstoreportalservices13.png) 10. Create a client key. ![business store management tool](images/businessstoreportalservices14.png) - > **Note**  In the prior version of the tool, an update to the app manifest was required to authorize the application. This is no longer necessary. -   + > **Note** In the prior version of the tool, an update to the app manifest was required to authorize the application. This is no longer necessary. + 11. Login to Store for Business and enable your application. For step-by-step guide, see [Configure an MDM provider](https://technet.microsoft.com/library/mt606939.aspx). @@ -158,7 +158,7 @@ The diagram below shows the call patterns for acquiring a new or updated applica - [Bulk assign and reclaim seats for users](bulk-assign-and-reclaim-seats-from-user.md) - [Get seats assigned to a user](get-seats-assigned-to-a-user.md) -  + diff --git a/windows/client-management/mdm/maps-csp.md b/windows/client-management/mdm/maps-csp.md index 30e2bd267a..d2e6000b6f 100644 --- a/windows/client-management/mdm/maps-csp.md +++ b/windows/client-management/mdm/maps-csp.md @@ -19,7 +19,7 @@ The Maps configuration service provider (CSP) is used to configure the maps to d > **Note**  The Maps CSP is only supported in Windows 10 Mobile. -  + The following diagram shows the Maps configuration service provider in tree format. 
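Review bot: Step 1 of the management-tool-for-windows-store-for-business.md @@ -83,39 hunk is rewritten but still carries the malformed URL `(https:manage.windowsazure.com)`, which is missing the `//` after the scheme; since the line is touched anyway, write it as `https://manage.windowsazure.com`. The rest of the hunk changes only leading whitespace on the list items and screenshot lines, so check that the image lines still render indented under their numbered steps after the indentation change.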
@@ -31,7 +31,7 @@ Root node. **Packages** Represents the map packages installed on the device. -**Packages/****_Package_** +**Packages/***Package* A GUID that represents a map package. When you add a *Package* node, Windows adds it to the queue for download to the device. See the table below for the list of various maps and corresponding GUIDS. **Packages/*Package*/Status** @@ -122,7 +122,7 @@ Here is a list of GUIDs of the most downloaded reqions. | Wisconsin | 0b5a98f7-489d-4a07-859b-4e01fe9e1b32 | | Wyoming | 360e0c25-a3bb-4e29-939a-3631eae46e9a | -  + Here is an example queuing a map package of New York for download. @@ -160,9 +160,9 @@ Here is an example that gets the status of the New York map package on the devic ``` -  + -  + diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 63d68704b5..60126c6e01 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -24,7 +24,7 @@ In today’s cloud-first world, enterprise IT departments increasingly want to l > **Note**  When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device. -  + ## Connecting corporate-owned Windows 10-based devices @@ -39,7 +39,7 @@ Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Educatio > **Note**  Mobile devices cannot be connected to an Active Directory domain. -  + ### Out-of-box-experience (OOBE) 
@@ -94,7 +94,7 @@ There are a few instances where your device cannot be connected to an Active Dir | You are logged in as a standard user. | Your device can only be connected to an Azure AD domain if you are logged in as an administrative user. You’ll need to switch to an administrator account to continue. | | Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Active Directory domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | -  + ### Connecting your device to an Azure AD domain (Join Azure AD) @@ -167,7 +167,7 @@ There are a few instances where your device cannot be connected to an Azure AD d | Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | | Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Azure AD domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | -  + ## Connecting personally-owned devices (Bring your own device) 
@@ -216,33 +216,33 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an ### Using the Settings app -1. Launch the Settings app. +1. Launch the Settings app. - ![windows settings page](images/unifiedenrollment-rs1-28.png) + ![windows settings page](images/unifiedenrollment-rs1-28.png) -2. Next, navigate to **Accounts**. +2. Next, navigate to **Accounts**. - ![windows settings accounts page](images/unifiedenrollment-rs1-29.png) + ![windows settings accounts page](images/unifiedenrollment-rs1-29.png) -3. Navigate to **Access work or school**. +3. Navigate to **Access work or school**. - ![access work or school](images/unifiedenrollment-rs1-30.png) + ![access work or school](images/unifiedenrollment-rs1-30.png) -4. Click the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934) . For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link). +4. Click the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934) . For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link). - ![connect to work or school](images/unifiedenrollment-rs1-31.png) + ![connect to work or school](images/unifiedenrollment-rs1-31.png) -5. Type in your work email address. +5. Type in your work email address. - ![set up work or school account](images/unifiedenrollment-rs1-32.png) + ![set up work or school account](images/unifiedenrollment-rs1-32.png) -6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. +6. 
If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen. - ![corporate sign in](images/unifiedenrollment-rs1-33-b.png) + ![corporate sign in](images/unifiedenrollment-rs1-33-b.png) - After you complete the flow, your device will be connected to your organization’s MDM. + After you complete the flow, your device will be connected to your organization’s MDM. ### Connecting to MDM on a phone (Enrolling in device management) @@ -283,7 +283,7 @@ There are a few instances where your device may not be able to connect to work, | You don’t have the right privileges to perform this operation. Please talk to your admin. | You cannot enroll your device into MDM as a standard user. You must be on an administrator account. | | We couldn’t auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | -  + ## Connecting your Windows 10-based device to work using a deep link 
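Review bot: In the mdm-enrollment-of-windows-devices.md @@ -216,33 hunk, step 4 is rewritten but keeps the stray space before the period in `(available in servicing build 14393.82, KB3176934) .`; since the line changes anyway, drop that space. The remaining changes in this hunk are indentation only, so verify that the continuation paragraphs and the image under step 6 still render as part of the list item.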
@@ -315,7 +315,7 @@ The deep link used for connecting your device to work will always use the follow When connecting to MDM using a deep link, the URI you should use is **ms-device-enrollment:?mode=mdm** -**ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=https://example.server.com** +**ms-device-enrollment:?mode=mdm&username=someone@example.com&servername=** The following procedure describes how users can connect their devices to MDM using deep links. @@ -384,7 +384,7 @@ Starting in Windows 10, version 1709, you can get the advanced diagnostic report ![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png) -  + diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md index 66d1aba6e2..d7beeeadcc 100644 --- a/windows/client-management/mdm/messaging-csp.md +++ b/windows/client-management/mdm/messaging-csp.md @@ -24,7 +24,7 @@ The following diagram shows the Messaging configuration service provider in tree

        Root node for the Messaging configuration service provider.

        **AuditingLevel** -

        Turns on the "Text" auditing feature.

        +

        Turns on the "Text" auditing feature.

        The following list shows the supported values:

        • 0 (Default) - Off
        • diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 3423a80eba..f4d7d563df 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -18,12 +18,12 @@ ms.date: 06/26/2017 The NAPDEF configuration service provider is used to add, modify, or delete WAP network access points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a. > **Note**  You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list. - -  - +> +> +> > **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. -  + The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. @@ -51,7 +51,7 @@ The only permitted values for this element are "POP" (Password Authentication Pr > **Note**  **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change. -  + **BEARER** Specifies the type of bearer. @@ -131,16 +131,16 @@ The following table shows the Microsoft custom elements that this configuration -  + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 1e2b01c931..f33f6a6ee2 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md 
@@ -41,10 +41,10 @@ The following diagram shows the NetworkQoSPolicy configuration service provider

          The only supported operation is Get. -**_Name_** +***Name***

          Node for the QoS policy name. -**_Name_/IPProtocolMatchCondition** +***Name*/IPProtocolMatchCondition**

          Specifies the IP protocol used to match the network traffic.

          Valid values are: @@ -57,14 +57,14 @@ The following diagram shows the NetworkQoSPolicy configuration service provider

          The supported operations are Add, Get, Delete, and Replace. -**_Name_/AppPathNameMatchCondition** +***Name*/AppPathNameMatchCondition**

          Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe.

          The data type is char.

          The supported operations are Add, Get, Delete, and Replace. -**_Name_/SourcePortMatchCondition** +***Name*/SourcePortMatchCondition**

          Specifies a single port or a range of ports to be used to match the network traffic source.

          Valid values are: @@ -76,7 +76,7 @@ The following diagram shows the NetworkQoSPolicy configuration service provider

          The supported operations are Add, Get, Delete, and Replace. -**_Name_/DestinationPortMatchCondition** +***Name*/DestinationPortMatchCondition**

          Specifies a single source port or a range of ports to be used to match the network traffic destination.

          Valid values are: @@ -88,7 +88,7 @@ The following diagram shows the NetworkQoSPolicy configuration service provider

          The supported operations are Add, Get, Delete, and Replace. -**_Name_/PriorityValue8021Action** +***Name*/PriorityValue8021Action**

          Specifies the IEEE 802.1p priority value to apply to matching network traffic.

          Valid values are 0-7. @@ -97,7 +97,7 @@ The following diagram shows the NetworkQoSPolicy configuration service provider

          The supported operations are Add, Get, Delete, and Replace. -**_Name_/DSCPAction** +***Name*/DSCPAction**

          The differentiated services code point (DSCP) value to apply to matching network traffic.

          Valid values are 0-63. diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 1c0b2881ec..414ac9ccd1 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -91,47 +91,47 @@ For details about Microsoft mobile device management protocols for Windows 10 s -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

          Added the following new policies in Windows 10, version 1903:

          -[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) +EnrollmentStatusTracking CSP

          Added new CSP in Windows 10, version 1903.

          @@ -152,7 +152,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

          Added the following new policies in Windows 10, version 1809:

          • ApplicationManagement/LaunchAppAfterLogOn
          • @@ -215,55 +215,55 @@ For details about Microsoft mobile device management protocols for Windows 10 s
          -[PassportForWork CSP](passportforwork-csp.md) +PassportForWork CSP

          Added new settings in Windows 10, version 1809.

          -[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +EnterpriseModernAppManagement CSP

          Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

          -[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) +Win32CompatibilityAppraiser CSP

          Added new configuration service provider in Windows 10, version 1809.

          -[WindowsLicensing CSP](windowslicensing-csp.md) +WindowsLicensing CSP

          Added S mode settings and SyncML examples in Windows 10, version 1809.

          -[SUPL CSP](supl-csp.md) +SUPL CSP

          Added 3 new certificate nodes in Windows 10, version 1809.

          -[Defender CSP](defender-csp.md) +Defender CSP

          Added a new node Health/ProductStatus in Windows 10, version 1809.

          -[BitLocker CSP](bitlocker-csp.md) +BitLocker CSP

          Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro.

          -[DevDetail CSP](devdetail-csp.md) +DevDetail CSP

          Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

          -[Wifi CSP](wifi-csp.md) +Wifi CSP

          Added a new node WifiCost in Windows 10, version 1809.

          -[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) +WindowsDefenderApplicationGuard CSP

          Added new settings in Windows 10, version 1809.

          -[RemoteWipe CSP](remotewipe-csp.md) +RemoteWipe CSP

          Added new settings in Windows 10, version 1809.

          -[TenantLockdown CSP](tenantlockdown-csp.md) +TenantLockdown CSP

          Added new CSP in Windows 10, version 1809.

          -[Office CSP](office-csp.md) +Office CSP

          Added FinalStatus setting in Windows 10, version 1809.

          @@ -284,7 +284,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

          Added the following new policies for Windows 10, version 1803:

          • ApplicationDefaults/EnableAppUriHandlers
          • @@ -405,11 +405,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s

            Security/RequireDeviceEncryption - updated to show it is supported in desktop.

            -[BitLocker CSP](bitlocker-csp.md) +BitLocker CSP

            Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

            -[DMClient CSP](dmclient-csp.md) +DMClient CSP

            Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

            • AADSendDeviceToken
            • @@ -421,15 +421,15 @@ For details about Microsoft mobile device management protocols for Windows 10 s
            -[Defender CSP](defender-csp.md) +Defender CSP

            Added new node (OfflineScan) in Windows 10, version 1803.

            -[UEFI CSP](uefi-csp.md) +UEFI CSP

            Added a new CSP in Windows 10, version 1803.

            -[Update CSP](update-csp.md) +Update CSP

            Added the following nodes in Windows 10, version 1803:

            • Rollback
            • @@ -439,7 +439,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
            -[AssignedAccess CSP](assignedaccess-csp.md) +AssignedAccess CSP

            Added the following nodes in Windows 10, version 1803:

            • Status
            • @@ -449,58 +449,58 @@ For details about Microsoft mobile device management protocols for Windows 10 s

              Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in Windows Holographic for Business edition. Added example for Windows Holographic for Business edition.

              -[MultiSIM CSP](multisim-csp.md) +MultiSIM CSP

              Added a new CSP in Windows 10, version 1803.

              -[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +EnterpriseModernAppManagement CSP

              Added the following node in Windows 10, version 1803:

              • MaintainProcessorArchitectureOnUpdate
              -[eUICCs CSP](euiccs-csp.md) +eUICCs CSP

              Added the following node in Windows 10, version 1803:

              • IsEnabled
              -[DeviceStatus CSP](devicestatus-csp.md) +DeviceStatus CSP

              Added the following node in Windows 10, version 1803:

              • OS/Mode
              -[AccountManagement CSP](accountmanagement-csp.md) +AccountManagement CSP

              Added a new CSP in Windows 10, version 1803.

              -[RootCATrustedCertificates CSP](rootcacertificates-csp.md) +RootCATrustedCertificates CSP

              Added the following node in Windows 10, version 1803:

              • UntrustedCertificates
              -[NetworkProxy CSP](\networkproxy--csp.md) +NetworkProxy CSP

              Added the following node in Windows 10, version 1803:

              • ProxySettingsPerUser
              -[Accounts CSP](accounts-csp.md) +Accounts CSP

              Added a new CSP in Windows 10, version 1803.

              -[MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat) +MDM Migration Analysis Too (MMAT)

              Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

              -[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download) +CSP DDF files download

              Added the DDF download of Windows 10, version 1803 configuration service providers.

              @@ -521,7 +521,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx) +The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2

              The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

              • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
              • @@ -531,31 +531,31 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

                -[Firewall CSP](firewall-csp.md) +Firewall CSP

                Added new CSP in Windows 10, version 1709.

                -[eUICCs CSP](euiccs-csp.md) +eUICCs CSP

                Added new CSP in Windows 10, version 1709.

                -[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) -New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md). +WindowsDefenderApplicationGuard CSP +New CSP added in Windows 10, version 1709. Also added the DDF topic WindowsDefenderApplicationGuard DDF file. -[CM_ProxyEntries CSP](cm-proxyentries-csp.md) and [CMPolicy CSP](cmpolicy-csp.md) -In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. The table of SKU information in the [Configuration service provider reference](configuration-service-provider-reference.md) was updated. +CM_ProxyEntries CSP and CMPolicy CSP +In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. The table of SKU information in the Configuration service provider reference was updated. -[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) -New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md). +WindowsDefenderApplicationGuard CSP +New CSP added in Windows 10, version 1709. Also added the DDF topic WindowsDefenderApplicationGuard DDF file. -[VPNv2 CSP](vpnv2-csp.md) +VPNv2 CSP

                Added DeviceTunnel and RegisterDNS settings in Windows 10, version 1709.

                -[DeviceStatus CSP](devicestatus-csp.md) +DeviceStatus CSP

                Added the following settings in Windows 10, version 1709:

                • DeviceStatus/DomainName
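Review bot: the WindowsDefenderApplicationGuard CSP entry, with its "New CSP added in Windows 10, version 1709" description, appears twice in this hunk, once before the CM_ProxyEntries/CMPolicy entry and once after it, and the `+` lines reproduce both copies instead of removing the duplicate; keep one. On the CM_ProxyEntries/CMPolicy line, "support for desktop SKUs were added" should read "was added" (the subject is "support"), and since that line is being rewritten anyway this is the moment to fix it. Dropping the link to the WindowsDefenderApplicationGuard DDF file topic also leaves "Also added the DDF topic ..." referring to a topic the reader can no longer reach from here.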
                • @@ -565,7 +565,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
                -[AssignedAccess CSP](assignedaccess-csp.md) +AssignedAccess CSP

                Added the following setting in Windows 10, version 1709.

                • Configuration
                • @@ -573,51 +573,51 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                  Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro.

                  -[DeviceManageability CSP](devicemanageability-csp.md) +DeviceManageability CSP

                  Added the following settings in Windows 10, version 1709:

                    -
                  • Provider/_ProviderID_/ConfigInfo
                  • -
                  • Provider/_ProviderID_/EnrollmentInfo
                  • +
                  • Provider/ProviderID/ConfigInfo
                  • +
                  • Provider/ProviderID/EnrollmentInfo
                  -[Office CSP](office-csp.md) +Office CSP

                  Added the following setting in Windows 10, version 1709:

                  • Installation/CurrentStatus
                  -[DMClient CSP](dmclient-csp.md) +DMClient CSP

                  Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

                  -[Bitlocker CSP](bitlocker-csp.md) +Bitlocker CSP

                  Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.

                  -[ADMX-backed policies in Policy CSP](policy-configuration-service-provider.md#admx-backed-policies) +ADMX-backed policies in Policy CSP

                  Added new policies.

                  Microsoft Store for Business and Microsoft Store

                  Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

                  -[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) +MDM enrollment of Windows-based devices

                  New features in the Settings app:

                  • User sees installation progress of critical policies during MDM enrollment.
                  • User knows what policies, profiles, apps MDM has configured
                  • IT helpdesk can get detailed MDM diagnostic information using client tools
                  -

                  For details, see [Managing connection](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)

                  +

                  For details, see Managing connection and Collecting diagnostic logs

                  -[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) +Enroll a Windows 10 device automatically using Group Policy

                  Added new topic to introduce a new Group Policy for automatic MDM enrollment.

                  -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                  Added the following new policies for Windows 10, version 1709:

                  • Authentication/AllowAadPasswordReset
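Review bot: in the DeviceManageability list, changing `Provider/_ProviderID_/ConfigInfo` to `Provider/ProviderID/ConfigInfo` removes the italics that marked ProviderID as a placeholder; the new text reads as a literal node named ProviderID, which is not what the CSP path means. Use a form that still marks the placeholder, for example `Provider/<ProviderID>/ConfigInfo` inside a code span. Two smaller points in the same hunk: the entry is titled "Bitlocker CSP" here but "BitLocker CSP" in a later hunk of this file, so align the casing while the line is touched; and the `+` line "For details, see Managing connection and Collecting diagnostic logs" loses both the section anchors into mdm-enrollment-of-windows-devices.md and its trailing period.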
                  • @@ -728,7 +728,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -

                    [Update CSP](update-csp.md)

                    +

                    Update CSP

                    Added the following nodes:

                    • FailedUpdates/Failed Update Guid/RevisionNumber
                    • @@ -738,7 +738,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -[CM_CellularEntries CSP](cm-cellularentries-csp.md) +CM_CellularEntries CSP

                      To PurposeGroups setting, added the following values:

                      • Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
                      • @@ -746,7 +746,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
                      -

                      [CertificateStore CSP](certificatestore-csp.md)

                      +

                      CertificateStore CSP

                      Added the following setting:

                      • My/WSTEP/Renew/RetryAfterExpiryInterval
                      • @@ -754,7 +754,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -

                        [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)

                        +

                        ClientCertificateInstall CSP

                        Added the following setting:

                        • SCEP/UniqueID/Install/AADKeyIdentifierList
                        • @@ -762,7 +762,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -

                          [DMAcc CSP](dmacc-csp.md)

                          +

                          DMAcc CSP

                          Added the following setting:

                          • AccountUID/EXT/Microsoft/InitiateSession
                          • @@ -770,7 +770,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -

                            [DMClient CSP](dmclient-csp.md)

                            +

                            DMClient CSP

                            Added the following nodes and settings:

                            • HWDevID
                            • @@ -784,11 +784,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s -

                              [CellularSettings CSP](cellularsettings-csp.md)

                              [CM_CellularEntries CSP](cm-cellularentries-csp.md)

                              [EnterpriseAPN CSP](enterpriseapn-csp.md)

                              +

                              CellularSettings CSP

                              CM_CellularEntries CSP

                              EnterpriseAPN CSP

                              For these CSPs, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.

                              -[SecureAssessment CSP](secureassessment-csp.md) +SecureAssessment CSP

                              Added the following settings:

                              • AllowTextSuggestions
                              • @@ -797,7 +797,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -[EnterpriseAPN CSP](enterpriseapn-csp.md) +EnterpriseAPN CSP

                                Added the following setting:

                                • Roaming
                                • @@ -805,12 +805,12 @@ For details about Microsoft mobile device management protocols for Windows 10 s -[Messaging CSP](messaging-csp.md) +Messaging CSP

                                  Added new CSP. This CSP is only supported in Windows 10 Mobile and Mobile Enteprise editions.

                                  -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                  Added the following new policies:

                                  • Accounts/AllowMicrosoftAccountSignInAssistant
                                  • @@ -918,12 +918,12 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                                  Removed TextInput/AllowLinguisticDataCollection

                                  Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in Windows 10 Mobile Enteprise and IoT Enterprise

                                  Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days.

                                  -

                                  Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.

                                  +

                                  Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.

                                  Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.

                                  Added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files.

                                  -[DevDetail CSP](devdetail-csp.md) +DevDetail CSP

                                  Added the following setting:

                                  • DeviceHardwareData
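Review bot: the `-` and `+` lines for the Browser/HomePages sentence are identical as displayed, so this is a whitespace-only change (trailing space or line ending) that adds churn to the diff; either drop it or make the intended edit visible. The value itself is written as `"<about:blank>"` in plain Markdown, and `<about:blank>` matches the CommonMark autolink form (scheme, colon, no spaces), so the rendered page shows a clickable link and hides the angle brackets that are part of the value; put the value in a code span. The context line "Windows 10 Mobile Enteprise and IoT Enterprise" carries the "Enteprise" typo (as does the Messaging CSP entry in the previous hunk), worth fixing while this region is open.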
                                  • @@ -931,19 +931,19 @@ For details about Microsoft mobile device management protocols for Windows 10 s -[CleanPC CSP](cleanpc-csp.md) +CleanPC CSP

                                    Added new CSP.

                                    -[DeveloperSetup CSP](developersetup-csp.md) +DeveloperSetup CSP

                                    Added new CSP.

                                    -[NetworkProxy CSP](networkproxy-csp.md) +NetworkProxy CSP

                                    Added new CSP.

                                    -[BitLocker CSP](bitlocker-csp.md) +BitLocker CSP

                                    Added new CSP.

                                    Added the following setting:

                                      @@ -952,7 +952,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) +EnterpriseDataProtection CSP

                                      Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.

                                      Added the following settings:

                                      • RevokeOnMDMHandoff
                                      • @@ -960,15 +960,15 @@ For details about Microsoft mobile device management protocols for Windows 10 s
                                      -[DynamicManagement CSP](dynamicmanagement-csp.md) +DynamicManagement CSP

                                      Added new CSP.

                                      -[Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md) +Implement server-side support for mobile application management on Windows

                                      New mobile application management (MAM) support added in Windows 10, version 1703.

                                      -

                                      [PassportForWork CSP](passportforwork-csp.md)

                                      +

                                      PassportForWork CSP

                                      Added the following new node and settings:

                                      • TenantId/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
                                      • @@ -977,19 +977,19 @@ For details about Microsoft mobile device management protocols for Windows 10 s
                                      -[Office CSP](office-csp.md) +Office CSP

                                      Added new CSP.

                                      -[Personalization CSP](personalization-csp.md) +Personalization CSP

                                      Added new CSP.

                                      -[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md) +EnterpriseAppVManagement CSP

                                      Added new CSP.

                                      -[HealthAttestation CSP](healthattestation-csp.md) +HealthAttestation CSP

                                      Added the following settings:

                                      • HASEndpoint - added in Windows 10, version 1607, but not documented
                                      • @@ -997,7 +997,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
                                      -

                                      [SurfaceHub CSP](surfacehub-csp.md)

                                      +

                                      SurfaceHub CSP

                                      Added the following nodes and settings:

                                      • InBoxApps/SkypeForBusiness
                                      • @@ -1016,11 +1016,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s -[NetworkQoSPolicy CSP](networkqospolicy-csp.md) +NetworkQoSPolicy CSP

                                        Added new CSP.

                                        -

                                        [WindowsLicensing CSP](windowslicensing-csp.md)

                                        +

                                        WindowsLicensing CSP

                                        Added the following setting:

                                        • ChangeProductKey
                                        • @@ -1028,7 +1028,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) +WindowsAdvancedThreatProtection CSP

                                          Added the following setting:

                                          • Configuration/TelemetryReportingFrequency
                                          • @@ -1036,11 +1036,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s -[DMSessionActions CSP](dmsessionactions-csp.md) +DMSessionActions CSP

                                            Added new CSP.

                                            -[SharedPC CSP](dmsessionactions-csp.md) +SharedPC CSP

                                            Added new settings in Windows 10, version 1703.

                                            • RestrictLocalStorage
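Review bot: the removed SharedPC CSP entry linked to `dmsessionactions-csp.md`, the same target as the DMSessionActions CSP entry directly above it, so the old link was wrong and the `+` line only removes it. If the links in this table are restored, the SharedPC entry must point at `sharedpc-csp.md`, the target the later SharedPC CSP entry in this file already uses.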
                                            • @@ -1052,14 +1052,14 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                                              The default value for SetEduPolicies changed to false. The default value for SleepTimeout changed to 300.

                                              -[RemoteLock CSP](remotelock-csp.md) +RemoteLock CSP

                                              Added following setting:

                                              • LockAndRecoverPIN
                                              -[NodeCache CSP](nodecache-csp.md) +NodeCache CSP

                                              Added following settings:

                                              • ChangedNodesData
                                              • @@ -1067,40 +1067,40 @@ For details about Microsoft mobile device management protocols for Windows 10 s
                                              -[Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +Download all the DDF files for Windows 10, version 1703

                                              Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF topics of various CSPs.

                                              -[RemoteWipe CSP](remotewipe-csp.md) +RemoteWipe CSP

                                              Added new setting in Windows 10, version 1703.

                                              • doWipeProtected
                                              -[MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224) +MDM Bridge WMI Provider

                                              Added new classes and properties.

                                              -[Understanding ADMX-backed policies](understanding-admx-backed-policies.md) +Understanding ADMX-backed policies

                                              Added a section describing SyncML examples of various ADMX elements.

                                              -[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) +Win32 and Desktop Bridge app policy configuration New topic. -[Deploy and configure App-V apps using MDM](appv-deploy-and-config.md) +Deploy and configure App-V apps using MDM

                                              Added a new topic describing how to deploy and configure App-V apps using MDM.

                                              -[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md) +EnterpriseDesktopAppManagement CSP

                                              Added new setting in the March service release of Windows 10, version 1607.

                                              • MSI/UpgradeCode/[Guid]
                                              -[Reporting CSP](reporting-csp.md) +Reporting CSP

                                              Added new settings in Windows 10, version 1703.

                                              • EnterpriseDataProtection/RetrieveByTimeRange/Type
                                              • @@ -1108,7 +1108,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
                                              -[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link) +Connecting your Windows 10-based device to work using a deep link

                                              Added following deep link parameters to the table:

                                              • Username
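Review bot: this hunk drops two absolute URLs that cannot be recovered from the bare text: the download.microsoft.com zip behind "Download all the DDF files for Windows 10, version 1703" and the msdn.microsoft.com page behind "MDM Bridge WMI Provider". The sentence that follows the first entry says the DDF download link is also available in the individual DDF topics, so the reader has a fallback there, but the MDM Bridge WMI Provider entry has none and should keep its link. Minor: the RemoteWipe and EnterpriseDesktopAppManagement entries introduce a single setting with "Added new setting in ..." followed by a one-item list, while the rest of the file writes "Added the following setting:", so the wording could be aligned while these lines are rewritten.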
                                              • @@ -1123,12 +1123,12 @@ For details about Microsoft mobile device management protocols for Windows 10 s MDM support for Windows 10 S

                                                Updated the following topics to indicate MDM support in Windows 10 S.

                                                -[TPMPolicy CSP](tpmpolicy-csp.md) +TPMPolicy CSP New CSP added in Windows 10, version 1703. @@ -1151,25 +1151,25 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                                                Sideloading of apps

                                                -

                                                Starting in Windows 10, version 1607, sideloading of apps is only allowed through [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md). Product keys (5x5) will no longer be supported to enable sideloading on Windows 10, version 1607 devices.

                                                +

                                                Starting in Windows 10, version 1607, sideloading of apps is only allowed through EnterpriseModernAppManagement CSP. Product keys (5x5) will no longer be supported to enable sideloading on Windows 10, version 1607 devices.

                                                -

                                                New value for [NodeCache CSP](nodecache-csp.md)

                                                -

                                                In [NodeCache CSP](nodecache-csp.md), the value of NodeCache root node starting in Windows 10, version 1607 is com.microsoft/1.0/MDM/NodeCache.

                                                +

                                                New value for NodeCache CSP

                                                +

                                                In NodeCache CSP, the value of NodeCache root node starting in Windows 10, version 1607 is com.microsoft/1.0/MDM/NodeCache.

                                                -[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) +EnterpriseDataProtection CSP

                                                New CSP.

                                                -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                                Removed the following policies:

                                                  -
                                                • DataProtection/AllowAzureRMSForEDP - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
                                                • -
                                                • DataProtection/AllowUserDecryption - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
                                                • -
                                                • DataProtection/EDPEnforcementLevel - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
                                                • -
                                                • DataProtection/RequireProtectionUnderLockConfig - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
                                                • -
                                                • DataProtection/RevokeOnUnenroll - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
                                                • +
                                                • DataProtection/AllowAzureRMSForEDP - moved this policy to EnterpriseDataProtection CSP
                                                • +
                                                • DataProtection/AllowUserDecryption - moved this policy to EnterpriseDataProtection CSP
                                                • +
                                                • DataProtection/EDPEnforcementLevel - moved this policy to EnterpriseDataProtection CSP
                                                • +
                                                • DataProtection/RequireProtectionUnderLockConfig - moved this policy to EnterpriseDataProtection CSP
                                                • +
                                                • DataProtection/RevokeOnUnenroll - moved this policy to EnterpriseDataProtection CSP
                                                • DataProtection/EnterpriseCloudResources - moved this policy to NetworkIsolation policy
                                                • DataProtection/EnterpriseInternalProxyServers - moved this policy to NetworkIsolation policy
                                                • DataProtection/EnterpriseIPRange - moved this policy to NetworkIsolation policy
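Review bot: in the Policy CSP "Removed the following policies" list, the five DataProtection entries lose their "moved this policy to EnterpriseDataProtection CSP" links, while the three entries that follow, moved to the NetworkIsolation policy, are context lines that never carried a link; if the links are kept (the EnterpriseDataProtection CSP entry just above also loses its own), give the NetworkIsolation references a link too so the "moved to" pointers are consistently navigable. In the sideloading paragraph, which is rewritten in this region, "Product keys (5x5) will no longer be supported" uses future tense for a version 1607 behaviour recorded in a change history; "are no longer supported" reads correctly.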
                                                • @@ -1306,7 +1306,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                                                  Updated Security/AntiTheftMode description to clarify what each supported value does.

                                                  -[DMClient CSP](dmclient-csp.md) +DMClient CSP

                                                  Added the following settings:

                                                  • ManagementServerAddressList
                                                  • @@ -1318,11 +1318,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                                                    Removed the EnrollmentID setting.

                                                    -[DeviceManageability CSP](devicemanageability-csp.md) +DeviceManageability CSP

                                                    New CSP.

                                                    -[DeviceStatus CSP](devicestatus-csp.md) +DeviceStatus CSP

                                                    Added the following new settings:

                                                    • DeviceStatus/TPM/SpecificationVersion
                                                    • @@ -1339,23 +1339,23 @@ For details about Microsoft mobile device management protocols for Windows 10 s
                                                    -[AssignedAccess CSP](assignedaccess-csp.md) +AssignedAccess CSP

                                                    Added SyncML examples.

                                                    -[EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md) +EnterpriseAssignedAccess CSP
                                                    • Added a new Folder table entry in the AssignedAccess/AssignedAccessXml description.
                                                    • Updated the DDF and XSD file sections.
                                                    -[SecureAssessment CSP](secureassessment-csp.md) +SecureAssessment CSP

                                                    New CSP for Windows 10, version 1607

                                                    -[DiagnosticLog CSP](diagnosticlog-csp.md) -

                                                    [DiagnosticLog DDF](diagnosticlog-ddf.md)

                                                    +DiagnosticLog CSP +

                                                    DiagnosticLog DDF

                                                    Added version 1.3 of the CSP with two new settings. Added the new 1.3 version of the DDF. Added the following new settings in Windows 10, version 1607.

                                                    • DeviceStateData
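Review bot: the DiagnosticLog description "Added version 1.3 of the CSP with two new settings. Added the new 1.3 version of the DDF. Added the following new settings in Windows 10, version 1607." states the same addition three times; since the title lines of this entry are being rewritten, collapse it to one sentence before the list. The SecureAssessment entry in the same hunk ends "New CSP for Windows 10, version 1607" without a period, unlike the version 1607 entries later in the file, so add it while the line is touched.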
                                                    • @@ -1363,15 +1363,15 @@ For details about Microsoft mobile device management protocols for Windows 10 s
                                                    -[Reboot CSP](reboot-csp.md) +Reboot CSP

                                                    New CSP for Windows 10, version 1607

                                                    -[CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md) +CMPolicyEnterprise CSP

                                                    New CSP for Windows 10, version 1607

                                                    -[VPNv2 CSP](vpnv2-csp.md) +VPNv2 CSP

                                                    Added the following settings for Windows 10, version 1607

                                                    • ProfileName/RouteList/routeRowId/ExclusionRoute
                                                    • @@ -1394,38 +1394,38 @@ For details about Microsoft mobile device management protocols for Windows 10 s
                                                    -[Win32AppInventory CSP](win32appinventory-csp.md) -

                                                    [Win32AppInventory DDF](win32appinventory-ddf-file.md)

                                                    +Win32AppInventory CSP +

                                                    Win32AppInventory DDF

                                                    New CSP for Windows 10, version 1607.

                                                    -[SharedPC CSP](sharedpc-csp.md) +SharedPC CSP

                                                    New CSP for Windows 10, version 1607.

                                                    -[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) +WindowsAdvancedThreatProtection CSP

                                                    New CSP for Windows 10, version 1607.

                                                    -[MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224) +MDM Bridge WMI Provider

                                                    Added new classes for Windows 10, version 1607.

                                                    -[MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) +MDM enrollment of Windows devices

                                                    Topic renamed from "Enrollment UI".

                                                    Completely updated enrollment procedures and screenshots.

                                                    -[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) -

                                                    [UnifiedWriteFilter DDF File](unifiedwritefilter-ddf.md)

                                                    +UnifiedWriteFilter CSP +

                                                    UnifiedWriteFilter DDF File

                                                    Added the following new setting for Windows 10, version 1607:

                                                    • NextSession/HORMEnabled
                                                    -[CertificateStore CSP](certificatestore-csp.md) -

                                                    [CertificateStore DDF file](certificatestore-ddf-file.md)

                                                    +CertificateStore CSP +

                                                    CertificateStore DDF file

                                                    Added the following new settings in Windows 10, version 1607:

                                                    • My/WSTEP/Renew/LastRenewalAttemptTime
                                                    • @@ -1433,7 +1433,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
                                                    -

                                                    [WindowsLicensing CSP](windowslicensing-csp.md)

                                                    +

                                                    WindowsLicensing CSP

                                                    Added the following new node and settings in Windows 10, version 1607, but not documented:

                                                    • Subscriptions
                                                    • @@ -1463,16 +1463,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                                                      New configuration service providers added in Windows 10, version 1511

                                                      New and updated policies in Policy CSP

                                                      -

                                                      The following policies have been added to the [Policy CSP](policy-configuration-service-provider.md):

                                                      +

                                                      The following policies have been added to the Policy CSP:

                                                      • Accounts/DomainNamesForEmailSync
                                                      • ApplicationManagement/AllowWindowsBridgeForAndroidAppsExecution
                                                      • @@ -1505,20 +1505,20 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                                                        Custom header for generic alert

                                                        The MDM-GenericAlert is a new custom header that hosts one or more alert information provided in the http messages sent by the device to the server during an OMA DM session. The generic alert is sent if the session is triggered by the device due to one or more critical or fatal alerts. Here is alert format:

                                                        MDM-GenericAlert: <AlertType1><AlertType2> -

                                                        If present, the MDM-GenericAlert is presented in every the outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1 in this [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).

                                                        +

                                                        If present, the MDM-GenericAlert is presented in every the outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1 in this OMA website.

                                                        Alert message for slow client response

                                                        When the MDM server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending.

                                                        -

                                                        To work around the timeout, you can use EnableOmaDmKeepAliveMessage setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. For details, see EnableOmaDmKeepAliveMessage node in the [DMClient CSP](dmclient-csp.md).

                                                        +

                                                        To work around the timeout, you can use EnableOmaDmKeepAliveMessage setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. For details, see EnableOmaDmKeepAliveMessage node in the DMClient CSP.

                                                        New node in DMClient CSP

                                                        -

                                                        Added a new node EnableOmaDmKeepAliveMessage to the [DMClient CSP](dmclient-csp.md) and updated the ManagementServerAddress to indicate that it can contain a list of URLs.

                                                        +

                                                        Added a new node EnableOmaDmKeepAliveMessage to the DMClient CSP and updated the ManagementServerAddress to indicate that it can contain a list of URLs.

                                                        New nodes in EnterpriseModernAppManagement CSP

                                                        -

                                                        Added the following nodes to the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md):

                                                        +

                                                        Added the following nodes to the EnterpriseModernAppManagement CSP:

                                                        • AppManagement/GetInventoryQuery
                                                        • AppManagement/GetInventoryResults
                                                        • @@ -1531,7 +1531,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                                                          New nodes in EnterpriseExt CSP

                                                          -

                                                          Added the following nodes to the [EnterpriseExt CSP](enterpriseext-csp.md):

                                                          +

                                                          Added the following nodes to the EnterpriseExt CSP:

                                                          • DeviceCustomData (CustomID, CustomeString)
                                                          • Brightness (Default, MaxAuto)
                                                          • @@ -1540,11 +1540,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                                                            New node in EnterpriseExtFileSystem CSP

                                                            -

                                                            Added OemProfile node to [EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md).

                                                            +

                                                            Added OemProfile node to EnterpriseExtFileSystem CSP.

                                                            New nodes in PassportForWork CSP

                                                            -

                                                            Added the following nodes to [PassportForWork CSP](passportforwork-csp.md):

                                                            +

                                                            Added the following nodes to PassportForWork CSP:

                                                            • TenantId/Policies/PINComplexity/History
                                                            • TenantId/Policies/PINComplexity/Expiration
                                                            • @@ -1555,16 +1555,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s

                                                              Updated EnterpriseAssignedAccess CSP

                                                              -

                                                              Here are the changes to the [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md):

                                                              +

                                                              Here are the changes to the EnterpriseAssignedAccess CSP:

                                                              • In AssignedAccessXML node, added new page settings and quick action settings.
                                                              • In AssignedAccessXML node, added an example about how to pin applications in multiple app packages using the AUMID.
                                                              • -
                                                              • Updated the [EnterpriseAssignedAccess XSD](enterpriseassignedaccess-xsd.md) topic.
                                                              • +
                                                              • Updated the EnterpriseAssignedAccess XSD topic.

                                                              New nodes in the DevDetail CSP

                                                              -

                                                              Here are the changes to the [DevDetail CSP](devdetail-csp.md):

                                                              +

                                                              Here are the changes to the DevDetail CSP:

                                                              • Added TotalStore and TotalRAM settings.
                                                              • Added support for Replace command for the DeviceName setting.
                                                              • @@ -1693,7 +1693,7 @@ The following XML sample explains the properties for the EAP TLS XML including c >[!NOTE] >For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements. -  + ``` syntax @@ -1796,7 +1796,7 @@ The following XML sample explains the properties for the EAP TLS XML including c >[!NOTE] >The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd** -  + Alternatively you can use the following procedure to create an EAP Configuration XML. @@ -1856,7 +1856,7 @@ No. Only one MDM is allowed. 5. Set quota to unlimited. ![aad maximum joined devices](images/faq-max-devices.png) -  + ### **What is dmwappushsvc?** @@ -1887,10 +1887,10 @@ How do I turn if off? | The service can be stopped from the "Services" console o ### April 2019 -|New or updated topic | Description| -|--- | ---| -|[Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)|Added the following warning at the end of the Overview section:
                                                                Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined.| -|[Policy CSP - UserRights](policy-csp-userrights.md)|Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag () to wrap the data fields.| +| New or updated topic | Description | +|-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:
                                                                Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. | +| [Policy CSP - UserRights](policy-csp-userrights.md) | Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag () to wrap the data fields. | ### March 2019 @@ -1941,31 +1941,31 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[BitLocker CSP](bitlocker-csp.md) +BitLocker CSP

                                                                Added support for Windows 10 Pro starting in the version 1809.

                                                                -[Office CSP](office-csp.md) +Office CSP

                                                                Added FinalStatus setting in Windows 10, version 1809.

                                                                -[RemoteWipe CSP](remotewipe-csp.md) +RemoteWipe CSP

                                                                Added new settings in Windows 10, version 1809.

                                                                -[TenantLockdown CSP](\tenantlockdown-csp.md) +TenantLockdown CSP

                                                                Added new CSP in Windows 10, version 1809.

                                                                -[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) +WindowsDefenderApplicationGuard CSP

                                                                Added new settings in Windows 10, version 1809.

                                                                -[Policy DDF file](policy-ddf-file.md) +Policy DDF file

                                                                Posted an updated version of the Policy DDF for Windows 10, version 1809.

                                                                -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                                                Added the following new policies in Windows 10, version 1809:

                                                                • Browser/AllowFullScreenMode
                                                                • @@ -2019,46 +2019,46 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[AssignedAccess CSP](assignedaccess-csp.md) +AssignedAccess CSP

                                                                  Added the following note:

                                                                  • You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
                                                                  -[PassportForWork CSP](passportforwork-csp.md) +PassportForWork CSP

                                                                  Added new settings in Windows 10, version 1809.

                                                                  -[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +EnterpriseModernAppManagement CSP

                                                                  Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

                                                                  -[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) +Win32CompatibilityAppraiser CSP

                                                                  Added new configuration service provider in Windows 10, version 1809.

                                                                  -[WindowsLicensing CSP](windowslicensing-csp.md) +WindowsLicensing CSP

                                                                  Added S mode settings and SyncML examples in Windows 10, version 1809.

                                                                  -[SUPL CSP](supl-csp.md) +SUPL CSP

                                                                  Added 3 new certificate nodes in Windows 10, version 1809.

                                                                  -[Defender CSP](defender-csp.md) +Defender CSP

                                                                  Added a new node Health/ProductStatus in Windows 10, version 1809.

                                                                  -[BitLocker CSP](bitlocker-csp.md) +BitLocker CSP

                                                                  Added a new node AllowStandardUserEncryption in Windows 10, version 1809.

                                                                  -[DevDetail CSP](devdetail-csp.md) +DevDetail CSP

                                                                  Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

                                                                  -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                                                  Added the following new policies in Windows 10, version 1809:

                                                                  • ApplicationManagement/LaunchAppAfterLogOn
                                                                  • @@ -2109,11 +2109,11 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[Wifi CSP](wifi-csp.md) +Wifi CSP

                                                                    Added a new node WifiCost in Windows 10, version 1809.

                                                                    -[Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md) +Diagnose MDM failures in Windows 10

                                                                    Recent changes:

                                                                    • Added procedure for collecting logs remotely from Windows 10 Holographic.
                                                                    • @@ -2121,11 +2121,11 @@ How do I turn if off? | The service can be stopped from the "Services" console o
                                                                    -[Bitlocker CSP](bitlocker-csp.md) +Bitlocker CSP

                                                                    Added new node AllowStandardUserEncryption in Windows 10, version 1809.

                                                                    -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                                                    Recent changes:

                                                                    • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration - removed from docs. Not supported.
                                                                    • @@ -2147,7 +2147,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
                                                                    -[WiredNetwork CSP](wirednetwork-csp.md) +WiredNetwork CSP New CSP added in Windows 10, version 1809. @@ -2169,11 +2169,11 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[Policy DDF file](policy-ddf-file.md) +Policy DDF file

                                                                    Updated the DDF files in the Windows 10 version 1703 and 1709.
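Review bot: the replacement `+Policy DDF file` drops the link target `policy-ddf-file.md` that the removed line `-[Policy DDF file](policy-ddf-file.md)` carried, so this change-history entry no longer points the reader at the topic it describes; unless the rendered table supplies that link in some way not visible in this hunk, keep the markdown link in the topic column. While this row is being touched, the unchanged description `Updated the DDF files in the Windows 10 version 1703 and 1709.` reads better as `Updated the DDF files for Windows 10, versions 1703 and 1709.`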

                                                                    @@ -2194,7 +2194,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) +WindowsDefenderApplicationGuard CSP

                                                                    Added the following node in Windows 10, version 1803:

                                                                    • Settings/AllowVirtualGPU
                                                                    • @@ -2202,26 +2202,26 @@ How do I turn if off? | The service can be stopped from the "Services" console o
                                                                    -[NetworkProxy CSP](\networkproxy--csp.md) +NetworkProxy CSP

                                                                    Added the following node in Windows 10, version 1803:

                                                                    • ProxySettingsPerUser
                                                                    -[Accounts CSP](accounts-csp.md) +Accounts CSP

                                                                    Added a new CSP in Windows 10, version 1803.

                                                                    -[MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat) +MDM Migration Analysis Too (MMAT)

                                                                    Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

                                                                    -[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download) +CSP DDF files download

                                                                    Added the DDF download of Windows 10, version 1803 configuration service providers.

                                                                    -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                                                    Added the following new policies for Windows 10, version 1803:

                                                                    • Bluetooth/AllowPromptedProximalConnections
                                                                    • @@ -2253,40 +2253,40 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[eUICCs CSP](euiccs-csp.md) +eUICCs CSP

                                                                      Added the following node in Windows 10, version 1803:

                                                                      • IsEnabled
                                                                      -[DeviceStatus CSP](devicestatus-csp.md) +DeviceStatus CSP

                                                                      Added the following node in Windows 10, version 1803:

                                                                      • OS/Mode
                                                                      -[Understanding ADMX-backed policies](understanding-admx-backed-policies.md) +Understanding ADMX-backed policies

                                                                      Added the following videos:

                                                                      -[AccountManagement CSP](accountmanagement-csp.md) +AccountManagement CSP

                                                                      Added a new CSP in Windows 10, version 1803.

                                                                      -[RootCATrustedCertificates CSP](rootcacertificates-csp.md) +RootCATrustedCertificates CSP

                                                                      Added the following node in Windows 10, version 1803:

                                                                      • UntrustedCertificates
                                                                      -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                                                      Added the following new policies for Windows 10, version 1803:

                                                                      • ApplicationDefaults/EnableAppUriHandlers
                                                                      • @@ -2305,19 +2305,19 @@ How do I turn if off? | The service can be stopped from the "Services" console o

                                                                      Added a new section:

                                                                        -
                                                                      • [Policies supported by GP](policy-configuration-service-provider.md#policies-supported-by-gp) - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.
                                                                      • +
                                                                      • Policies supported by GP - list of policies in Policy CSP that has corresponding Group Policy. The policy description contains the GP information, such as GP policy name and variable name.
                                                                      -[Policy CSP - Bluetooth](policy-csp-bluetooth.md) -

                                                                      Added new section [ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide).

                                                                      +Policy CSP - Bluetooth +

                                                                      Added new section ServicesAllowedList usage guide.

                                                                      -[MultiSIM CSP](multisim-csp.md) +MultiSIM CSP

                                                                      Added SyncML examples and updated the settings descriptions.

                                                                      -[RemoteWipe CSP](remotewipe-csp.md) +RemoteWipe CSP

                                                                      Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.
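Review bot: the two section anchors in this hunk are lost rather than restyled: `[Policies supported by GP](policy-configuration-service-provider.md#policies-supported-by-gp)` and `[ServicesAllowedList usage guide](policy-csp-bluetooth.md#servicesallowedlist-usage-guide)` both become bare text, so `Added new section ServicesAllowedList usage guide.` no longer tells the reader where that section lives; keep the fragment links. The carried-over description also has a grammar slip that should be fixed while the line is rewritten: `list of policies in Policy CSP that has corresponding Group Policy` should read `that have a corresponding Group Policy`, and `Reverted back to Windows 10, version 1709.` can drop the redundant `back`.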

                                                                      @@ -2338,7 +2338,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                                                      Added the following new policies for Windows 10, version 1803:

                                                                      • Display/DisablePerProcessDpiForApps
                                                                      • @@ -2356,11 +2356,11 @@ How do I turn if off? | The service can be stopped from the "Services" console o
                                                                          -[VPNv2 ProfileXML XSD](vpnv2-profile-xsd.md) +VPNv2 ProfileXML XSD

                                                                          Updated the XSD and Plug-in profile example for VPNv2 CSP.

                                                                          -[AssignedAccess CSP](assignedaccess-csp.md) +AssignedAccess CSP

                                                                          Added the following nodes in Windows 10, version 1803:

                                                                          • Status
                                                                          • @@ -2370,11 +2370,11 @@ How do I turn if off? | The service can be stopped from the "Services" console o

                                                                            Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in Windows Holographic for Business edition. Added example for Windows Holographic for Business edition.

                                                                            -[MultiSIM CSP](multisim-csp.md) +MultiSIM CSP

                                                                            Added a new CSP in Windows 10, version 1803.

                                                                            -[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +EnterpriseModernAppManagement CSP

                                                                            Added the following node in Windows 10, version 1803:

                                                                            • MaintainProcessorArchitectureOnUpdate
                                                                            • @@ -2398,7 +2398,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                                                              Added the following new policies for Windows 10, version 1803:

                                                                              • Browser/AllowConfigurationUpdateForBooksLibrary
                                                                              • @@ -2497,15 +2497,15 @@ How do I turn if off? | The service can be stopped from the "Services" console o

                                                                                Security/RequireDeviceEncryption - updated to show it is supported in desktop.

                                                                                -[BitLocker CSP](bitlocker-csp.md) +BitLocker CSP

                                                                                Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

                                                                                -[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +EnterpriseModernAppManagement CSP

                                                                                Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.

                                                                                -[DMClient CSP](dmclient-csp.md) +DMClient CSP

                                                                                Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

                                                                                • AADSendDeviceToken
                                                                                • @@ -2517,15 +2517,15 @@ How do I turn if off? | The service can be stopped from the "Services" console o
                                                                                -[Defender CSP](defender-csp.md) +Defender CSP

                                                                                Added new node (OfflineScan) in Windows 10, version 1803.

                                                                                -[UEFI CSP](uefi-csp.md) +UEFI CSP

                                                                                Added a new CSP in Windows 10, version 1803.

                                                                                -[Update CSP](update-csp.md) +Update CSP

                                                                                Added the following nodes in Windows 10, version 1803:

                                                                                • Rollback
                                                                                • @@ -2552,8 +2552,8 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[Configuration service provider reference](configuration-service-provider-reference.md) -

                                                                                  Added new section [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)

                                                                                  +Configuration service provider reference +

                                                                                  Added new section CSP DDF files download
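Review bot: the `+` lines in the hunks ending here strip every cross-reference from the change-history rows without replacing it, e.g. `-[DMClient CSP](dmclient-csp.md)` becomes `+DMClient CSP` and `[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)` becomes plain `CSP DDF files download`, so a row that announces a new node or a new section no longer leads to the topic that documents it. If the intent of the patch is whitespace cleanup, keep the link syntax on the `+` side; if the links are being removed deliberately, the PR description should state why, since the rows for newly added CSPs (the UEFI CSP row, "Added a new CSP in Windows 10, version 1803") are exactly where a reader needs the link.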

                                                                                  @@ -2573,7 +2573,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                                                                  Added the following policies for Windows 10, version 1709:

                                                                                  • Authentication/AllowFidoDeviceSignon
                                                                                  • @@ -2611,11 +2611,11 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[Policy DDF file](policy-ddf-file.md) +Policy DDF file

                                                                                    Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.

                                                                                    -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                                                                    Updated the following policies:

                                                                                    • Defender/ControlledFolderAccessAllowedApplications - string separator is |.
                                                                                    • @@ -2623,15 +2623,15 @@ How do I turn if off? | The service can be stopped from the "Services" console o
                                                                                    -[eUICCs CSP](euiccs-csp.md) +eUICCs CSP

                                                                                    Added new CSP in Windows 10, version 1709.

                                                                                    -[AssignedAccess CSP](assignedaccess-csp.md) +AssignedAccess CSP

                                                                                    Added SyncML examples for the new Configuration node.

                                                                                    -[DMClient CSP](dmclient-csp.md) +DMClient CSP

                                                                                    Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.
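Review bot: the `@@ -2573,7`, `@@ -2611,11` and `@@ -2623,15` hunks drop links rather than cleaning them, for example `-[eUICCs CSP](euiccs-csp.md)` to `+eUICCs CSP` on a row whose only content is "Added new CSP in Windows 10, version 1709", which leaves the reader no path to the new topic, and `-[Policy DDF file](policy-ddf-file.md)` to `+Policy DDF file` on a row that is specifically about a download link. Restore the `[title](file.md)` form on the `+` lines; while this hunk is open, the unchanged line "Updated the DDF content for Windows 10 version 1709" could also take the comma used everywhere else on the page ("Windows 10, version 1709").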

                                                                                    @@ -2653,7 +2653,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                                                                    Added the following new policies for Windows 10, version 1709:

                                                                                    • Authentication/AllowAadPasswordReset
                                                                                    • @@ -2664,7 +2664,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o

                                                                                      Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.

                                                                                      -[AssignedAccess CSP](assignedaccess-csp.md) +AssignedAccess CSP

                                                                                      Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.
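Review bot: in the `@@ -2653,7` and `@@ -2664,7` hunks `-[Policy CSP](policy-configuration-service-provider.md)` and `-[AssignedAccess CSP](assignedaccess-csp.md)` are reduced to bare titles; the AssignedAccess row exists only to say the CSP is now supported in Windows 10 Pro, and without the link to `assignedaccess-csp.md` that statement points nowhere. Keep the links, or explain in the PR description why the history table should stop linking to the CSP topics.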

                                                                                      @@ -2672,7 +2672,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o

                                                                                      Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

                                                                                      -The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx) +The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2

                                                                                      The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

                                                                                      • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
                                                                                      • @@ -2682,26 +2682,26 @@ How do I turn if off? | The service can be stopped from the "Services" console o

                                                                                        For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

                                                                                        -[EntepriseAPN CSP](enterpriseapn-csp.md) +EntepriseAPN CSP

                                                                                        Added a SyncML example.

                                                                                        -[VPNv2 CSP](vpnv2-csp.md) +VPNv2 CSP

                                                                                        Added RegisterDNS setting in Windows 10, version 1709.

                                                                                        -[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) +Enroll a Windows 10 device automatically using Group Policy

                                                                                        Added new topic to introduce a new Group Policy for automatic MDM enrollment.

                                                                                        -[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) +MDM enrollment of Windows-based devices

                                                                                        New features in the Settings app:

                                                                                        • User sees installation progress of critical policies during MDM enrollment.
                                                                                        • User knows what policies, profiles, apps MDM has configured
                                                                                        • IT helpdesk can get detailed MDM diagnostic information using client tools
                                                                                        -

                                                                                        For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)

                                                                                        +

                                                                                        For details, see Managing connections and Collecting diagnostic logs
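Review bot: in the `@@ -2682,26` hunk the line `+EntepriseAPN CSP` carries the misspelling straight over from `-[EntepriseAPN CSP](enterpriseapn-csp.md)`; since the line is being rewritten anyway, spell it `EnterpriseAPN CSP` to match the target file `enterpriseapn-csp.md`. The same hunk replaces `[Managing connections](mdm-enrollment-of-windows-devices.md#managing-connections)` and `[Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)` with unlinked text, so the "For details, see" sentence no longer has anything to see, and the `@@ -2672,7` hunk drops the external reference `https://msdn.microsoft.com/library/mt221945.aspx` from the `[MS-MDE2]` entry even though the text below it sends readers to section 4.3.1 of that protocol document. Keep the link targets on the `+` lines.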

                                                                                        @@ -2721,22 +2721,22 @@ How do I turn if off? | The service can be stopped from the "Services" console o -[Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md) +Enable ADMX-backed policies in MDM

                                                                                        Added new step-by-step guide to enable ADMX-backed policies.

                                                                                        -[Mobile device enrollment](mobile-device-enrollment.md) +Mobile device enrollment

                                                                                        Added the following statement:

                                                                                        • Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
                                                                                        -[CM\_CellularEntries CSP](cm-cellularentries-csp.md) +CM_CellularEntries CSP

                                                                                        Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

                                                                                        -[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) +EnterpriseDataProtection CSP

                                                                                        Updated the Settings/EDPEnforcementLevel values to the following:

                                                                                        • 0 (default) – Off / No protection (decrypts previously protected data).
                                                                                        • @@ -2746,30 +2746,30 @@ How do I turn if off? | The service can be stopped from the "Services" console o
                                                                                        -[AppLocker CSP](applocker-csp.md) -

                                                                                        Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in [Whitelist examples](applocker-csp.md#whitelist-examples).

                                                                                        +AppLocker CSP +

                                                                                        Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Whitelist examples.

                                                                                        -[DeviceManageability CSP](devicemanageability-csp.md) +DeviceManageability CSP

                                                                                        Added the following settings in Windows 10, version 1709:

                                                                                          -
                                                                                        • Provider/_ProviderID_/ConfigInfo
                                                                                        • -
                                                                                        • Provider/_ProviderID_/EnrollmentInfo
                                                                                        • +
                                                                                        • Provider/ProviderID/ConfigInfo
                                                                                        • +
                                                                                        • Provider/ProviderID/EnrollmentInfo
                                                                                        -[Office CSP](office-csp.md) +Office CSP

                                                                                        Added the following setting in Windows 10, version 1709:

                                                                                        • Installation/CurrentStatus
                                                                                        -[BitLocker CSP](bitlocker-csp.md) +BitLocker CSP Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. -[Firewall CSP](firewall-csp.md) +Firewall CSP Updated the CSP and DDF topics. Here are the changes:
                                                                                        • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
                                                                                        • @@ -2779,8 +2779,8 @@ How do I turn if off? | The service can be stopped from the "Services" console o
                                                                                        -[Policy DDF file](policy-ddf-file.md) -Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies: +Policy DDF file +Added another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies:
                                                                                        • Browser/AllowMicrosoftCompatibilityList
                                                                                        • Update/DisableDualScan
                                                                                        • @@ -2788,7 +2788,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
                                                                                        -[Policy CSP](policy-configuration-service-provider.md) +Policy CSP

                                                                                        Added the following new policies for Windows 10, version 1709:

                                                                                        • Browser/ProvisionFavorites
                                                                                        • @@ -2829,7 +2829,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
                                                                                        • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
                                                                                        • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess
                                                                                        -

                                                                                        Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

                                                                                        +

                                                                                        Added links to the additional ADMX-backed BitLocker policies.

                                                                                        There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:

                                                                                        • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
                                                                                        • diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index 9725beb2d3..2e9c9128db 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -59,7 +59,7 @@ Required. Root node for cached nodes. Scope is dynamic. Supported operation is Get. -**/Nodes/****_NodeID_** +**/Nodes/***NodeID* Optional. Information about each cached node is stored under *NodeID* as specified by the server. This value must not contain a comma. Scope is dynamic. Supported operations are Get, Add, and Delete. @@ -357,9 +357,9 @@ The value inside of the node tag is the actual value returned by the Uri, which [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 88fd1042e5..844b2f1336 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -64,7 +64,7 @@ The following table shows the OMA DM standards that Windows uses.

                                                                                          DM protocol commands

                                                                                          -

                                                                                          The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).

                                                                                          +

                                                                                          The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.

                                                                                          • Add (Implicit Add supported)

                                                                                          • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.

                                                                                          • @@ -123,23 +123,22 @@ The following table shows the OMA DM standards that Windows uses.

                                                                                            Provisioning Files

                                                                                            -

                                                                                            Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.

                                                                                            +

                                                                                            Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.

                                                                                            If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.

                                                                                            -Note   -

                                                                                            To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.

                                                                                            +Note

                                                                                            To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.

                                                                                            -  +

                                                                                            WBXML support

                                                                                            -

                                                                                            Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.

                                                                                            +

                                                                                            Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.

                                                                                            Handling of large objects

                                                                                            -

                                                                                            In Windows 10, version 1511, client support for uploading large objects to the server was added.

                                                                                            +

                                                                                            In Windows 10, version 1511, client support for uploading large objects to the server was added.
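Review bot: the `@@ -2746,30` hunk changes `Provider/_ProviderID_/ConfigInfo` and `Provider/_ProviderID_/EnrollmentInfo` to `Provider/ProviderID/ConfigInfo` and `Provider/ProviderID/EnrollmentInfo`, which turns the italicised placeholder into what reads as a literal node name; keep `ProviderID` marked up as a placeholder, as the `nodecache-csp.md` hunk in this same patch does with `*NodeID*`. The `@@ -2779,8` hunk drops the URL `https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml` while keeping the word "download", and the `oma-dm-protocol-support.md` hunks drop both the `https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/` reference and the `https://go.microsoft.com/fwlink/p/?LinkId=526905` link to the SyncML Representation Protocol specification that the provisioning and WBXML paragraphs tell readers to consult (section 8); those targets should stay on the `+` lines. Finally, the `-Note   -` to `+Note` change leaves a bare `Note` label on its own line; the `> [!NOTE]` callout that `policy-configuration-service-provider.md` uses within this same patch would render it as a proper note.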

                                                                                            @@ -210,10 +209,10 @@ Common elements are used by other OMA DM element types. The following table list

                                                                                            SessionID

                                                                                            Specifies the identifier of the OMA DM session associated with the containing message.

                                                                                            -Note  If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes. +Note If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.
                                                                                            -  +
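Review bot: the `Note` label on the `+Note If the server does not notify the device ...` line in the `@@ -210,10` hunk is still plain text run into the sentence after this change, which only collapses the double space after it; since the line is being rewritten, put the sentence under a `> [!NOTE]` callout (the form `policy-configuration-service-provider.md` uses elsewhere in this patch) and tidy "returns the SessionID in integer in decimal format" to "returns the SessionID as an integer in decimal format" at the same time. The `-  +` change that follows only drops whitespace and needs nothing further.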
                                                                                            @@ -373,13 +372,13 @@ When using SyncML in OMA DM, there are standard response status codes that are r | 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. | | 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. | -  + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) -  + diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 0fd5f359a5..206ca69d61 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -15,7 +15,7 @@ ms.date: 05/01/2019 # Policy CSP -The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. +The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. The Policy configuration service provider has the following sub-categories: @@ -57,12 +57,12 @@ The following diagram shows the Policy configuration service provider in tree fo

                                                                                            Supported operation is Get. -**Policy/Config/****_AreaName_** +**Policy/Config/***AreaName*

                                                                                            The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.

                                                                                            Supported operations are Add, Get, and Delete. -**Policy/Config/****_AreaName/PolicyName_** +**Policy/Config/***AreaName/PolicyName*

                                                                                            Specifies the name/value pair used in the policy.

                                                                                            The following list shows some tips to help you when configuring policies: @@ -70,7 +70,7 @@ The following diagram shows the Policy configuration service provider in tree fo - Separate substring values by the Unicode &\#xF000; in the XML file. > [!NOTE] -> A query from a different caller could provide a different value as each caller could have different values for a named policy. +> A query from a different caller could provide a different value as each caller could have different values for a named policy. - In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. - Supported operations are Add, Get, Delete, and Replace. @@ -81,12 +81,12 @@ The following diagram shows the Policy configuration service provider in tree fo

                                                                                            Supported operation is Get. -**Policy/Result/****_AreaName_** +**Policy/Result/***AreaName*

                                                                                            The area group that can be configured by a single technology independent of the providers.

                                                                                            Supported operation is Get. -**Policy/Result/****_AreaName/PolicyName_** +**Policy/Result/***AreaName/PolicyName*

                                                                                            Specifies the name/value pair used in the policy.

                                                                                            Supported operation is Get. @@ -97,36 +97,36 @@ The following diagram shows the Policy configuration service provider in tree fo

                                                                                            Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall** -

                                                                                            Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md). +

                                                                                            Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration. > [!NOTE] > The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/library/cc179097.aspx). -

                                                                                            ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}`. +

                                                                                            ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.

                                                                                            Supported operations are Add, Get, and Delete. -**Policy/ConfigOperations/ADMXInstall/****_AppName_** +**Policy/ConfigOperations/ADMXInstall/***AppName*

                                                                                            Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.

                                                                                            Supported operations are Add, Get, and Delete. -**Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy** +**Policy/ConfigOperations/ADMXInstall/***AppName*/Policy

                                                                                            Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.

                                                                                            Supported operations are Add, Get, and Delete. -**Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy/_UniqueID_** +**Policy/ConfigOperations/ADMXInstall/***AppName*/Policy/*UniqueID*

                                                                                            Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import.

                                                                                            Supported operations are Add and Get. Does not support Delete. -**Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference** +**Policy/ConfigOperations/ADMXInstall/***AppName*/Preference

                                                                                            Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.

                                                                                            Supported operations are Add, Get, and Delete. -**Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference/_UniqueID_** +**Policy/ConfigOperations/ADMXInstall/***AppName*/Preference/*UniqueID*

                                                                                            Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import.

                                                                                            Supported operations are Add and Get. Does not support Delete. @@ -1403,8 +1403,7 @@ The following diagram shows the Policy configuration service provider in tree fo

                                                                                            InternetExplorer/DisableActiveXVersionListAutoDownload -
                                                                                            -
                                                                                            +

                                                                                            InternetExplorer/DisableAdobeFlash
                                                                                            
@@ -5398,29 +5397,29 @@ The following diagram shows the Policy configuration service provider in tree fo ## Policies that can be set using Exchange Active Sync (EAS) -- [Browser/AllowBrowser](#browser-allowbrowser) -- [Camera/AllowCamera](#camera-allowcamera) -- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) -- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) -- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow) -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) -- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) -- [Wifi/AllowWiFi](#wifi-allowwifi) - +- [Browser/AllowBrowser](#browser-allowbrowser) +- [Camera/AllowCamera](#camera-allowcamera) +- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) +- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) +- 
[Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) +- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) +- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) +- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) +- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) +- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) +- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) +- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) +- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) +- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow) +- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) +- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) +- [System/AllowStorageCard](#system-allowstoragecard) +- [System/TelemetryProxy](#system-telemetryproxy) +- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) +- [Wifi/AllowWiFi](#wifi-allowwifi) + ## Examples diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 788996c9d3..722bfbdd40 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md 
@@ -76,9 +76,9 @@ Note: Wild card characters cannot be used when specifying the host URLs. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index 5b256f687b..96fb236ede 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -73,9 +73,9 @@ If you disable or do not configure this policy setting, users will need to sign > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 281f313ca0..a1c25ca11b 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -151,9 +151,9 @@ This policy setting allows you to enable or disable Microsoft Application Virtua > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -209,9 +209,9 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -267,9 +267,9 @@ Enables automatic cleanup of appv packages that were added after Windows10 anniv > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -325,9 +325,9 @@ Enables scripts defined in the package manifest of configuration files that shou > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -383,9 +383,9 @@ Enables a UX to display to the user when a publishing refresh is performed on th > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -451,9 +451,9 @@ Data Block Size: This value specifies the maximum size in bytes to transmit to t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -509,9 +509,9 @@ Specifies the file paths relative to %userprofile% that do not roam with a user' > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -567,9 +567,9 @@ Specifies the registry paths that do not roam with a user profile. Example usage > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -625,9 +625,9 @@ Specifies how new packages should be loaded automatically by App-V on a specific > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -683,9 +683,9 @@ Migration mode allows the App-V client to modify shortcuts and FTA's for package > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -741,9 +741,9 @@ Specifies the location where symbolic links are created to the current version o > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -799,9 +799,9 @@ Specifies the location where symbolic links are created to the current version o > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -875,9 +875,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -951,9 +951,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1027,9 +1027,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1103,9 +1103,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1179,9 +1179,9 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1237,9 +1237,9 @@ Specifies the path to a valid certificate in the certificate store. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1295,9 +1295,9 @@ This setting controls whether virtualized applications are launched on Windows 8 > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1353,9 +1353,9 @@ Specifies the CLSID for a compatible implementation of the IAppvPackageLocationP > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1411,9 +1411,9 @@ Specifies directory where all new applications and updates will be installed. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1469,9 +1469,9 @@ Overrides source location for downloading package content. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1527,9 +1527,9 @@ Specifies the number of seconds between attempts to reestablish a dropped sessio > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1585,9 +1585,9 @@ Specifies the number of times to retry a dropped session. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1643,9 +1643,9 @@ Specifies that streamed package contents will be not be saved to the local hard > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1701,9 +1701,9 @@ If enabled, the App-V client will support BrancheCache compatible HTTP streaming > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1759,9 +1759,9 @@ Verifies Server certificate revocation status before streaming using HTTPS. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1817,9 +1817,9 @@ Specifies a list of process paths (may contain wildcards) which are candidates f > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 3c01e9d16c..6253a5f07d 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md 
@@ -82,9 +82,9 @@ If you do not configure this policy setting, Windows marks file attachments with > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -146,9 +146,9 @@ If you do not configure this policy setting, Windows hides the check box and Unb > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -210,9 +210,9 @@ If you do not configure this policy setting, Windows does not call the registere > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 2b478378d5..183ee25611 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -509,8 +509,8 @@ Value type is string. - [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) - [Authentication/PreferredAadTenantDomainName](#authentication-preferredaadtenantdomainname) - -
                                                                                            + +
                                                                                            Footnotes: diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index 6482bcf810..6991b2357f 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -81,9 +81,9 @@ If you disable or do not configure this policy setting, AutoPlay is enabled for > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -153,9 +153,9 @@ If you disable or not configure this policy setting, Windows Vista or later will > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -226,9 +226,9 @@ Note: This policy setting appears in both the Computer Configuration and User Co > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 76cbb587d6..12986ccfe5 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -358,8 +358,8 @@ The default value is an empty string. For more information, see [ServicesAllowed - [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) - [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) - [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) - -
                                                                                            + +
                                                                                            Footnotes: diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index a869a6c060..1ba7caf16f 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -2470,7 +2470,7 @@ Most restricted value: 0    > [!NOTE] > This policy has no effect when the Browser/HomePages policy is not configured.  -  + > [!IMPORTANT] > This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy). @@ -2601,7 +2601,7 @@ Most restricted value: 0 > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -  + @@ -3400,14 +3400,14 @@ Most restricted value: 1 >*Supported versions: Microsoft Edge on Windows 10, version 1709 or later* [!INCLUDE [provision-favorites-shortdesc](../../../browsers/edge/shortdesc/provision-favorites-shortdesc.md)] -  + Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off. To define a default list of favorites: 1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**. 2. Click **Import from another browser**, click **Export to file** and save the file. -3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision.

                                                                                            Specify the URL as:

                                                                                            • HTTP location: "SiteList"=http://localhost:8080/URLs.html
                                                                                            • Local network: "SiteList"="\network\shares\URLs.html"
                                                                                            • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
                                                                                            +3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision.

                                                                                            Specify the URL as:

                                                                                            • HTTP location: "SiteList"=
                                                                                            • Local network: "SiteList"="\network\shares\URLs.html"
                                                                                            • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
                                                                                            >[!IMPORTANT] @@ -3831,7 +3831,7 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
                                                                                            1. Open Internet Explorer and add some favorites. -
                                                                                            2. Open Microsoft Edge, then select **Hub > Favorites**. +
                                                                                            3. Open Microsoft Edge, then select Hub > Favorites.
                                                                                            4. Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge.
                                                                                            diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 975745ccbe..626376e2ba 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -100,18 +100,18 @@ Footnote: ## Camera policies that can be set using Exchange Active Sync (EAS) -- [Camera/AllowCamera](#camera-allowcamera) - +- [Camera/AllowCamera](#camera-allowcamera) + ## Camera policies supported by IoT Core -- [Camera/AllowCamera](#camera-allowcamera) - +- [Camera/AllowCamera](#camera-allowcamera) + ## Camera policies supported by Microsoft Surface Hub -- [Camera/AllowCamera](#camera-allowcamera) - +- [Camera/AllowCamera](#camera-allowcamera) + diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 874e20e5e3..09a587860d 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -313,9 +313,9 @@ If this policy setting is disabled or is not configured, the link to the per-app > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -341,18 +341,18 @@ Footnote: ## Cellular policies that can be set using Exchange Active Sync (EAS) -- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) - +- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) + ## Cellular policies supported by IoT Core -- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) - +- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) + ## Cellular policies supported by Microsoft Surface Hub -- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) - +- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui) + diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index b6ffd8d3af..6a794dd7a4 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -640,9 +640,9 @@ Also, see the "Web-based printing" policy setting in Computer Configuration/Admi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -706,9 +706,9 @@ If you disable or do not configure this policy setting, users can download print > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -772,9 +772,9 @@ See the documentation for the web publishing and online ordering wizards for mor > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -825,7 +825,7 @@ ADMX Info: -Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com. +Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com. Value type is integer. @@ -885,9 +885,9 @@ If you enable this policy, Windows only allows access to the specified UNC paths > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -949,9 +949,9 @@ If you disable this setting or do not configure it, the user will be able to cre > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index da2d9b35dd..1eb6215b47 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -84,9 +84,9 @@ To configure Windows Hello for Business, use the Administrative Template policie > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -148,9 +148,9 @@ Note that the user's domain password will be cached in the system vault when usi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -228,7 +228,7 @@ Footnote: ## CredentialProviders policies supported by IoT Core -- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon) -- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword) - +- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon) +- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword) + diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index 79fd716fc5..0d204f9001 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md 
@@ -75,9 +75,9 @@ If you disable or do not configure this policy setting, Restricted Administratio > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index 91fdbe7e29..1c535f7394 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -82,9 +82,9 @@ The policy applies to all Windows components and applications that use the Windo > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -144,9 +144,9 @@ If you disable this policy setting, users will always be required to type a user > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 9ff8a844eb..b7e7fa115c 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -105,9 +105,9 @@ Footnote: # Cryptography policies supported by Microsoft Surface Hub -- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) -- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) - +- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy) +- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites) + diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 882bd8253b..efbd0b0ba5 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md 
@@ -123,7 +123,7 @@ The following list shows the supported values: > [!IMPORTANT] > This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. -  + Setting used by Windows 8.1 Selective Wipe. > [!NOTE] @@ -145,6 +145,6 @@ Footnote: ## DataProtection policies supported by IoT Core -- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) - +- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess) + diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 1b88ce9075..acd292df91 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -95,9 +95,9 @@ If this policy setting is disabled or is not configured, the cost of 4G connecti > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index b98e04463c..536b67fd62 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md 
@@ -252,7 +252,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -  + Allows or disallows Windows Defender Behavior Monitoring functionality. @@ -563,7 +563,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -  + Allows or disallows Windows Defender IOAVP Protection functionality. @@ -803,7 +803,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -  + Allows or disallows a scanning of network files. @@ -1099,7 +1099,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -  + Represents the average CPU load factor for the Windows Defender scan (in percent). @@ -1243,7 +1243,7 @@ Added in Windows 10, version 1709. This policy setting determines how aggressive If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site. -      + > [!Note] > This feature requires the "Join Microsoft MAPS" setting enabled in order to function. @@ -1481,7 +1481,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -  + Time period (in days) that quarantine items will be stored on the system. @@ -1890,7 +1890,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -  + Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". 
@@ -2008,7 +2008,7 @@ Allows an administrator to specify a list of files opened by processes to ignore > [!IMPORTANT] > The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path. -  + Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". @@ -2249,13 +2249,13 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -  + Selects the time of day that the Windows Defender quick scan should run. > [!NOTE] > The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. -  + For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. @@ -2607,7 +2607,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -  + Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. @@ -2674,7 +2674,7 @@ Valid values: 0–24. > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -  + Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data. 
@@ -2738,11 +2738,11 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -  + Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. -This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3 +This value is a list of threat severity level IDs and corresponding actions, separated by a| using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3 The following list shows the supported values for threat severity levels: 
@@ -2787,32 +2787,32 @@ Footnote: ## Defender policies supported by Microsoft Surface Hub -- [Defender/AllowArchiveScanning](#defender-allowarchivescanning) -- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) -- [Defender/AllowCloudProtection](#defender-allowcloudprotection) -- [Defender/AllowEmailScanning](#defender-allowemailscanning) -- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives) -- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning) -- [Defender/AllowIOAVProtection](#defender-allowioavprotection) -- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem) -- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection) -- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring) -- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles) -- [Defender/AllowScriptScanning](#defender-allowscriptscanning) -- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess) -- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor) -- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware) -- [Defender/ExcludedExtensions](#defender-excludedextensions) -- [Defender/ExcludedPaths](#defender-excludedpaths) -- [Defender/ExcludedProcesses](#defender-excludedprocesses) -- [Defender/PUAProtection](#defender-puaprotection) -- [Defender/RealTimeScanDirection](#defender-realtimescandirection) -- [Defender/ScanParameter](#defender-scanparameter) -- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime) -- [Defender/ScheduleScanDay](#defender-schedulescanday) -- [Defender/ScheduleScanTime](#defender-schedulescantime) -- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval) -- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) -- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) - +- 
[Defender/AllowArchiveScanning](#defender-allowarchivescanning) +- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring) +- [Defender/AllowCloudProtection](#defender-allowcloudprotection) +- [Defender/AllowEmailScanning](#defender-allowemailscanning) +- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives) +- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning) +- [Defender/AllowIOAVProtection](#defender-allowioavprotection) +- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem) +- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection) +- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring) +- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles) +- [Defender/AllowScriptScanning](#defender-allowscriptscanning) +- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess) +- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor) +- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware) +- [Defender/ExcludedExtensions](#defender-excludedextensions) +- [Defender/ExcludedPaths](#defender-excludedpaths) +- [Defender/ExcludedProcesses](#defender-excludedprocesses) +- [Defender/PUAProtection](#defender-puaprotection) +- [Defender/RealTimeScanDirection](#defender-realtimescandirection) +- [Defender/ScanParameter](#defender-scanparameter) +- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime) +- [Defender/ScheduleScanDay](#defender-schedulescanday) +- [Defender/ScheduleScanTime](#defender-schedulescantime) +- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval) +- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) +- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) + 
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 227ecc8101..dd2a915a30 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -838,7 +838,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -  + Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20. @@ -895,7 +895,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -  + Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. @@ -954,7 +954,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. -  + Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization. The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth). 
@@ -1613,9 +1613,9 @@ Added in Windows 10, version 1803. Specifies the maximum background downloa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1679,9 +1679,9 @@ Added in Windows 10, version 1803. Specifies the maximum foreground downloa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1779,22 +1779,22 @@ This policy allows an IT Admin to define the following: ## DeliveryOptimization policies supported by Microsoft Surface Hub -- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize) -- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching) -- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode) -- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid) -- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage) -- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize) -- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth) -- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth) -- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos) -- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer) -- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache) -- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer) -- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) -- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) -- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) - +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching) +- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode) +- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid) +- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize) +- 
[DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth) +
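Review bot: replacing the empty separator lines with `>` in the @@ -1613 and @@ -1679 `[!TIP]` blocks is the right fix: a blank line terminates a blockquote, so the `You must specify the data type ...` and `The payload of the SyncML must be XML-encoded ...` paragraphs were rendering as two detached quotes rather than as the continuation of the TIP callout. While on these lines, the unescaped `<Format>chr</Format>` in the context line is raw HTML to a Markdown renderer and may be parsed as an element instead of shown as text, leaving the sentence reading "specify the data type in the SyncML as ."; wrap it in a code span so the element name is displayed literally.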
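Review bot: in the @@ -838, @@ -895 and @@ -954 hunks the removed line is not empty but holds a non-breaking space (U+00A0); a line containing only U+00A0 is not a blank line to a CommonMark parser, so it acted as a lazy continuation of the preceding `[!NOTE]` blockquote and the following `Specifies the maximum ...` paragraph was at risk of being pulled into the note. The empty replacement line restores the paragraph break. Since the same artifact recurs in policy-csp-devicelock.md in this change, a repository-wide sweep for remaining U+00A0-only lines (for example `grep -rn $'\xC2\xA0' --include='*.md' .`) would catch the rest in one pass.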
                                                                                            diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 90f6b5f36a..3d779f0c64 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -74,9 +74,9 @@ If you enable this setting, users are unable to type a new location in the Targe > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -102,6 +102,6 @@ Footnote: ## Desktop policies supported by Microsoft Surface Hub -- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders) - +- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders) + diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index ee0cb46e92..29bff22868 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md 
@@ -93,9 +93,9 @@ Peripherals can be specified by their [hardware identity](https://docs.microsoft > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -204,9 +204,9 @@ Peripherals can be specified by their [hardware identity](https://docs.microsoft > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -316,9 +316,9 @@ If you disable or do not configure this policy setting, the setting in the Devic > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -390,9 +390,9 @@ If you disable or do not configure this policy setting, Windows is allowed to in > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -499,9 +499,9 @@ Peripherals can be specified by their [hardware identity](https://docs.microsoft > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -516,7 +516,7 @@ ADMX Info:
                                                                                            -To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true. +To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use &#xF000; as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true. ``` syntax @@ -601,9 +601,9 @@ Peripherals can be specified by their [hardware identity](https://docs.microsoft > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 3de4e004f7..dcc8261939 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md 
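Review bot: in the @@ -516 hunk, changing the empty code span to `&#xF000;` does not make the delimiter visible: the Markdown renderer decodes the entity to the private-use character U+F000, which has no glyph, so the rendered sentence still reads "use  as a delimiter" exactly as before. Either put the entity text itself inside a code span (backticks around `&#xF000;`) or spell it out ("the Unicode private-use character U+F000, written `&#xF000;` in the SyncML payload") so a reader knows what to place between `USB\Composite` and `USB\Class_FF` in the SyncML that follows.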
@@ -119,7 +119,7 @@ manager: dansimp > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. -  + Specifies whether the user must input a PIN or password when the device resumes from an idle state. > [!NOTE] @@ -176,7 +176,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. -  + Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. > [!NOTE] @@ -359,7 +359,7 @@ Specifies whether device lock is enabled. > This policy must be wrapped in an Atomic command. > > Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. -  + > [!IMPORTANT] @@ -883,7 +883,7 @@ The default value is 1. The following list shows the supported values and actual

                                                                                            Desktop Microsoft Accounts

                                                                                            1,2

                                                                                            - +<p2

                                                                                            Desktop Domain Accounts

                                                                                            @@ -1077,9 +1077,9 @@ If you enable this setting, users will no longer be able to enable or disable lo > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1139,9 +1139,9 @@ If you enable this setting, users will no longer be able to modify slide show se > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1194,7 +1194,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. -  + Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices. Minimum supported value is 10. 
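Review bot: the @@ -359 hunk in policy-csp-devicelock.md matters more than it looks: the removed U+00A0 line sits between the NOTE blockquote that ends `Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions.` and the `> [!IMPORTANT]` that follows, and because a U+00A0-only line is not blank in CommonMark the two callouts were being merged into a single blockquote; the empty line now separates them. The @@ -883 hunk, by contrast, cannot be reviewed in this rendering: between the `Desktop Microsoft Accounts` / `1,2` and `Desktop Domain Accounts` cells only `- +<p2` survives, so the actual edit to the HTML table is not visible; confirm the cell markup renders correctly before merging.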
diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index 3c266f829b..8535ed7dc0 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md @@ -96,9 +96,9 @@ If you disable or do not configure this policy setting, then the default consent > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -158,9 +158,9 @@ If you disable or do not configure this policy setting, the Turn off Windows Err > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -224,9 +224,9 @@ See also the Configure Error Reporting policy setting. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -286,9 +286,9 @@ If you disable or do not configure this policy setting, then consent policy sett > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -348,9 +348,9 @@ If you disable or do not configure this policy setting, Windows Error Reporting > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index 55458a2b41..5ca67b16c6 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -85,9 +85,9 @@ Note: Old events may or may not be retained according to the "Backup log automat > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -147,9 +147,9 @@ If you disable or do not configure this policy setting, the maximum size of the > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -209,9 +209,9 @@ If you disable or do not configure this policy setting, the maximum size of the > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -271,9 +271,9 @@ If you disable or do not configure this policy setting, the maximum size of the > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index 67a1882e64..f0c7dbd3e0 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -72,9 +72,9 @@ Disabling data execution prevention can allow certain legacy plug-in application > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -130,9 +130,9 @@ Disabling heap termination on corruption can allow certain legacy plug-in applic > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index b95f11d20d..7e8466865c 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -830,9 +830,9 @@ If you disable or do not configure this policy setting, the user can configure t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -893,9 +893,9 @@ If you disable or do not configure this policy setting, ActiveX Filtering is not > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -962,9 +962,9 @@ If you disable this policy setting, the list is deleted. The 'Deny all add-ons u > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1026,9 +1026,9 @@ If you do not configure this setting, the user has the freedom of turning on Aut > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1089,9 +1089,9 @@ If you disable or do not configure this policy setting, the user can choose whet > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1156,9 +1156,9 @@ If the "Prevent access to Delete Browsing History" policy setting is enabled, th > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1221,9 +1221,9 @@ If you do not configure this policy, users will be able to turn on or turn off E > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1286,9 +1286,9 @@ If you do not configure this policy setting, users can change the Suggestions se > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1360,9 +1360,9 @@ If you disable or don't configure this policy setting, the menu option won't app > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1423,9 +1423,9 @@ If you disable or don't configure this policy setting, Internet Explorer opens a > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1487,9 +1487,9 @@ If you disable this policy, system defaults will be used. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1550,9 +1550,9 @@ If you disable or do not configure this policy setting, the user can add and rem > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1615,9 +1615,9 @@ If you do not configure this policy setting, Internet Explorer uses an Internet > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1684,9 +1684,9 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1753,9 +1753,9 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1822,9 +1822,9 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1891,9 +1891,9 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1960,9 +1960,9 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -2029,9 +2029,9 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -2098,9 +2098,9 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -2161,9 +2161,9 @@ If you disable or do not configure this policy setting, Internet Explorer does n > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -2221,7 +2221,7 @@ Internet Explorer has 4 security zones, numbered 1-4, and these are used by this If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site.  For each entry that you add to the list, enter the following information: -Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter http://www.contoso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. +Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. 
Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. @@ -2235,9 +2235,9 @@ The list is a set of pairs of strings. Each string is seperated by F000. Each pa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -2325,9 +2325,9 @@ If you do not configure this policy, users can choose to run or install files wi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
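Review bot: The @@ -2221 hunk introduces a regression: the replacement line drops the example URL, leaving `For example, if you enter as the valuename, other protocols are not affected.` with nothing after "enter". The removed line read `if you enter http://www.contoso.com as the valuename`, and the sentence only makes sense with the URL present, because the point being made is that a valuename that includes a scheme scopes the zone assignment to that scheme alone while a bare host (`www.contoso.com`) covers http, https, ftp and so on. Restore the example, preferably as inline code (`http://www.contoso.com`) so it is not auto-linked or stripped again. The blockquote continuation fix in the rest of the hunk is fine.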
@@ -2390,9 +2390,9 @@ If you do not configure this policy setting, the user can turn on and turn off t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -2459,9 +2459,9 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -2528,9 +2528,9 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -2597,9 +2597,9 @@ Note. It is recommended to configure template policy settings in one Group Polic > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -2662,9 +2662,9 @@ If you do not configure this policy setting, Internet Explorer will not check se > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -2727,9 +2727,9 @@ If you do not configure this policy, Internet Explorer will not check the digita > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -2794,9 +2794,9 @@ If you do not configure this policy setting, Internet Explorer requires consiste > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -2857,9 +2857,9 @@ If you disable or do not configure this setting, IE continues to download update > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -2933,9 +2933,9 @@ Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -2996,9 +2996,9 @@ If you disable or do not configure this policy setting, the user can bypass Smar > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -3059,9 +3059,9 @@ If you disable or do not configure this policy setting, the user can bypass Smar > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -3122,9 +3122,9 @@ If you disable or do not configure this policy setting, the user can use the Com > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -3196,9 +3196,9 @@ If you disable or do not configure this policy setting, a user can set the numbe > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -3259,9 +3259,9 @@ If you disable or do not configure this policy setting, the crash detection feat > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -3324,9 +3324,9 @@ If you do not configure this policy setting, the user can choose to participate > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -3391,9 +3391,9 @@ If the "Prevent access to Delete Browsing History" policy setting is enabled, th > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -3454,9 +3454,9 @@ If you disable or do not configure this policy setting, the user can set the Fee > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -3519,9 +3519,9 @@ Note: SSL 2.0 is off by default and is no longer supported starting with Windows > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -3582,9 +3582,9 @@ If you disable or do not configure this policy setting, the user can synchronize > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -3660,9 +3660,9 @@ If you disable or do not configure this policy setting, Internet Explorer may ru > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -3727,9 +3727,9 @@ If you don't configure this setting, users can turn this behavior on or off, usi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -3792,9 +3792,9 @@ If you do not configure this policy setting, browser geolocation support can be > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -3865,9 +3865,9 @@ If you disable or do not configure this policy setting, the Home page box is ena > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -3928,9 +3928,9 @@ If you disable or do not configure this policy setting, the user can choose to i > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -3995,9 +3995,9 @@ If you do not configure this policy setting, InPrivate Browsing can be turned on > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -4062,9 +4062,9 @@ If you don't configure this policy setting, users can turn this feature on or of > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -4125,9 +4125,9 @@ If you disable or do not configure this policy setting, the user can configure p > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -4188,9 +4188,9 @@ If you disable or do not configure this policy setting, the user can change the > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -4253,9 +4253,9 @@ Note: If the “Disable Changing Home Page Settings” policy is enabled, the us > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -4316,9 +4316,9 @@ If you disable or do not configure this policy setting, the feature is turned on > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -4380,9 +4380,9 @@ This policy is intended to help the administrator maintain version control for I > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -4445,9 +4445,9 @@ If you do not configure this policy setting, users can choose to turn the auto-c > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -4523,9 +4523,9 @@ If you disable or do not configure this policy setting, Internet Explorer notifi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -4591,9 +4591,9 @@ Also, see the "Security zones: Use only machine settings" policy. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -4659,9 +4659,9 @@ Also, see the "Security zones: Use only machine settings" policy. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -4724,9 +4724,9 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -4793,9 +4793,9 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -4858,9 +4858,9 @@ If you do not configure this policy setting, users choose whether to force local > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -4923,9 +4923,9 @@ If you do not configure this policy setting, users choose whether network paths > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -4988,9 +4988,9 @@ If you do not configure this policy setting, users cannot load a page in the zon > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -5053,9 +5053,9 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -5116,9 +5116,9 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -5183,9 +5183,9 @@ If you do not configure this policy setting, a script can perform a clipboard op > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -5248,9 +5248,9 @@ If you do not configure this policy setting, users can drag files or copy and pa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -5313,9 +5313,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -5378,9 +5378,9 @@ If you do not configure this policy setting, Web sites from less privileged zone > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -5443,9 +5443,9 @@ If you do not configure this policy setting, the user can decide whether to load > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -5508,9 +5508,9 @@ If you do not configure this policy setting, Internet Explorer will execute unsi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -5571,9 +5571,9 @@ If you disable this policy setting, the user does not see the per-site ActiveX p > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -5634,9 +5634,9 @@ If you disable this policy setting, the TDC Active X control will run from all s > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -5699,9 +5699,9 @@ If you do not configure this policy setting, the possible harmful actions contai > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -5764,9 +5764,9 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -5829,9 +5829,9 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -5896,9 +5896,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -5959,9 +5959,9 @@ If you disable or do not configure this policy setting, script is not allowed to > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -6024,9 +6024,9 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -6091,9 +6091,9 @@ If you do not configure or disable this policy setting, VBScript is prevented fr > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -6156,9 +6156,9 @@ If you don't configure this policy setting, Internet Explorer always checks with > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -6221,9 +6221,9 @@ If you do not configure this policy setting, users are queried whether to downlo > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -6286,9 +6286,9 @@ If you do not configure this policy setting, users cannot run unsigned controls. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -6349,9 +6349,9 @@ If you disable this policy setting, the XSS Filter is turned off for sites in th > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -6416,9 +6416,9 @@ In Internet Explorer 9 and earlier versions, if you disable this policy or do no > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -6483,9 +6483,9 @@ In Internet Explorer 9 and earlier versions, if you disable this policy setting > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -6548,9 +6548,9 @@ If you do not configure this policy setting, the MIME Sniffing Safety Feature wi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -6613,9 +6613,9 @@ If you do not configure this policy setting, the user can turn on or turn off Pr > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -6678,9 +6678,9 @@ If you do not configure this policy setting, the user can choose whether path in > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -6745,9 +6745,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -6849,9 +6849,9 @@ If you do not configure this policy setting, the permission is set to High Safet > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -6914,9 +6914,9 @@ If you do not configure this policy setting, users are queried to choose whether > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -6987,9 +6987,9 @@ If you do not configure this policy setting, logon is set to Automatic logon onl > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -7052,9 +7052,9 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -7117,9 +7117,9 @@ If you do not configure this policy setting, Internet Explorer will execute sign > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -7182,9 +7182,9 @@ If you do not configure this policy setting, the user can configure how the comp > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -7247,9 +7247,9 @@ If you do not configure this policy setting, most unwanted pop-up windows are pr > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -7312,9 +7312,9 @@ If you do not configure this policy setting, users are queried to choose whether > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -7377,9 +7377,9 @@ If you do not configure this policy setting, users will receive a prompt when a > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -7440,9 +7440,9 @@ If you disable or do not configure this setting, users will receive a file downl > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -7505,9 +7505,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -7570,9 +7570,9 @@ If you do not configure this policy setting, Web sites from less privileged zone > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -7635,9 +7635,9 @@ If you do not configure this policy setting, Internet Explorer will execute unsi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -7700,9 +7700,9 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -7767,9 +7767,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -7832,9 +7832,9 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -7897,9 +7897,9 @@ If you don't configure this policy setting, Internet Explorer won't check with y > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -7964,9 +7964,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -8035,9 +8035,9 @@ If you do not configure this policy setting, the permission is set to Medium Saf > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -8100,9 +8100,9 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -8165,9 +8165,9 @@ If you do not configure this policy setting, users can load a page in the zone t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -8230,9 +8230,9 @@ If you do not configure this policy setting, users will receive a prompt when a > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -8293,9 +8293,9 @@ If you disable or do not configure this setting, users will receive a file downl > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -8358,9 +8358,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -8423,9 +8423,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -8488,9 +8488,9 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -8553,9 +8553,9 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -8620,9 +8620,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -8685,9 +8685,9 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -8750,9 +8750,9 @@ If you don't configure this policy setting, Internet Explorer won't check with y > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -8817,9 +8817,9 @@ If you do not configure this policy setting, users are queried whether to allow > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -8888,9 +8888,9 @@ If you do not configure this policy setting, the permission is set to Medium Saf > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -8953,9 +8953,9 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -9018,9 +9018,9 @@ If you do not configure this policy setting, users cannot load a page in the zon > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -9083,9 +9083,9 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -9146,9 +9146,9 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -9211,9 +9211,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -9276,9 +9276,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -9341,9 +9341,9 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -9406,9 +9406,9 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -9473,9 +9473,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -9538,9 +9538,9 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -9605,9 +9605,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -9676,9 +9676,9 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -9741,9 +9741,9 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -9812,9 +9812,9 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -9877,9 +9877,9 @@ If you do not configure this policy setting, users are queried to choose whether > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -9942,9 +9942,9 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -10005,9 +10005,9 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -10070,9 +10070,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -10135,9 +10135,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -10200,9 +10200,9 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -10265,9 +10265,9 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -10332,9 +10332,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -10397,9 +10397,9 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -10464,9 +10464,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -10529,9 +10529,9 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -10594,9 +10594,9 @@ If you do not configure this policy setting, users can load a page in the zone t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -10659,9 +10659,9 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -10722,9 +10722,9 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -10787,9 +10787,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -10852,9 +10852,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -10917,9 +10917,9 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -10982,9 +10982,9 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -11049,9 +11049,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -11114,9 +11114,9 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -11181,9 +11181,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -11252,9 +11252,9 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -11317,9 +11317,9 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -11382,9 +11382,9 @@ If you do not configure this policy setting, users cannot load a page in the zon > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -11447,9 +11447,9 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -11510,9 +11510,9 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -11575,9 +11575,9 @@ If you do not configure this policy setting, users are queried whether to allow > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -11640,9 +11640,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -11705,9 +11705,9 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -11770,9 +11770,9 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -11837,9 +11837,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -11902,9 +11902,9 @@ If you do not configure this policy setting, users cannot preserve information i > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -11969,9 +11969,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -12040,9 +12040,9 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -12105,9 +12105,9 @@ If you do not configure this policy setting, users cannot open other windows and > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -12170,9 +12170,9 @@ If you do not configure this policy setting, users can load a page in the zone t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -12235,9 +12235,9 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -12298,9 +12298,9 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -12363,9 +12363,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -12428,9 +12428,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -12493,9 +12493,9 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -12558,9 +12558,9 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -12625,9 +12625,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -12690,9 +12690,9 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -12757,9 +12757,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -12828,9 +12828,9 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -12893,9 +12893,9 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -12958,9 +12958,9 @@ If you do not configure this policy setting, the MK Protocol is prevented for Fi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -13023,9 +13023,9 @@ If you do not configure this policy setting, MIME sniffing will never promote a > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -13086,9 +13086,9 @@ If you disable or do not configure this policy setting, users can select their p > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -13165,9 +13165,9 @@ If you do not configure this policy setting, the Notification bar will be displa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -13228,9 +13228,9 @@ If you disable or do not configure this policy setting, the user is prompted to > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -13291,9 +13291,9 @@ If you disable or do not configure this policy setting, ActiveX controls can be > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -13356,9 +13356,9 @@ If you do not configure this policy setting, any zone can be protected from zone > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -13421,9 +13421,9 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -13486,9 +13486,9 @@ If you do not configure this policy setting, the user's preference will be used > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -13551,9 +13551,9 @@ If you do not configure this policy setting, the user's preference determines wh > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -13616,9 +13616,9 @@ If you do not configure this policy setting, users cannot load a page in the zon > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -13681,9 +13681,9 @@ If you do not configure this policy setting, script code on pages in the zone is > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -13746,9 +13746,9 @@ If you do not configure this policy setting, ActiveX control installations will > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -13809,9 +13809,9 @@ If you disable or do not configure this setting, file downloads that are not use > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -13874,9 +13874,9 @@ If you do not configure this policy setting, binary and script behaviors are not > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -13941,9 +13941,9 @@ If you do not configure this policy setting, a script cannot perform a clipboard > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -14006,9 +14006,9 @@ If you do not configure this policy setting, users are queried to choose whether > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -14071,9 +14071,9 @@ If you do not configure this policy setting, files are prevented from being down > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -14136,9 +14136,9 @@ If you do not configure this policy setting, users are queried whether to allow > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -14201,9 +14201,9 @@ If you do not configure this policy setting, the possibly harmful navigations ar > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -14266,9 +14266,9 @@ If you do not configure this policy setting, the user can decide whether to load > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -14331,9 +14331,9 @@ If you do not configure this policy setting, a user's browser that loads a page > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -14396,9 +14396,9 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -14459,9 +14459,9 @@ If you disable this policy setting, the user does not see the per-site ActiveX p > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -14522,9 +14522,9 @@ If you disable this policy setting, the TDC Active X control will run from all s > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -14587,9 +14587,9 @@ If you do not configure this policy setting, the possible harmful actions contai > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -14652,9 +14652,9 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -14717,9 +14717,9 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -14784,9 +14784,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -14847,9 +14847,9 @@ If you disable or do not configure this policy setting, script is not allowed to > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -14912,9 +14912,9 @@ If you do not configure this policy setting, users cannot preserve information i > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -14979,9 +14979,9 @@ If you do not configure or disable this policy setting, VBScript is prevented fr > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -15044,9 +15044,9 @@ If you don't configure this policy setting, Internet Explorer always checks with > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -15109,9 +15109,9 @@ If you do not configure this policy setting, signed controls cannot be downloade > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -15174,9 +15174,9 @@ If you do not configure this policy setting, users cannot run unsigned controls. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -15237,9 +15237,9 @@ If you disable this policy setting, the XSS Filter is turned off for sites in th > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -15304,9 +15304,9 @@ In Internet Explorer 9 and earlier versions, if you disable this policy or do no > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -15371,9 +15371,9 @@ In Internet Explorer 9 and earlier versions, if you disable this policy setting > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -15436,9 +15436,9 @@ If you do not configure this policy setting, the actions that may be harmful can > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -15501,9 +15501,9 @@ If you do not configure this policy setting, the user can choose whether path in > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -15568,9 +15568,9 @@ If you do not configure this policy setting, ActiveX controls that cannot be mad > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -15639,9 +15639,9 @@ If you do not configure this policy setting, Java applets are disabled. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -15704,9 +15704,9 @@ If you do not configure this policy setting, users are prevented from running ap > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -15777,9 +15777,9 @@ If you do not configure this policy setting, logon is set to Prompt for username > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -15842,9 +15842,9 @@ If you do not configure this policy setting, users cannot open other windows and > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -15909,9 +15909,9 @@ If you do not configure this policy setting, controls and plug-ins are prevented > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -15974,9 +15974,9 @@ If you do not configure this policy setting, Internet Explorer will not execute > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -16041,9 +16041,9 @@ If you do not configure this policy setting, script interaction is prevented fro > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -16108,9 +16108,9 @@ If you do not configure this policy setting, scripts are prevented from accessin > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -16173,9 +16173,9 @@ If you do not configure this policy setting, the user can configure how the comp > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -16238,9 +16238,9 @@ If you do not configure this policy setting, the user can turn on or turn off Pr > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -16303,9 +16303,9 @@ If you do not configure this policy setting, most unwanted pop-up windows are pr > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -16368,9 +16368,9 @@ If you do not configure this policy setting, popup windows and other restriction > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -16431,9 +16431,9 @@ If you disable or do not configure this policy setting, the user can configure h > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -16497,9 +16497,9 @@ Also, see the "Security zones: Do not allow users to change policies" policy. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -16560,9 +16560,9 @@ If you disable or do not configure this policy setting, ActiveX controls, includ > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -16625,9 +16625,9 @@ If you do not configure this policy setting, users can load a page in the zone t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -16690,9 +16690,9 @@ If you do not configure this policy setting, users will receive a prompt when a > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -16753,9 +16753,9 @@ If you disable or do not configure this setting, users will receive a file downl > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -16818,9 +16818,9 @@ If you do not configure this policy setting, HTML fonts can be downloaded automa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -16883,9 +16883,9 @@ If you do not configure this policy setting, a warning is issued to the user tha > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -16948,9 +16948,9 @@ If you do not configure this policy setting, Internet Explorer will execute unsi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -17013,9 +17013,9 @@ If you do not configure this policy setting, the user can enable or disable scri > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -17080,9 +17080,9 @@ Note: In Internet Explorer 7, this policy setting controls whether Phishing Filt > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -17145,9 +17145,9 @@ If you do not configure this policy setting, users can preserve information in t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -17210,9 +17210,9 @@ If you don't configure this policy setting, Internet Explorer won't check with y > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -17277,9 +17277,9 @@ If you do not configure this policy setting, users are queried whether to allow > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -17348,9 +17348,9 @@ If you do not configure this policy setting, the permission is set to Low Safety > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -17413,9 +17413,9 @@ If you do not configure this policy setting, users can open windows and frames f > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index aa4f15a0f2..d7aa81c2a1 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -91,9 +91,9 @@ If you disable or do not configure this policy setting, the Kerberos client does > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -152,9 +152,9 @@ If you disable or do not configure this policy setting, the client devices will > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -218,9 +218,9 @@ If you disable or do not configure this policy setting, the client computers in > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -280,9 +280,9 @@ If you disable or do not configure this policy setting, the Kerberos client requ > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -346,9 +346,9 @@ Note: This policy setting configures the existing MaxTokenSize registry value in > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index 7ecab0d0b7..36fa5d0cc8 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md 
@@ -83,9 +83,9 @@ manager: dansimp > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -138,9 +138,9 @@ ADMX Info: > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -193,9 +193,9 @@ ADMX Info: > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -248,9 +248,9 @@ ADMX Info: > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -303,9 +303,9 @@ ADMX Info: > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -358,9 +358,9 @@ ADMX Info: > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index 64f42bf970..f12f2f997f 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md 
@@ -77,9 +77,9 @@ manager: dansimp > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -132,9 +132,9 @@ ADMX Info: > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -187,9 +187,9 @@ ADMX Info: > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -242,9 +242,9 @@ ADMX Info: > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 21e288f80e..95e8f4591b 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md 
@@ -136,9 +136,9 @@ If you disable this policy setting, standby states (S1-S3) are not allowed. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -198,9 +198,9 @@ If you disable this policy setting, standby states (S1-S3) are not allowed. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -262,9 +262,9 @@ If the user has configured a slide show to run on the lock screen when the machi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -326,9 +326,9 @@ If the user has configured a slide show to run on the lock screen when the machi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -523,9 +523,9 @@ If the user has configured a slide show to run on the lock screen when the machi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -587,9 +587,9 @@ If the user has configured a slide show to run on the lock screen when the machi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -649,9 +649,9 @@ If you disable this policy setting, the user is not prompted for a password when > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -711,9 +711,9 @@ If you disable this policy setting, the user is not prompted for a password when > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -1207,9 +1207,9 @@ If the user has configured a slide show to run on the lock screen when the machi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1271,9 +1271,9 @@ If the user has configured a slide show to run on the lock screen when the machi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 1d4aa4feae..5d3b5f3b49 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md 
@@ -93,9 +93,9 @@ If you disable this policy setting: > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -168,9 +168,9 @@ If you disable this policy setting: > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -232,9 +232,9 @@ Note: This settings takes priority over the setting "Automatically publish new p > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 656495af5a..35c9418f05 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -89,9 +89,9 @@ If you do not configure this policy setting, the user sees the default warning m > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -153,9 +153,9 @@ If you do not configure this setting, application-based settings are used. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -225,9 +225,9 @@ If you enable this policy setting you should also enable appropriate firewall ex > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -320,9 +320,9 @@ Allow Remote Desktop Exception > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 559af1e0d3..7ec935f89a 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -95,9 +95,9 @@ You can limit the number of users who can connect simultaneously by configuring > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -167,9 +167,9 @@ FIPS compliance can be configured through the System cryptography. Use FIPS comp > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -233,9 +233,9 @@ If you do not configure this policy setting, client drive redirection and Clipbo > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -295,9 +295,9 @@ If you disable this setting or leave it not configured, the user will be able to > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -363,9 +363,9 @@ If you do not configure this policy setting, automatic logon is not specified at > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -431,9 +431,9 @@ Note: The RPC interface is used for administering and configuring Remote Desktop > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index c32963c4d8..5ab20bb4a9 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -116,9 +116,9 @@ If you disable or do not configure this policy setting, the WinRM client does no > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -178,9 +178,9 @@ If you disable or do not configure this policy setting, the WinRM service does n > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -240,9 +240,9 @@ If you disable or do not configure this policy setting, the WinRM client does no > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -302,9 +302,9 @@ If you disable or do not configure this policy setting, the WinRM service does n > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -377,9 +377,9 @@ Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FE > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -439,9 +439,9 @@ If you disable or do not configure this policy setting, the WinRM client sends o > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -501,9 +501,9 @@ If you disable or do not configure this policy setting, the WinRM client sends o > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -563,9 +563,9 @@ If you disable or do not configure this policy setting, the WinRM client uses Di > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -625,9 +625,9 @@ If you disable or do not configure this policy setting, the WinRM client uses Ne > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -687,9 +687,9 @@ If you disable or do not configure this policy setting, the WinRM service accept > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -751,9 +751,9 @@ If you enable and then disable this policy setting,any values that were previous > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -819,9 +819,9 @@ If HardeningLevel is set to None, all requests are accepted (though they are not > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -881,9 +881,9 @@ If you disable or do not configure this policy setting and the WinRM client need > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -947,9 +947,9 @@ A listener might be automatically created on port 80 to ensure backward compatib > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1013,9 +1013,9 @@ A listener might be automatically created on port 443 to ensure backward compati > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index 44f2c67b91..f91881863d 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md 
@@ -81,9 +81,9 @@ Note: This policy will not be applied until the system is rebooted. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -155,9 +155,9 @@ Note: This policy setting will not be applied until the system is rebooted. > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index bfdc356235..6e881739c8 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md 
@@ -92,9 +92,9 @@ If you set this policy to ‘disabled’, new remote shell connections are rejec > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -156,9 +156,9 @@ If you disable or do not configure this policy setting, the default number is fi > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -220,9 +220,9 @@ If you do not configure or disable this policy setting, the default value of 900 > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -284,9 +284,9 @@ If you disable or do not configure this policy setting, the value 150 is used by > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -346,9 +346,9 @@ If you disable or do not configure this policy setting, the limit is five proce > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -410,9 +410,9 @@ If you disable or do not configure this policy setting, by default the limit is > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -468,9 +468,9 @@ This policy setting is deprecated and has no effect when set to any state: Enabl > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 18c9500905..9ce3ab68b9 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md @@ -72,9 +72,9 @@ If you disable or do not configure this policy setting, the stricter security se > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 9793dfcd99..c889fc7bec 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -574,9 +574,9 @@ If you disable or do not configure this policy setting, Windows will activate un > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index e2a334bc7b..cd2c32f688 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -766,9 +766,9 @@ Most restricted value is 0. > [!TIP] > This policy is also applicable to Windows 10 and not exclusive to phone. - -The following list shows the supported values: -orted values: +> +> The following list shows the supported values: +> orted values: - 0 – Not allowed. - 1 (default) – Allowed to reset to factory default settings. 
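Review bot: the `+> orted values:` line in the @@ -766 hunk of policy-csp-system.md keeps what is plainly a duplicated fragment of `supported values:` and now renders it inside the TIP callout; delete that line instead of quoting it. The `The following list shows the supported values:` sentence should not be pulled into the `> [!TIP]` quote either, since the `- 0 – Not allowed.` list that follows sits outside the quote; leave the sentence unquoted, after a blank line that closes the tip, so it introduces the list it belongs to.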
@@ -829,9 +829,9 @@ If your malware detection application does not include an Early Launch Antimalwa > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1328,9 +1328,9 @@ Also, see the "Turn off System Restore configuration" policy setting. If the "Tu > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -1440,7 +1440,7 @@ To enable this behavior you must complete two steps:
                                                                                          • Set Allow Telemetry to level 2 (Enhanced)
                                                                                          -When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594). +When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics. Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index b9bf9d8959..08dea14a3e 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md 
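Review bot: the hyperlink is lost in the @@ -1440 hunk of policy-csp-system.md: the `-` line links `[Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594)`, while the `+` line keeps only the title as plain text, so `These events are documented here:` now points at nothing. Restore the link, or if the fwlink target is gone, replace it with the current URL and say so in the commit message.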
@@ -1344,16 +1344,16 @@ Footnote: ## TextInput policies supported by Microsoft Surface Hub -- [TextInput/AllowIMELogging](#textinput-allowimelogging) -- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess) -- [TextInput/AllowInputPanel](#textinput-allowinputpanel) -- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters) -- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters) -- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph) -- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary) -- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall) -- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208) -- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc) -- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis) - +- [TextInput/AllowIMELogging](#textinput-allowimelogging) +- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess) +- [TextInput/AllowInputPanel](#textinput-allowinputpanel) +- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters) +- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters) +- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph) +- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary) +- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc) +- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis) + 
diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index e69f53fed7..ec68e060bc 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -32,22 +32,22 @@ ms.date: 05/21/2019 - - - - - - - + + + + + + + - - - - - - - + + + + + + +
                                                                                          HomeProBusinessEnterpriseEducationMobileMobile EnterpriseHomeProBusinessEnterpriseEducationMobileMobile Enterprise
                                                                                          cross markcheck mark6check mark6check mark6check mark6cross markcheck mark6check mark6check mark6check mark6
                                                                                          @@ -81,43 +81,42 @@ By default, this policy is not configured and the SKU based defaults are used fo - - + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + +
                                                                                          SKUUnmanaged DefaultManaged DefaultUnmanaged DefaultManaged Default
                                                                                          HomePrompt (OOBE)OffHomePrompt (OOBE)Off
                                                                                          ProPrompt (OOBE)OffProPrompt (OOBE)Off
                                                                                          EducationOn (auto)OffEducationOn (auto)Off
                                                                                          EnterpriseOffOffEnterpriseOffOff
                                                                                          GovernmentOffOffGovernmentOffOff
                                                                                          - + -ADMX Info: -- GP English name: *Troubleshooting: Allow users to access recommended troubleshooting for known problems* -- GP name: *TroubleshootingAllowRecommendations* -- GP path: *Troubleshooting and Diagnostics/Microsoft Support Diagnostic Tool* -- GP ADMX file name: *MSDT.admx* +ADMX Info:
                                                                                          - GP English name: Troubleshooting: Allow users to access recommended troubleshooting for known problems +- GP name: TroubleshootingAllowRecommendations +- GP path: Troubleshooting and Diagnostics/Microsoft Support Diagnostic Tool +- GP ADMX file name: MSDT.admx diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index da4ba1dc7f..2531787f7f 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -426,7 +426,7 @@ Supported operations are Get and Replace. > [!IMPORTANT] > This option should be used only for systems under regulatory compliance, as you will not get security updates as well. -  + If the policy is not configured, end-users get the default behavior (Auto install and restart). 
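Review bot: the ADMX Info block in the @@ -81 hunk of policy-csp-troubleshooting.md loses its italic markers: the `-` lines wrap each value in `*...*` (`*TroubleshootingAllowRecommendations*`, `*MSDT.admx*`), while the `+` lines carry bare text. Unless a convention change is intended, restore the asterisks so this block matches the other ADMX Info sections. The `+ADMX Info:` line also appears to have absorbed the `- GP English name:` item; confirm that each of the four items is its own `+` line in the applied patch.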
@@ -1589,31 +1589,31 @@ If the "Specify intranet Microsoft update service location" policy is enabled, t If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. OS upgrade: -- Maximum deferral: 8 months -- Deferral increment: 1 month -- Update type/notes: - - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 +- Maximum deferral: 8 months +- Deferral increment: 1 month +- Update type/notes: + - Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 Update: -- Maximum deferral: 1 month -- Deferral increment: 1 week -- Update type/notes: - If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 - - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 - - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F - - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 - - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB - - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F - - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 +- Maximum deferral: 1 month +- Deferral increment: 1 week +- Update type/notes: + If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. 
+ - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 + - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 + - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F + - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 + - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB + - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F + - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 + - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 Other/cannot defer: -- Maximum deferral: No deferral -- Deferral increment: No deferral -- Update type/notes: - Any update category not specifically enumerated above falls into this category. - - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B +- Maximum deferral: No deferral +- Deferral increment: No deferral +- Update type/notes: + Any update category not specifically enumerated above falls into this category. + - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B @@ -4000,8 +4000,8 @@ ADMX Info: - [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) - [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) - [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot) - -
                                                                                          + +
                                                                                          Footnotes: diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 54fa1a3e0b..ad3586a7b2 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md 
@@ -44,31 +44,31 @@ Here is an example syncml for setting the user right BackupFilesAndDirectories f Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator. -- Grant an user right to Administrators group via SID: - ``` - *S-1-5-32-544 - ``` +- Grant an user right to Administrators group via SID: + ``` + *S-1-5-32-544 + ``` -- Grant an user right to multiple groups (Administrators, Authenticated Users) via SID - ``` - *S-1-5-32-544*S-1-5-11 - ``` +- Grant an user right to multiple groups (Administrators, Authenticated Users) via SID + ``` + *S-1-5-32-544*S-1-5-11 + ``` -- Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings - ``` - *S-1-5-32-544Authenticated Users - ``` +- Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings + ``` + *S-1-5-32-544Authenticated Users + ``` -- Grant an user right to multiple groups (Authenticated Users, Administrators) via strings - ``` - Authenticated UsersAdministrators - ``` +- Grant an user right to multiple groups (Authenticated Users, Administrators) via strings + ``` + Authenticated UsersAdministrators + ``` -- Empty input indicates that there are no users configured to have that user right - ``` - - ``` -If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (``) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator. +- Empty input indicates that there are no users configured to have that user right + ``` + + ``` + If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (``) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator. > [!Note] > `` is the entity encoding of 0xF000. 
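Review bot: the re-indented `If you use Intune custom profiles ...` sentence in the @@ -44 hunk of policy-csp-userrights.md is now nested under the last bullet (`Empty input indicates ...`), so it renders as a continuation of that single item even though it applies to all the examples above. Keep the indentation fix for the fenced blocks inside each bullet, but leave this sentence at column 0 with a blank line before it so it reads as a paragraph following the list. While touching these lines, `Grant an user right` should read `Grant a user right` in all four bullets.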
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 13aae33bd9..1aa0d39661 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -389,7 +389,7 @@ Supported operations are Add, Delete, Get, and Replace. - [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) - [Wifi/AllowWiFi](#wifi-allowwifi) - + ## Wifi policies supported by Windows Holographic @@ -410,13 +410,13 @@ Supported operations are Add, Delete, Get, and Replace. - [Wifi/AllowInternetSharing](#wifi-allowinternetsharing) - [Wifi/AllowWiFi](#wifi-allowwifi) - [Wifi/WLANScanMode](#wifi-wlanscanmode) - + ## Wifi policies supported by Microsoft Surface Hub - [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting) - +
                                                                                          diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index 3b53beaa64..3765d7bdde 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -81,9 +81,9 @@ If this policy setting is not configured or is disabled, computers are allowed t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 7e127ca4b4..5c3f33f450 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md 
@@ -96,9 +96,9 @@ If you disable this policy setting, the device does not configure automatic sign > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -173,9 +173,9 @@ If you disable or do not configure this setting, automatic sign on defaults to t > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -244,9 +244,9 @@ If you disable or do not configure this policy setting, users can choose which a > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -331,9 +331,9 @@ Here is an example to enable this policy: > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
@@ -465,9 +465,9 @@ If you disable or do not configure this policy setting, the Logon UI will not en > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index 5ef55bb450..fd6fa0ab4c 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -78,9 +78,9 @@ Note: This policy setting exists under both Computer Configuration and User Conf > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - +> > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - +> > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md index 80a28a33fc..f6f151d7d1 100644 --- a/windows/client-management/mdm/provisioning-csp.md +++ b/windows/client-management/mdm/provisioning-csp.md @@ -19,7 +19,7 @@ The Provisioning configuration service provider is used for bulk user enrollment > **Note**  Bulk enrollment does not work when two factor authentication is enabled. -  + For bulk enrollment step-by-step guide, see [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md). @@ -33,7 +33,7 @@ Root node for Provisioning CSP. **Provisioning/Enrollments** Node for defining bulk enrollment of users into an MDM service. -**Provisioning/Enrollments/****_UPN_** +**Provisioning/Enrollments/***UPN* Unique identifier for the enrollment. For bulk enrollment, this must a service account that is allowed to enroll multiple users. Example, "generic-device@contoso.com" **Provisioning/Enrollments/*UPN*/DiscoveryServiceFullURL** @@ -58,9 +58,9 @@ Specifies the policy service URL. **Provisioning/Enrollments/*UPN*/EnrollmentServiceFullURL** Specifies the enrollment service URL. -  + -  + diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md index 9ba7017faf..9078c67e05 100644 --- a/windows/client-management/mdm/proxy-csp.md +++ b/windows/client-management/mdm/proxy-csp.md @@ -21,7 +21,7 @@ The PROXY configuration service provider is used to configure proxy connections. This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. -  + For the PROXY CSP, you cannot use the Replace command unless the node already exists. 
@@ -63,7 +63,7 @@ Depending on the ProxyID, the valid values are ISA, WAP, SOCKS, or NULL. ***ProxyName*/Ports** Node for port information. -***ProxyName*/Ports/****_PortName_** +***ProxyName*/Ports/***PortName* Defines the name of a port. It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two ports, use "PORT0" and "PORT1" as the element names. @@ -74,7 +74,7 @@ Specifies the port number to be associated with the parent port. ***ProxyName*/Ports/*PortName*/Services** Node for services information. -***ProxyName*/Ports/Services/****_ServiceName_** +***ProxyName*/Ports/Services/***ServiceName* Defines the name of a service. It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two services, use "SERVICE0" and "SERVICE1" as the element names. @@ -87,7 +87,7 @@ One commonly used value is "HTTP". ***ProxyName*/ConRefs** Node for connection reference information -***ProxyName*/ConRefs/****_ConRefName_** +***ProxyName*/ConRefs/***ConRefName* Defines the name of a connection reference. It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two connection references, use "CONREF0" and "CONREF1" as the element names. @@ -100,9 +100,9 @@ Specifies one single connectivity object associated with the proxy connection. [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 2a9d911d0f..227a21008a 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -54,9 +54,9 @@ Example to configure: 2018-10-25T18:00:00

                                                                                          [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index 2e8807235a..195eb13662 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -33,9 +33,9 @@ The supported operations are Add, Delete, Get, and Replace. **TesterAccount** The user name of the test taking account. -- To specify a domain account, use domain\\user. -- To specify an AAD account, use username@tenant.com. -- To specify a local account, use the username. +- To specify a domain account, use domain\\user. +- To specify an AAD account, use username@tenant.com. +- To specify a local account, use the username. The supported operations are Add, Delete, Get, and Replace. @@ -60,9 +60,9 @@ Supported operations are Get and Replace. [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 80ede58036..23a4434f1e 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -36,8 +36,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format > [!NOTE] > If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress. -  -

                                                                                          Here's a SyncML example. + +

                                                                                          Here's a SyncML example. ``` syntax @@ -203,7 +203,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format -  +

                                                                                          The data type is int. Supported operation is Get. **MaintenanceHoursSimple/Hours** @@ -226,7 +226,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

                                                                                          Added in Windows 10, version 1703. Node for the Skype for Business settings. **InBoxApps/SkypeForBusiness/DomainName** -

                                                                                          Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see [Set up Skype for Business Online](https://support.office.com/en-us/article/Set-up-Skype-for-Business-Online-40296968-e779-4259-980b-c2de1c044c6e?ui=en-US&rs=en-US&ad=US#bkmk_users). +

                                                                                          Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see Set up Skype for Business Online.

                                                                                          The data type is char. Supported operation is Get and Replace. @@ -290,8 +290,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format -  -

                                                                                          The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). + +

                                                                                          The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for).

                                                                                          The data type is int. Supported operation is Get and Replace. @@ -477,7 +477,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format **Properties/AllowSessionResume**

                                                                                          Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. -

                                                                                          If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. +

                                                                                          If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.

                                                                                          The data type is bool. Supported operation is Get and Replace. @@ -496,7 +496,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

                                                                                          The data type is bool. Supported operation is Get and Replace. **Properties/DoNotShowMyMeetingsAndFiles** -

                                                                                          Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. +

                                                                                          Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365.

                                                                                          If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown. @@ -515,9 +515,9 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

                                                                                          The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string. -  + -  + diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index f474eab658..7a16b050f3 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -38,19 +38,19 @@ The following diagram shows the TPMPolicy configuration service provider in tree Here is an example: ``` syntax -                -                    101 -                    -                        -                            -                                ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust -                            -                        -                         + + 101 + + + + ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust + + + bool -               text/plain -        -        true -                     -                 + text/plain + + true + + ``` diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index 6d5f16c77d..9376c73530 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -19,7 +19,7 @@ The UnifiedWriteFilter (UWF) configuration service provider enables the IT admin > **Note**  The UnifiedWriteFilter CSP is only supported in Windows 10 Enterprise and Windows 10 Education. -  + The following diagram shows the UWF configuration service provider in tree format. 
@@ -76,7 +76,7 @@ The only supported operation is Get. **CurrentSession/RegistryExclusions** Required. The root node that contains all registry exclusions. -**CurrentSession/RegistryExclusions/****_ExcludedRegistry_** +**CurrentSession/RegistryExclusions/***ExcludedRegistry* Optional. A registry key in the registry exclusion list for UWF in the current session. The only supported operation is Get. @@ -89,7 +89,7 @@ The only supported operation is Get. **CurrentSession/Volume** Required. The root node to contain all volumes protected by UWF in the current session. -**CurrentSession/Volume/****_Volume_** +**CurrentSession/Volume/***Volume* Optional. Represents a specific volume in the current session. **CurrentSession/Volume/*Volume*/Protected** @@ -110,7 +110,7 @@ The only supported operation is Get. **CurrentSession/Volume/*Volume*/Exclusions** Required. The root node that contains all file exclusions for the volume. -**CurrentSession/Volume/*Volume*/Exclusions/****_ExclusionPath_** +**CurrentSession/Volume/*Volume*/Exclusions/***ExclusionPath* Optional. A string that contains the full path of the file or folder relative to the volume. The only supported operation is Get. @@ -180,7 +180,7 @@ Required. The root node that contains all registry exclusions for the next sessi Supported operations are Add, Delete, and Replace. -**NextSession/RegistryExclusions/****_ExcludedRegistry_** +**NextSession/RegistryExclusions/***ExcludedRegistry* Optional. A registry key in the registry exclusion list for UWF. Supported operations are Add, Delete, Get, and Replace. @@ -193,7 +193,7 @@ Supported operations are Get and Replace. **NextSession/Volume** Required. The root node that contains all volumes protected by UWF for the next session. -**NextSession/Volume/****_Volume_** +**NextSession/Volume/***Volume* Optional. Represents a specific volume in the next session. Supported operations are Add, Delete, and Replace. 
@@ -216,7 +216,7 @@ The only supported operation is Get. **NextSession/Volume/*Volume*/Exclusions** Required. The root node that contains all file exclusions for this volume in the next session. -**NextSession/Volume/*Volume*/Exclusions/****_ExclusionPath_** +**NextSession/Volume/*Volume*/Exclusions/***ExclusionPath* Optional. A string that contains the full path of the file or folder relative to the volume. Supported operations are Add, Delete, Get, and Replace. @@ -241,9 +241,9 @@ Supported operations are Get and Execute. [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index 35a3e11c82..bae9a67bc6 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -31,7 +31,7 @@ The following diagram shows the Update configuration service provider in tree fo > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -

                                                                                          The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. +

                                                                                          The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.

                                                                                          The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. @@ -40,10 +40,10 @@ The following diagram shows the Update configuration service provider in tree fo

                                                                                          Supported operations are Get and Add. -**ApprovedUpdates/****_Approved Update Guid_** +**ApprovedUpdates/***Approved Update Guid*

                                                                                          Specifies the update GUID. -

                                                                                          To auto-approve a class of updates, you can specify the [Update Classifications](https://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +

                                                                                          To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.

                                                                                          Supported operations are Get and Add. @@ -62,7 +62,7 @@ The following diagram shows the Update configuration service provider in tree fo

                                                                                          Supported operation is Get. -**FailedUpdates/****_Failed Update Guid_** +**FailedUpdates/***Failed Update Guid*

                                                                                          Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install.

                                                                                          Supported operation is Get. @@ -87,7 +87,7 @@ The following diagram shows the Update configuration service provider in tree fo

                                                                                          Supported operation is Get. -**InstalledUpdates/****_Installed Update Guid_** +**InstalledUpdates/***Installed Update Guid*

                                                                                          UpdateIDs that represent the updates installed on a device.

                                                                                          Supported operation is Get. @@ -102,7 +102,7 @@ The following diagram shows the Update configuration service provider in tree fo

                                                                                          Supported operation is Get. -**InstallableUpdates/****_Installable Update Guid_** +**InstallableUpdates/***Installable Update Guid*

                                                                                          Update identifiers that represent the updates applicable and not installed on a device.

                                                                                          Supported operation is Get. @@ -126,7 +126,7 @@ The following diagram shows the Update configuration service provider in tree fo

                                                                                          Supported operation is Get. -**PendingRebootUpdates/****_Pending Reboot Update Guid_** +**PendingRebootUpdates/***Pending Reboot Update Guid*

                                                                                          Update identifiers for the pending reboot state.

                                                                                          Supported operation is Get. @@ -187,9 +187,9 @@ Added in Windows 10, version 1803. Returns the result of last RollBack FeatureUp [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 7cf3039819..8c6907a689 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md 
@@ -40,28 +40,28 @@ The following diagram shows the VPNv2 configuration service provider in tree for **Device or User profile** For user profile, use **./User/Vendor/MSFT** path and for device profile, use **./Device/Vendor/MSFT** path. -**VPNv2/***ProfileName* +**VPNv2/**ProfileName Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/). Supported operations include Get, Add, and Delete. > **Note**  If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. -**VPNv2/***ProfileName***/AppTriggerList** +**VPNv2/**ProfileName**/AppTriggerList** Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect. -**VPNv2/***ProfileName***/AppTriggerList/***appTriggerRowId* +**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/AppTriggerList/***appTriggerRowId***/App** +**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App** App Node under the Row Id. -**VPNv2/***ProfileName***/AppTriggerList/***appTriggerRowId***/App/Id** +**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Id** App identity, which is either an app’s package family name or file path. The type is inferred by the Id, and therefore cannot be specified in the get only App/Type field -**VPNv2/***ProfileName***/AppTriggerList/***appTriggerRowId***/App/Type** +**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Type** Returns the type of **App/Id**. 
This value can be either of the following: - PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application. 
@@ -69,34 +69,34 @@ Returns the type of **App/Id**. This value can be either of the following: Value type is chr. Supported operation is Get. -**VPNv2/***ProfileName***/RouteList/** +**VPNv2/**ProfileName**/RouteList/** Optional node. List of routes to be added to the routing table for the VPN interface. This is required for split tunneling case where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface. Every computer that runs TCP/IP makes routing decisions. These decisions are controlled by the IP routing table. Adding values under this node updates the routing table with routes for the VPN interface post connection. The values under this node represent the destination prefix of IP routes. A destination prefix consists of an IP address prefix and a prefix length. Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this during connect negotiation and do not need this information in the VPN Profile. Please check with your VPN server administrator to determine whether you need this information in the VPN profile. -**VPNv2/***ProfileName***/RouteList/***routeRowId* +**VPNv2/**ProfileName**/RouteList/**routeRowId A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/RouteList/***routeRowId***/Address** +**VPNv2/**ProfileName**/RouteList/**routeRowId**/Address** Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix. Supported operations include Get, Add, Replace, and Delete. Value type is chr. 
Example, `192.168.0.0` -**VPNv2/***ProfileName***/RouteList/***routeRowId***/PrefixSize** +**VPNv2/**ProfileName**/RouteList/**routeRowId**/PrefixSize** The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface. Value type is int. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/RouteList/***routeRowId***/Metric** +**VPNv2/**ProfileName**/RouteList/**routeRowId**/Metric** Added in Windows 10, version 1607. The route's metric. Value type is int. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/RouteList/***routeRowId***/ExclusionRoute** +**VPNv2/**ProfileName**/RouteList/**routeRowId**/ExclusionRoute** Added in Windows 10, version 1607. A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. Valid values: - False (default) - This route will direct traffic over the VPN 
@@ -104,17 +104,17 @@ Added in Windows 10, version 1607. A boolean value that specifies if the route Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/DomainNameInformationList** +**VPNv2/**ProfileName**/DomainNameInformationList** Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. -**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId* +**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId A sequential integer identifier for the Domain Name information. Sequencing must start at 0. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/DomainName** +**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainName** Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types: - FQDN - Fully qualified domain name 
@@ -122,7 +122,7 @@ Used to indicate the namespace to which the policy applies. When a Name query is Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/DomainNameType** +**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainNameType** Returns the namespace type. This value can be one of the following: - FQDN - If the DomainName was not prepended with a **.** and applies only to the fully qualified domain name (FQDN) of a specified host. @@ -130,21 +130,21 @@ Returns the namespace type. This value can be one of the following: Value type is chr. Supported operation is Get. -**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/DnsServers** +**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DnsServers** List of comma separated DNS Server IP addresses to use for the namespace. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/WebProxyServers** +**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers** Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet. > **Note**  Currently only one web proxy server is supported. -  + Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/AutoTrigger** +**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/AutoTrigger** Added in Windows 10, version 1607. Optional. Boolean to determine whether this domain name rule will trigger the VPN. If set to False, this DomainName rule will not trigger the VPN. 
@@ -155,7 +155,7 @@ By default, this value is false. Value type is bool. -**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/Persistent** +**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/Persistent** Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN is not connected. Value values: - False (default) - This DomainName rule will only be applied when VPN is connected. @@ -163,22 +163,22 @@ Added in Windows 10, version 1607. A boolean value that specifies if the rule b Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/TrafficFilterList** +**VPNv2/**ProfileName**/TrafficFilterList** An optional node that specifies a list of rules. Only traffic that matches these rules can be sent via the VPN Interface. > **Note**  Once a TrafficFilterList is added, all traffic are blocked other than the ones matching the rules. -  + When adding multiple rules, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other. -**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId* +**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0. -**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/App** +**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App** Per app VPN rule. This will allow only the apps specified to be allowed over the VPN interface. Value type is chr. -**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/App/Id** +**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Id** App identity for the app-based traffic filter. The value for this node can be one of the following: 
@@ -189,48 +189,48 @@ The value for this node can be one of the following: Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/App/Type** +**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Type** Returns the type of ID of the **App/Id**. Value type is chr. Supported operation is Get. -**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/Claims** +**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Claims** Reserved for future use. -**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/Protocol** +**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Protocol** Numeric value from 0-255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17. Value type is int. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/LocalPortRanges** +**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalPortRanges** A list of comma separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`. > **Note**  Ports are only valid when the protocol is set to TCP=6 or UDP=17. -  + Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/RemotePortRanges** +**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemotePortRanges** A list of comma separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`. > **Note**  Ports are only valid when the protocol is set to TCP=6 or UDP=17. -  + Value type is chr. Supported operations include Get, Add, Replace, and Delete. 
-**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/LocalAddressRanges** +**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalAddressRanges** A list of comma separated values specifying local IP address ranges to allow. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/RemoteAddressRanges** +**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemoteAddressRanges** A list of comma separated values specifying remote IP address ranges to allow. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/RoutingPolicyType** +**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RoutingPolicyType** Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. The value can be one of the following: - SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces. 
@@ -240,19 +240,19 @@ This is only applicable for App ID based Traffic Filter rules. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/EdpModeId** +**VPNv2/**ProfileName**/EdpModeId** Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. Additionally when connecting with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/RememberCredentials** +**VPNv2/**ProfileName**/RememberCredentials** Boolean value (true or false) for caching credentials. Default is false, which means do not cache credentials. If set to true, credentials are cached whenever possible. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/AlwaysOn** +**VPNv2/**ProfileName**/AlwaysOn** An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects. > **Note**  Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active. @@ -273,7 +273,7 @@ Valid values: Value type is bool. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/LockDown** (./Device only profile) +**VPNv2/**ProfileName**/LockDown** (./Device only profile) Lockdown profile. Valid values: 
@@ -292,7 +292,7 @@ A Lockdown profile must be deleted before you can add, remove, or connect other Value type is bool. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/DeviceTunnel** (./Device only profile) +**VPNv2/**ProfileName**/DeviceTunnel** (./Device only profile) Device tunnel profile. Valid values: @@ -310,7 +310,7 @@ A device tunnel profile must be deleted before another device tunnel profile can Value type is bool. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/RegisterDNS** +**VPNv2/**ProfileName**/RegisterDNS** Allows registration of the connection's address in DNS. Valid values: 
@@ -318,112 +318,112 @@ Valid values: - False = Do not register the connection's address in DNS (default). - True = Register the connection's addresses in DNS. -**VPNv2/***ProfileName***/DnsSuffix** +**VPNv2/**ProfileName**/DnsSuffix** Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/ByPassForLocal** +**VPNv2/**ProfileName**/ByPassForLocal** Reserved for future use. -**VPNv2/***ProfileName***/TrustedNetworkDetection** +**VPNv2/**ProfileName**/TrustedNetworkDetection** Optional. Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/ProfileXML** +**VPNv2/**ProfileName**/ProfileXML** Added in Windows 10, version 1607. The XML schema for provisioning all the fields of a VPN. For the XSD, see [ProfileXML XSD](vpnv2-profile-xsd.md). Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/Proxy** +**VPNv2/**ProfileName**/Proxy** A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected. -**VPNv2/***ProfileName***/Proxy/Manual** +**VPNv2/**ProfileName**/Proxy/Manual** Optional node containing the manual server settings. -**VPNv2/***ProfileName***/Proxy/Manual/Server** +**VPNv2/**ProfileName**/Proxy/Manual/Server** Optional. Proxy server address as a fully qualified hostname or an IP address. You should set this element together with Port. Example, proxy.contoso.com. 
Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/Proxy/AutoConfigUrl** +**VPNv2/**ProfileName**/Proxy/AutoConfigUrl** Optional. URL to automatically retrieve the proxy settings. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/APNBinding** +**VPNv2/**ProfileName**/APNBinding** Reserved for future use. -**VPNv2/***ProfileName***/APNBinding/ProviderId** +**VPNv2/**ProfileName**/APNBinding/ProviderId** Reserved for future use. Optional node. -**VPNv2/***ProfileName***/APNBinding/AccessPointName** +**VPNv2/**ProfileName**/APNBinding/AccessPointName** Reserved for future use. -**VPNv2/***ProfileName***/APNBinding/UserName** +**VPNv2/**ProfileName**/APNBinding/UserName** Reserved for future use. -**VPNv2/***ProfileName***/APNBinding/Password** +**VPNv2/**ProfileName**/APNBinding/Password** Reserved for future use. -**VPNv2/***ProfileName***/APNBinding/IsCompressionEnabled** +**VPNv2/**ProfileName**/APNBinding/IsCompressionEnabled** Reserved for future use. -**VPNv2/***ProfileName***/APNBinding/AuthenticationType** +**VPNv2/**ProfileName**/APNBinding/AuthenticationType** Reserved for future use. -**VPNv2/***ProfileName***/DeviceCompliance** +**VPNv2/**ProfileName**/DeviceCompliance** Added in Windows 10, version 1607. Nodes under DeviceCompliance can be used to enable AAD-based Conditional Access for VPN. -**VPNv2/***ProfileName***/DeviceCompliance/Enabled** +**VPNv2/**ProfileName**/DeviceCompliance/Enabled** Added in Windows 10, version 1607. Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory. Value type is bool. Supported operations include Get, Add, Replace, and Delete. 
-**VPNv2/***ProfileName***/DeviceCompliance/Sso** +**VPNv2/**ProfileName**/DeviceCompliance/Sso** Added in Windows 10, version 1607. Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance. -**VPNv2/***ProfileName***/DeviceCompliance/Sso/Enabled** +**VPNv2/**ProfileName**/DeviceCompliance/Sso/Enabled** Added in Windows 10, version 1607. If this field is set to True, the VPN Client will look for a separate certificate for Kerberos Authentication. Value type is bool. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/DeviceCompliance/Sso/IssuerHash** +**VPNv2/**ProfileName**/DeviceCompliance/Sso/IssuerHash** Added in Windows 10, version 1607. Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/DeviceCompliance/Sso/Eku** +**VPNv2/**ProfileName**/DeviceCompliance/Sso/Eku** Added in Windows 10, version 1607. Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/PluginProfile** +**VPNv2/**ProfileName**/PluginProfile** Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin. -**VPNv2/***ProfileName***/PluginProfile/ServerUrlList** +**VPNv2/**ProfileName**/PluginProfile/ServerUrlList** Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/PluginProfile/CustomConfiguration** +**VPNv2/**ProfileName**/PluginProfile/CustomConfiguration** Optional. 
This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/PluginProfile/PluginPackageFamilyName** +**VPNv2/**ProfileName**/PluginProfile/PluginPackageFamilyName** Required for plug-in profiles. Package family name for the SSL-VPN plug-in. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/PluginProfile/CustomStoreUrl** +**VPNv2/**ProfileName**/PluginProfile/CustomStoreUrl** Reserved for future use. -**VPNv2/***ProfileName***/NativeProfile** +**VPNv2/**ProfileName**/NativeProfile** Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP). -**VPNv2/***ProfileName***/NativeProfile/Servers** +**VPNv2/**ProfileName**/NativeProfile/Servers** Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. 
@@ -432,7 +432,7 @@ You can make a list of server by making a list of server names (with optional fr Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/RoutingPolicyType** +**VPNv2/**ProfileName**/NativeProfile/RoutingPolicyType** Optional for native profiles. Type of routing policy. This value can be one of the following: - SplitTunnel - Traffic can go over any interface as determined by the networking stack. @@ -440,7 +440,7 @@ Optional for native profiles. Type of routing policy. This value can be one of t Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/NativeProtocolType** +**VPNv2/**ProfileName**/NativeProfile/NativeProtocolType** Required for native profiles. Type of tunneling protocol used. This value can be one of the following: - PPTP @@ -452,10 +452,10 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. > **Note** The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: IKEv2, PPTP and then L2TP. This order is not customizable. -**VPNv2/***ProfileName***/NativeProfile/Authentication** +**VPNv2/**ProfileName**/NativeProfile/Authentication** Required node for native profile. It contains authentication information for the native VPN profile. -**VPNv2/***ProfileName***/NativeProfile/Authentication/UserMethod** +**VPNv2/**ProfileName**/NativeProfile/Authentication/UserMethod** This value can be one of the following: - EAP @@ -463,7 +463,7 @@ This value can be one of the following: Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/Authentication/MachineMethod** +**VPNv2/**ProfileName**/NativeProfile/Authentication/MachineMethod** This is only supported in IKEv2. This value can be one of the following: 
@@ -472,32 +472,32 @@ This value can be one of the following: Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/Authentication/Eap** +**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap** Required when the native profile specifies EAP authentication. EAP configuration XML. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/Authentication/Eap/Configuration** +**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap/Configuration** HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see [EAP configuration](eap-configuration.md). Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/Authentication/Eap/Type** +**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap/Type** Reserved for future use. -**VPNv2/***ProfileName***/NativeProfile/Authentication/Certificate** +**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate** Reserved for future use. -**VPNv2/***ProfileName***/NativeProfile/Authentication/Certificate/Issuer** +**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate/Issuer** Reserved for future use. -**VPNv2/***ProfileName***/NativeProfile/Authentication/Certificate/Eku** +**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate/Eku** Reserved for future use. -**VPNv2/***ProfileName***/NativeProfile/CryptographySuite** +**VPNv2/**ProfileName**/NativeProfile/CryptographySuite** Added in Windows 10, version 1607. Properties of IPSec tunnels. -**VPNv2/***ProfileName***/NativeProfile/CryptographySuite/AuthenticationTransformConstants** +**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/AuthenticationTransformConstants** Added in Windows 10, version 1607. The following list contains the valid values: 
@@ -511,7 +511,7 @@ The following list contains the valid values: Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/CryptographySuite/CipherTransformConstants** +**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/CipherTransformConstants** Added in Windows 10, version 1607. The following list contains the valid values: @@ -527,7 +527,7 @@ The following list contains the valid values: Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/CryptographySuite/EncryptionMethod** +**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/EncryptionMethod** Added in Windows 10, version 1607. The following list contains the valid values: @@ -542,7 +542,7 @@ The following list contains the valid values: Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/CryptographySuite/IntegrityCheckMethod** +**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/IntegrityCheckMethod** Added in Windows 10, version 1607. The following list contains the valid values: @@ -554,7 +554,7 @@ The following list contains the valid values: Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/CryptographySuite/DHGroup** +**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/DHGroup** Added in Windows 10, version 1607. The following list contains the valid values: @@ -568,7 +568,7 @@ The following list contains the valid values: Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/CryptographySuite/PfsGroup** +**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/PfsGroup** Added in Windows 10, version 1607. The following list contains the valid values: 
@@ -583,12 +583,12 @@ The following list contains the valid values: Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/L2tpPsk** +**VPNv2/**ProfileName**/NativeProfile/L2tpPsk** Added in Windows 10, version 1607. The preshared key used for an L2TP connection. Value type is chr. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/***ProfileName***/NativeProfile/DisableClassBasedDefaultRoute** +**VPNv2/**ProfileName**/NativeProfile/DisableClassBasedDefaultRoute** Added in Windows 10, version 1607. Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8 Value type is bool. Supported operations include Get, Add, Replace, and Delete. @@ -1316,9 +1316,9 @@ Servers [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index a56dd909f2..bcbbe82cd4 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -43,7 +43,7 @@ Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is Supported operation is Get. -****** +**** Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. The SSID is added when the WlanXML node is added. When the SSID node is deleted, then all the subnodes are also deleted. SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, ./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml. 
@@ -228,9 +228,9 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetw [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index 6c0fcf723e..a55ac7648e 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md @@ -399,10 +399,10 @@ The policy {AreaName} format is {AppName}~{SettingType}~{CategoryPathFromAdmx}. {CategoryPathFromAdmx} is derived by traversing the parentCategory parameter. In this example, {CategoryPathFromAdmx} is ParentCategoryArea~Category2~Category3. Therefore, {AreaName} is ContosoCompanyApp~ Policy~ ParentCategoryArea~Category2~Category3. Therefore, from the example: - - Class: User - - Policy name: L_PolicyPreventRun_1 - - Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3 - - URI: `./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1` +- Class: User +- Policy name: L_PolicyPreventRun_1 +- Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3 +- URI: `./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1` ## ADMX-backed app policy examples diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md index e7f45f2ce6..ca8daa77fc 100644 --- a/windows/client-management/mdm/win32appinventory-csp.md +++ b/windows/client-management/mdm/win32appinventory-csp.md 
@@ -31,30 +31,30 @@ This represents an inventory of installed Win32 applications on the device. The supported operation is Get. -**Win32InstalledProgram/***InstalledProgram* +**Win32InstalledProgram/**InstalledProgram A node that contains information for a specific application. -**Win32InstalledProgram/***InstalledProgram***/Name** +**Win32InstalledProgram/**InstalledProgram**/Name** A string that specifies the name of the application. The supported operation is Get. -**Win32InstalledProgram/***InstalledProgram***/Publisher** +**Win32InstalledProgram/**InstalledProgram**/Publisher** A string that specifies the publisher of the application. The supported operation is Get. -**Win32InstalledProgram/***InstalledProgram***/Version** +**Win32InstalledProgram/**InstalledProgram**/Version** A string that specifies the version of the application. The supported operation is Get. -**Win32InstalledProgram/***InstalledProgram***/Language** +**Win32InstalledProgram/**InstalledProgram**/Language** A string that specifies the language of the application. The supported operation is Get. -**Win32InstalledProgram/***InstalledProgram***/RegKey** +**Win32InstalledProgram/**InstalledProgram**/RegKey** A string that specifies product code or registry subkey. For MSI-based applications this is the product code. 
@@ -63,17 +63,17 @@ For applications found in Add/Remove Programs, this is the registry subkey. The supported operation is Get. -**Win32InstalledProgram/***InstalledProgram***/Source** +**Win32InstalledProgram/**InstalledProgram**/Source** A string that specifies where the application was discovered, such as MSI or Add/Remove Programs. The supported operation is Get. -**Win32InstalledProgram/***InstalledProgram***/MsiProductCode** +**Win32InstalledProgram/**InstalledProgram**/MsiProductCode** A GUID that uniquely identifies a particular MSI product. The supported operation is Get. -**Win32InstalledProgram/***InstalledProgram***/MsiPackageCode** +**Win32InstalledProgram/**InstalledProgram**/MsiPackageCode** A GUID that identifies an MSI package. Multiple products can make up a single package. The supported operation is Get. @@ -83,9 +83,9 @@ The supported operation is Get. [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index e3a582a6cb..d77a45c430 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -233,9 +233,9 @@ The following list describes the characteristics and parameters. [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index aa2c16fc0b..0aa177f8cf 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -34,7 +34,7 @@ Enters a product key for an edition upgrade of Windows 10 desktop devices. > [!NOTE]   > This upgrade process requires a system restart. -  + The date type is a chr. 
@@ -47,7 +47,7 @@ After the device restarts, the edition upgrade process completes. The user will > [!IMPORTANT]   > If another policy requires a system reboot that occurs when **changepk.exe** is running, the edition upgrade will fail. -  + If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and **changepk.exe** runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. @@ -58,7 +58,7 @@ This node can also be used to activate or change a product key on a particular e > [!IMPORTANT]   > The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. -  + The following are valid edition upgrade paths when using this node through an MDM: @@ -100,7 +100,7 @@ Provides a license for an edition upgrade of Windows 10 mobile devices. > [!NOTE]   > This upgrade process does not require a system restart. -  + The date type is XML. 
@@ -109,7 +109,7 @@ The supported operation is Execute. > [!IMPORTANT]   > The XML license file contents must be properly escaped (that is, it should not simply be a copied XML), otherwise the edition upgrade on Windows 10 mobile devices will fail. For more information on proper escaping of the XML license file, see Section 2.4 of the [W3C XML spec](http://www.w3.org/TR/xml/) . The XML license file is acquired from the Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. -  + The following are valid edition upgrade paths when using this node through an MDM or provisioning package: @@ -219,7 +219,7 @@ Values: > [!NOTE]   > `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. -  + **Edition** @@ -300,7 +300,7 @@ Values: > [!NOTE]   > `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. -  + **UpgradeEditionWithLicense** @@ -463,9 +463,9 @@ Values: [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index d2d05e8ced..634c1ed5cf 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md @@ -21,7 +21,7 @@ Windows Management Infrastructure (WMI) providers (and the classes they support) > **Note**  Applications installed using WMI classes are not removed when the MDM account is removed from device. -  + The child node names of the result from a WMI query are separated by a forward slash (/) and not URI escaped. Here is an example query. 
@@ -69,55 +69,55 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro -[MDM_AppInstallJob](https://msdn.microsoft.com/library/windows/hardware/dn610368) +MDM_AppInstallJob

                                                                                          Currently testing.

                                                                                          -[MDM_Application](https://msdn.microsoft.com/library/windows/hardware/dn610369) +MDM_Application

                                                                                          Currently testing.

                                                                                          -[MDM_ApplicationFramework](https://msdn.microsoft.com/library/windows/hardware/dn610370) +MDM_ApplicationFramework

                                                                                          Currently testing.

                                                                                          -[MDM_ApplicationSetting](https://msdn.microsoft.com/library/windows/hardware/dn610382) +MDM_ApplicationSetting

                                                                                          Currently testing.

                                                                                          -[MDM_BrowserSecurityZones](https://msdn.microsoft.com/library/windows/hardware/dn610383) +MDM_BrowserSecurityZones cross mark -[MDM_BrowserSettings](https://msdn.microsoft.com/library/windows/hardware/dn610384) +MDM_BrowserSettings cross mark -[MDM_Certificate](https://msdn.microsoft.com/library/windows/hardware/dn610385) +MDM_Certificate cross mark -[MDM_CertificateEnrollment](https://msdn.microsoft.com/library/windows/hardware/dn610386) +MDM_CertificateEnrollment cross mark -[MDM_Client](https://msdn.microsoft.com/library/windows/hardware/dn610387) +MDM_Client

                                                                                          Currently testing.

                                                                                          -[MDM_ConfigSetting](https://msdn.microsoft.com/library/windows/hardware/dn610388) +MDM_ConfigSetting cross mark -[MDM_DeviceRegistrationInfo](https://msdn.microsoft.com/library/windows/hardware/dn610389) +MDM_DeviceRegistrationInfo -[MDM_EASPolicy](https://msdn.microsoft.com/library/windows/hardware/dn610390) +MDM_EASPolicy cross mark -[MDM_MgMtAuthority](https://msdn.microsoft.com/library/windows/hardware/dn610391) +MDM_MgMtAuthority cross mark @@ -129,39 +129,39 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro -[MDM_RemoteApplication](https://msdn.microsoft.com/library/windows/hardware/dn610371) +MDM_RemoteApplication

                                                                                          Test not started.

                                                                                          -[MDM_RemoteAppUseCookie](https://msdn.microsoft.com/library/windows/hardware/dn610372) +MDM_RemoteAppUseCookie

                                                                                          Test not started.

                                                                                          -[MDM_Restrictions](https://msdn.microsoft.com/library/windows/hardware/dn610392) +MDM_Restrictions cross mark -[MDM_RestrictionsUser](https://msdn.microsoft.com/library/windows/hardware/dn610393) +MDM_RestrictionsUser

                                                                                          Test not started.

                                                                                          -[MDM_SecurityStatus](https://msdn.microsoft.com/library/windows/hardware/dn610394) +MDM_SecurityStatus cross mark -[MDM_SideLoader](https://msdn.microsoft.com/library/windows/hardware/dn610395) +MDM_SideLoader -[MDM_SecurityStatusUser](https://msdn.microsoft.com/library/windows/hardware/dn920104) +MDM_SecurityStatusUser

                                                                                          Currently testing.

                                                                                          -[MDM_Updates](https://msdn.microsoft.com/library/windows/hardware/dn920105) +MDM_Updates cross mark -[MDM_VpnApplicationTrigger](https://msdn.microsoft.com/library/windows/hardware/dn610396) +MDM_VpnApplicationTrigger cross mark @@ -169,45 +169,45 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro -[MDM_WebApplication](https://msdn.microsoft.com/library/windows/hardware/dn610373) +MDM_WebApplication

                                                                                          Currently testing.

                                                                                          -[MDM_WirelessProfile](https://msdn.microsoft.com/library/windows/hardware/dn610397) +MDM_WirelessProfile cross mark -[MDM_WirelesssProfileXML](https://msdn.microsoft.com/library/windows/hardware/dn610398) +MDM_WirelesssProfileXML cross mark -[MDM_WNSChannel](https://msdn.microsoft.com/library/windows/hardware/dn610399) +MDM_WNSChannel cross mark -[MDM_WNSConfiguration](https://msdn.microsoft.com/library/windows/hardware/dn610400) +MDM_WNSConfiguration cross mark -[MSFT_NetFirewallProfile](https://msdn.microsoft.com/library/windows/hardware/jj676842) +MSFT_NetFirewallProfile cross mark -[MSFT_VpnConnection](https://msdn.microsoft.com/library/windows/hardware/jj206647) +MSFT_VpnConnection cross mark -[SoftwareLicensingProduct](https://msdn.microsoft.com/library/windows/hardware/cc534596) +SoftwareLicensingProduct -[SoftwareLicensingService](https://msdn.microsoft.com/library/windows/hardware/cc534597) +SoftwareLicensingService -  + ### Parental control WMI classes @@ -224,7 +224,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro | [**wpcusersettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | | [**wpcwebsettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | -  + ### Win32 WMI classes @@ -298,16 +298,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro [**Win32\_UTCTime**](https://msdn.microsoft.com/library/windows/hardware/aa394510) | ![cross mark](images/checkmark.png) [**Win32\_VideoController**](https://msdn.microsoft.com/library/windows/hardware/aa394505) | **Win32\_WindowsUpdateAgentVersion** | -  + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) -  + -  + 10/10/2016 
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index 5734ee454b..1117085ca7 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -63,7 +63,7 @@ A list of the physical disks that are attached to the computer should be display Disk 0 Online **size* GB 0 B * ``` -If the computer uses a Unified Extensible Firmware Interface (UEFI) startup interface, there will be an asterisk (*) in the **GPT** column. +If the computer uses a Unified Extensible Firmware Interface (UEFI) startup interface, there will be an asterisk () in the **GPT* column. If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn** column. 
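Review bot: the `+` line in this hunk is a regression: `asterisk (*) in the **GPT** column` became `asterisk () in the **GPT* column`, so the sentence no longer shows the character to look for and the unbalanced `**` will leak into the rendered text. The original line was correct; if the goal was to stop Markdown reading `*` as emphasis, write `(\*)` and keep `**GPT**` intact, matching the `**Dyn**` markup on the context line below.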
@@ -94,28 +94,28 @@ Check whether the Boot Configuration Database (BCD) has all the correct entries. To verify the BCD entries: -1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file. +1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file. - An example output if the computer is UEFI-based: + An example output if the computer is UEFI-based: - ``` - device partition=\Device\HarddiskVolume2 - path \EFI\Microsoft\Boot\bootmgfw.efi - ``` + ``` + device partition=\Device\HarddiskVolume2 + path \EFI\Microsoft\Boot\bootmgfw.efi + ``` - An example output if the machine is BIOS based: - ``` - Device partition=C: - ``` - >[!NOTE] - >This output may not contain a path. + An example output if the machine is BIOS based: + ``` + Device partition=C: + ``` + >[!NOTE] + >This output may not contain a path. -2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. +2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. - >[!NOTE] - >If the computer is UEFI-based, the **bootmgr** and **winload** entires under **{default}** will contain an **.efi** extension. + >[!NOTE] + >If the computer is UEFI-based, the **bootmgr** and **winload** entires under **{default}** will contain an **.efi** extension. 
- ![bcdedit](images/screenshot1.png) + ![bcdedit](images/screenshot1.png) If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that is named **bcdbackup** . To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup** . @@ -138,20 +138,20 @@ D:\> Mkdir BootBackup R:\> Copy *.* D:\BootBackup ``` -2. If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, as follows: +2. If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, as follows: - ```cmd - Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL - ``` + ```cmd + Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL + ``` - For example: if we assign the ,System Drive> (WinRE drive) the letter R and the is the letter D, this command would be the following: + For example: if we assign the ,System Drive> (WinRE drive) the letter R and the is the letter D, this command would be the following: - ```cmd - Bcdboot D:\windows /s R: /f ALL - ``` + ```cmd + Bcdboot D:\windows /s R: /f ALL + ``` - >[!NOTE] - >The **ALL** part of the **bcdboot** command writes all the boot files (both UEFI and BIOS) to their respective locations. + >[!NOTE] + >The **ALL** part of the **bcdboot** command writes all the boot files (both UEFI and BIOS) to their respective locations. If you do not have a Windows 10 ISO, you must format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps: 
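Review bot: the reindented note in the `@@ -94` hunk still carries the typo `entires` (`the **bootmgr** and **winload** entires under **{default}**`); since the line is rewritten anyway, change it to `entries`. The BIOS sample `Device partition=C:` also uses a capital `D` while the UEFI sample directly above uses lowercase `device`; the two quoted outputs should use the same casing.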
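Review bot: the `For example:` line in the `@@ -138` hunk is rewritten but keeps its mangled placeholders, `,System Drive>` and `the is the letter D`, so the sentence never names which drive gets the letter D. Restore it to match the placeholders in the command above, e.g. "if we assign the <System Drive> (WinRE drive) the letter R and the <OS Drive> the letter D". The command itself, `Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL`, also carries unbalanced `**`/`*` inside a code fence where no emphasis renders; plain `<OSDrive>:` and `<SYSTEMdrive>:` would be cleaner.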
@@ -239,14 +239,14 @@ copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\c Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers: -1. Expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001\Control**. +1. Expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001\Control**. -2. Look for any **UpperFilters** or **LowerFilters** entries. +2. Look for any **UpperFilters** or **LowerFilters** entries. - >[!NOTE] - >These filters are mainly related to storage. After you expand the **Control** key in the registry, you can search for **UpperFilters** and **LowerFilters**. + >[!NOTE] + >These filters are mainly related to storage. After you expand the **Control** key in the registry, you can search for **UpperFilters** and **LowerFilters**. - The following are some of the different registry entries in which you may find these filter drivers. These entries are located under **ControlSet** and are designated as **Default** : + The following are some of the different registry entries in which you may find these filter drivers. These entries are located under **ControlSet** and are designated as **Default** : \Control\Class\\{4D36E96A-E325-11CE-BFC1-08002BE10318} diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index f4cd9a6e96..42fb6ef17e 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md 
@@ -44,18 +44,18 @@ To troubleshoot Stop error messages, follow these general steps: a. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: - - [Windows 10, version 1809](https://support.microsoft.com/help/4464619) - - [Windows 10, version 1803](https://support.microsoft.com/help/4099479) - - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) - - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) - - [Windows Server 2016 and Windows 10, version 1607](https://support.microsoft.com/help/4000825) - - [Windows 10, version 1511](https://support.microsoft.com/help/4000824) - - [Windows Server 2012 R2 and Windows 8.1](https://support.microsoft.com/help/4009470) - - [Windows Server 2008 R2 and Windows 7 SP1](https://support.microsoft.com/help/4009469) + - [Windows 10, version 1809](https://support.microsoft.com/help/4464619) + - [Windows 10, version 1803](https://support.microsoft.com/help/4099479) + - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) + - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) + - [Windows Server 2016 and Windows 10, version 1607](https://support.microsoft.com/help/4000825) + - [Windows 10, version 1511](https://support.microsoft.com/help/4000824) + - [Windows Server 2012 R2 and Windows 8.1](https://support.microsoft.com/help/4009470) + - [Windows Server 2008 R2 and Windows 7 SP1](https://support.microsoft.com/help/4009469) - b. Make sure that the BIOS and firmware are up-to-date. + b. Make sure that the BIOS and firmware are up-to-date. - c. Run any relevant hardware and memory tests. + c. Run any relevant hardware and memory tests. 3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. 
This diagnostic tool is used to collect machine memory dump files and check for known solutions. 
@@ -65,18 +65,18 @@ To troubleshoot Stop error messages, follow these general steps: 6. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios: - - The error message indicates that a specific driver is causing the problem. - - You are seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, determine whether the service behavior is consistent across all instances of the crash. - - You have made any software or hardware changes. + - The error message indicates that a specific driver is causing the problem. + - You are seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, determine whether the service behavior is consistent across all instances of the crash. + - You have made any software or hardware changes. - >[!NOTE] - >If there are no updates available from a specific manufacturer, it is recommended that you disable the related service. - > - >To do this, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135) - > - >You can disable a driver by following the steps in [How to temporarily deactivate the kernel mode filter driver in Windows](https://support.microsoft.com/help/816071). - > - >You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll Back a Device Driver to a Previous Version](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)). + >[!NOTE] + >If there are no updates available from a specific manufacturer, it is recommended that you disable the related service. 
+ > + >To do this, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135) + > + >You can disable a driver by following the steps in [How to temporarily deactivate the kernel mode filter driver in Windows](https://support.microsoft.com/help/816071). + > + >You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll Back a Device Driver to a Previous Version](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)). ### Memory dump collection diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index ccd0edc346..2049a34777 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md 
@@ -105,13 +105,13 @@ You may also see CLOSE_WAIT state connections in the same output, however CLOSE_ > >Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more. -4. Open a command prompt in admin mode and run the below command +4. Open a command prompt in admin mode and run the below command - ```cmd - Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl - ``` + ```cmd + Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl + ``` -5. Open the server.etl file with [Network Monitor](troubleshoot-tcpip-netmon.md) and in the filter section, apply the filter **Wscore_MicrosoftWindowsWinsockAFD.AFD_EVENT_BIND.Status.LENTStatus.Code == 0x209**. You should see entries which say **STATUS_TOO_MANY_ADDRESSES**. If you do not find any entries, then the server is still not out of ports. If you find them, then you can confirm that the server is under port exhaustion. +5. Open the server.etl file with [Network Monitor](troubleshoot-tcpip-netmon.md) and in the filter section, apply the filter **Wscore_MicrosoftWindowsWinsockAFD.AFD_EVENT_BIND.Status.LENTStatus.Code == 0x209**. You should see entries which say **STATUS_TOO_MANY_ADDRESSES**. If you do not find any entries, then the server is still not out of ports. If you find them, then you can confirm that the server is under port exhaustion. ## Troubleshoot Port exhaustion diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md index e9862e61ae..7022b0feb4 100644 --- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md 
+++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md @@ -20,7 +20,7 @@ You might encounter an **RPC server unavailable** error when connecting to Windo This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’. -Before getting in to troubleshooting the **RPC server unavailable*- error, let’s first understand basics about the error. There are a few important terms to understand: +Before getting in to troubleshooting the *RPC server unavailable- error, let’s first understand basics about the error. There are a few important terms to understand: - Endpoint mapper – a service listening on the server, which guides client apps to server apps by port and UUID. - Tower – describes the RPC protocol, to allow the client and server to negotiate a connection. 
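Review bot: the replacement line still has broken emphasis: `**RPC server unavailable*-` became `*RPC server unavailable-`, which leaves a stray `-` and an unclosed `*` instead of the `**RPC server unavailable**` bold used on the context line above (`You might encounter an **RPC server unavailable** error`). While the line is being touched, `getting in to troubleshooting` should read `getting into troubleshooting`.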
@@ -113,24 +113,24 @@ The best thing to always troubleshoot RPC issues before even getting in to trace Portqry.exe -n -e 135 ``` -This would give you a lot of output to look for, but you should be looking for **ip_tcp*- and the port number in the brackets, which tells whether you were successfully able to get a dynamic port from EPM and also make a connection to it. If the above fails, you can typically start collecting simultaneous network traces. Something like this from the output of “PortQry”: +This would give you a lot of output to look for, but you should be looking for *ip_tcp- and the port number in the brackets, which tells whether you were successfully able to get a dynamic port from EPM and also make a connection to it. If the above fails, you can typically start collecting simultaneous network traces. Something like this from the output of “PortQry”: ```cmd Portqry.exe -n 169.254.0.2 -e 135 ``` Partial output below: ->Querying target system called: ->169.254.0.2 ->Attempting to resolve IP address to a name... ->IP address resolved to RPCServer.contoso.com ->querying... ->TCP port 135 (epmap service): LISTENING ->Using ephemeral source port ->Querying Endpoint Mapper Database... ->Server's response: ->UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d ->ncacn_ip_tcp:169.254.0.10**[49664]** +> Querying target system called: +> 169.254.0.2 +> Attempting to resolve IP address to a name... +> IP address resolved to RPCServer.contoso.com +> querying... +> TCP port 135 (epmap service): LISTENING +> Using ephemeral source port +> Querying Endpoint Mapper Database... +> Server's response: +> UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d +> ncacn_ip_tcp:169.254.0.10[49664] The one in bold is the ephemeral port number that you made a connection to successfully. 
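Review bot: this hunk drops the bold from `ncacn_ip_tcp:169.254.0.10**[49664]**` (now `[49664]`), but the trailing context line still says `The one in bold is the ephemeral port number that you made a connection to successfully.`, so the sentence now points at formatting that no longer exists. Either keep `**[49664]**` (or mark it with backticks) or reword the sentence to name the bracketed port number explicitly. The `**ip_tcp*-` to `*ip_tcp-` change on the explanatory line has the same problem as the earlier hunk, a stray `-` and an unclosed `*`; `**ip_tcp**` is the intended markup.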
@@ -140,14 +140,14 @@ The one in bold is the ephemeral port number that you made a connection to succe You can run the commands below to leverage Windows inbuilt netsh captures, to collect a simultaneous trace. Remember to execute the below on an “Admin CMD”, it requires elevation. - On the client -```cmd -Netsh trace start scenario=netconnection capture=yes tracefile=c:\client_nettrace.etl maxsize=512 overwrite=yes report=yes -``` + ```cmd + Netsh trace start scenario=netconnection capture=yes tracefile=c:\client_nettrace.etl maxsize=512 overwrite=yes report=yes + ``` - On the Server -```cmd -Netsh trace start scenario=netconnection capture=yes tracefile=c:\server_nettrace.etl maxsize=512 overwrite=yes report=yes -``` + ```cmd + Netsh trace start scenario=netconnection capture=yes tracefile=c:\server_nettrace.etl maxsize=512 overwrite=yes report=yes + ``` Now try to reproduce your issue from the client machine and as soon as you feel the issue has been reproduced, go ahead and stop the traces using the command ```cmd diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index d3c74ecb23..4c111bd5f7 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md 
@@ -87,58 +87,58 @@ If the computer is no longer frozen and now is running in a good state, use the > If you have a restart feature that is enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process. -1. Make sure that the computer is set up to get a complete memory dump file. To do this, follow these steps: +1. Make sure that the computer is set up to get a complete memory dump file. To do this, follow these steps: - 1. Go to **Run** and enter `Sysdm.cpl`, and then press enter. + 1. Go to **Run** and enter `Sysdm.cpl`, and then press enter. - 2. In **System Properties**, on the **Advanced** tab, select **Performance** \> **Settings** \> **Advanced**, and then check or change the virtual memory by clicking **Change**. + 2. In **System Properties**, on the **Advanced** tab, select **Performance** \> **Settings** \> **Advanced**, and then check or change the virtual memory by clicking **Change**. - 2. Go back to **System Properties** \> **Advanced** \> **Settings** in **Startup and Recovery**. + 2. Go back to **System Properties** \> **Advanced** \> **Settings** in **Startup and Recovery**. - 3. In the **Write Debugging Information** section, select **Complete Memory Dump**. + 3. In the **Write Debugging Information** section, select **Complete Memory Dump**. - > [!Note] - > For Windows versions that are earlier than Windows 8 or Windows Server 2012, the Complete Memory Dump type isn't available in the GUI. You have to change it in Registry Editor. 
To do this, change the value of the following **CrashDumpEnabled** registry entry to **1** (REG_DWORD): - >**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled** + > [!Note] + > For Windows versions that are earlier than Windows 8 or Windows Server 2012, the Complete Memory Dump type isn't available in the GUI. You have to change it in Registry Editor. To do this, change the value of the following **CrashDumpEnabled** registry entry to **1** (REG_DWORD): + >**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled** - 4. Select **Overwrite any existing file**. + 4. Select **Overwrite any existing file**. - 5. Make sure that there's a paging file (pagefile.sys) on the system drive and that it’s at least 100 megabytes (MB) over the installed RAM (Initial and Maximum Size). + 5. Make sure that there's a paging file (pagefile.sys) on the system drive and that it’s at least 100 megabytes (MB) over the installed RAM (Initial and Maximum Size). - Additionally, you can use the workaround for [space limitations on the system drive in Windows Server 2008](#space-limitations-on-the-system-drive-in-windows-server-2008). + Additionally, you can use the workaround for [space limitations on the system drive in Windows Server 2008](#space-limitations-on-the-system-drive-in-windows-server-2008). - 6. Make sure that there's more available space on the system drive than there is physical RAM. + 6. Make sure that there's more available space on the system drive than there is physical RAM. -2. Enable the CrashOnCtrlScroll registry value to allow the system to generate a dump file by using the keyboard. To do this, follow these steps: +2. Enable the CrashOnCtrlScroll registry value to allow the system to generate a dump file by using the keyboard. To do this, follow these steps: - 1. Go to Registry Editor, and then locate the following registry keys: + 1. 
Go to Registry Editor, and then locate the following registry keys: * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` - 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys: + 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys: - - **Value Name**: `CrashOnCtrlScroll` - - **Data Type**: `REG_DWORD` - - **Value**: `1` + - **Value Name**: `CrashOnCtrlScroll` + - **Data Type**: `REG_DWORD` + - **Value**: `1` - 3. Exit Registry Editor. + 3. Exit Registry Editor. - 4. Restart the computer. + 4. Restart the computer. -3. On some physical computers, you may generate a nonmakeable interruption (NMI) from the Web Interface feature (such as DRAC, iLo, and RSA). However, by default, this setting will stop the system without creating a memory dump. +3. On some physical computers, you may generate a nonmakeable interruption (NMI) from the Web Interface feature (such as DRAC, iLo, and RSA). However, by default, this setting will stop the system without creating a memory dump. - To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change. + To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change. - > [!Note] - > This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. 
For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](https://support.microsoft.com/help/2750146). + > [!Note] + > This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](https://support.microsoft.com/help/2750146). -4. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file. +4. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file. - > [!Note] - > By default, the dump file is located in the following path:
                                                                                          - > %SystemRoot%\MEMORY.DMP + > [!Note] + > By default, the dump file is located in the following path:
                                                                                          + > %SystemRoot%\MEMORY.DMP ### Method 2: Data sanity check 
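Review bot: the reindented sub-steps under step 1 are numbered `1.`, `2.`, `2.`, `3.`, `4.`, `5.`, `6.` (the `Go back to **System Properties**` item repeats `2.`); every one of these lines is rewritten here, so renumber them to run 1 through 7. Step 3 keeps `nonmakeable interruption (NMI)`; NMI stands for non-maskable interrupt, so it should read `non-maskable interrupt (NMI)`. Minor: `For Windows 8 Windows Server 2012, and later` is missing the comma after `Windows 8`.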
@@ -193,59 +193,59 @@ The Performance Monitor log is located in the path: C:\PERFLOGS If the physical computer is still running in a frozen state, follow these steps to enable and collect memory dump: -1. Make sure that the computer is set up to get a complete memory dump file and that you can access it through the network. To do this, follow these steps: - > [!Note] - > If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI interruption. The result of the action may not collect a memory dump file if some of the following settings aren't qualified. +1. Make sure that the computer is set up to get a complete memory dump file and that you can access it through the network. To do this, follow these steps: + > [!Note] + > If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI interruption. The result of the action may not collect a memory dump file if some of the following settings aren't qualified. - 1. Try to access the desktop of the computer by any means. + 1. Try to access the desktop of the computer by any means. + + > [!Note] + > In case accessing the operating system isn't possible, try to access Registry Editor on the computer remotely in order to check the type of memory dump file and page file with which the computer is currently configured. + + 2. From a remote computer that is preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the concerned computer, and verify the following settings: + + * ` `*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` + + Make sure that the [CrashDumpEnabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`. 
+ + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump` + + On some physical servers, if the NMICrashDump registry entry exists and its value is `1`, you may take advantage of the NMI from the remote management capabilities (such as DRAC, iLo, and RSA). + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles and ExistingPageFiles` + + If the value of the **Pagefile** registry entry is system managed, the size won't be reflected in the registry (Example value: ?:\pagefile.sys). + + If the page file is customized, the size will be reflected in the registry, such as ‘?:\pagefile.sys 1024 1124’ where 1024 is the initial size and 1124 is the max size. > [!Note] - > In case accessing the operating system isn't possible, try to access Registry Editor on the computer remotely in order to check the type of memory dump file and page file with which the computer is currently configured. + > If the size isn't reflected in the Registry, try to access an Administrative share where the page file is located (such as \\\\**ServerName**\C$). - 2. From a remote computer that is preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the concerned computer, and verify the following settings: + 3. Make sure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM. - * ` `*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` + 4. Make sure that there's more free space on the hard disk drives of the computer than there is physical RAM. - Make sure that the [CrashDumpEnabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`. +2. Enable the **CrashOnCtrlScroll** registry value on the computer to allow the system to generate a dump file by using the keyboard. 
To do this, follow these steps: - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump` + 1. From a remote computer preferably in the same network and subnet, go to Registry Editor \> Connect Network Registry. Connect to the concerned computer and locate the following registry keys: - On some physical servers, if the NMICrashDump registry entry exists and its value is `1`, you may take advantage of the NMI from the remote management capabilities (such as DRAC, iLo, and RSA). + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles and ExistingPageFiles` + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` - If the value of the **Pagefile** registry entry is system managed, the size won't be reflected in the registry (Example value: ?:\pagefile.sys). + 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys: - If the page file is customized, the size will be reflected in the registry, such as ‘?:\pagefile.sys 1024 1124’ where 1024 is the initial size and 1124 is the max size. + **Value Name**: `CrashOnCtrlScroll` + **Data Type**: `REG_DWORD` + **Value**: `1` - > [!Note] - > If the size isn't reflected in the Registry, try to access an Administrative share where the page file is located (such as \\\\**ServerName**\C$). + 3. Exit Registry Editor. - 3. Make sure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM. + 4. Restart the computer. - 4. Make sure that there's more free space on the hard disk drives of the computer than there is physical RAM. - -2. Enable the **CrashOnCtrlScroll** registry value on the computer to allow the system to generate a dump file by using the keyboard. To do this, follow these steps: - - 1. 
From a remote computer preferably in the same network and subnet, go to Registry Editor \> Connect Network Registry. Connect to the concerned computer and locate the following registry keys: - - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` - - * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` - - 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys: - - **Value Name**: `CrashOnCtrlScroll` - **Data Type**: `REG_DWORD` - **Value**: `1` - - 3. Exit Registry Editor. - - 4. Restart the computer. - -3. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump. - > [!Note] - > By default, the dump file is located in the path: %SystemRoot%\MEMORY.DMP +3. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump. + > [!Note] + > By default, the dump file is located in the path: %SystemRoot%\MEMORY.DMP ### Use Pool Monitor to collect data for the physical computer that is no longer frozen diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index a5ae117500..f78666d243 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md 
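Review bot: in the `@@ -193,59 +193,59 @@` hunk (collecting a memory dump from a frozen computer) the malformed inline code on the CrashDumpEnabled line is carried over unchanged: the added line still reads `* ` `*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled``, with a stray backtick pair and asterisk in front of the path, while the two sibling entries (`NMICrashDump`, `PagingFiles`) are written as a single backticked path. Since the whole list is being re-indented anyway, fix it here to `* `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled``. Two smaller points in the same hunk: "NMI interruption" should be "an NMI (non-maskable interrupt)", and step 2 leaves `CrashOnCtrlScroll = 1` under both `i8042prt\Parameters` and `kbdhid\Parameters` permanently, so anyone with keyboard access can bug-check the box at will and the resulting complete dump holds the full contents of physical memory; the procedure should tell the reader to remove the value once the dump has been collected and to treat `%SystemRoot%\MEMORY.DMP` as sensitive data.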
@@ -310,13 +310,13 @@ In addition to SCEP certificate management, Windows 10 Mobile supports deploymen Get more detailed information about MDM certificate management in the [Client Certificate Install CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile). Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently. ->**Note:** To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Microsoft Store. This Windows 10 Mobile app can help you: -- View a summary of all personal certificates -- View the details of individual certificates -- View the certificates used for VPN, Wi-Fi, and email authentication -- Identify which certificates may have expired -- Verify the certificate path and confirm that you have the correct intermediate and root CA certificates -- View the certificate keys stored in the device TPM +> **Note:** To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Microsoft Store. This Windows 10 Mobile app can help you: +> - View a summary of all personal certificates +> - View the details of individual certificates +> - View the certificates used for VPN, Wi-Fi, and email authentication +> - Identify which certificates may have expired +> - Verify the certificate path and confirm that you have the correct intermediate and root CA certificates +> - View the certificate keys stored in the device TPM ### Wi-Fi profiles 
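Review bot: the unchanged context line directly above this `@@ -310,13 +310,13 @@` hunk in windows-10-mobile-and-mdm.md has a typo, "intentionally or accidently", which should be "accidentally"; since the hunk already touches the adjacent note, include the fix. The conversion of the bullet list into `> - ` lines is correct, as without the `> ` prefix the items fall out of the Note alert and render as a plain list after it.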
@@ -711,7 +711,7 @@ Microsoft aspires to update Windows 10 Mobile devices with the latest updates au Wi-Fi Device is connected to a personal or corporate Wi-Fi network (no data charges) Yes -Yes/td> +Yes/td> Yes Yes – outside of Active Hours (forced restart after 7 days if user postpones restart) @@ -771,7 +771,7 @@ Update availability depends on what servicing option you choose for the device. Windows Insider Builds As appropriate during development cycle, released to Windows Insiders only Variable, until the next Insider build is released to Windows Insiders -Allows Insiders to test new feature and application compatibility before a Feature Update is released/td> +Allows Insiders to test new feature and application compatibility before a Feature Update is released/td> Mobile @@ -779,7 +779,7 @@ Update availability depends on what servicing option you choose for the device. Immediately after the Feature Update is published to Windows Update by Microsoft Microsoft typically releases two Feature Updates per 12-month period (approximately every four months, though it can potentially be longer) Makes new features available to users as soon as possible -Mobile & Mobile Enterprise +Mobile & Mobile Enterprise Current Branch for Business (CBB) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 21ab9561f7..6e4fc5d47e 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md 
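Review bot: the `@@ -711,7` and `@@ -771,7` hunks in windows-10-mobile-and-mdm.md are whitespace-only changes that preserve broken markup. Both added lines, `+Yes/td>` and `+Allows Insiders to test new feature and application compatibility before a Feature Update is released/td>`, are missing the `<` of the closing tag, so the cell is never closed and the literal text "/td>" is rendered in the table. Replace `/td>` with `</td>` in both while the lines are being edited. In the second line "new feature" should also be "new features".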
@@ -160,10 +160,9 @@ New or changed topic | Description ## October 2017 -New or changed topic | Description ---- | --- -[Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access | Removed **Guidelines for using Remote Desktop app**; the behavior for Remote Desktop has changed so that it's no longer necessary to turn off **Start connections in full screen** for assigned access. - +| New or changed topic | Description | +|---------------------------------------------------------------------------------------------|----------------------------------------------------------------| +| [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access | ## RELEASE: Windows 10, version 1709 @@ -176,6 +175,7 @@ The topics in this library have been updated for Windows 10, version 1709 (also ## September 2017 + |New or changed topic | Description| |--- | ---| |[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|New conceptual info about Windows 10 and the upcoming GDPR-compliance requirements.| @@ -191,6 +191,7 @@ The topics in this library have been updated for Windows 10, version 1709 (also ## July 2017 + | New or changed topic | Description | | --- | --- | |[Windows 10, version 1703 Diagnostic Data](windows-diagnostic-data-1703.md)|Updated categories and included diagnostic data.| diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index 1b4742be79..0a333370c9 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md 
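Review bot: the `@@ -160,10 +160,9 @@` hunk in change-history-for-configure-windows-10.md silently drops part of the change history. The removed line recorded two October 2017 changes in one malformed row: the Microsoft Edge note for assigned access and "Removed **Guidelines for using Remote Desktop app**; the behavior for Remote Desktop has changed so that it's no longer necessary to turn off **Start connections in full screen** for assigned access." The rebuilt table keeps only the first. A change log should not lose entries in a formatting pass; add the Remote Desktop removal as its own row (the topic column can name the removed guideline without a link).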
@@ -60,7 +60,7 @@ These policy settings are available in **Administrative Templates\\Start Menu an Prevent users from customizing their Start Screen -

                                                                                          Use this policy in conjunction with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it

                                                                                          +

                                                                                          Use this policy in conjunction with a customized Start layout to prevent users from changing it

                                                                                          Prevent users from uninstalling applications from Start @@ -98,7 +98,7 @@ These policy settings are available in **Administrative Templates\\Start Menu an Start Layout

                                                                                          This applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in User Configuration or Computer Configuration.

                                                                                          -  +
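Review bot: the `@@ -60,7 +60,7 @@` hunk in changes-to-start-policies-in-windows-10.md removes a cross-reference. The old description for **Prevent users from customizing their Start Screen** reads "Use this policy in conjunction with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it"; the added line keeps the sentence but drops the link, so "customized Start layout" no longer points anywhere. Restore the link in the new cell; nothing else in the hunk justifies removing it.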
                                                                                          @@ -108,7 +108,7 @@ These policy settings are available in **Administrative Templates\\Start Menu an -  + ## Deprecated Group Policy settings for Start @@ -144,7 +144,7 @@ The Start policy settings listed below do not work on Windows 10. Most of them | Remove user folder link from Start Menu | Windows 8 | | Remove Videos link from Start Menu | Windows 8 | -  + ## Related topics diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 905e898c97..4389cbd5e6 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -27,7 +27,7 @@ If you specify an app to be pinned that is not provisioned for the user on the c The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user. > [!NOTE] -> In operating systems configured to use a right-to-left language, the taskbar order will be reversed. +> In operating systems configured to use a right-to-left language, the taskbar order will be reversed. The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square). 
@@ -57,11 +57,11 @@ The following example shows how apps will be pinned: Windows default apps to the In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. The easiest way to find this data for an application is to: -1. Pin the application to the Start menu on a reference or testing PC. -2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet. -3. Open the generated XML file. -4. Look for an entry corresponding to the app you pinned. -5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`. +1. Pin the application to the Start menu on a reference or testing PC. +2. Open Windows PowerShell and run the `Export-StartLayout` cmdlet. +3. Open the generated XML file. +4. Look for an entry corresponding to the app you pinned. +5. Look for a property labeled `AppUserModelID` or `DesktopApplicationLinkPath`. ### Sample taskbar configuration XML file @@ -117,7 +117,7 @@ The easiest way to find this data for an application is to: ``` -##Keep default apps and add your own +## Keep default apps and add your own The `` section will append listed apps to the taskbar by default. The following sample keeps the default apps pinned and adds pins for Paint, Microsoft Reader, and a command prompt. @@ -145,7 +145,7 @@ The `` section will append listed apps to the tas ![default apps pinned to taskbar](images/taskbar-default.png) **After:** - + ![additional apps pinned to taskbar](images/taskbar-default-plus.png) ## Remove default apps and add your own @@ -172,7 +172,6 @@ If you only want to remove some of the default pinned apps, you would use this m - ``` **Before:** @@ -203,7 +202,6 @@ By adding `PinListPlacement="Replace"` to ``, you - ``` ## Configure taskbar by country or region 
@@ -248,7 +246,6 @@ The following example shows you how to configure taskbars by country or region. - ``` When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK: diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index e77a465300..8842961ced 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md 
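Review bot: in the `@@ -57,11 +57,11 @@` hunk of configure-windows-10-taskbar.md, step 2 ("Open Windows PowerShell and run the `Export-StartLayout` cmdlet") gives no output location, so step 3 ("Open the generated XML file") leaves the reader guessing where the file is. Show the cmdlet with its `-Path` parameter, for example `Export-StartLayout -Path C:\Layouts\layout.xml`, and refer to that path in step 3. The `##Keep default apps and add your own` to `## Keep default apps and add your own` fix in the `@@ -117,7` hunk is right and should be called out: CommonMark-conformant parsers such as markdig do not treat `##Keep` as a heading, so this line would otherwise render as paragraph text once the docset engine changes.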
@@ -25,24 +25,24 @@ This scenario turns on Azure AD and let's your employee use Cortana to manage an ## Turn on Azure AD This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account. -1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, and then click **About Me**. +1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, and then click **About Me**. -2. Click your email address. +2. Click your email address. - A dialog box appears, showing the associated account info. + A dialog box appears, showing the associated account info. -3. Click your email address again, and then click **Sign out**. +3. Click your email address again, and then click **Sign out**. - This signs out the Microsoft account, letting you continue to add and use the Azure AD account. + This signs out the Microsoft account, letting you continue to add and use the Azure AD account. -4. Click the **Search** box and then the **Notebook** icon in the left rail. This will start the sign-in request. +4. Click the **Search** box and then the **Notebook** icon in the left rail. This will start the sign-in request. -5. Click **Sign-In** and follow the instructions. +5. Click **Sign-In** and follow the instructions. -6. When you’re asked to sign in, you’ll need to choose an Azure AD account, which will look like kelliecarlson@contoso.com. +6. When you’re asked to sign in, you’ll need to choose an Azure AD account, which will look like kelliecarlson@contoso.com. - >[!IMPORTANT] - >If there’s no Azure AD account listed, you’ll need to go to **Windows Settings > Accounts > Email & app accounts**, and then click **Add a work or school account** to add it. + >[!IMPORTANT] + >If there’s no Azure AD account listed, you’ll need to go to **Windows Settings > Accounts > Email & app accounts**, and then click **Add a work or school account** to add it. 
## Use Cortana to manage the notebook content This process helps you to manage the content Cortana shows in your Notebook. diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index dc0428bfc4..53cd1f9039 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -35,7 +35,7 @@ When [a partial Start layout](#configure-a-partial-start-layout) is applied, the >[!NOTE] >Partial Start layout is only supported on Windows 10, version 1511 and later. -  + You can deploy the resulting .xml file to devices using one of the following methods: diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 6b8d7bd5ac..95610629f1 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -31,7 +31,7 @@ This topic describes how to update Group Policy settings to display a customized >[!WARNING]   >When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. When you apply a taskbar layout, users will still be able to pin and unpin apps, and change the order of pinned apps. -  + **Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) 
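Review bot: the unchanged context line that opens the `@@ -25,24 +25,24 @@` hunk in cortana-at-work-scenario-1.md, "This scenario turns on Azure AD and let's your employee use Cortana", has "let's" where "lets" is meant; the hunk is a whitespace-only re-indent of every numbered step, so the sentence immediately above it is the natural place to fold in the fix. Step 1 could also say "select" rather than "Click on".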
@@ -59,7 +59,7 @@ Three features enable Start and taskbar layout control: >[!NOTE]   >To learn how customize Start to include your line-of-business apps when you deploy Windows 10, see [Customize the Windows 10 Start layout]( https://go.microsoft.com/fwlink/p/?LinkId=620863). -  + ## Use Group Policy to apply a customized Start layout in a domain 
@@ -89,32 +89,32 @@ This procedure adds the customized Start and taskbar layout to the user configur **To configure Start Layout policy settings in Local Group Policy Editor** -1. On the test computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**. +1. On the test computer, press the Windows key, type **gpedit**, and then select **Edit group policy (Control panel)**. -2. Go to **User Configuration** or **Computer Configuration** > **Administrative Templates** >**Start Menu and Taskbar**. +2. Go to **User Configuration** or **Computer Configuration** > **Administrative Templates** >**Start Menu and Taskbar**. - ![start screen layout policy settings](images/starttemplate.jpg) + ![start screen layout policy settings](images/starttemplate.jpg) -3. Right-click **Start Layout** in the right pane, and click **Edit**. +3. Right-click **Start Layout** in the right pane, and click **Edit**. - This opens the **Start Layout** policy settings. + This opens the **Start Layout** policy settings. - ![policy settings for start screen layout](images/startlayoutpolicy.jpg) + ![policy settings for start screen layout](images/startlayoutpolicy.jpg) -4. Enter the following settings, and then click **OK**: +4. Enter the following settings, and then click **OK**: - 1. Select **Enabled**. + 1. Select **Enabled**. - 2. Under **Options**, specify the path to the .xml file that contains the Start and taskbar layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**. + 2. Under **Options**, specify the path to the .xml file that contains the Start and taskbar layout. For example, type **C:\\Users\\Test01\\StartScreenMarketing.xml**. - 3. Optionally, enter a comment to identify the Start and taskbar layout. + 3. Optionally, enter a comment to identify the Start and taskbar layout. 
- >[!IMPORTANT]   - >If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command: + > [!IMPORTANT] + > If you disable Start Layout policy settings that have been in effect and then re-enable the policy, users will not be able to make changes to Start, however the layout in the .xml file will not be reapplied unless the file has been updated. In Windows PowerShell, you can update the timestamp on a file by running the following command: + > + > `(ls ).LastWriteTime = Get-Date` - >`(ls ).LastWriteTime = Get-Date` - -   + ## Update a customized Start layout @@ -132,8 +132,8 @@ After you use Group Policy to apply a customized Start and taskbar layout on a c - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) -  -  + + diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 320d3e6d56..a125aa663d 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md 
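Review bot: in the `@@ -89,32 +89,32 @@` hunk of customize-windows-10-start-screens-by-using-group-policy.md the PowerShell command moved into the Important alert, `(ls ).LastWriteTime = Get-Date`, has an empty argument: the placeholder for the layout file path is missing, so the reader cannot tell which file to touch and the command as written does not act on the layout XML. Give it an explicit placeholder such as `(Get-Item <path-to-layout.xml>).LastWriteTime = Get-Date` (or `ls` with the same placeholder). Also in this file, the Related topics context in the `@@ -132,8` hunk still reads "Customize Windows 10 Start and tasbkar with mobile device management (MDM)"; "tasbkar" should be "taskbar".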
@@ -35,7 +35,7 @@ In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can us >[!WARNING]  >When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. -  + ## How Start layout control works @@ -47,7 +47,7 @@ Two features enable Start layout control: >[!NOTE]   >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet. -   + - In Microsoft Intune, you select the Start layout XML file and add it to a device configuration profile. @@ -92,9 +92,9 @@ For other MDM solutions, you may need to use an OMA-URI setting for Start layout - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) -  + -  + diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 3db4a537ab..d9b3a37932 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md 
@@ -140,9 +140,9 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L - [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) -  + -  + diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index bd41749bd6..e2e249e9d1 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -20,7 +20,7 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif" + "**/*.gif" ], "exclude": [ "**/obj/**", @@ -31,24 +31,24 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "ms.author": "jdecker", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.win-configuration", - "folder_relative_path_in_docset": "./" - } - } - }, + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "jdecker", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-configuration", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], "dest": "win-configuration", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } 
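Review bot: the docfx.json hunk hides a functional change inside an indentation-only reformat: `"markdownEngineName": "dfm"` becomes `"markdownEngineName": "markdig"`, which changes how every page in the win-configuration docset is parsed. Separate it from the whitespace churn in `globalMetadata`, or at least name it in the commit message, because the heading-spacing, `> ` list and table fixes across the other files in this patch only make sense as preparation for the stricter engine. While here, the Related topics context in the `@@ -140,9 +140,9 @@` hunk of customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md has the same "tasbkar" typo ("Customize Windows 10 Start and tasbkar with mobile device management (MDM)").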
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index cbaf963779..fa57936276 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -19,7 +19,7 @@ manager: dansimp **Applies to** -- Windows 10 +- Windows 10 You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. 
@@ -76,22 +76,22 @@ Enable Home Button | Show a Home button in Kiosk Browser. Home will return the b Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. ->[!IMPORTANT] ->To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: -> +> [!IMPORTANT] +> To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: +> > 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. ->2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). ->3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). ->4. Save the XML file. ->5. Open the project again in Windows Configuration Designer. ->6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. - - ->[!TIP] ->To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](https://docs.microsoft.com/intune/custom-settings-windows-10) with the following information: ->- OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton ->- Data type: Integer ->- Value: 1 +> 2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). +> 3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). +> 4. Save the XML file. +> 5. Open the project again in Windows Configuration Designer. +> 6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. 
+> +> +> [!TIP] +> To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](https://docs.microsoft.com/intune/custom-settings-windows-10) with the following information: +> - OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton +> - Data type: Integer +> - Value: 1 #### Rules for URLs in Kiosk Browser settings @@ -117,7 +117,7 @@ Additional guidelines for URLs: The following table describes the results for different combinations of blocked URLs and blocked URL exceptions. -Blocked URL rule | Block URL exception rule | Result +Blocked URL rule | Block URL exception rule | Result --- | --- | --- `*` | `contoso.com`
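Review bot: the `@@ -76,22 +76,22 @@` hunk in guidelines-for-assigned-access-app.md merges two alerts into one blockquote. The added lines `+>` / `+>` / `+> [!TIP]` keep the `>` prefix on the blank lines between the Important and Tip blocks, so the blockquote never terminates and `[!TIP]` lands inside the Important alert as literal text. Leave the separating lines empty (no `>`), as they were before the hunk. In the same list, step 3 ("Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com)") shows an empty code span, so the reader cannot see what character or escape sequence to type; spell out the exact literal. "e.g" should be "e.g." in steps 2 and 3.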
                                                                                          `fabrikam.com` | All requests are blocked unless it is to contoso.com, fabrikam.com, or any of their subdomains. `contoso.com` | `mail.contoso.com`
                                                                                          `.contoso.com`
                                                                                          `.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. @@ -125,18 +125,19 @@ Blocked URL rule | Block URL exception rule | Result The following table gives examples for blocked URLs. -Entry | Result ---- | --- -`contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com -`https://*` | Blocks all HTTPS requests to any domain. -`mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com -`.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. -`.www.contoso.com` | Blocks www.contoso.com but not its subdomains. -`*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. -`*:8080` | Blocks all requests to port 8080. -`contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. -`192.168.1.2` | Blocks requests to 192.168.1.2. -`youtube.com/watch?v=V1` | Blocks youtube video with id V1. + +| Entry | Result | +|--------------------------|-------------------------------------------------------------------------------| +| `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com | +| `https://*` | Blocks all HTTPS requests to any domain. | +| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com | +| `.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. | +| `.www.contoso.com` | Blocks www.contoso.com but not its subdomains. | +| `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. | +| `*:8080` | Blocks all requests to port 8080. | +| `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. | +| `192.168.1.2` | Blocks requests to 192.168.1.2. | +| `youtube.com/watch?v=V1` | Blocks youtube video with id V1. | ### Other browsers 
@@ -146,7 +147,7 @@ You can create your own web browser Windows app by using the WebView class. Lear - [Creating your own browser with HTML and JavaScript](https://blogs.windows.com/msedgedev/2015/08/27/creating-your-own-browser-with-html-and-javascript/) - [WebView class](https://msdn.microsoft.com/library/windows/apps/windows.ui.xaml.controls.webview.aspx) - [A web browser built with JavaScript as a Windows app](https://github.com/MicrosoftEdge/JSBrowser/tree/v1.0) - + ## Secure your information @@ -172,7 +173,7 @@ The above guidelines may help you select or develop an appropriate Windows app f -  + diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 9374add78b..053041d24b 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md 
@@ -69,30 +69,30 @@ In addition to the settings in the table, you may want to set up **automatic log **How to edit the registry to have an account sign in automatically** -1. Open Registry Editor (regedit.exe). +1. Open Registry Editor (regedit.exe). - >[!NOTE]   - >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). -   + >[!NOTE] + >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). + -2. Go to +2. Go to - **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** + **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** -3. Set the values for the following keys. +3. Set the values for the following keys. - - *AutoAdminLogon*: set value as **1**. + - *AutoAdminLogon*: set value as **1**. - - *DefaultUserName*: set value as the account that you want signed in. + - *DefaultUserName*: set value as the account that you want signed in. - - *DefaultPassword*: set value as the password for the account. + - *DefaultPassword*: set value as the password for the account. - > [!NOTE] - > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + > [!NOTE] + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. + - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. -4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically. +4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically. 
>[!TIP] >You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). @@ -120,7 +120,7 @@ The following table describes some features that have interoperability issues we
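Review bot: step 2 of the auto sign-in procedure in the kiosk-prepare.md hunk above gives the key as `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon`, but the Winlogon key lives under `Windows NT` (with a space), so a reader following the path as written will not find it; correct the path while these lines are being touched. Step 3 also has the reader store *DefaultPassword* as a plain **String Value**, which leaves the account password readable to anyone who can read that key; the tip that follows already points at the Sysinternals Autologon tool, which does not write the password as a plain registry string, and the procedure should recommend it up front rather than only as an afterthought.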

                                                                                          Accessibility

                                                                                          Assigned access does not change Ease of Access settings.

                                                                                          -

                                                                                          We recommend that you use [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:

                                                                                          +

                                                                                          We recommend that you use Keyboard Filter to block the following key combinations that bring up accessibility features:

                                                                                          @@ -151,13 +151,13 @@ The following table describes some features that have interoperability issues we - + - - + + - - + + - - + + - - + + +

                                                                                          Learn how to use Shell Launcher to create a kiosk device that runs a Windows desktop application.

                                                                                          - - + + - - + + - + +

                                                                                          MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a custom OMA-URI setting for AboveLock/AllowActionCenterNotifications.

                                                                                          - - + + - + - - + + +

                                                                                          Learn how to use Assigned Access to create a kiosk device that runs a Universal Windows app.

                                                                                          - + - + - - + + - - + +

                                                                                          Assigned access Windows PowerShell cmdlets

                                                                                          In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](https://docs.microsoft.com/powershell/module/assignedaccess/?view=win10-ps).

                                                                                          In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see Assigned access Windows PowerShell reference.

                                                                                          Key sequences blocked by assigned access

                                                                                          When in assigned access, some key combinations are blocked for assigned access users.

                                                                                          -

                                                                                          Alt+F4, Alt+Shift+TaB, Alt+Tab are not blocked by Assigned Access, it is recommended you use [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.

                                                                                          -

                                                                                          Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](https://docs.microsoft.com/windows-hardware/customize/enterprise/wekf-settings).

                                                                                          +

                                                                                          Alt+F4, Alt+Shift+TaB, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations.

                                                                                          +

                                                                                          Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in WEKF_Settings.
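Review bot: the "Key sequences blocked by assigned access" row in this hunk spells the shortcut as `Alt+Shift+TaB`; it should be `Alt+Shift+Tab`. The same sentence, "Alt+F4, Alt+Shift+Tab, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations", is a comma splice; split it into two sentences or join them with "so".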

                                                                                          @@ -216,30 +216,30 @@ The following table describes some features that have interoperability issues we

                                                                                          Keyboard Filter settings apply to other standard accounts.

                                                                                          - - + +

                                                                                          For more information on removing the power button or disabling the physical power button, see Custom Logon.

                                                                                          +

                                                                                          For more information, see Unified Write Filter.

                                                                                          +

                                                                                          If you need to use assigned access API, see WEDL_AssignedAccess.

                                                                                          +

                                                                                          For more information, see Custom Logon.

                                                                                          Key sequences blocked by [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter)

                                                                                          If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) reference topic.

                                                                                          -

                                                                                          [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows 10 Enterprise or Windows 10 Education.

                                                                                          +

                                                                                          Key sequences blocked by Keyboard Filter

                                                                                          If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the Keyboard Filter reference topic.

                                                                                          +

                                                                                          Keyboard Filter is only available on Windows 10 Enterprise or Windows 10 Education.

                                                                                          Power button

                                                                                          Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access.

                                                                                          -

                                                                                          For more information on removing the power button or disabling the physical power button, see [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon).

                                                                                          Unified Write Filter (UWF)

                                                                                          UWFsettings apply to all users, including those with assigned access.

                                                                                          -

                                                                                          For more information, see [Unified Write Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/unified-write-filter).

                                                                                          WEDL_AssignedAccess class

                                                                                          Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.

                                                                                          -

                                                                                          If you need to use assigned access API, see [WEDL_AssignedAccess](whttps://docs.microsoft.com/windows-hardware/customize/enterprise/wedl-assignedaccess).

                                                                                          Welcome Screen

                                                                                          Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.

                                                                                          -

                                                                                          For more information, see [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon).
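Review bot: the WEDL_AssignedAccess row in this hunk links to `whttps://docs.microsoft.com/windows-hardware/customize/enterprise/wedl-assignedaccess`; the stray leading `w` makes the scheme invalid and the link dead, so change it to `https://` in this pass. In the same hunk the Unified Write Filter row reads `UWFsettings apply to all users`; add the missing space: `UWF settings`.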

                                                                                          diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index a9b6cd3bca..89c720dbc9 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -204,14 +204,14 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des - - - - - - - - + + + + + + + +
                                                                                          ![step one](images/one.png)![set up device](images/set-up-device.png)

                                                                                          Enable device setup if you want to configure settings on this page.

                                                                                          **If enabled:**

                                                                                          Enter a name for the device.

                                                                                          (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

                                                                                          Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

                                                                                          You can also select to remove pre-installed software from the device.
                                                                                          ![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
                                                                                          ![step two](images/two.png) ![set up network](images/set-up-network.png)

                                                                                          Enable network setup if you want to configure settings on this page.

                                                                                          **If enabled:**

                                                                                          Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
                                                                                          ![Enter network SSID and type](images/set-up-network-details.png)
                                                                                          ![step three](images/three.png) ![account management](images/account-management.png)

                                                                                          Enable account management if you want to configure settings on this page.

                                                                                          **If enabled:**

                                                                                          You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

                                                                                          To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

                                                                                          Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

                                                                                          **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

                                                                                          To create a local administrator account, select that option and enter a user name and password.

                                                                                          **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
                                                                                          ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
                                                                                          ![step four](images/four.png) ![add applications](images/add-applications.png)

                                                                                          You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

                                                                                          **Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
                                                                                          ![add an application](images/add-applications-details.png)
                                                                                          ![step five](images/five.png) ![add certificates](images/add-certificates.png)

                                                                                          To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
                                                                                          ![add a certificate](images/add-certificates-details.png)
                                                                                          ![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

                                                                                          You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

                                                                                          If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.)

                                                                                          In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
                                                                                          ![Configure kiosk account and app](images/kiosk-account-details.png)
                                                                                          ![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

                                                                                          On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
                                                                                          ![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
                                                                                          ![finish](images/finish.png)

                                                                                          You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
                                                                                          ![Protect your package](images/finish-details.png)
                                                                                          step oneset up device

                                                                                          Enable device setup if you want to configure settings on this page.

                                                                                          If enabled:

                                                                                          Enter a name for the device.

                                                                                          (Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.

                                                                                          Toggle Configure devices for shared use off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

                                                                                          You can also select to remove pre-installed software from the device.
                                                                                          device name, upgrade to enterprise, shared use, remove pre-installed software
                                                                                          step two set up network

                                                                                          Enable network setup if you want to configure settings on this page.

                                                                                          If enabled:

                                                                                          Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
                                                                                          Enter network SSID and type
                                                                                          step three account management

                                                                                          Enable account management if you want to configure settings on this page.

                                                                                          If enabled:

                                                                                          You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

                                                                                          To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

                                                                                          Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

                                                                                          Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

                                                                                          To create a local administrator account, select that option and enter a user name and password.

                                                                                          Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
                                                                                          join Active Directory, Azure AD, or create a local admin account
                                                                                          step four add applications

                                                                                          You can provision the kiosk app in the Add applications step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps

                                                                                          Warning: If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in Installer Path, and then a Cancel button becomes available, allowing you to complete the provisioning package without an application.
                                                                                          add an application
                                                                                          step five add certificates

                                                                                          To provision the device with a certificate for the kiosk app, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.
                                                                                          add a certificate
                                                                                          step six Configure kiosk account and app

                                                                                          You can create a local standard user account that will be used to run the kiosk app. If you toggle No, make sure that you have an existing user account to run the kiosk app.

                                                                                          If you want to create an account, enter the user name and password, and then toggle Yes or No to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational.)

                                                                                          In Configure the kiosk mode app, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
                                                                                          Configure kiosk account and app
                                                                                          step seven configure kiosk common settings

                                                                                          On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
                                                                                          set tablet mode and configure welcome and shutdown and turn off timeout settings
                                                                                          finish

                                                                                          You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
                                                                                          Protect your package
                                                                                          @@ -230,7 +230,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des -  + @@ -263,7 +263,7 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. -  + diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index ad9e27e9f8..ba2f56b8f5 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -114,7 +114,7 @@ In addition to specifying the apps that users can run, you should also restrict **Note**   To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. -   + To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442). diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 1a140df4cc..bc31032e3e 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -1,6 +1,6 @@ --- title: Set up a multi-app kiosk (Windows 10) -description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. +description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 ms.reviewer: manager: dansimp 
@@ -21,20 +21,18 @@ ms.topic: article **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. The following table lists changes to multi-app kiosk in recent updates. -New features and improvements | In update ---- | --- -- Configure [a single-app kiosk profile](#profile) in your XML file

                                                                                          - Assign [group accounts to a config profile](#config-for-group-accounts)

                                                                                          - Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 -- Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

                                                                                          - [Automatically launch an app](#allowedapps) when the user signs in

                                                                                          - Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

                                                                                          **Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `http://schemas.microsoft.com/AssignedAccess/201810/config`. - - +| New features and improvements | In update | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| - Configure [a single-app kiosk profile](#profile) in your XML file

                                                                                          - Assign [group accounts to a config profile](#config-for-group-accounts)

                                                                                          - Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 | +| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

                                                                                          - [Automatically launch an app](#allowedapps) when the user signs in

                                                                                          - Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

                                                                                          **Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `http://schemas.microsoft.com/AssignedAccess/201810/config`. | >[!WARNING] >The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. @@ -87,7 +85,7 @@ Let's start by looking at the basic structure of the XML file. - A profile has no effect if it’s not associated to a config section. ![profile = app and config = account](images/profile-config.png) - + You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) ```xml 
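Review bot: the separator row of the new pipe table in the @@ -21,20 +21,18 @@ hunk of lock-down-windows-10-to-specific-apps.md is several hundred dashes wide; a three-dash separator per column (`|---|---|`) renders identically, keeps the table readable in source, and avoids noisy diffs on every future edit to the row text. The conversion from the unmarked header to a proper `| New features and improvements | In update |` header is the right fix, so only the separator needs trimming.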
@@ -164,8 +162,8 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: -1. Default rule is to allow all users to launch the signed package apps. -2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list. +1. Default rule is to allow all users to launch the signed package apps. +2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list. >[!NOTE] >You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). 
Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. 
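Review bot: the hunk context in @@ -164,8 +162,8 @@ still reads "When the mult-app kiosk configuration is applied", a typo for "multi-app" that the whitespace-only change to the two list items leaves in place; since the same sentence is also the header context of the next hunk, fix the spelling in the same PR rather than leaving it for a follow-up.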
@@ -174,26 +172,25 @@ When the mult-app kiosk configuration is applied to a device, AppLocker rules wi Here are the predefined assigned access AppLocker rules for **desktop apps**: -1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. -2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration. -3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list. +1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. +2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration. +3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list. The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. 
-```xml - - - - - - - - - - - -``` +xml +<AllAppsList> + <AllowedApps> + <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> + <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> + <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> + <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> + <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> + <App DesktopAppPath="%windir%\system32\mspaint.exe" /> + <App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt"/> + </AllowedApps> +</AllAppsList> ##### FileExplorerNamespaceRestrictions @@ -281,13 +278,13 @@ The following example exposes the taskbar to the end user: ```xml ``` - + The following example hides the taskbar: ```xml ``` - + >[!NOTE] >This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. 
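Review bot: the @@ -174,26 +172,25 @@ hunk drops the code fence around the AllAppsList example: the opening line changes from "```xml" to a bare "xml" and the closing "```" is removed entirely, so the `<AllAppsList>`, `<AllowedApps>` and `<App .../>` elements will no longer render as a code block and, as raw angle-bracketed text in Markdown, are likely to be treated as HTML and swallowed by the renderer. Restore the fenced block with "```xml" before `<AllAppsList>` and "```" after `</AllAppsList>`, matching the other XML examples in the file (for instance the ShowTaskbar examples in the following hunk, which keep their fences).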
@@ -357,14 +354,14 @@ Individual accounts are specified using ``. - Local account can be entered as `machinename\account` or `.\account` or just `account`. - Domain account should be entered as `domain\account`. -- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided AS IS (consider it’s a fixed domain name), then follow with the Azure AD email address, e.g. **AzureAD\someone@contoso.onmicrosoft.com**. +- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided AS IS (consider it’s a fixed domain name), then follow with the Azure AD email address, e.g. AzureAD\someone@contoso.onmicrosoft.com. >[!WARNING] >Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. - + >[!NOTE] >For both domain and Azure AD accounts, it’s not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. 
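Review bot: in the @@ -357,14 +354,14 @@ hunk the example account "AzureAD\someone@contoso.onmicrosoft.com" loses its bold but is not given any other formatting, so it now sits in plain prose where the `\s` and the e-mail address are exposed to the renderer (GFM autolinks bare e-mail addresses). Put it in backticks, `AzureAD\someone@contoso.onmicrosoft.com`, to match the `AzureAD\{email address}` format string earlier in the same bullet and to keep the backslash literal.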
@@ -390,15 +387,15 @@ Group accounts are specified using ``. Nested groups are not supporte - + ``` -- Domain group: Both security and distribution groups are supported. Specify the group type as **ActiveDirectoryGroup**. Use the domain name as the prefix in the name attribute. +- Domain group: Both security and distribution groups are supported. Specify the group type as ActiveDirectoryGroup. Use the domain name as the prefix in the name attribute. ```xml - + ``` - Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign in. @@ -407,7 +404,7 @@ Group accounts are specified using ``. Nested groups are not supporte - + ``` >[!NOTE] @@ -423,7 +420,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L >[!IMPORTANT] >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). 2. Choose **Advanced provisioning**. 
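Review bot: the @@ -390,15 +387,15 @@ hunk un-bolds "ActiveDirectoryGroup" in the domain-group bullet while the parallel Azure AD bullet two lines below keeps **AzureActiveDirectoryGroup** in bold; both are literal values of the group type attribute and should be formatted the same way. Either restore the bold or, better, put both values in backticks as attribute values, and apply the same treatment to the `@@ -407` hunk if it touches the Azure AD bullet.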
@@ -437,42 +434,42 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created. - ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) + ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) 8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. -8. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. +9. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. -8. On the **File** menu, select **Save.** +10. On the **File** menu, select **Save.** -9. On the **Export** menu, select **Provisioning package**. +11. On the **Export** menu, select **Provisioning package**. -10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** +12. 
Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. +13. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. +14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location. -13. Click **Next**. +15. Click **Next**. -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. +16. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -15. 
If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. +17. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -15. Copy the provisioning package to the root directory of a USB drive. + +18. Copy the provisioning package to the root directory of a USB drive. ### Apply provisioning package to device @@ -495,7 +492,7 @@ Provisioning packages can be applied to a device during the first-run experience 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. ![Provision this device](images/prov.jpg) - + 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. ![Choose a package](images/choose-package.png) @@ -503,9 +500,9 @@ Provisioning packages can be applied to a device during the first-run experience 5. Select **Yes, add it**. ![Do you trust this package?](images/trust-package.png) - - + + #### After setup, from a USB drive, network folder, or SharePoint site 1. Sign in with an admin account. 
@@ -573,34 +570,34 @@ When the multi-app assigned access configuration is applied on the device, certa The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users. -| Setting | Value | +| Setting | Value | | --- | --- | -Remove access to the context menus for the task bar | Enabled -Clear history of recently opened documents on exit | Enabled -Prevent users from customizing their Start Screen | Enabled -Prevent users from uninstalling applications from Start | Enabled -Remove All Programs list from the Start menu | Enabled -Remove Run menu from Start Menu | Enabled -Disable showing balloon notifications as toast | Enabled -Do not allow pinning items in Jump Lists | Enabled -Do not allow pinning programs to the Taskbar | Enabled -Do not display or track items in Jump Lists from remote locations | Enabled -Remove Notifications and Action Center | Enabled -Lock all taskbar settings | Enabled -Lock the Taskbar | Enabled -Prevent users from adding or removing toolbars | Enabled -Prevent users from resizing the taskbar | Enabled -Remove frequent programs list from the Start Menu | Enabled +Remove access to the context menus for the task bar | Enabled +Clear history of recently opened documents on exit | Enabled +Prevent users from customizing their Start Screen | Enabled +Prevent users from uninstalling applications from Start | Enabled +Remove All Programs list from the Start menu | Enabled +Remove Run menu from Start Menu | Enabled +Disable showing balloon notifications as toast | Enabled +Do not allow pinning items in Jump Lists | Enabled +Do not allow pinning programs to the Taskbar | Enabled +Do not display or track items in Jump Lists from remote locations | Enabled +Remove Notifications and Action Center | Enabled +Lock all taskbar settings | Enabled +Lock the Taskbar | Enabled +Prevent users 
from adding or removing toolbars | Enabled +Prevent users from resizing the taskbar | Enabled +Remove frequent programs list from the Start Menu | Enabled Remove ‘Map Network Drive’ and ‘Disconnect Network Drive’ | Enabled -Remove the Security and Maintenance icon | Enabled -Turn off all balloon notifications | Enabled -Turn off feature advertisement balloon notifications | Enabled -Turn off toast notifications | Enabled -Remove Task Manager | Enabled -Remove Change Password option in Security Options UI | Enabled -Remove Sign Out option in Security Options UI | Enabled -Remove All Programs list from the Start Menu | Enabled – Remove and disable setting -Prevent access to drives from My Computer | Enabled - Restrict all drivers +Remove the Security and Maintenance icon | Enabled +Turn off all balloon notifications | Enabled +Turn off feature advertisement balloon notifications | Enabled +Turn off toast notifications | Enabled +Remove Task Manager | Enabled +Remove Change Password option in Security Options UI | Enabled +Remove Sign Out option in Security Options UI | Enabled +Remove All Programs list from the Start Menu | Enabled – Remove and disable setting +Prevent access to drives from My Computer | Enabled - Restrict all drivers >[!NOTE] >When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. 
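Review bot: the last row of the policy table in the @@ -573,34 +570,34 @@ hunk is touched for whitespace only and keeps the typo "Enabled - Restrict all drivers"; the option of the Group Policy setting "Prevent access to drives from My Computer" is "Restrict all drives", and the note directly below the table also talks about drives, not drivers. Since the line is already part of this change, correct it to `Prevent access to drives from My Computer | Enabled - Restrict all drives`.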
@@ -612,25 +609,25 @@ Prevent access to drives from My Computer | Enabled - Restrict all drivers Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide). -Setting | Value | System-wide +Setting | Value | System-wide --- | --- | --- -[Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes -[Start/AllowPinnedFolderDocuments](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderDownloads](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderFileExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderHomeGroup](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderMusic](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes 
-[Start/AllowPinnedFolderPersonalFolder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderPictures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes -[Start/AllowPinnedFolderVideos](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes +[Start/AllowPinnedFolderDocuments](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderDownloads](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdownloads) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderFileExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderHomeGroup](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes 
+[Start/AllowPinnedFolderMusic](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderPersonalFolder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderPictures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +[Start/AllowPinnedFolderVideos](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No -[Start/HidePeopleBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) | 1 - True (hide) | No -[Start/HideChangeAccountSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes -[WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes 
-[Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No -[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes +[Start/HidePeopleBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar) | 1 - True (hide) | No +[Start/HideChangeAccountSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes +[WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes +[Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No +[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes ## Provision .lnk files using Windows Configuration Designer diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index c37def1dff..d6ece913c6 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -39,34 +39,34 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

                                                                                          [Hibernate Once/Resume Many (HORM)](https://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device

                                                                                          [HORM](https://docs.microsoft.com/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)

                                                                                          Hibernate Once/Resume Many (HORM): Quick boot to device

                                                                                          HORM

                                                                                          HORM is supported in Windows 10, version 1607 and later.

                                                                                          [Unified Write Filter](https://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media

                                                                                          [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001.aspx)

                                                                                          Unified Write Filter: protect a device's physical storage media

                                                                                          Unified Write Filter

                                                                                          The Unified Write Filter is continued in Windows 10.

                                                                                          [Keyboard Filter]( https://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations

                                                                                          [Keyboard Filter](https://go.microsoft.com/fwlink/p/?LinkId=708391)

                                                                                          Keyboard Filter: block hotkeys and other key combinations

                                                                                          Keyboard Filter

                                                                                          Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

                                                                                          [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Windows desktop application on sign-on

                                                                                          [Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=618603)

                                                                                          Shell Launcher: launch a Windows desktop application on sign-on

                                                                                          Shell Launcher

                                                                                          Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

                                                                                          -

                                                                                          Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Windows desktop application.

                                                                                          [Application Launcher]( https://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on

                                                                                          [Assigned Access](https://go.microsoft.com/fwlink/p/?LinkId=626608)

                                                                                          Application Launcher: launch a Universal Windows Platform (UWP) app on sign-on

                                                                                          Assigned Access

                                                                                          The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus.

                                                                                          [Dialog Filter](https://go.microsoft.com/fwlink/p/?LinkId=626762): suppress system dialogs and control which processes can run

                                                                                          [AppLocker](/windows/device-security/applocker/applocker-overview)

                                                                                          Dialog Filter: suppress system dialogs and control which processes can run

                                                                                          AppLocker

                                                                                          Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing.

                                                                                          • Control over which processes are able to run will now be provided by AppLocker.

                                                                                          • @@ -74,48 +74,48 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be
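Review bot: Tense and punctuation in two cells this hunk rewrites. The Keyboard Filter cell says the feature "is added in Windows 10, version 1511" and in the same breath that it "will be configurable through Windows Imaging and Configuration Designer (ICD)"; for a shipped feature that should read "is configurable", matching the Shell Launcher cell ("It is now configurable in Windows ICD"). The Dialog Filter cell, "Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs", needs a colon, not a semicolon, before the enumeration.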

                                                                                          [Toast Notification Filter]( https://go.microsoft.com/fwlink/p/?LinkId=626673): suppress toast notifications

                                                                                          Toast Notification Filter: suppress toast notifications

                                                                                          Mobile device management (MDM) and Group Policy

                                                                                          Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps.

                                                                                          Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications

                                                                                          -

                                                                                          MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a [custom OMA-URI setting](https://go.microsoft.com/fwlink/p/?LinkID=616317) for AboveLock/AllowActionCenterNotifications.

                                                                                          [Embedded Lockdown Manager](https://go.microsoft.com/fwlink/p/?LinkId=626763): configure lockdown features

                                                                                          [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkID=525483)

                                                                                          Embedded Lockdown Manager: configure lockdown features

                                                                                          Windows Imaging and Configuration Designer (ICD)

                                                                                          The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager.

                                                                                          [USB Filter](https://go.microsoft.com/fwlink/p/?LinkId=626674): restrict USB devices and peripherals on system

                                                                                          USB Filter: restrict USB devices and peripherals on system

                                                                                          MDM and Group Policy

                                                                                          The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices.

                                                                                          Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

                                                                                          MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only).

                                                                                          [Assigned Access](https://go.microsoft.com/fwlink/p/?LinkID=613653): launch a UWP app on sign-in and lock access to system

                                                                                          [Assigned Access](https://go.microsoft.com/fwlink/p/?LinkId=626608)

                                                                                          Assigned Access: launch a UWP app on sign-in and lock access to system

                                                                                          Assigned Access

                                                                                          Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device.

                                                                                          In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed.

                                                                                          -

                                                                                          Learn [how to use Assigned Access to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Universal Windows app.

                                                                                          [Gesture Filter](https://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen

                                                                                          Gesture Filter: block swipes from top, left, and right edges of screen

                                                                                          MDM and Group Policy

                                                                                          In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#LockDown_AllowEdgeSwipe) policy.

                                                                                          In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the Allow edge swipe policy.

                                                                                          [Custom Logon]( https://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown

                                                                                          [Embedded Logon](https://go.microsoft.com/fwlink/p/?LinkId=626760)

                                                                                          Custom Logon: suppress Windows UI elements during Windows sign-on, sign-off, and shutdown

                                                                                          Embedded Logon

                                                                                          No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

                                                                                          [Unbranded Boot](https://go.microsoft.com/fwlink/p/?LinkId=626872): custom brand a device by removing or replacing Windows boot UI elements

                                                                                          [Unbranded Boot](https://go.microsoft.com/fwlink/p/?LinkId=626873)

                                                                                          Unbranded Boot: custom brand a device by removing or replacing Windows boot UI elements

                                                                                          Unbranded Boot

                                                                                          No changes. Applies only to Windows 10 Enterprise and Windows 10 Education.

                                                                                          -  -  -  + + + diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 9ed5328980..8cf37ded02 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -55,28 +55,28 @@ You can manage your Wi-Fi Sense settings by using registry keys and the Registry **To set up Wi-Fi Sense using the Registry Editor** -1. Open your Registry Editor and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\` +1. Open your Registry Editor and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\` -2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**. -
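Review bot: The Assigned Access cell's "how to use Assigned Access to create a kiosk device" link and the Shell Launcher cell's "how to use Shell Launcher to create a kiosk device" link both resolve to the same fwlink (LinkId=626922), although one promises a desktop-app kiosk and the other a Universal Windows app kiosk; confirm that a single topic covers both, otherwise one of the two links is wrong. In the Gesture Filter cell the "Allow edge swipe" policy still points at the old msdn.microsoft.com dn904962 page, whereas the rest of this patch links policy settings to docs.microsoft.com/windows/client-management/mdm/policy-csp-*; this is the obvious place to retarget it.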

                                                                                          Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see [How to configure Wi-Fi Sense on Windows 10 in an enterprise](https://go.microsoft.com/fwlink/p/?LinkId=620959). +2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**. +

                                                                                          Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see How to configure Wi-Fi Sense on Windows 10 in an enterprise. - ![Registry Editor, showing the creation of a new DWORD value](images/wifisense-registry.png) + ![Registry Editor, showing the creation of a new DWORD value](images/wifisense-registry.png) ### Using the Windows Provisioning settings You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**. **To set up Wi-Fi Sense using WiFISenseAllowed** -- Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**. -

                                                                                          Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909). +- Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**. +

                                                                                          Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, WiFiSenseAllowed. ### Using Unattended Windows Setup settings If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**. **To set up Wi-Fi Sense using WiFISenseAllowed** -- Change the Unattended Windows Setup setting, **WiFISenseAllowed**, to **0**. -

                                                                                          Setting this value to **0** turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the **Wi-Fi Settings** screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910). +- Change the Unattended Windows Setup setting, **WiFISenseAllowed**, to **0**. +

                                                                                          Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, WiFiSenseAllowed. ### How employees can change their own Wi-Fi Sense settings If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**. @@ -95,9 +95,9 @@ If you select the **Share network with my contacts** check box the first time yo - [Wi-Fi Sense and Privacy](https://go.microsoft.com/fwlink/p/?LinkId=620911) - [How to configure Wi-Fi Sense on Windows 10 in an enterprise](https://go.microsoft.com/fwlink/p/?LinkId=620959) -  + -  + diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md index f74a4f1a2e..28bf0b87e3 100644 --- a/windows/configuration/mobile-devices/lockdown-xml.md +++ b/windows/configuration/mobile-devices/lockdown-xml.md @@ -1,6 +1,6 @@ --- title: Configure Windows 10 Mobile using Lockdown XML (Windows 10) -description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. +description: Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. ms.assetid: 22C8F654-2EC3-4E6D-8666-1EA9FCF90F5F ms.reviewer: manager: dansimp 
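Review bot: Inconsistent casing of the setting name in the provisioning and Unattend steps this hunk rewrites: the step reads "Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**" but the same sentence then sends the reader to the reference topic "WiFiSenseAllowed", and the Unattend section likewise introduces "WiFiSenseAllowed" before telling the reader to change "WiFISenseAllowed". Since the lines are being touched anyway, align them on the name used by the reference topics so that a search for the setting finds every occurrence.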
@@ -20,9 +20,9 @@ ms.date: 07/27/2017 **Applies to** -- Windows 10 Mobile +- Windows 10 Mobile -Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. +Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. @@ -40,16 +40,16 @@ Let's start by looking at the basic structure of the lockdown XML file. You can ```xml - - - - - - - - - - + + + + + + + + + + ``` @@ -84,7 +84,7 @@ The following example is a complete lockdown XML file that disables Action Cente - + @@ -145,8 +145,8 @@ In the following example, Outlook Calendar and Outlook Mail are pinned to the St - - + + ``` @@ -160,7 +160,7 @@ You can create and pin folders to Start by using the Apps setting. Each folder r - + Medium 4 @@ -183,7 +183,7 @@ To add apps to the folder, include **ParentFolderId** in the application XML, as 0 0 - 1 + 1 @@ -194,7 +194,7 @@ To add apps to the folder, include **ParentFolderId** in the application XML, as 4 0 - 1 + 1 @@ -226,11 +226,11 @@ In the following example, press-and-hold is disabled for the Back button. ```xml - - - + + + ``` @@ -238,10 +238,10 @@ If you don't specify a button event, all actions for the button are disabled. In ```xml - - - + + + ``` 
@@ -251,20 +251,20 @@ ButtonRemapList lets you change the app that a button will run. You can remap th > [!WARNING] > Button remapping can enable a user to open an application that is not in the allow list for that user role. Use button lock down to prevent application access for a user role. - + To remap a button, you specify the button, the event, and the product ID for the app that you want the event to open. In the following example, when a user presses the Search button, the phone dialer will open instead of the Search app. ```xml - - - + + + ``` @@ -273,7 +273,7 @@ In the following example, when a user presses the Search button, the phone diale ![XML for CSP Runner](../images/CSPRunnerXML.jpg) You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](https://go.microsoft.com/fwlink/p/?LinkID=717460) or [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx). - + CSPRunner is helpful when you are configuring a device to support multiple roles. It lets you apply different policies according to the role that is signed on. For example, Wi-Fi could be enabled for a supervisor role and disabled for a stocking clerk role. In CSPRunner, you specify the CSP and settings using SyncML, a standardized markup language for device management. A SyncML section can include multiple settings, or you can use multiple SyncML sections -- it's up to you how you want to organize settings in this section. @@ -285,21 +285,21 @@ Let's start with the structure of SyncML in the following example: ```xml SyncML> - - | - # - - - CSP Path - - - Data Type - - Value - - | - - + + | + # + + + CSP Path + + + Data Type + + Value + + | + + ``` 
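Review bot: The SyncML structure example in the -285 hunk opens with `SyncML>`, which looks like a missing `<`; everything else in the block is a well-formed element, and this hunk already re-emits every line of the block, so verify the source and restore `<SyncML>` so the sample can be pasted into a CSPRunner section and validated against the XSD mentioned later in the file.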
@@ -360,85 +360,85 @@ If you list a setting or quick action in **Settings**, all settings and quick ac For a list of the settings and quick actions that you can allow or block, see [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md). - + ## Tiles - + ![XML for tiles](../images/TilesXML.png) - + By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. - + > [!IMPORTANT] > If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile. - + ```xml ``` - + ## Start screen size - + Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: - - - Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). - - Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). - - If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. 
- - [Learn about effective pixel width (epx) for different device size classes.](https://go.microsoft.com/fwlink/p/?LinkId=733340) - - + +- Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). +- Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). + + If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. + + [Learn about effective pixel width (epx) for different device size classes.](https://go.microsoft.com/fwlink/p/?LinkId=733340) + + ## Configure additional roles - + You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. - + [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown). - + In the XML file, you define each role with a GUID and name, as shown in the following example: - + ```xml ``` You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file. - + You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. 
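Review bot: The "Small"/"Large" bullets are de-indented so they render as a list, which is the right fix, but check that the paragraph that follows ("If you have existing lockdown xml, you must update start screen size ...") and the epx link after it are also flush left; if they keep the leading space they render as part of the "Large" item instead of as the caveat that applies to both. In the same paragraph, "lockdown xml" and "start screen size" should be "lockdown XML" and "Start screen size" to match the headings used elsewhere in this file.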
If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. - + ```xml - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + ``` ## Validate your XML You can validate your lockdown XML file against the [EnterpriseAssignedAccess XSD](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-xsd). - + ## Add lockdown XML to a provisioning package -Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://go.microsoft.com/fwlink/p/?LinkId=526740) +Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://go.microsoft.com/fwlink/p/?LinkId=526740) 1. Follow the instructions at [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkID=629651) to create a project, selecting **Common to all Windows mobile editions** for your project. @@ -854,7 +854,6 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting - ``` ## Learn more diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md index 7454b4e1c7..dabf9951dc 100644 --- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md +++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md 
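Review bot: The -854,7 +854,6 hunk removes a single line immediately before a closing ``` fence and the "## Learn more" heading; make sure the removed line is a stray blank and not a duplicate fence whose partner is still needed, otherwise the AssignedAccessXML example would swallow the "Learn more" section into the code block.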
@@ -30,11 +30,11 @@ The **Provision Windows mobile devices** wizard lets you configure common settin ### Start a new project 1. Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click the Windows Configuration Designer shortcut, + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click the Windows Configuration Designer shortcut, - or + or - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. 2. On the **Start** page, choose **Provision Windows mobile devices**. @@ -44,10 +44,10 @@ The **Provision Windows mobile devices** wizard lets you configure common settin ### Configure settings in the wizard - - - - + + + +
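Review bot: The two install paths in the "Start a new project" step are inconsistent: the x64 path ends at the `...\Imaging and Configuration Designer\x86` directory, while the x86 path ends in `...\x86\ICD.exe`, and the sentence then tells the reader to "double-click **ICD.exe**" in both cases. Either both should name the directory, or both should name the executable; the hunk is already rewriting this line, so fix it here.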
                                                                                          ![step one](../images/one.png)![set up device](../images/set-up-device-mobile.png)

                                                                                          Enter a device name.

                                                                                          Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise.
                                                                                          ![device name, upgrade license](../images/set-up-device-details-mobile.png)
                                                                                          ![step two](../images/two.png) ![set up network](../images/set-up-network-mobile.png)

                                                                                          Toggle **On** or **Off** for wireless network connectivity.

                                                                                          If you select **On**, enter the SSID, network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
                                                                                          ![Enter network SSID and type](../images/set-up-network-details-mobile.png)
                                                                                          ![step three](../images/three.png) ![bulk enrollment in Azure Active Directory](../images/bulk-enroll-mobile.png)

                                                                                          Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used.

                                                                                          Set an expiration date for the token (maximum is 180 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

                                                                                          **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
                                                                                          ![Enter expiration and get bulk token](../images/bulk-enroll-mobile-details.png)
                                                                                          ![step four](../images/four.png) ![finish](../images/finish-mobile.png)

                                                                                          You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
                                                                                          ![Protect your package](../images/finish-details-mobile.png)
                                                                                          step oneset up device

                                                                                          Enter a device name.

                                                                                          Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise.
                                                                                          device name, upgrade license
                                                                                          step two set up network

                                                                                          Toggle On or Off for wireless network connectivity.

                                                                                          If you select On, enter the SSID, network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
                                                                                          Enter network SSID and type
                                                                                          step three bulk enrollment in Azure Active Directory

                                                                                          Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used.

                                                                                          Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

                                                                                          Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
                                                                                          Enter expiration and get bulk token
                                                                                          step four finish

                                                                                          You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
                                                                                          Protect your package
                                                                                          After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md index 8383fc4369..68b962d26f 100644 --- a/windows/configuration/mobile-devices/provisioning-nfc.md +++ b/windows/configuration/mobile-devices/provisioning-nfc.md @@ -72,14 +72,14 @@ The following table describes the information that is required when writing to a The NFC provisioning helper device must split the provisioning package raw content into multiple parts and publish these in order. Each part should follow the following format: -
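Review bot: In provisioning-configure-mobile.md, "Start a new project" step 1, the two ADK paths are inconsistent: the x64 path ends at the `...\Imaging and Configuration Designer\x86` folder while the x86 path ends at `...\x86\ICD.exe`, yet both are followed by "and then double-click **ICD.exe**". Since this hunk only strips trailing whitespace from these lines, it is a good moment to make both paths end at the folder so the double-click instruction reads the same on either architecture.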
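Review bot: The "Configure settings in the wizard" table in provisioning-configure-mobile.md has the wizard collect a WPA2-Personal passphrase (step two) and an Azure AD bulk token valid for up to 180 days (step three), but unlike the matching table in provision-pcs-for-initial-deployment.md it is not preceded by the `> [!IMPORTANT]` note that project files and the .ppkg may contain sensitive information and that project files are not encrypted. Consider adding that same note above the table, and turning the step-four wording "You can set a password to protect your provisioning package" into a recommendation, given what the package carries.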
                                                                                          **Version**
                                                                                          (1 byte)
                                                                                          **Leading**
                                                                                          (1 byte)
                                                                                          **Order**
                                                                                          (1 byte)
                                                                                          **Total**
                                                                                          (1 byte)
                                                                                          **Chunk payload**
                                                                                          (N bytes)
                                                                                          +
                                                                                          Version
                                                                                          (1 byte)
                                                                                          Leading
                                                                                          (1 byte)
                                                                                          Order
                                                                                          (1 byte)
                                                                                          Total
                                                                                          (1 byte)
                                                                                          Chunk payload
                                                                                          (N bytes)
                                                                                          For each part: -- **Version** should always be 0x00. -- **Leading byte** should always be 0xFF. -- **Order** represents which message chunk (out of the whole message) the part belongs to. The Order begins with zero (0). -- **Total** represents the total number of chunks to be transferred for the whole message. -- **Chunk payload** represents each of the split parts. +- Version should always be 0x00. +- Leading byte should always be 0xFF. +- Order represents which message chunk (out of the whole message) the part belongs to. The Order begins with zero (0). +- Total represents the total number of chunks to be transferred for the whole message. +- Chunk payload represents each of the split parts. The NFC provisioning helper device must publish the record in a type of Windows.ProvPlugins.Chunk. @@ -140,9 +140,9 @@ For detailed information and code samples on how to implement an NFC-enabled dev - [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) - [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md) -  + -  + diff --git a/windows/configuration/mobile-devices/provisioning-package-splitter.md b/windows/configuration/mobile-devices/provisioning-package-splitter.md index 1a8dc3004c..736a35c4ed 100644 --- a/windows/configuration/mobile-devices/provisioning-package-splitter.md +++ b/windows/configuration/mobile-devices/provisioning-package-splitter.md 
@@ -49,13 +49,13 @@ Before you can use the tool, you must have a built provisioning package. The pac cd C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 ``` - - or - + - or - - On an x86 computer, type: + On an x86 computer, type: - ``` - cd C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 - ``` + ``` + cd C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86 + ``` 3. Run `ppkgtobase64.exe`. The [syntax](#syntax) and [switches and arguments](#switches-and-arguments) sections provide details for the command. @@ -83,9 +83,9 @@ ppkgtobase64.exe -i -o -s [-c] [/?] ## Related topics -  + -  + diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index 1c4f74ec06..c5adf378ee 100644 --- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md @@ -36,7 +36,7 @@ Enterprise Assigned Access allows you to put your Windows 10 Mobile or Windows >[!NOTE] >The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app. -  + ### Set up Enterprise Assigned Access in MDM @@ -186,7 +186,7 @@ Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or >[!TIP]   >Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. -   + 2. Give the device to someone else, so they can use the device and only the one app you chose. 3. When they're done and you get the device back, press and hold Power ![power](../images/powericon.png), and then swipe right to exit Apps Corner. 
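Review bot: In the provisioning-package-splitter.md hunk, the re-indented code fence for the x86 path (and the x64 one above it) carries no language tag and shows `cd C:\Program Files\Windows Kits\10\...` with an unquoted path containing spaces. That works in cmd.exe, where `cd` takes the rest of the line as the path, but fails in PowerShell; either state that the commands are for a Command Prompt window or quote the path so the steps work in both shells.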
@@ -200,7 +200,7 @@ Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) -  + diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 6ff71e891d..f2a8d0bcc3 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -29,7 +29,7 @@ The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fw >[!NOTE]   >The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. - [See what's new for CSPs in Windows 10, version 1809.](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809) + [See what's new for CSPs in Windows 10, version 1809.](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809) ## What is a CSP? @@ -220,9 +220,9 @@ Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile E - [WindowsSecurityAuditing CSP](https://go.microsoft.com/fwlink/p/?LinkId=723415) -  + -  + diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 545644f1b8..bd8806ab06 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md 
@@ -68,11 +68,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 2. Click **Provision desktop devices**. - ![ICD start options](../images/icd-create-options-1703.png) + ![ICD start options](../images/icd-create-options-1703.png) 3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. - ![ICD desktop provisioning](../images/icd-desktop-1703.png) + ![ICD desktop provisioning](../images/icd-desktop-1703.png) > [!IMPORTANT] > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. @@ -81,12 +81,12 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L - - - - - - + + + + + +
                                                                                          ![step one](../images/one.png)![set up device](../images/set-up-device.png)

                                                                                          Enter a name for the device.

                                                                                          (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

                                                                                          Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](../set-up-shared-or-guest-pc.md)

                                                                                          You can also select to remove pre-installed software from the device.
                                                                                          ![device name, upgrade to enterprise, shared use, remove pre-installed software](../images/set-up-device-details-desktop.png)
                                                                                          ![step two](../images/two.png) ![set up network](../images/set-up-network.png)

                                                                                          Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
                                                                                          ![Enter network SSID and type](../images/set-up-network-details-desktop.png)
                                                                                          ![step three](../images/three.png) ![account management](../images/account-management.png)

                                                                                          Enable account management if you want to configure settings on this page.

                                                                                          You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

                                                                                          To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

                                                                                          Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

                                                                                          To create a local administrator account, select that option and enter a user name and password.

                                                                                          **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
                                                                                          ![join Active Directory, Azure AD, or create a local admin account](../images/account-management-details.png)
                                                                                          ![step four](../images/four.png) ![add applications](../images/add-applications.png)

                                                                                          You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md).
                                                                                          ![add an application](../images/add-applications-details.png)
                                                                                          ![step five](../images/five.png) ![add certificates](../images/add-certificates.png)

                                                                                          To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
                                                                                          ![add a certificate](../images/add-certificates-details.png)
                                                                                          ![finish](../images/finish.png)

                                                                                          You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
                                                                                          ![Protect your package](../images/finish-details.png)
                                                                                          step oneset up device

                                                                                          Enter a name for the device.

                                                                                          (Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.

                                                                                          Toggle Yes or No to Configure devices for shared use. This setting optimizes Windows 10 for shared use scenarios. Learn more about shared PC configuration.

                                                                                          You can also select to remove pre-installed software from the device.
                                                                                          device name, upgrade to enterprise, shared use, remove pre-installed software
                                                                                          step two set up network

                                                                                          Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
                                                                                          Enter network SSID and type
                                                                                          step three account management

                                                                                          Enable account management if you want to configure settings on this page.

                                                                                          You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

                                                                                          To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

                                                                                          Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

                                                                                          To create a local administrator account, select that option and enter a user name and password.

                                                                                          Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
                                                                                          join Active Directory, Azure AD, or create a local admin account
                                                                                          step four add applications

                                                                                          You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps.
                                                                                          add an application
                                                                                          step five add certificates

                                                                                          To provision the device with a certificate, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.
                                                                                          add a certificate
                                                                                          finish

                                                                                          You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
                                                                                          Protect your package
                                                                                          After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. @@ -100,7 +100,7 @@ After you're done, click **Create**. It only takes a few seconds. When the packa - Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) -  + ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index e27c1630c3..1a383af035 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -46,11 +46,11 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi 2. Click **Advanced provisioning**. - ![ICD start options](../images/icdstart-option.png) + ![ICD start options](../images/icdstart-option.png) 3. Name your project and click **Next**. -3. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. +4. Select **All Windows desktop editions**, click **Next**, and then click **Finish**. ### Add a desktop app to your package 
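Review bot: In the provision-pcs-for-initial-deployment.md table hunk (@@ -81), the account-management row reads "You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device" with no terminal period; since the hunk already touches these rows for whitespace, add it. The same row is where domain-join credentials, the Azure AD bulk token and a local administrator password are entered, so a short pointer back to the `> [!IMPORTANT]` note about unencrypted project files, which sits just above the table, would help readers who arrive at this step directly.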
@@ -124,42 +124,42 @@ For details about the settings you can customize in provisioning packages, see [ 1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. 2. Read the warning that project files may contain sensitive information, and click **OK**. -> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + > **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. 3. On the **Export** menu, click **Provisioning package**. -1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** +4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -10. Set a value for **Package Version**. +5. Set a value for **Package Version**. - > [!TIP]   - > You can make changes to existing packages and change the version number to update previously applied packages. + > [!TIP] + > You can make changes to existing packages and change the version number to update previously applied packages. -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. +6. Optional. 
In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - **Important**   - We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  + **Important** + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

                                                                                          -Optionally, you can click **Browse** to change the default output location. +7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

                                                                                          + Optionally, you can click **Browse** to change the default output location. -13. Click **Next**. +8. Click **Next**. -14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

                                                                                          -If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. +9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

                                                                                          + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

                                                                                          -If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. +10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

                                                                                          + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: +11. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - Shared network folder @@ -182,7 +182,7 @@ If your build is successful, the name of the provisioning package, output direct - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) -  + ## Related topics diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index 767dd03539..e7d1272fda 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md 
@@ -136,42 +136,42 @@ For details about the settings you can customize in provisioning packages, see [ 1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. 2. Read the warning that project files may contain sensitive information, and click **OK**. -> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + > **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. 3. On the **Export** menu, click **Provisioning package**. -1. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** +4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -10. Set a value for **Package Version**. +5. Set a value for **Package Version**. - > [!TIP]   - > You can make changes to existing packages and change the version number to update previously applied packages. + > [!TIP] + > You can make changes to existing packages and change the version number to update previously applied packages. -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. +6. Optional. 
In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - **Important**   - We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  + **Important** + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

                                                                                          -Optionally, you can click **Browse** to change the default output location. +7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

                                                                                          + Optionally, you can click **Browse** to change the default output location. -13. Click **Next**. +8. Click **Next**. -14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

                                                                                          -If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. +9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

                                                                                          + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

                                                                                          -If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. +10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

                                                                                          + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: +11. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - Shared network folder @@ -194,7 +194,7 @@ If your build is successful, the name of the provisioning package, output direct - Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) -  + ## Related topics diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 23bbca9180..876859b5a0 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md 
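Review bot: In the @@ -136,42 +136,42 @@ hunk of provision-pcs-with-apps.md, the `**Important**` line under **Enable package signing** and the `We recommend that you include a trusted provisioning certificate...` sentence after it are styled as two plain bold lines, while the warning two items earlier uses a `> **Important**` blockquote and step 5 uses `> [!TIP]`; converting this one to `> [!IMPORTANT]` keeps the callouts in the list consistent and makes the sentence harder to skim past. That sentence is the one place in this procedure that states the security consequence of signing (once the certificate is in the system store, any later package signed with it is applied silently), so it should also link to the **TrustedProvisioners** and **RequireProvisioningPackageSignature** guidance that provisioning-create-package.md carries in this same patch. The renumbering from `1.`, `10.`, `11.` ... to a contiguous 4 through 11 is correct; the same hunk appears in the preceding file and this comment applies there as well.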
@@ -1,6 +1,6 @@ --- title: Create a provisioning package (Windows 10) -description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,8 +18,8 @@ manager: dansimp **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 10 Mobile You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. 
@@ -31,44 +31,46 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg) ## Start a new project 1. Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, - - or - - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, + + or + + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. 2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: ![Configuration Designer wizards](../images/icd-create-options-1703.png) - + - The wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices. Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards). 
- + - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) - + - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. *The rest of this procedure uses advanced provisioning.* - + >[!TIP] > You can start a project in the simple wizard editor and then switch the project to the advanced editor. > > ![Switch to advanced editor](../images/icd-switch.png) - + 3. Enter a name for your project, and then click **Next**. 4. Select the settings you want to configure, based on the type of device, and then click **Next**. The following table describes the options. 
- | Windows edition | Settings available for customization | Provisioning package can apply to | - | --- | --- | --- | - | All Windows editions | Common settings | All Windows 10 devices | - | All Windows desktop editions | Common settings and settings specific to desktop devices | All Windows 10 desktop editions (Home, Pro, Enterprise, Pro Education, Enterprise Education) | - | All Windows mobile editions | Common settings and settings specific to mobile devices | All Windows 10 Mobile devices | - | Windows 10 IoT Core | Common settings and settings specific to Windows 10 IoT Core | All Windows 10 IoT Core devices | - | Windows 10 Holographic | Common settings and settings specific to Windows 10 Holographic | [Microsoft HoloLens](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) | - | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) | - + + | Windows edition | Settings available for customization | Provisioning package can apply to | + |-----------------------------------|-----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------| + | All Windows editions | Common settings | All Windows 10 devices | + | All Windows desktop editions | Common settings and settings specific to desktop devices | All Windows 10 desktop editions (Home, Pro, Enterprise, Pro Education, Enterprise Education) | + | All Windows mobile editions | Common settings and settings specific to mobile devices | All Windows 10 Mobile devices | + | Windows 10 IoT Core | Common settings and settings specific to Windows 10 IoT Core | All Windows 10 IoT Core devices | + | Windows 10 Holographic | Common settings and settings specific to Windows 10 Holographic | [Microsoft 
HoloLens](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) | + | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) | + + 5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning packge to import to your project, and then click **Finish**. >[!TIP] @@ -90,11 +92,11 @@ The settings in Windows Configuration Designer are based on Windows 10 configura The process for configuring settings is similar for all settings. The following table shows an example. - - - - - + + + + +
                                                                                          ![step one](../images/one.png)
                                                                                          Expand a category.
                                                                                          ![Expand Certificates category](../images/icd-step1.png)
                                                                                          ![step two](../images/two.png)
                                                                                          Select a setting.
                                                                                          ![Select ClientCertificates](../images/icd-step2.png)
                                                                                          ![step three](../images/three.png)
                                                                                          Enter a value for the setting. Click **Add** if the button is displayed.
                                                                                          ![Enter a name for the certificate](../images/icd-step3.png)
                                                                                          ![step four](../images/four.png)
                                                                                          Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and additional settings are displayed.
                                                                                          ![Additional settings for client certificate](../images/icd-step4.png)
                                                                                          ![step five](../images/five.png)
                                                                                          When the setting is configured, it is displayed in the **Selected customizations** pane.
                                                                                          ![Selected customizations pane](../images/icd-step5.png)
                                                                                          step one
                                                                                          Expand a category.
                                                                                          Expand Certificates category
                                                                                          step two
                                                                                          Select a setting.
                                                                                          Select ClientCertificates
                                                                                          step three
                                                                                          Enter a value for the setting. Click Add if the button is displayed.
                                                                                          Enter a name for the certificate
                                                                                          step four
                                                                                          Some settings, such as this example, require additional information. In Available customizations, select the value you just created, and additional settings are displayed.
                                                                                          Additional settings for client certificate
                                                                                          step five
                                                                                          When the setting is configured, it is displayed in the Selected customizations pane.
                                                                                          Selected customizations pane
                                                                                          For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. 
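Review bot: In the @@ -31,44 +31,46 @@ hunk of provisioning-create-package.md, the two ICD.exe locations are inconsistent: the x64 path `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` stops at the directory, while the x86 path ends in `\x86\ICD.exe`, and the sentence then says "and then double-click **ICD.exe**"; give both as directories or both as full paths. Since the hunk already re-indents these lines, it is also the moment to fix two typos visible in it: "Configuration Designer wizardS" in the link text and "provisioning packge" in step 5.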
@@ -107,22 +109,22 @@ For details on each specific setting, see [Windows Provisioning settings referen 1. After you're done configuring your customizations, click **Export** and select **Provisioning Package**. ![Export on top bar](../images/icd-export-menu.png) - + 2. In the **Describe the provisioning package** window, enter the following information, and then click **Next**: - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field. - **Version (in Major.Minor format** - - Optional. You can change the default package version by specifying a new value in the **Version** field. - **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages). - **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0. - + 3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate. Both selections are optional. Click **Next** after you make your selections. - - **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen. - - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + - **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen. + - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. 
- >[!NOTE] - >You should only configure provisioning package security when the package is used for device provisioning and the package has contents with sensitive security data such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. - > - >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. + >[!NOTE] + >You should only configure provisioning package security when the package is used for device provisioning and the package has contents with sensitive security data such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. + > + >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. 
In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. 4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows Configuration Designer uses the project folder as the output location. diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index b4ead25a3e..bf0de14b73 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -39,8 +39,8 @@ A **Target** can have more than one **TargetState**, and a **TargetState** can h The following table describes the logic for the target definition. - -
                                                                                          When all **Condition** elements are TRUE, **TargetState** is TRUE.![Target state is true when all conditions are true](../images/icd-multi-targetstate-true.png)
                                                                                          If any of the **TargetState** elements is TRUE, **Target** is TRUE, and the **Id** can be used for setting customizations.![Target is true if any target state is true](../images/icd-multi-target-true.png)
                                                                                          + +
                                                                                          When all Condition elements are TRUE, TargetState is TRUE.Target state is true when all conditions are true
                                                                                          If any of the TargetState elements is TRUE, Target is TRUE, and the Id can be used for setting customizations.Target is true if any target state is true
                                                                                          ### Conditions @@ -117,16 +117,16 @@ Follow these steps to create a provisioning package with multivariant capabiliti The following example shows the contents of a sample customizations.xml file. ```XML - - - + <?xml version="1.0" encoding="utf-8"?> + + {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} My Provisioning Package 1.0 OEM 50 - - + + @@ -139,25 +139,25 @@ Follow these steps to create a provisioning package with multivariant capabiliti - - + + ``` -4. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings. +5. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings. The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**. ```XML - - + + {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} My Provisioning Package 1.0 OEM 50 - - + + @@ -188,11 +188,11 @@ Follow these steps to create a provisioning package with multivariant capabiliti - - + + ``` -5. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this: +6. In the customizations.xml file, create a **Variant** section for the settings you need to customize. To do this: a. Define a child **TargetRefs** element. @@ -208,16 +208,16 @@ Follow these steps to create a provisioning package with multivariant capabiliti The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met. ```XML - - - + <?xml version="1.0" encoding="utf-8"?> + + {6aaa4dfa-00d7-4aaa-8adf-73c6a7e2501e} My Provisioning Package 1.0 OEM 50 - - + + 
@@ -256,14 +256,14 @@ Follow these steps to create a provisioning package with multivariant capabiliti - - + + ``` -6. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step. +7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step. -7. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. +8. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. For example: @@ -316,7 +316,7 @@ The following events trigger provisioning on Windows 10 devices: - [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) -  + diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 631502b910..b67d2c9fa7 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -1,6 +1,6 @@ --- title: Provisioning packages (Windows 10) -description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC ms.reviewer: manager: dansimp 
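Review bot: In the @@ -107,22 +109,22 @@ hunk of provisioning-create-package.md, the bullet `- **Version (in Major.Minor format** - - Optional.` has an unbalanced parenthesis and a doubled hyphen; it should read `- **Version (in Major.Minor format)** - Optional.` to match the other bullets. The re-indented `>[!NOTE]` below it is where the page explains that a package signed by a trusted provisioner installs without user consent, that **TrustedProvisioners** must be set before such a package is applied, and that **RequireProvisioningPackageSignature** blocks packages not signed by a trusted provisioner; since this hunk is already reworking the **Sign package** bullet, a short pointer from that bullet to the note would keep the consent-bypass implication next to the option that enables it.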
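Review bot: In provisioning-multivariant.md, the hunks @@ -117,16 and @@ -208,16 add `<?xml version="1.0" encoding="utf-8"?>` as the first line of the first and third customizations.xml samples, but the hunk @@ -139,25 that opens the second sample (under the renumbered step 5) adds no declaration, so the three samples a reader is meant to compare no longer start the same way; add it there too, or drop it from all three. The renumbering 4→5 through 7→8 is self-consistent, but the earlier steps of the procedure are outside the diff, so please confirm that a new step 4 was inserted above and the sequence has no gap.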
@@ -19,16 +19,16 @@ ms.date: 07/27/2017 **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 10 Mobile Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. -A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. +A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. -The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Windows Configuration Designer, a tool for configuring provisioning packages. Windows Configuration Designer is also available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). +The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Windows Configuration Designer, a tool for configuring provisioning packages. 
Windows Configuration Designer is also available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). @@ -75,16 +75,16 @@ Provisioning packages can be: The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages. - - - - - - - - - -
                                                                                          **Step****Description****Desktop wizard****Mobile wizard****Kiosk wizard****HoloLens wizard**
                                                                                          Set up deviceAssign device name,
                                                                                          enter product key to upgrade Windows,
                                                                                          configure shared used,
                                                                                          remove pre-installed software
                                                                                          ![yes](../images/checkmark.png)![yes](../images/checkmark.png)
                                                                                          (Only device name and upgrade key)
                                                                                          ![yes](../images/checkmark.png)![yes](../images/checkmark.png)
                                                                                          Set up networkConnect to a Wi-Fi network![yes](../images/checkmark.png)![yes](../images/checkmark.png)![yes](../images/checkmark.png)![yes](../images/checkmark.png)
                                                                                          Account managementEnroll device in Active Directory,
                                                                                          enroll device in Azure Active Directory,
                                                                                          or create a local administrator account
                                                                                          ![yes](../images/checkmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)![yes](../images/checkmark.png)
                                                                                          Bulk Enrollment in Azure ADEnroll device in Azure Active Directory

                                                                                          Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).
                                                                                          ![no](../images/crossmark.png)![yes](../images/checkmark.png)![no](../images/crossmark.png)![no](../images/crossmark.png)
                                                                                          Add applicationsInstall applications using the provisioning package.![yes](../images/checkmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)![no](../images/crossmark.png)
                                                                                          Add certificatesInclude a certificate file in the provisioning package.![yes](../images/checkmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)![yes](../images/checkmark.png)
                                                                                          Configure kiosk account and appCreate local account to run the kiosk mode app,
                                                                                          specify the app to run in kiosk mode
                                                                                          ![no](../images/crossmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)![no](../images/crossmark.png)
                                                                                          Configure kiosk common settingsSet tablet mode,
                                                                                          configure welcome and shutdown screens,
                                                                                          turn off timeout settings
                                                                                          ![no](../images/crossmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)![no](../images/crossmark.png)
                                                                                          Developer SetupEnable Developer Mode.![no](../images/crossmark.png)![no](../images/crossmark.png)![no](../images/crossmark.png)![yes](../images/checkmark.png)
                                                                                          + + + + + + + + + +
                                                                                          StepDescriptionDesktop wizardMobile wizardKiosk wizardHoloLens wizard
                                                                                          Set up deviceAssign device name,
                                                                                          enter product key to upgrade Windows,
                                                                                          configure shared used,
                                                                                          remove pre-installed software
                                                                                          yesyes
                                                                                          (Only device name and upgrade key)
                                                                                          yesyes
                                                                                          Set up networkConnect to a Wi-Fi networkyesyesyesyes
                                                                                          Account managementEnroll device in Active Directory,
                                                                                          enroll device in Azure Active Directory,
                                                                                          or create a local administrator account
                                                                                          yesnoyesyes
                                                                                          Bulk Enrollment in Azure ADEnroll device in Azure Active Directory

                                                                                          Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization.
                                                                                          noyesnono
                                                                                          Add applicationsInstall applications using the provisioning package.yesnoyesno
                                                                                          Add certificatesInclude a certificate file in the provisioning package.yesnoyesyes
                                                                                          Configure kiosk account and appCreate local account to run the kiosk mode app,
                                                                                          specify the app to run in kiosk mode
                                                                                          nonoyesno
                                                                                          Configure kiosk common settingsSet tablet mode,
                                                                                          configure welcome and shutdown screens,
                                                                                          turn off timeout settings
                                                                                          nonoyesno
                                                                                          Developer SetupEnable Developer Mode.nononoyes
                                                                                          - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) 
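Review bot: the "Set up device" row still reads "configure shared used" in the new `+` rows; since the table is being rewritten anyway, change it to "configure shared use". Two other things to confirm in the converted cells: the wizard columns now render as bare "yes"/"no" where the old rows carried `![yes](../images/checkmark.png)` and `![no](../images/crossmark.png)`, so make sure the new markup keeps an image with that alt text (or deliberately switches to text, in which case say so in the commit); and the "Bulk Enrollment in Azure AD" row's "set up Azure AD join in your organization" no longer shows its link to https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup, which the old cell had, so check that an anchor survives inside the table cell.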
@@ -99,19 +99,21 @@ The following table describes settings that you can configure using the wizards The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages. -| Customization options | Examples | -|--------------------------|-----------------------------------------------------------------------------------------------| + +| Customization options | Examples | +|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------| | Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters | -| Applications | Windows apps, line-of-business applications | -| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* | -| Certificates | Root certification authority (CA), client certificates | -| Connectivity profiles | Wi-Fi, proxy settings, Email | -| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | -| Data assets | Documents, music, videos, pictures | -| Start menu customization | Start menu layout, application pinning | -| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | +| Applications | Windows apps, line-of-business applications | +| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* | +| Certificates | Root certification authority (CA), client certificates | +| Connectivity profiles | Wi-Fi, proxy settings, Email | +| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | +| Data assets | Documents, music, videos, pictures | +| Start menu customization | Start menu layout, application pinning | +| Other | Home and lock 
screen wallpaper, computer name, domain join, DNS settings, and so on | + \* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices. -  + For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). @@ -131,7 +133,7 @@ Windows ICD in Windows 10, version 1607, supported the following scenarios for I > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md) * **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. - + * **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) @@ -166,9 +168,9 @@ Windows ICD in Windows 10, version 1607, supported the following scenarios for I -  - -  + + + diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 6453f58e9c..ad7c341563 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md 
+++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -26,13 +26,13 @@ Windows 10, version 1703, ships with Windows Provisioning PowerShell cmdlets. Th - - - - - - - + + + + + + +
                                                                                          CmdletUse this cmdlet toSyntax
                                                                                          Add-ProvisioningPackage Apply a provisioning package```Add-ProvisioningPackage [-Path] [-ForceInstall] [-LogsFolder ] [-WprpFile ] []```
                                                                                          Remove-ProvisioningPackageRemove a provisioning package ```Remove-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []```
                                                                                          ```Remove-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []```
                                                                                          ```Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []```
                                                                                          Get-ProvisioningPackage Get information about an installed provisioning package ```Get-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []```
                                                                                          ```Get-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []```
                                                                                          ```Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []```
                                                                                          Export-ProvisioningPackage Extract the contents of a provisioning package ```Export-ProvisioningPackage -PackageId -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []```
                                                                                          ```Export-ProvisioningPackage -Path -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []```
                                                                                          Install-TrustedProvisioningCertificate Adds a certificate to the Trusted Certificate store ```Install-TrustedProvisioningCertificate ```
                                                                                          Get-TrustedProvisioningCertificate List all installed trusted provisioning certificates; use this cmdlet to get the certificate thumbprint to use with the **Uninstall-TrustedProvisioningCertificate** cmdlet```Get-TrustedProvisioningCertificate```
                                                                                          Uninstall-TrustedProvisioningCertificate Remove a previously installed provisioning certificate```Uninstall-TrustedProvisioningCertificate ```
                                                                                          Add-ProvisioningPackage Apply a provisioning packageAdd-ProvisioningPackage [-Path] <string> [-ForceInstall] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                                                                                          Remove-ProvisioningPackageRemove a provisioning package Remove-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                                                                                          Remove-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                                                                                          Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                                                                                          Get-ProvisioningPackage Get information about an installed provisioning package Get-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                                                                                          Get-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                                                                                          Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                                                                                          Export-ProvisioningPackage Extract the contents of a provisioning package Export-ProvisioningPackage -PackageId <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                                                                                          Export-ProvisioningPackage -Path <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
                                                                                          Install-TrustedProvisioningCertificate Adds a certificate to the Trusted Certificate store Install-TrustedProvisioningCertificate <path to local certificate file on disk>
                                                                                          Get-TrustedProvisioningCertificate List all installed trusted provisioning certificates; use this cmdlet to get the certificate thumbprint to use with the Uninstall-TrustedProvisioningCertificate cmdletGet-TrustedProvisioningCertificate
                                                                                          Uninstall-TrustedProvisioningCertificate Remove a previously installed provisioning certificateUninstall-TrustedProvisioningCertificate <thumbprint>
                                                                                          >[!NOTE] @@ -67,9 +67,9 @@ Trace logs are captured when using cmdlets. The following logs are available in -  + -  + diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 5f9e19da4e..1871931333 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md 
@@ -26,16 +26,16 @@ Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 1 > [!NOTE] > If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. -##Shared PC mode concepts +## Shared PC mode concepts A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. -###Account models +### Account models It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows 10, version 1703, introduces a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode. -###Account management +### Account management When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. 
Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows 10, version 1703, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days. -###Maintenance and sleep +### Maintenance and sleep Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not is use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods. While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates. @@ -48,7 +48,7 @@ Use one of the following methods to configure Windows Update: [Learn more about the AllowAutoUpdate settings](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_AllowAutoUpdate) -###App behavior +### App behavior Apps can take advantage of shared PC mode with the following three APIs: 
@@ -57,7 +57,7 @@ Apps can take advantage of shared PC mode with the following three APIs: - [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) - This informs apps when the PC is used in an education environment. Apps may want to handle diagnostic data differently or hide advertising functionality. -###Customization +### Customization Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table. | Setting | Value | @@ -81,7 +81,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re [Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. -##Configuring shared PC mode on Windows +## Configuring shared PC mode on Windows You can configure Windows to be in shared PC mode in a couple different ways: - Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) 
@@ -118,36 +118,36 @@ Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC 1. [Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md) -1. Open Windows Configuration Designer. -2. On the **Start page**, select **Advanced provisioning**. -3. Enter a name and (optionally) a description for the project, and click **Next**. -4. Select **All Windows desktop editions**, and click **Next**. -5. Click **Finish**. Your project opens in Windows Configuration Designer. -6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization) -7. On the **File** menu, select **Save.** -8. On the **Export** menu, select **Provisioning package**. -9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -10. Set a value for **Package Version**. +2. Open Windows Configuration Designer. +3. On the **Start page**, select **Advanced provisioning**. +4. Enter a name and (optionally) a description for the project, and click **Next**. +5. Select **All Windows desktop editions**, and click **Next**. +6. Click **Finish**. Your project opens in Windows Configuration Designer. +7. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization) +8. On the **File** menu, select **Save.** +9. On the **Export** menu, select **Provisioning package**. +10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** +11. Set a value for **Package Version**. > [!TIP] > You can make changes to existing packages and change the version number to update previously applied packages. -   -11. 
(*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + +12. (*Optional*) In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - > [!IMPORTANT]   - > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. -   -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location. + > [!IMPORTANT] + > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently. + +13. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location. 
Optionally, you can click **Browse** to change the default output location. -13. Click **Next**. -14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. +14. Click **Next**. +15. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. +16. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: +17. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - Shared network folder 
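Review bot: step 12's "Enable package encryption" bullet says an auto-generated password is shown on the screen but not what the reader must do with it; state whether that password is needed again when the package is applied and tell the reader to record it and store it securely. The IMPORTANT note under the same step says that once a trusted provisioning certificate has been applied, any later package signed with it is applied silently; add one sentence that the signing certificate's private key therefore needs the same protection as an administrator credential, since possession of it is what makes a package silently installable on every device that trusts it. The renumbering of steps 1 through 16 to 2 through 17 is consistent with the unchanged "Install Windows Configuration Designer" line now being step 1.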
@@ -168,11 +168,11 @@ You can apply the provisioning package to a PC during initial setup or to a PC t 2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times. - - If there is only one provisioning package on the USB drive, the provisioning package is applied. + - If there is only one provisioning package on the USB drive, the provisioning package is applied. - - If there is more than one provisioning package on the USB drive, the **Set up device?** message displays. Click **Set up**, and select the provisioning package that you want to install. + - If there is more than one provisioning package on the USB drive, the **Set up device?** message displays. Click **Set up**, and select the provisioning package that you want to install. - ![Set up device?](images/setupmsg.jpg) + ![Set up device?](images/setupmsg.jpg) 3. Complete the setup process. @@ -224,34 +224,34 @@ Shared PC mode sets local group policies to configure the device. Some of these

                                                                                          Policy name

                                                                                          Value

                                                                                          When set?

                                                                                          -

                                                                                          Admin Templates > Control Panel > Personalization

                                                                                          +

                                                                                          Admin Templates > Control Panel > Personalization

                                                                                          Prevent enabling lock screen slide show

                                                                                          Enabled

                                                                                          Always

                                                                                          Prevent changing lock screen and logon image

                                                                                          Enabled

                                                                                          Always

                                                                                          -

                                                                                          Admin Templates > System > Power Management > Button Settings

                                                                                          +

                                                                                          Admin Templates > System > Power Management > Button Settings

                                                                                          Select the Power button action (plugged in)

                                                                                          Sleep

                                                                                          SetPowerPolicies=True

                                                                                          Select the Power button action (on battery)

                                                                                          Sleep

                                                                                          SetPowerPolicies=True

                                                                                          Select the Sleep button action (plugged in)

                                                                                          Sleep

                                                                                          SetPowerPolicies=True

                                                                                          Select the lid switch action (plugged in)

                                                                                          Sleep

                                                                                          SetPowerPolicies=True

                                                                                          Select the lid switch action (on battery)

                                                                                          Sleep

                                                                                          SetPowerPolicies=True

                                                                                          -

                                                                                          Admin Templates > System > Power Management > Sleep Settings

                                                                                          +

                                                                                          Admin Templates > System > Power Management > Sleep Settings

                                                                                          Require a password when a computer wakes (plugged in)

                                                                                          Enabled

                                                                                          SignInOnResume=True

                                                                                          Require a password when a computer wakes (on battery)

                                                                                          Enabled

                                                                                          SignInOnResume=True

                                                                                          -

                                                                                          Specify the system sleep timeout (plugged in)

                                                                                          *SleepTimeout*

                                                                                          SetPowerPolicies=True

                                                                                          -

                                                                                          Specify the system sleep timeout (on battery)

                                                                                          *SleepTimeout*

                                                                                          SetPowerPolicies=True

                                                                                          +

                                                                                          Specify the system sleep timeout (plugged in)

                                                                                          SleepTimeout

                                                                                          SetPowerPolicies=True

                                                                                          +

                                                                                          Specify the system sleep timeout (on battery)

                                                                                          SleepTimeout

                                                                                          SetPowerPolicies=True

                                                                                          Turn off hybrid sleep (plugged in)

                                                                                          Enabled

                                                                                          SetPowerPolicies=True

                                                                                          Turn off hybrid sleep (on battery)

                                                                                          Enabled

                                                                                          SetPowerPolicies=True

                                                                                          -

                                                                                          Specify the unattended sleep timeout (plugged in)

                                                                                          *SleepTimeout*

                                                                                          SetPowerPolicies=True

                                                                                          -

                                                                                          Specify the unattended sleep timeout (on battery)

                                                                                          *SleepTimeout*

                                                                                          SetPowerPolicies=True

                                                                                          +

                                                                                          Specify the unattended sleep timeout (plugged in)

                                                                                          SleepTimeout

                                                                                          SetPowerPolicies=True

                                                                                          +

                                                                                          Specify the unattended sleep timeout (on battery)

                                                                                          SleepTimeout

                                                                                          SetPowerPolicies=True

                                                                                          Allow standby states (S1-S3) when sleeping (plugged in)

                                                                                          Enabled

                                                                                          SetPowerPolicies=True

                                                                                          Allow standby states (S1-S3) when sleeping (on battery)

                                                                                          Enabled

                                                                                          SetPowerPolicies=True

                                                                                          Specify the system hibernate timeout (plugged in)

                                                                                          Enabled, 0

                                                                                          SetPowerPolicies=True

                                                                                          Specify the system hibernate timeout (on battery)

                                                                                          Enabled, 0

                                                                                          SetPowerPolicies=True

                                                                                          -

                                                                                          Admin Templates>System>Power Management>Video and Display Settings

                                                                                          -

                                                                                          Turn off the display (plugged in)

                                                                                          *SleepTimeout*

                                                                                          SetPowerPolicies=True

                                                                                          -

                                                                                          Turn off the display (on battery

                                                                                          *SleepTimeout*

                                                                                          SetPowerPolicies=True

                                                                                          -

                                                                                          Admin Templates>System>Power Management>Energy Saver Settings

                                                                                          +

                                                                                          Admin Templates>System>Power Management>Video and Display Settings

                                                                                          +

                                                                                          Turn off the display (plugged in)

                                                                                          SleepTimeout

                                                                                          SetPowerPolicies=True

                                                                                          +

                                                                                          Turn off the display (on battery

                                                                                          SleepTimeout

                                                                                          SetPowerPolicies=True

                                                                                          +

                                                                                          Admin Templates>System>Power Management>Energy Saver Settings

                                                                                          Energy Saver Battery Threshold (on battery)70SetPowerPolicies=True -

                                                                                          Admin Templates>System>Logon

                                                                                          +

                                                                                          Admin Templates>System>Logon

                                                                                          Show first sign-in animation

                                                                                          Disabled

                                                                                          Always

                                                                                          Hide entry points for Fast User Switching

                                                                                          Enabled

                                                                                          Always

                                                                                          Turn on convenience PIN sign-in

                                                                                          Disabled

                                                                                          Always
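Review bot: the rewritten row "Turn off the display (on battery" keeps the missing closing parenthesis from the removed row; since the row is already being touched, make it "Turn off the display (on battery)" to match "Turn off the display (plugged in)". Second, changing `*SleepTimeout*` to `SleepTimeout` in the Value column for the system sleep timeout, unattended sleep timeout and display timeout rows drops the italics that marked the cell as a placeholder for the configured SleepTimeout value rather than a literal value, while the neighbouring rows still show literal values such as "Enabled, 0". If the asterisks were removed because markdown emphasis does not render inside this table, keep the placeholder cue with `<em>SleepTimeout</em>` instead of stripping it.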

                                                                                          @@ -260,35 +260,35 @@ Shared PC mode sets local group policies to configure the device. Some of these

                                                                                          Allow users to select when a password is required when resuming from connected standby

                                                                                          Disabled

                                                                                          SignInOnResume=True

                                                                                          Block user from showing account details on sign-in

                                                                                          Enabled

                                                                                          Always

                                                                                          -

                                                                                          Admin Templates>System>User Profiles

                                                                                          +

                                                                                          Admin Templates>System>User Profiles

                                                                                          Turn off the advertising ID

                                                                                          Enabled

                                                                                          SetEduPolicies=True

                                                                                          -

                                                                                          Admin Templates>Windows Components

                                                                                          +

                                                                                          Admin Templates>Windows Components

                                                                                          Do not show Windows Tips

                                                                                          Enabled

                                                                                          SetEduPolicies=True

                                                                                          Turn off Microsoft consumer experiences

                                                                                          Enabled

                                                                                          SetEduPolicies=True

                                                                                          Microsoft Passport for Work

                                                                                          Disabled

                                                                                          Always

                                                                                          Prevent the usage of OneDrive for file storage

                                                                                          Enabled

                                                                                          Always

                                                                                          -

                                                                                          Admin Templates>Windows Components>Biometrics

                                                                                          +

                                                                                          Admin Templates>Windows Components>Biometrics

                                                                                          Allow the use of biometrics

                                                                                          Disabled

                                                                                          Always

                                                                                          Allow users to log on using biometrics

                                                                                          Disabled

                                                                                          Always

                                                                                          Allow domain users to log on using biometrics

                                                                                          Disabled

                                                                                          Always

                                                                                          -

                                                                                          Admin Templates>Windows Components>Data Collection and Preview Builds

                                                                                          +

                                                                                          Admin Templates>Windows Components>Data Collection and Preview Builds

                                                                                          Toggle user control over Insider builds

                                                                                          Disabled

                                                                                          Always

                                                                                          Disable pre-release features or settings

                                                                                          Disabled

                                                                                          Always

                                                                                          Do not show feedback notifications

                                                                                          Enabled

                                                                                          Always

                                                                                          Allow TelemetryBasic, 0SetEduPolicies=True -

                                                                                          Admin Templates>Windows Components>File Explorer

                                                                                          +

                                                                                          Admin Templates>Windows Components>File Explorer

                                                                                          Show lock in the user tile menu

                                                                                          Disabled

                                                                                          Always

                                                                                          -

                                                                                          Admin Templates>Windows Components>Maintenance Scheduler

                                                                                          -

                                                                                          Automatic Maintenance Activation Boundary

                                                                                          *MaintenanceStartTime*

                                                                                          Always

                                                                                          +

                                                                                          Admin Templates>Windows Components>Maintenance Scheduler

                                                                                          +

                                                                                          Automatic Maintenance Activation Boundary

                                                                                          MaintenanceStartTime

                                                                                          Always

                                                                                          Automatic Maintenance Random Delay

                                                                                          Enabled, 2 hours

                                                                                          Always

                                                                                          Automatic Maintenance WakeUp Policy

                                                                                          Enabled

                                                                                          Always

                                                                                          -

                                                                                          Admin Templates>Windows Components>Windows Hello for Business

                                                                                          +

                                                                                          Admin Templates>Windows Components>Windows Hello for Business

                                                                                          Use phone sign-in

                                                                                          Disabled

                                                                                          Always

                                                                                          Use Windows Hello for Business

                                                                                          Disabled

                                                                                          Always

                                                                                          Use biometrics

                                                                                          Disabled

                                                                                          Always

                                                                                          -

                                                                                          Admin Templates>Windows Components>OneDrive

                                                                                          +

                                                                                          Admin Templates>Windows Components>OneDrive

                                                                                          Prevent the usage of OneDrive for file storage

                                                                                          Enabled

                                                                                          Always

                                                                                          -

                                                                                          Windows Settings>Security Settings>Local Policies>Security Options

                                                                                          +

                                                                                          Windows Settings>Security Settings>Local Policies>Security Options

                                                                                          Interactive logon: Do not display last user name

                                                                                          Enabled, Disabled when account model is only guest

                                                                                          Always

                                                                                          Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

                                                                                          Disabled

                                                                                          Always
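Review bot: `*MaintenanceStartTime*` to `MaintenanceStartTime` has the same problem as the SleepTimeout cells earlier in the table: the value is a placeholder for the configured maintenance start time, not a literal, so preserve the emphasis (for example `<em>MaintenanceStartTime</em>`) if markdown italics are what fails to render here. Two points in the unchanged context worth fixing while the table is open: "Prevent the usage of OneDrive for file storage / Enabled / Always" appears twice, once under Admin Templates>Windows Components and again under Admin Templates>Windows Components>OneDrive, so drop the first copy; and "Microsoft Passport for Work / Disabled / Always" under Windows Components is the pre-1607 name of the feature already listed as "Use Windows Hello for Business / Disabled / Always" under the Windows Hello for Business section, so either consolidate them or note that both policy names are set.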

                                                                                          @@ -302,7 +302,7 @@ Shared PC mode sets local group policies to configure the device. Some of these -  + diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index e8ae01a7f5..b6a9ef0edc 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -289,7 +289,7 @@ Additionally, users may see blank tiles if logon was attempted without network c 1. The App or Apps work fine when you click on the tiles. 2. The tiles are blank, have a generic placeholder icon, have the wrong or strange title information. 3. The app is missing, but listed as installed via Powershell and works if you launch via URI. - - Example: `windows-feedback://` + - Example: `windows-feedback://` 4. In some cases, Start can be blank, and Action Center and Cortana do not launch. >[!Note] diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index d810a3ebce..98e4062fa9 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -543,9 +543,9 @@ Once you have created the LayoutModification.xml file and it is present in the d - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) - [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md) -  + -  + diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index f926aa5034..5c93aacf5e 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md 
@@ -75,11 +75,11 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet does not append the file name extension, and the policy settings require the extension. 3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references. - - For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"` - - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images. + - For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"` + - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images. - >[!TIP] - >A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images. + >[!TIP] + >A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images. 4. In Windows PowerShell, enter the following command: 
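Review bot: the `+` line reproduces a path with an empty username segment, `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\`; the placeholder that belonged between `Users\` and `\AppData` has been lost, so put it back inside the code span (for example `C:\Users\<user name>\AppData\...`) now that the line is being rewritten rather than carrying the broken path forward as a whitespace-only change. The TIP's link to BuildMyPinnedSite is plain `http://`; the step has readers upload their own images to a third-party site, so use `https://` if the site serves it, or say that the upload is unencrypted.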
@@ -136,7 +136,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L >[!IMPORTANT] >When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). 2. Choose **Advanced provisioning**. 
@@ -157,56 +157,56 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 9. Enter **assets.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the assets.xml file in a later step. -7. Save your project and close Windows Configuration Designer. +10. Save your project and close Windows Configuration Designer. -7. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*) +11. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*) -7. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: +12. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: - ![Customizations file with the placeholder text to replace highlighted](images/customization-start-edge.png) + ![Customizations file with the placeholder text to replace highlighted](images/customization-start-edge.png) -7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). +13. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). -8. Replace **assets.xml** with the text from the assets.xml file, [with markup characters replaced with escape characters](#escape). +14. Replace **assets.xml** with the text from the assets.xml file, [with markup characters replaced with escape characters](#escape). -8. Save and close the customizations.xml file. +15. Save and close the customizations.xml file. -8. Open Windows Configuration Designer and open your project. +16. Open Windows Configuration Designer and open your project. -8. 
On the **File** menu, select **Save.** +17. On the **File** menu, select **Save.** -9. On the **Export** menu, select **Provisioning package**. +18. On the **Export** menu, select **Provisioning package**. -10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** +19. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. +20. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. +21. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location. -13. Click **Next**. +22. Click **Next**. -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. 
The project information is displayed in the build page and the progress bar indicates the build status. +23. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. +24. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -16. Copy the provisioning package to the target device. +25. Copy the provisioning package to the target device. -17. Double-click the ppkg file and allow it to install. +26. Double-click the ppkg file and allow it to install. - ## Related topics + ## Related topics - [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 7c51d0f913..68f04ffda2 100644 
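Review bot: Step 20 in this hunk presents package encryption and signing as purely "Optional", while the IMPORTANT callout at the top of the same procedure warns that the .ppkg can carry sensitive information and that only the .ppkg, not the project files, can be encrypted; the renumbered step is the natural place to refer back to that callout so the reader makes the choice deliberately rather than skipping it. Also confirm that the unnumbered lines that were not renumbered ("- **Enable package encryption**", "- **Enable package signing**" under 20, "Optionally, you can click **Browse**" under 21, and the two "If you choose" / "If you are done" bullets under 24) still render nested under their new parent steps, since only the numbered lines changed.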
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -153,7 +153,7 @@ The Process data type is a container used to describe processes to be monitored -  + **Processes** The Processes data type represents a container for a collection of one or more Process elements. Two child elements are supported in the Processes sequence type: **Process** and **ShellProcess**. Process is an element of type Process and ShellProcess is of data type Empty. At least one item must be identified in the sequence. @@ -202,7 +202,7 @@ Settings is a container for all the settings that apply to a particular template -  + ### Name Element @@ -217,7 +217,7 @@ UE-V does not reference external DTDs, so it is not possible to use named entiti See for a complete list of character entities. UTF-8-encoded documents may include the Unicode characters directly. Saving templates through the UE-V template generator converts character entities to their Unicode representations automatically. -  + ### ID Element @@ -262,7 +262,7 @@ This value is queried to determine if a new version of a template should be appl - When the microsoft\\uev:SettingsLocationTemplate Update method is called through WMI -  + ### Author Element @@ -328,7 +328,7 @@ A value of **True** indicates that the string contains illegal characters. Here **Note**   The UE-V template generator encodes the greater than and less than characters as > and < respectively. -  + In rare circumstances, the FileName value will not necessarily include the .exe extension, but it should be specified as part of the value. For example, `MyApplication.exe` should be specified instead of `MyApplication`. The second example will not apply the template to the process if the actual name of the executable file is “MyApplication.exe”. 
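Review bot: In the @@ -328 hunk, the context line "The UE-V template generator encodes the greater than and less than characters as > and < respectively" reads as describing characters encoded as themselves, which is circular; it presumably meant the XML entity names, and since the hunk already touches this Note, show them literally in backticks (`&gt;` and `&lt;`) so the markdown processor does not unescape them on render.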
@@ -345,7 +345,7 @@ If this element is absent, the settings location template ignores the process’ **Note**   UE-V does not support ARM processors in this version. -  + ### ProductName @@ -494,11 +494,11 @@ Application is a container for settings that apply to a particular application.

                                                                                          Name

                                                                                          -

                                                                                          Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).

                                                                                          +

                                                                                          Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see Name.

                                                                                          ID

                                                                                          -

                                                                                          Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).

                                                                                          +

                                                                                          Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see ID.

                                                                                          Description

                                                                                          @@ -514,7 +514,7 @@ Application is a container for settings that apply to a particular application.

                                                                                          Version

                                                                                          -

                                                                                          Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).

                                                                                          +

                                                                                          Identifies the version of the settings location template for administrative tracking of changes. For more information, see Version.

                                                                                          DeferToMSAccount

                                                                                          @@ -530,16 +530,16 @@ Application is a container for settings that apply to a particular application.

                                                                                          Processes

                                                                                          -

                                                                                          A container for a collection of one or more Process elements. For more information, see [Processes](#processes21).

                                                                                          +

                                                                                          A container for a collection of one or more Process elements. For more information, see Processes.

                                                                                          Settings

                                                                                          -

                                                                                          A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in [Data types](#data21).

                                                                                          +

                                                                                          A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in Data types.

                                                                                          -  + ### Common Element @@ -557,11 +557,11 @@ Common is similar to an Application element, but it is always associated with tw

                                                                                          Name

                                                                                          -

                                                                                          Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).

                                                                                          +

                                                                                          Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see Name.

                                                                                          ID

                                                                                          -

                                                                                          Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).

                                                                                          +

                                                                                          Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see ID.

                                                                                          Description

                                                                                          @@ -577,7 +577,7 @@ Common is similar to an Application element, but it is always associated with tw

                                                                                          Version

                                                                                          -

                                                                                          Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).

                                                                                          +

                                                                                          Identifies the version of the settings location template for administrative tracking of changes. For more information, see Version.

                                                                                          DeferToMSAccount

                                                                                          @@ -593,12 +593,12 @@ Common is similar to an Application element, but it is always associated with tw

                                                                                          Settings

                                                                                          -

                                                                                          A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in [Data types](#data21).

                                                                                          +

                                                                                          A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see Settings in Data types.

                                                                                          -  + ### SettingsLocationTemplate Element @@ -616,11 +616,11 @@ This element defines the settings for a single application or a suite of applica

                                                                                          Name

                                                                                          -

                                                                                          Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).

                                                                                          +

                                                                                          Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see Name.

                                                                                          ID

                                                                                          -

                                                                                          Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).

                                                                                          +

                                                                                          Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see ID.

                                                                                          Description

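Review bot: Across the element tables in this file (the @@ -494, -514, -530, -557, -577, -593 and -616 hunks) the cross-reference links are replaced with plain text, for example `[Name](#name21)` becomes `Name`, `[ID](#id21)` becomes `ID` and `[Data types](#data21)` becomes `Data types`, so every "For more information, see ..." sentence now points nowhere. If the `#name21`-style anchors were broken, fix the anchor targets (or the headings they should resolve to) rather than dropping the links.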
                                                                                          @@ -637,7 +637,7 @@ This element defines the settings for a single application or a suite of applica -  + ### Appendix: SettingsLocationTemplate.xsd diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md index 7ff6d9a8c8..913d80ac7c 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md @@ -72,13 +72,13 @@ The following policy settings can be configured for UE-V.

                                                                                          Settings storage path

                                                                                          Computers and Users

                                                                                          This Group Policy setting configures where the user settings are to be stored.

                                                                                          -

                                                                                          Enter a Universal Naming Convention (UNC) path and variables such as \\Server\SettingsShare\%username%.

                                                                                          +

                                                                                          Enter a Universal Naming Convention (UNC) path and variables such as \Server\SettingsShare%username%.

                                                                                          Settings template catalog path

                                                                                          Computers Only

                                                                                          This Group Policy setting configures where custom settings location templates are stored. This policy setting also configures whether the catalog is to be used to replace the default Microsoft templates that are installed with the UE-V service.

                                                                                          -

                                                                                          Enter a Universal Naming Convention (UNC) path such as \\Server\TemplateShare or a folder location on the computer.

                                                                                          +

                                                                                          Enter a Universal Naming Convention (UNC) path such as \Server\TemplateShare or a folder location on the computer.

                                                                                          Select the check box to replace the default Microsoft templates.

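Review bot: The two path examples lose backslashes in the `+` lines: `\\Server\SettingsShare\%username%` becomes `\Server\SettingsShare%username%` and `\\Server\TemplateShare` becomes `\Server\TemplateShare`. Neither result is a valid UNC path: the `\\` prefix is gone, and in the first one the separator before `%username%` is lost, so the user name would be read as part of the share name. Keep the escaped form in source, or put the paths in backticks so the backslashes render literally.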
                                                                                          @@ -109,23 +109,23 @@ The following policy settings can be configured for UE-V.

                                                                                          Use User Experience Virtualization (UE-V)

                                                                                          Computers and Users

                                                                                          This Group Policy setting lets you enable or disable User Experience Virtualization (UE-V).

                                                                                          -

                                                                                          This setting only has an effect for UE-V 2.x and earlier. For UE-V in Windows 10, version 1607, use the **Enable UE-V** setting.

                                                                                          +

                                                                                          This setting only has an effect for UE-V 2.x and earlier. For UE-V in Windows 10, version 1607, use the Enable UE-V setting.

                                                                                          Enable UE-V

                                                                                          Computers and Users

                                                                                          This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect.

                                                                                          -

                                                                                          This setting only has an effect for UE-V in Windows 10, version 1607. For UE-V 2.x and earlier, choose the **Use User Experience Virtualization (UE-V)** setting.

                                                                                          +

                                                                                          This setting only has an effect for UE-V in Windows 10, version 1607. For UE-V 2.x and earlier, choose the Use User Experience Virtualization (UE-V) setting.

                                                                                          -  + **Note**   In addition, Group Policy settings are available for many desktop applications and Windows apps. You can use these settings to enable or disable settings synchronization for specific applications. -  + **Windows App Group Policy settings** @@ -166,7 +166,7 @@ In addition, Group Policy settings are available for many desktop applications a -  + For more information about synchronizing Windows apps, see [Windows App List](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md#win8applist). diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index fd141d4e87..049e9cff9f 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md @@ -80,7 +80,7 @@ The UE-V Configuration Pack includes tools to: -   + - Verify compliance by confirming that UE-V is running. @@ -107,7 +107,7 @@ It might be necessary to change the PowerShell execution policy to allow these s 1. Select **Administration > Client Settings > Properties** 2. In the **User Agent** tab, set the **PowerShell Execution Policy** to **Bypass** -  + **Create the first UE-V policy configuration item** @@ -240,9 +240,9 @@ You can download the [System Center 2012 Configuration Pack for Microsoft User E [Manage Configurations for UE-V](uev-manage-configurations.md) -  + -  + diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index e5c118093c..edb70df39e 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md 
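Review bot: In the @@ -109 hunk, dropping the bold from the setting names in the two cross-reference sentences ("use the Enable UE-V setting", "choose the Use User Experience Virtualization (UE-V) setting") makes the second one hard to parse as a setting name in running text; if markdown emphasis does not render inside these table cells, use `<strong>` in the cell rather than plain text.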
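Review bot: In the @@ -107 hunk of uev-configuring-uev-with-system-center-configuration-manager.md the change is whitespace only, but the step it touches sets the client's **PowerShell Execution Policy** to **Bypass** in the **User Agent** settings, which applies to every script the Configuration Manager client runs, not only the UE-V Configuration Pack scripts; the doc should say so, and either tell the reader to restore the previous value once the pack's scripts have run or point to signing the scripts so a signing-required policy can stay in place.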
@@ -123,7 +123,7 @@ UE-V for Windows 10, version 1607 includes a new template generator. If you are ![Selecting UE-V features in ADK](images/uev-adk-select-uev-feature.png) -3. To open the generator, select **Microsoft Application Virtualization Generator** from the **Start** menu. +3. To open the generator, select **Microsoft Application Virtualization Generator** from the **Start** menu. 4. See [Working with Custom UE-V Templates and the UE-V Template Generator](uev-working-with-custom-templates-and-the-uev-generator.md) for information about how to use the template generator. diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md index 623f29e522..0884ef68c4 100644 --- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md +++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md @@ -92,10 +92,10 @@ Restoring a user’s device restores the currently registered Template’s setti If the user’s UE-V settings storage path, domain, and Computer name match the current user then all of the settings for that user are synchronized, with only the latest settings applied. If a user logs on to a new device for the first time and these criteria are met, the settings data is applied to that device. - **Note**   + **Note** Accessibility and Windows Desktop settings require the user to re-logon to Windows to be applied. -   + - **Manual Restore** @@ -131,7 +131,7 @@ WMI and Windows PowerShell commands let you restore application and Windows sett -   + **To restore application settings and Windows settings with WMI** @@ -158,12 +158,14 @@ WMI and Windows PowerShell commands let you restore application and Windows sett -   - **Note**   - UE-V does not provide a settings rollback for Windows apps. -   +~~~ +**Note** +UE-V does not provide a settings rollback for Windows apps. +~~~ + + 
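Review bot: In the @@ -158 hunk of uev-manage-administrative-backup-and-restore.md, wrapping the Note in `~~~` fences turns it into a literal code block, so the reader sees `**Note**` with the asterisks and the callout styling is lost; the provisioning-package file earlier in this patch uses the `>[!IMPORTANT]` alert syntax, and the equivalent here is `> [!NOTE]` followed by the sentence. The `**Note**` line kept in the @@ -92 hunk of the same file would benefit from the same treatment.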
diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md index 3661b0812c..332f881bf8 100644 --- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md @@ -29,7 +29,7 @@ The WMI and Windows PowerShell features of UE-V include the ability to enable, d You must have administrator permissions to update, register, or unregister a settings location template. Administrator permissions are not required to enable, disable, or list templates. -****To manage settings location templates by using Windows PowerShell**** +***To manage settings location templates by using Windows PowerShell*** 1. Use an account with administrator rights to open a Windows PowerShell command prompt. @@ -158,7 +158,7 @@ You must have administrator permissions to update, register, or unregister a set -   + The UE-V Windows PowerShell features enable you to manage a group of settings templates that are deployed in your enterprise. Use the following procedure to manage a group of templates by using Windows PowerShell. diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md index 7277b457db..191b74f140 100644 --- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md 
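Review bot: In the @@ -29 hunk of uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md, `***To manage settings location templates by using Windows PowerShell***` (three asterisks) renders as bold italic, which does not match the plain bold procedure headings used elsewhere in this patch (for example `**To restore application settings and Windows settings with WMI**` and `**Create the first UE-V policy configuration item**`); the fix for the original four-asterisk typo should be `**...**`.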
@@ -26,169 +26,169 @@ You can use Windows Management Instrumentation (WMI) and Windows PowerShell to m ## To configure the UE-V service with Windows PowerShell -1. Open a Windows PowerShell window. To manage computer settings that affect all users of the computer by using the *Computer* parameter, open the window with an account that has administrator rights. +1. Open a Windows PowerShell window. To manage computer settings that affect all users of the computer by using the *Computer* parameter, open the window with an account that has administrator rights. -2. Use the following Windows PowerShell commands to configure the service. +2. Use the following Windows PowerShell commands to configure the service. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                          Windows PowerShell commandDescription

                                                                                          Enable-UEV

                                                                                          -

                                                                                          Turns on the UE-V service. Requires reboot.

                                                                                          Disable-UEV

                                                                                          Turns off the UE-V service. Requires reboot.

                                                                                          Get-UevStatus

                                                                                          Displays whether UE-V service is enabled or disabled, using a Boolean value.

                                                                                          Get-UevConfiguration

                                                                                          -

                                                                                          Gets the effective UE-V service settings. User-specific settings have precedence over the computer settings.

                                                                                          Get-UevConfiguration -CurrentComputerUser

                                                                                          -

                                                                                          Gets the UE-V service settings values for the current user only.

                                                                                          Get-UevConfiguration -Computer

                                                                                          Gets the UE-V service configuration settings values for all users on the computer.

                                                                                          Get-UevConfiguration -Details

                                                                                          Gets the details for each configuration setting. Displays where the setting is configured or if it uses the default value. Is displayed if the current setting is valid.

                                                                                          Set-UevConfiguration -Computer -EnableDontSyncWindows8AppSettings

                                                                                          Configures the UE-V service to not synchronize any Windows apps for all users on the computer.

                                                                                          Set-UevConfiguration -CurrentComputerUser -EnableDontSyncWindows8AppSettings

                                                                                          Configures the UE-V service to not synchronize any Windows apps for the current computer user.

                                                                                          Set-UevConfiguration -Computer -EnableFirstUseNotification

                                                                                          Configures the UE-V service to display notification the first time the service runs for all users on the computer.

                                                                                          Set-UevConfiguration -Computer -DisableFirstUseNotification

                                                                                          Configures the UE-V service to not display notification the first time that the service runs for all users on the computer.

                                                                                          Set-UevConfiguration -Computer -EnableSettingsImportNotify

                                                                                          Configures the UE-V service to notify all users on the computer when settings synchronization is delayed.

                                                                                          -

                                                                                          Use the DisableSettingsImportNotify parameter to disable notification.

                                                                                          Set-UevConfiguration -CurrentComputerUser -EnableSettingsImportNotify

                                                                                          Configures the UE-V service to notify the current user when settings synchronization is delayed.

                                                                                          -

                                                                                          Use the DisableSettingsImportNotify parameter to disable notification.

                                                                                          Set-UevConfiguration -Computer -EnableSyncUnlistedWindows8Apps

                                                                                          Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).

                                                                                          -

                                                                                          Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.

                                                                                          Set-UevConfiguration -CurrentComputerUser - EnableSyncUnlistedWindows8Apps

                                                                                          Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).

                                                                                          -

                                                                                          Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.

                                                                                          Set-UevConfiguration -Computer -DisableSync

                                                                                          Disables UE-V for all the users on the computer.

                                                                                          -

                                                                                          Use the EnableSync parameter to enable or re-enable.

                                                                                          Set-UevConfiguration -CurrentComputerUser -DisableSync

                                                                                          Disables UE-V for the current user on the computer.

                                                                                          -

                                                                                          Use the EnableSync parameter to enable or re-enable.

                                                                                          Set-UevConfiguration -Computer -EnableTrayIcon

                                                                                          Enables the UE-V icon in the notification area for all users of the computer.

                                                                                          -

                                                                                          Use the DisableTrayIcon parameter to disable the icon.

                                                                                          Set-UevConfiguration -Computer -MaxPackageSizeInBytes <size in bytes>

                                                                                          Configures the UE-V service to report when a settings package file size reaches the defined threshold for all users on the computer. Sets the threshold package size in bytes.

                                                                                          Set-UevConfiguration -CurrentComputerUser -MaxPackageSizeInBytes <size in bytes>

                                                                                          Configures the UE-V service to report when a settings package file size reaches the defined threshold. Sets the package size warning threshold for the current user.

                                                                                          Set-UevConfiguration -Computer -SettingsImportNotifyDelayInSeconds

                                                                                          Specifies the time in seconds before the user is notified for all users of the computer

                                                                                          Set-UevConfiguration -CurrentComputerUser -SettingsImportNotifyDelayInSeconds

                                                                                          Specifies the time in seconds before notification for the current user is sent.

                                                                                          Set-UevConfiguration -Computer -SettingsStoragePath <path to _settings_storage_location>

                                                                                          Defines a per-computer settings storage location for all users of the computer.

                                                                                          Set-UevConfiguration -CurrentComputerUser -SettingsStoragePath <path to _settings_storage_location>

                                                                                          Defines a per-user settings storage location.

                                                                                          Set-UevConfiguration -Computer -SettingsTemplateCatalogPath <path to catalog>

                                                                                          Sets the settings template catalog path for all users of the computer.

                                                                                          Set-UevConfiguration -Computer -SyncMethod <sync method>

                                                                                          Sets the synchronization method for all users of the computer: SyncProvider or None.

                                                                                          Set-UevConfiguration -CurrentComputerUser -SyncMethod <sync method>

                                                                                          Sets the synchronization method for the current user: SyncProvider or None.

                                                                                          Set-UevConfiguration -Computer -SyncTimeoutInMilliseconds <timeout in milliseconds>

                                                                                          Sets the synchronization time-out in milliseconds for all users of the computer

                                                                                          Set-UevConfiguration -CurrentComputerUser -SyncTimeoutInMilliseconds <timeout in milliseconds>

                                                                                          Set the synchronization time-out for the current user.

                                                                                          Clear-UevConfiguration -Computer -<setting name>

                                                                                          Clears the specified setting for all users on the computer.

                                                                                          Clear-UevConfiguration -CurrentComputerUser -<setting name>

                                                                                          Clears the specified setting for the current user only.

                                                                                          Export-UevConfiguration <settings migration file>

                                                                                          Exports the UE-V computer configuration to a settings migration file. The file name extension must be .uev.

                                                                                          -

                                                                                          The Export cmdlet exports all UE-V service settings that are configurable with the Computer parameter.

                                                                                          Import-UevConfiguration <settings migration file>

                                                                                          Imports the UE-V computer configuration from a settings migration file. The file name extension must be .uev.

                                                                                          + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                          Windows PowerShell commandDescription

                                                                                          Enable-UEV

                                                                                          +

                                                                                          Turns on the UE-V service. Requires reboot.

                                                                                          Disable-UEV

                                                                                          Turns off the UE-V service. Requires reboot.

                                                                                          Get-UevStatus

                                                                                          Displays whether UE-V service is enabled or disabled, using a Boolean value.

                                                                                          Get-UevConfiguration

                                                                                          +

                                                                                          Gets the effective UE-V service settings. User-specific settings have precedence over the computer settings.

                                                                                          Get-UevConfiguration -CurrentComputerUser

                                                                                          +

                                                                                          Gets the UE-V service settings values for the current user only.

                                                                                          Get-UevConfiguration -Computer

                                                                                          Gets the UE-V service configuration settings values for all users on the computer.

                                                                                          Get-UevConfiguration -Details

                                                                                          Gets the details for each configuration setting. Displays where the setting is configured or if it uses the default value. Is displayed if the current setting is valid.

                                                                                          Set-UevConfiguration -Computer -EnableDontSyncWindows8AppSettings

                                                                                          Configures the UE-V service to not synchronize any Windows apps for all users on the computer.

                                                                                          Set-UevConfiguration -CurrentComputerUser -EnableDontSyncWindows8AppSettings

                                                                                          Configures the UE-V service to not synchronize any Windows apps for the current computer user.

                                                                                          Set-UevConfiguration -Computer -EnableFirstUseNotification

                                                                                          Configures the UE-V service to display notification the first time the service runs for all users on the computer.

                                                                                          Set-UevConfiguration -Computer -DisableFirstUseNotification

                                                                                          Configures the UE-V service to not display notification the first time that the service runs for all users on the computer.

                                                                                          Set-UevConfiguration -Computer -EnableSettingsImportNotify

                                                                                          Configures the UE-V service to notify all users on the computer when settings synchronization is delayed.

                                                                                          +

                                                                                          Use the DisableSettingsImportNotify parameter to disable notification.

                                                                                          Set-UevConfiguration -CurrentComputerUser -EnableSettingsImportNotify

                                                                                          Configures the UE-V service to notify the current user when settings synchronization is delayed.

                                                                                          +

                                                                                          Use the DisableSettingsImportNotify parameter to disable notification.

                                                                                          Set-UevConfiguration -Computer -EnableSyncUnlistedWindows8Apps

                                                                                          Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in Managing UE-V Settings Location Templates Using Windows PowerShell and WMI.

                                                                                          +

                                                                                          Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.

                                                                                          Set-UevConfiguration -CurrentComputerUser - EnableSyncUnlistedWindows8Apps

                                                                                          Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in Managing UE-V Settings Location Templates Using Windows PowerShell and WMI.

                                                                                          +

                                                                                          Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.

                                                                                          Set-UevConfiguration -Computer -DisableSync

                                                                                          Disables UE-V for all the users on the computer.

                                                                                          +

                                                                                          Use the EnableSync parameter to enable or re-enable.

                                                                                          Set-UevConfiguration -CurrentComputerUser -DisableSync

                                                                                          Disables UE-V for the current user on the computer.

                                                                                          +

                                                                                          Use the EnableSync parameter to enable or re-enable.

                                                                                          Set-UevConfiguration -Computer -EnableTrayIcon

                                                                                          Enables the UE-V icon in the notification area for all users of the computer.

                                                                                          +

                                                                                          Use the DisableTrayIcon parameter to disable the icon.

                                                                                          Set-UevConfiguration -Computer -MaxPackageSizeInBytes <size in bytes>

                                                                                          Configures the UE-V service to report when a settings package file size reaches the defined threshold for all users on the computer. Sets the threshold package size in bytes.

                                                                                          Set-UevConfiguration -CurrentComputerUser -MaxPackageSizeInBytes <size in bytes>

                                                                                          Configures the UE-V service to report when a settings package file size reaches the defined threshold. Sets the package size warning threshold for the current user.

                                                                                          Set-UevConfiguration -Computer -SettingsImportNotifyDelayInSeconds

                                                                                          Specifies the time in seconds before the user is notified for all users of the computer

                                                                                          Set-UevConfiguration -CurrentComputerUser -SettingsImportNotifyDelayInSeconds

                                                                                          Specifies the time in seconds before notification for the current user is sent.

                                                                                          Set-UevConfiguration -Computer -SettingsStoragePath <path to _settings_storage_location>

                                                                                          Defines a per-computer settings storage location for all users of the computer.

                                                                                          Set-UevConfiguration -CurrentComputerUser -SettingsStoragePath <path to _settings_storage_location>

                                                                                          Defines a per-user settings storage location.

                                                                                          Set-UevConfiguration -Computer -SettingsTemplateCatalogPath <path to catalog>

                                                                                          Sets the settings template catalog path for all users of the computer.

                                                                                          Set-UevConfiguration -Computer -SyncMethod <sync method>

                                                                                          Sets the synchronization method for all users of the computer: SyncProvider or None.

                                                                                          Set-UevConfiguration -CurrentComputerUser -SyncMethod <sync method>

                                                                                          Sets the synchronization method for the current user: SyncProvider or None.

                                                                                          Set-UevConfiguration -Computer -SyncTimeoutInMilliseconds <timeout in milliseconds>

                                                                                          Sets the synchronization time-out in milliseconds for all users of the computer

                                                                                          Set-UevConfiguration -CurrentComputerUser -SyncTimeoutInMilliseconds <timeout in milliseconds>

                                                                                          Set the synchronization time-out for the current user.

                                                                                          Clear-UevConfiguration -Computer -<setting name>

                                                                                          Clears the specified setting for all users on the computer.

                                                                                          Clear-UevConfiguration -CurrentComputerUser -<setting name>

                                                                                          Clears the specified setting for the current user only.

                                                                                          Export-UevConfiguration <settings migration file>

                                                                                          Exports the UE-V computer configuration to a settings migration file. The file name extension must be .uev.

                                                                                          +

                                                                                          The Export cmdlet exports all UE-V service settings that are configurable with the Computer parameter.

                                                                                          Import-UevConfiguration <settings migration file>

                                                                                          Imports the UE-V computer configuration from a settings migration file. The file name extension must be .uev.

                                                                                          -   + ## To export UE-V package settings and repair UE-V templates with Windows PowerShell @@ -346,7 +346,7 @@ When you are finished configuring the UE-V service with WMI and Windows PowerShe -   + diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md index f9c1a27a4a..4ed5adc8a9 100644 --- a/windows/configuration/ue-v/uev-migrating-settings-packages.md +++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md @@ -42,7 +42,7 @@ Simply copying the files and folders does not preserve the security settings and **Note**   To monitor the copy progress, open MySettings.txt with a log viewer such as Trace32. -   + 4. Grant share-level permissions to the new share. Leave the NTFS file system permissions as they were set by Robocopy. diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index b23ac98d20..794ec9df43 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md @@ -369,7 +369,7 @@ Enable this configuration using one of these methods: Restart the device to allow the settings to synchronize. - >**Note** -These methods do not work for pooled virtual desktop infrastructure (VDI) environments. + These methods do not work for pooled virtual desktop infrastructure (VDI) environments. >**Note** diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md index 98c8311810..3dc4b9727d 100644 --- a/windows/configuration/ue-v/uev-sync-trigger-events.md +++ b/windows/configuration/ue-v/uev-sync-trigger-events.md @@ -41,7 +41,7 @@ The following table explains the trigger events for classic applications and Win
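Review bot: in the re-added cmdlet table the row `Set-UevConfiguration -CurrentComputerUser - EnableSyncUnlistedWindows8Apps` still has a space between the hyphen and the parameter name, so as written it would not be parsed as the `-EnableSyncUnlistedWindows8Apps` switch; since this hunk rewrites the whole table, correct it to `Set-UevConfiguration -CurrentComputerUser -EnableSyncUnlistedWindows8Apps`, matching the `-Computer` row directly above. The `+` side also shows both cross-references as plain text ("see "Get-UevAppxPackage" in Managing UE-V Settings Location Templates Using Windows PowerShell and WMI"), where the `-` side links to `uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md`; if the change is meant to be a whitespace cleanup only, the links need to be kept. Minor: the two `-SettingsImportNotifyDelayInSeconds` rows are the only parameter rows without a value placeholder, unlike `-SyncTimeoutInMilliseconds <timeout in milliseconds>`.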
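Review bot: in the `uev-prepare-for-deployment.md` hunk (`@@ -369,7 +369,7 @@`) the replacement removes the `>**Note**` line in front of "These methods do not work for pooled virtual desktop infrastructure (VDI) environments." and leaves that sentence as an indented plain paragraph, so the VDI caveat no longer renders as a callout while the `>**Note**` that follows it still does; if the intent is only to drop the stray non-breaking space, keep the `>**Note**` line and prefix the sentence with `>` so both lines stay in one blockquote.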

                                                                                          Windows Logon

                                                                                          • Application and Windows settings are imported to the local cache from the settings storage location.

                                                                                          • -
                                                                                          • [Asynchronous Windows settings](uev-prepare-for-deployment.md#windows-settings-synchronized-by-default) are applied.

                                                                                          • +
                                                                                          • Asynchronous Windows settings are applied.

                                                                                          • Synchronous Windows settings will be applied during the next Windows logon.

                                                                                          • Application settings will be applied when the application starts.
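Review bot: the replaced Windows Logon bullet "Asynchronous Windows settings are applied." drops the link to `uev-prepare-for-deployment.md#windows-settings-synchronized-by-default` that the removed line carried; that anchor is what tells the reader which settings count as asynchronous, so restore `[Asynchronous Windows settings](uev-prepare-for-deployment.md#windows-settings-synchronized-by-default)` if the removal is not intentional.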

                                                                                          @@ -83,19 +83,18 @@ The following table explains the trigger events for classic applications and Win

                                                                                          Application and Windows settings are synchronized between the settings storage location and the local cache.

                                                                                          -Note   -

                                                                                          Settings changes are not cached locally until an application closes. This trigger will not export changes made to a currently running application.

                                                                                          +Note

                                                                                          Settings changes are not cached locally until an application closes. This trigger will not export changes made to a currently running application.

                                                                                          For Windows settings, this means that any changes will not be cached locally and exported until the next Lock (Asynchronous) or Logoff (Asynchronous and Synchronous).

                                                                                          -  +

                                                                                          Settings are applied in these cases:

                                                                                          • Asynchronous Windows settings are applied directly.

                                                                                          • Application settings are applied when the application starts.

                                                                                          • Both asynchronous and synchronous Windows settings are applied during the next Windows logon.

                                                                                          • -
                                                                                          • Windows app (AppX) settings are applied during the next refresh. See [Monitor Application Settings](uev-changing-the-frequency-of-scheduled-tasks.md#monitor-application-settings) for more information.

                                                                                          • +
                                                                                          • Windows app (AppX) settings are applied during the next refresh. See Monitor Application Settings for more information.

                                                                                          NA
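Review bot: the new AppX bullet, "See Monitor Application Settings for more information.", names a section without linking to it; the removed line pointed at `uev-changing-the-frequency-of-scheduled-tasks.md#monitor-application-settings`, and without that target the reference cannot be followed from this page, so put the link back. The rest of the hunk (`-Note   -` to `+Note` and the `-  +` blank line) is the expected non-breaking-space cleanup and looks fine.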

                                                                                          @@ -107,7 +106,7 @@ The following table explains the trigger events for classic applications and Win -  + @@ -123,9 +122,9 @@ The following table explains the trigger events for classic applications and Win [Choose the Configuration Method for UE-V](uev-deploy-required-features.md) -  - -  + + + diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md index 63c3424caf..d2e019723d 100644 --- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md +++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md @@ -37,7 +37,7 @@ UE-V monitors when an application opens by the program name and, optionally, by **Note**   If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**. -   + 4. Start the App-V package. @@ -51,9 +51,9 @@ UE-V monitors when an application opens by the program name and, optionally, by [Administering UE-V](uev-administering-uev.md) -  + -  + diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md index ec6edad301..a2663f503d 100644 --- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md +++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md 
@@ -101,7 +101,7 @@ Use the UE-V template generator to edit settings location templates. When the re >**Note**   A settings location template is unique because of the template **ID**. If you copy the template and rename the .xml file, template registration fails because UE-V reads the template **ID** tag in the .xml file to determine the name, not the file name of the .xml file. UE-V also reads the **Version** number to know if anything has changed. If the version number is higher, UE-V updates the template. -   + 2. Open the settings location template file with an XML editor. 3. Edit the settings location template file. All changes must conform to the UE-V schema file that is defined in [SettingsLocationTempate.xsd](uev-application-template-schema-reference.md). By default, a copy of the .xsd file is located in \\ProgramData\\Microsoft\\UEV\\Templates. @@ -157,9 +157,9 @@ Before you deploy any settings location template that you have downloaded from t [Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md) -  + -  + diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index 079372256a..b91890550a 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -57,7 +57,7 @@ To add a new item under the browser's **Favorites** list: 2. In the **Available customizations** pane, select the friendly name that you just created, and in the text field, enter the URL for the item. -For example, to include the corporate Web site to the list of browser favorites, a company called Contoso can specify **Contoso** as the value for the name and "http://www.contoso.com" for the URL. +For example, to include the corporate Web site to the list of browser favorites, a company called Contoso can specify **Contoso** as the value for the name and "" for the URL. ## PartnerSearchCode 
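Review bot: the `+` line in the wcd-browser.md hunk drops the example URL: `"http://www.contoso.com"` becomes `""`, so the sentence now tells readers to enter an empty string for the favourite's URL. If the intent was to stop the bare address from being rendered as a live link, keep it visible as inline code (`` `http://www.contoso.com` ``) rather than deleting it; otherwise restore the original text. If the URL was rewritten in a form this rendered diff does not show, please confirm it still appears on the built page.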
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index c5bbf37872..b9b724b0b7 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md @@ -211,29 +211,29 @@ UserEnabled | Select **Yes** to show the user setting if RCS is enabled on the d ### SMS -Setting | Description ---- | --- -AckExpirySeconds | Set the value, in seconds, for how long to wait for a client ACK before trying to deliver. -DefaultMCC | Set the default mobile country code (MCC). -Encodings > GSM7BitEncodingPage | Enter the code page value for the 7-bit GSM default alphabet encoding. Values:

                                                                                          - Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)
                                                                                          - Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction) -Encodings > GSM8BitEncodingPage | Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. For more information, see [Add encoding extension tables for SMS]https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/add-encoding-extension-tables-for-sms). -Encodings > OctetEncodingPage | Set the octet (binary) encoding. -Encodings > SendUDHNLSS | Set the 7 bit GSM shift table encoding. -Encodings > UseASCII | Set the 7 bit ASCII encoding. Used only for CDMA carriers that use 7-bit ASCII encoding instead of GSM 7-bit encoding. -Encodings > UseKeyboardLangague | Set whether to use the keyboard language (Portuguese, Spanish, or Turkish) based encoding (set shift table based on keyboard language). -IncompleteMsgDeliverySeconds | Set the value, in seconds, for long to wait for all parts of multisegment Sprint messages for concatenation. -MessageExpirySeconds | Partners can set the expiration time before the phone deletes the received parts of a long SMS message. For example, if the phone is waiting for a three-part SMS message and the first part has been received, the first part will be deleted when the time expires and the other part of the message has not arrived. If the second part of the message arrives before the time expires, the first and second parts of the message will be deleted if the last part does not arrive after the time expires. The expiration time is reset whenever the next part of the long message is received. 
Set MessageExpirySeconds to the number seconds that the phone should wait before deleting the received parts of a long SMS messages. This value should be in hexadecimal and must be prefixed with 0x. The default value is 0x15180, which is equivalent to 1 day or 86,400 seconds. -SmsFragmentLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsFragmentLimit to set the maximum number of bytes in the user data body of an SMS message. You must set the value between 16 (0x10) and 140 (0x8C). You must also use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. -SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message. -SmsStoreDeleteSize | Set the number of messages that can be deleted when a "message full" indication is received from the modem. -SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. 
Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message. -Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**. -Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. -Type3GPP > IMS > AttemptThresholdForIMS | Set the maximum number of tries to send SMS on IMS. -Type3GPP > IMS > RetryEnabled | Configure whether to enable one automatic retry after failure to send over IMS. -Type 3GPP > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH. -Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. -Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type. 
+| Setting | Description | +|----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| AckExpirySeconds | Set the value, in seconds, for how long to wait for a client ACK before trying to deliver. | +| DefaultMCC | Set the default mobile country code (MCC). | +| Encodings > GSM7BitEncodingPage | Enter the code page value for the 7-bit GSM default alphabet encoding. Values:

                                                                                          - Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)
                                                                                          - Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction) | +| Encodings > GSM8BitEncodingPage | Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. For more information, see [Add encoding extension tables for SMS]). | +| Encodings > OctetEncodingPage | Set the octet (binary) encoding. | +| Encodings > SendUDHNLSS | Set the 7 bit GSM shift table encoding. | +| Encodings > UseASCII | Set the 7 bit ASCII encoding. Used only for CDMA carriers that use 7-bit ASCII encoding instead of GSM 7-bit encoding. | +| Encodings > UseKeyboardLangague | Set whether to use the keyboard language (Portuguese, Spanish, or Turkish) based encoding (set shift table based on keyboard language). | +| IncompleteMsgDeliverySeconds | Set the value, in seconds, for long to wait for all parts of multisegment Sprint messages for concatenation. | +| MessageExpirySeconds | Partners can set the expiration time before the phone deletes the received parts of a long SMS message. For example, if the phone is waiting for a three-part SMS message and the first part has been received, the first part will be deleted when the time expires and the other part of the message has not arrived. If the second part of the message arrives before the time expires, the first and second parts of the message will be deleted if the last part does not arrive after the time expires. The expiration time is reset whenever the next part of the long message is received. 
Set MessageExpirySeconds to the number seconds that the phone should wait before deleting the received parts of a long SMS messages. This value should be in hexadecimal and must be prefixed with 0x. The default value is 0x15180, which is equivalent to 1 day or 86,400 seconds. | +| SmsFragmentLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsFragmentLimit to set the maximum number of bytes in the user data body of an SMS message. You must set the value between 16 (0x10) and 140 (0x8C). You must also use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. | +| SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message. | +| SmsStoreDeleteSize | Set the number of messages that can be deleted when a "message full" indication is received from the modem. | +| SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. 
Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message. | +| Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**. | +| Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. | +| Type3GPP > IMS > AttemptThresholdForIMS | Set the maximum number of tries to send SMS on IMS. | +| Type3GPP > IMS > RetryEnabled | Configure whether to enable one automatic retry after failure to send over IMS. | +| Type 3GPP > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH. | +| Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. | +| Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type. | ### UIX @@ -338,31 +338,26 @@ SuppressDePersoUI | Suppress DePerso UI to unlock Perso. (Removed in Windows 10 ### General -Setting | Description ---- | --- -atomicRoamingTableSettings3GPP | If you enable 3GPP roaming, configure the following settings:

                                                                                          - **Exceptions** maps the SerialNumber key to the Exceptions value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Exceptions" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Exceptions). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.
                                                                                          - **HomePLMN** maps the SerialNumber key to the HomePLMN value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "HomePLMN" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (HomePLMN). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.
                                                                                          - **TargetImsi** maps the SerialNubmer key to the TargetIMSI value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "TargetImsi" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (TargetImsi). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC. -atomicRoamingTableSettings3GPP2 | If you enable 3GPP2 roaming, configure the following settings:

                                                                                          - **Home** maps the SerialNumber key to the Home value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Home" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Home). The data in the regvalue is a DWORD representing the Roaming Indicator.
                                                                                          - **Roaming** maps the SerialNumber key to the Roaming value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Roaming" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Roaming). The data in the regvalue is a DWORD representing the Roaming Indicator. -AvoidStayingInManualSelection | You can enable permanent automatic mode for mobile networks that require the cellular settings to revert to automatic network selection after the user has manually selected another network when roaming or out of range of the home network. -CardAllowList | Define the list of SIM cards allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards allowed in the first slot, set the value for CardAllowList to a comma-separated MCC:MNC list. You can also use wild cards, represented by an asterisk (*), to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`. -CardBlockList | Define the list of SIM cards that are not allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards that are not allowed in the first slot, set the value for CardBlockList to a comma separated MCC:MNC list. You can also use wild cards, represented by an asterisk (*), to accept any value. For example, you can set the value to `310:410,311:*,404:012,310:70`. -CardLock | Used to enforce either the card allow list or both the card allow and block lists on a C+G dual SIM phone. 
-Critical > MultivariantProvisionedSPN | Used to change the default friendly SIM names in dual SIM phones. By default, the OS displays SIM 1 or SIM 2 as the default friendly name for the SIM in slot 1 or slot 2 if the service provider name (SPN) or mobile operator name has not been set. Partners can use this setting to change the default name read from the SIM to define the SPN for SIM cards that do not contain this information or to generate the default friendly name for the SIM. The OS uses the default value as the display name for the SIM or SPN in the Start screen and other parts of the UI including the SIM settings screen. For dual SIM phones that contain SIMs from the same mobile operator, the names that appear in the UI may be similar. See [Values for MultivariantProvisionedSPN](#spn). -Critical > SimNameWithoutMSISDNENabled | Use this setting to remove the trailing MSISDN digits from the service provider name (SPN) in the phone UI. By default, the OS appends the trailing MSISDN digits to the service provider name (SPN) in the phone UI, including on the phone and messaging apps. If required by mobile operators, OEMs can use the SimNameWithoutMSISDNEnabled setting to remove the trailing MSISDN digits. However, you must use this setting together with **MultivariantProvisionedSPN** to suppress the MSISDN digits. -DisableLTESupportWhenRoaming | Set to **Yes** to disable LTE support when roaming. -EnableIMSWhenRoaming | Set to **Yes** to enable IMS when roaming. -ExcludedSystemTypesByDefault | Set the default value for **Highest connection speed** in the **Settings** > **Cellular & SIM** > **SIM** screen by specifying the bitmask for any combination of radio technology to be excluded from the default value. The connection speed that has not been excluded will show up as the highest connection speed. 
On dual SIM phones that only support up to 3G connection speeds, the **Highest connection speed** option is replaced by a 3G on/off toggle based on the per-device setting. Enter the binary setting to exclude 4G (`10000`) or 3G (`01000`). -LTEEnabled | Select **Yes** to enable LTE, and **No** to disable LTE. -LTEForced | Select **Yes** to force LTE. -NetworkSuffix | To meet branding requirements for some mobile operators, you can add a suffix to the network name that is displayed on the phone. For example, you can change from ABC to ABC 3G when under 3G coverage. This feature can be applied for any radio access technology (RAT). For TD-SCDMA RAT, a 3G suffix is always appended by default, but partners can also customize this the same way as with any other RAT. In the setting name, set SYSTEMTYPE to the network type that you want to append the network name to and click **Add**:

                                                                                          - system type 4: 2G (GSM)
                                                                                          - system type 8: 3G (UMTS)
                                                                                          - system type 16: LTE
                                                                                          - system type 32: 3G (TS-SCDMA)

                                                                                          Select the system type that you added, and enter the network name and suffix that you want displayed. -NitzFiltering | For mobile networks that can receive Network Identity and Time Zone (NITZ) information from multiple sources, partners can set the phone to ignore the time received from an LTE network. Time received from a CDMA network is not affected. Set the value of NitzFiltering to `0x10`. -OperatorListForExcludedSystemTypes | Enter a comma-separated list of MCC and MNC (MCC:MNC) for which system types should be restricted. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can specify the MCC and MNC of other specific operators that the main mobile operator wishes to limit. If the UICC's MCC and MNC matches any of the pairs that OEMs can specify for the operator, a specified RIL system type will be removed from the UICC regardless of its app types, slot position, or executor mapping. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. Set the value of the OperatorListForExcludedSystemTypes setting a comma separated list of MCC:MNC pairs for which the system types should be restricted. For example, the value can be set to 310:026,310:030 to restrict operators with an MCC:MNC of 310:026 and 310:030. (Removed in Windows 10, version 1803.) -OperatorPreferredForFasterRadio | Set Issuer Identification Number (IIN) or partial ICCID of preferred operator for the faster radio. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can map a partial ICCID or an Industry Identification Number (IIN) to the faster radio regardless of which SIM card is chosen for data connectivity. This setting is used only for China. 
OEMs should not use this setting unless required by the mobile operator. To map a partial ICCID or an IIN to the faster radio regardless of which SIM card is chosen for data connectivity, set the value of OperatorPreferredForFasterRadio to match the IIN or the ICCID, up to 7 digits, of the preferred operator. (Removed in Windows 10, version 1803.) -SuggestDataRoamingARD | Use to show the data roaming suggestion dialog when roaming and the data roaming setting is set to no roaming. - - - - - +| Setting | Description | +|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------| +| atomicRoamingTableSettings3GPP | If you enable 3GPP roaming, configure the following settings:

                                                                                          - **Exceptions** maps the SerialNumber key to the Exceptions value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Exceptions" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Exceptions). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.
                                                                                          - **HomePLMN** maps the SerialNumber key to the HomePLMN value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "HomePLMN" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (HomePLMN). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC.
                                                                                          - **TargetImsi** maps the SerialNubmer key to the TargetIMSI value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "TargetImsi" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (TargetImsi). The data in the regvalue is a string representing an MCC-MNC pair, such as "410510" where 410 is the MCC and 510 is the MNC. | +| atomicRoamingTableSettings3GPP2 | If you enable 3GPP2 roaming, configure the following settings:

                                                                                          - **Home** maps the SerialNumber key to the Home value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Home" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Home). The data in the regvalue is a DWORD representing the Roaming Indicator.
                                                                                          - **Roaming** maps the SerialNumber key to the Roaming value. The wildcard, $(SerialNumber), is a 3-digit decimal serial number (000 through 999) represented as a string. The wildcard is used as a regvalue under the "Roaming" subkey. Multiple reg values in this form may be configured or customized by the OEM, all placed under the same subkey (Roaming). The data in the regvalue is a DWORD representing the Roaming Indicator. | +| AvoidStayingInManualSelection | You can enable permanent automatic mode for mobile networks that require the cellular settings to revert to automatic network selection after the user has manually selected another network when roaming or out of range of the home network. | +| CardAllowList | Define the list of SIM cards allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards allowed in the first slot, set the value for CardAllowList to a comma-separated MCC:MNC list. You can also use wild cards, represented by an asterisk (*), to accept any value. For example, you can set the value to \`310:410,311:*,404:012,310:70\`. | +| CardBlockList | Define the list of SIM cards that are not allowed in the first slot of a C+G dual SIM phone. This setting is used only if **CardLock** is set to allow it. If **CardLock** is not set, this list is ignored. To configure the list of SIM cards that are not allowed in the first slot, set the value for CardBlockList to a comma separated MCC:MNC list. You can also use wild cards, represented by an asterisk (*), to accept any value. For example, you can set the value to \`310:410,311:*,404:012,310:70\`. | +| CardLock | Used to enforce either the card allow list or both the card allow and block lists on a C+G dual SIM phone. 
| +| Critical > MultivariantProvisionedSPN | Used to change the default friendly SIM names in dual SIM phones. By default, the OS displays SIM 1 or SIM 2 as the default friendly name for the SIM in slot 1 or slot 2 if the service provider name (SPN) or mobile operator name has not been set. Partners can use this setting to change the default name read from the SIM to define the SPN for SIM cards that do not contain this information or to generate the default friendly name for the SIM. The OS uses the default value as the display name for the SIM or SPN in the Start screen and other parts of the UI including the SIM settings screen. For dual SIM phones that contain SIMs from the same mobile operator, the names that appear in the UI may be similar. See [Values for MultivariantProvisionedSPN](#spn). | +| Critical > SimNameWithoutMSISDNENabled | Use this setting to remove the trailing MSISDN digits from the service provider name (SPN) in the phone UI. By default, the OS appends the trailing MSISDN digits to the service provider name (SPN) in the phone UI, including on the phone and messaging apps. If required by mobile operators, OEMs can use the SimNameWithoutMSISDNEnabled setting to remove the trailing MSISDN digits. However, you must use this setting together with **MultivariantProvisionedSPN** to suppress the MSISDN digits. | +| DisableLTESupportWhenRoaming | Set to **Yes** to disable LTE support when roaming. | +| EnableIMSWhenRoaming | Set to **Yes** to enable IMS when roaming. | +| ExcludedSystemTypesByDefault | Set the default value for **Highest connection speed** in the **Settings** > **Cellular & SIM** > **SIM** screen by specifying the bitmask for any combination of radio technology to be excluded from the default value. The connection speed that has not been excluded will show up as the highest connection speed. 
On dual SIM phones that only support up to 3G connection speeds, the **Highest connection speed** option is replaced by a 3G on/off toggle based on the per-device setting. Enter the binary setting to exclude 4G (`10000`) or 3G (`01000`). | +| LTEEnabled | Select **Yes** to enable LTE, and **No** to disable LTE. | +| LTEForced | Select **Yes** to force LTE. | +| NetworkSuffix | To meet branding requirements for some mobile operators, you can add a suffix to the network name that is displayed on the phone. For example, you can change from ABC to ABC 3G when under 3G coverage. This feature can be applied for any radio access technology (RAT). For TD-SCDMA RAT, a 3G suffix is always appended by default, but partners can also customize this the same way as with any other RAT. In the setting name, set SYSTEMTYPE to the network type that you want to append the network name to and click **Add**:

                                                                                          - system type 4: 2G (GSM)
                                                                                          - system type 8: 3G (UMTS)
                                                                                          - system type 16: LTE
                                                                                          - system type 32: 3G (TS-SCDMA)

                                                                                          Select the system type that you added, and enter the network name and suffix that you want displayed. | +| NitzFiltering | For mobile networks that can receive Network Identity and Time Zone (NITZ) information from multiple sources, partners can set the phone to ignore the time received from an LTE network. Time received from a CDMA network is not affected. Set the value of NitzFiltering to `0x10`. | +| OperatorListForExcludedSystemTypes | Enter a comma-separated list of MCC and MNC (MCC:MNC) for which system types should be restricted. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can specify the MCC and MNC of other specific operators that the main mobile operator wishes to limit. If the UICC's MCC and MNC matches any of the pairs that OEMs can specify for the operator, a specified RIL system type will be removed from the UICC regardless of its app types, slot position, or executor mapping. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. Set the value of the OperatorListForExcludedSystemTypes setting a comma separated list of MCC:MNC pairs for which the system types should be restricted. For example, the value can be set to 310:026,310:030 to restrict operators with an MCC:MNC of 310:026 and 310:030. (Removed in Windows 10, version 1803.) | +| OperatorPreferredForFasterRadio | Set Issuer Identification Number (IIN) or partial ICCID of preferred operator for the faster radio. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can map a partial ICCID or an Industry Identification Number (IIN) to the faster radio regardless of which SIM card is chosen for data connectivity. This setting is used only for China. 
OEMs should not use this setting unless required by the mobile operator. To map a partial ICCID or an IIN to the faster radio regardless of which SIM card is chosen for data connectivity, set the value of OperatorPreferredForFasterRadio to match the IIN or the ICCID, up to 7 digits, of the preferred operator. (Removed in Windows 10, version 1803.) | +| SuggestDataRoamingARD | Use to show the data roaming suggestion dialog when roaming and the data roaming setting is set to no roaming. | ### RCS @@ -374,27 +369,26 @@ See descriptions in Windows Configuration Designer. ### SMS -Setting | Description ---- | --- -AckExpirySeconds | Set the value, in seconds, for how long to wait for a client ACK before trying to deliver. -DefaultMCC | Set the default mobile country code (MCC). -Encodings > GSM7BitEncodingPage | Enter the code page value for the 7-bit GSM default alphabet encoding. Values:

                                                                                          - Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)
                                                                                          - Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction) -Encodings > GSM8BitEncodingPage | Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. For more information, see [Add encoding extension tables for SMS]https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/add-encoding-extension-tables-for-sms). -Encodings > OctetEncodingPage | Set the octet (binary) encoding. -Encodings > SendUDHNLSS | Set the 7 bit GSM shift table encoding. -Encodings > UseASCII | Set the 7 bit ASCII encoding. Used only for CDMA carriers that use 7-bit ASCII encoding instead of GSM 7-bit encoding. -Encodings > UseKeyboardLangague | Set whether to use the keyboard language (Portuguese, Spanish, or Turkish) based encoding (set shift table based on keyboard language). -IncompleteMsgDeliverySeconds | Set the value, in seconds, for long to wait for all parts of multisegment Sprint messages for concatenation. -MessageExpirySeconds | Partners can set the expiration time before the phone deletes the received parts of a long SMS message. For example, if the phone is waiting for a three-part SMS message and the first part has been received, the first part will be deleted when the time expires and the other part of the message has not arrived. If the second part of the message arrives before the time expires, the first and second parts of the message will be deleted if the last part does not arrive after the time expires. The expiration time is reset whenever the next part of the long message is received. 
Set MessageExpirySeconds to the number seconds that the phone should wait before deleting the received parts of a long SMS messages. This value should be in hexadecimal and must be prefixed with 0x. The default value is 0x15180, which is equivalent to 1 day or 86,400 seconds. -SmsFragmentLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsFragmentLimit to set the maximum number of bytes in the user data body of an SMS message. You must set the value between 16 (0x10) and 140 (0x8C). You must also use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. -SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message. -SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message. 
-Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**. -Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. -Type3GPP > IMS > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH. -Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. -Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type. - +| Setting | Description | +|----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| AckExpirySeconds | Set the value, in seconds, for how long to wait for a client ACK before trying to deliver. | +| DefaultMCC | Set the default mobile country code (MCC). 
| +| Encodings > GSM7BitEncodingPage | Enter the code page value for the 7-bit GSM default alphabet encoding. Values:

                                                                                          - Code page value: 55000 (Setting value: 0xD6D8)(Code page: default alphabet)
                                                                                          - Code page value: 55001 (Setting value: 0xD6D9)(Code page: GSM with single shift for Spanish)- Code page value: 55002 (Setting value: 0xD6DA)(Code page: GSM with single shift for Portuguese)- Code page value: 55003 (Setting value: 0xD6DB)(Code page: GSM with single shift for Turkish)- Code page value: 55004 (Setting value: 0xD6DC)(Code page: SMS Greek Reduction) | +| Encodings > GSM8BitEncodingPage | Enter the code page value for GSM 8-bit encoding (OEM set). OEM-created code page IDs should be in the range 55050–55099. For more information, see [Add encoding extension tables for SMS]). | +| Encodings > OctetEncodingPage | Set the octet (binary) encoding. | +| Encodings > SendUDHNLSS | Set the 7 bit GSM shift table encoding. | +| Encodings > UseASCII | Set the 7 bit ASCII encoding. Used only for CDMA carriers that use 7-bit ASCII encoding instead of GSM 7-bit encoding. | +| Encodings > UseKeyboardLangague | Set whether to use the keyboard language (Portuguese, Spanish, or Turkish) based encoding (set shift table based on keyboard language). | +| IncompleteMsgDeliverySeconds | Set the value, in seconds, for long to wait for all parts of multisegment Sprint messages for concatenation. | +| MessageExpirySeconds | Partners can set the expiration time before the phone deletes the received parts of a long SMS message. For example, if the phone is waiting for a three-part SMS message and the first part has been received, the first part will be deleted when the time expires and the other part of the message has not arrived. If the second part of the message arrives before the time expires, the first and second parts of the message will be deleted if the last part does not arrive after the time expires. The expiration time is reset whenever the next part of the long message is received. 
Set MessageExpirySeconds to the number seconds that the phone should wait before deleting the received parts of a long SMS messages. This value should be in hexadecimal and must be prefixed with 0x. The default value is 0x15180, which is equivalent to 1 day or 86,400 seconds. | +| SmsFragmentLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsFragmentLimit to set the maximum number of bytes in the user data body of an SMS message. You must set the value between 16 (0x10) and 140 (0x8C). You must also use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. | +| SmsPageLimit | Partners can specify a maximum length for SMS messages. This requires setting both the maximum number of SMS fragments per SMS message, from 1 to 255, and the maximum size in bytes of each SMS fragment, from 16 to 140 bytes. Use SmsPageLimit to set the maximum number of segments in a concatenated SMS message. You must set the value to 255 (0xFF) or smaller. You must also use SmsFragmentLimit to set the maximum number of bytes in the body of the SMS message. | +| SprintFragmentInfoInBody | Partners can enable the messaging client to allow users to enter more than 160 characters per message. Messages longer than 160 characters are sent as multiple SMS messages that contain a tag at the beginning of the message in the form "(1/2)", where the first number represents the segment or part number and the second number represents the total number of segments or parts. Multiple messages are limited to 6 total segments. When enabled, the user cannot enter more characters after the 6 total segments limit is reached. Any message received with tags at the beginning is recombined with its corresponding segments and shown as one composite message. 
| +| Type3GPP > ErrorHandling > ErrorType | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error type that you added as **Transient Failure** or **Permanent Failure**. | +| Type3GPP > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. | +| Type3GPP > IMS > SmsUse16BitReferenceNumbers | Configure whether to use 8-bit or 16-bit message ID (reference number) in the UDH. | +| Type3GPP2 > ErrorHandling > FriendlyErrorClass | Enter a name for ERRORCODE3GPP2, and click **Add**. Configure the error class that you added as **generic error**, **invalid recepient address**, or **network connectivity trouble**. | +| Type3GPP2 > ErrorHandling > UseReservedAsPermanent | Set the 3GPP2 permanent error type. | ### UTK @@ -448,4 +442,4 @@ No|Yes|Yes|If SPN string >= 12: *SPN*1234

                                                                                          If SPN string < 12: *SPN*" "1 No|No|No|*SIM 1* or *SIM 2* No|Yes|No|SPN (up to 16 characters) No|No|Yes|*SIM 1* or *SIM 2* - + diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md index d9a69fb3a4..2e62c61759 100644 --- a/windows/configuration/wcd/wcd-kioskbrowser.md +++ b/windows/configuration/wcd/wcd-kioskbrowser.md 
@@ -35,12 +35,12 @@ Enable Home Button | Show a Home button in Kiosk Browser. Home will return the b Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. ->[!IMPORTANT] ->To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: -> +> [!IMPORTANT] +> To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: +> > 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. ->2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). ->3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). ->4. Save the XML file. ->5. Open the project again in Windows Configuration Designer. ->6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. +> 2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). +> 3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). +> 4. Save the XML file. +> 5. Open the project again in Windows Configuration Designer. +> 6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index ad08bf24f0..c8086eebd5 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md 
@@ -40,7 +40,7 @@ This section describes the **Policies** settings that you can configure in [prov | [DefaultAssociationsConfiguration](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | X | | | | | -##ApplicationManagement +## ApplicationManagement | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | 
@@ -511,55 +511,54 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl ## Update -| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | --- | :---: | :---: | :---: | :---: | :---: | -| [ActiveHoursEnd](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | | X | -| [ActiveHoursMaxRange](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X | -| [ActiveHoursStart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | | X | -| [AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X | -| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | | X | -| [AllowMUUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. 
| X | X | X | X | X | -| [AllowNonMicrosoftSignedUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | | X | -| [AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X | -| [AutoRestartDeadlinePeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X | -| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X | -| [AutoRestartNotificationSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | | X | -| [AutoRestartRequiredNotificationDismissal](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. 
| X | X | X | | X | -| [BranchReadinessLevel](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X | -| [DeferFeatureUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | | X | -| [DeferQualityUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | | X | -| [DeferUpdatePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | X | X | X | X | X | -| [DeferUpgradePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) |Specify upgrade delays for up to 8 months. | X | X | X | X | X | -| [DetectionFrequency](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X | -| [DisableDualScan](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | X | X | X | | X | -| [EngagedRestartDeadline](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. 
| X | X | X | | X | -| [EngagedRestartDeadlineForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X | -| [EngagedRestartSnoozeSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X | -| [EngagedRestartSnoozeScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X | -| [EngagedRestartTransitionSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | -| [EngagedRestartTransitionScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | -| [ExcludeWUDriversInQualityUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windws Update (WU) drivers during quality updates. 
| X | | X | | X | -| [FillEmptyContentUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | | X | -| ManagePreviewBuilds | Use to enable or disable preview builds. | X | X | X | X | X | -| PhoneUpdateRestrictions | Deprecated | | X | | | | -| [RequireDeferUpgrade](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X | -| [ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X | -| [ScheduledInstallEveryWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | X | X | X | X | X | -| [ScheduledInstallFirstWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | X | X | X | X | X | -| [ScheduledInstallFourthWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | X | X | X | X | X | -| [ScheduledInstallSecondWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. 
| X | X | X | X | X | -| [ScheduledInstallThirdWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | X | X | X | X | X | -| [ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X | -| [ScheduleImminentRestartWarning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | | X || -| [ScheduleRestartWarning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | | X | -| [SetAutoRestartNotificationDisable](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | | X | -| [SetDisablePauseUXAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | X | X | X | | X | -| [SetDisableUXWUAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | X | X | X | | X | -| [SetEDURestart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. 
| X | X | X | | X | -| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | X | X | X | | X | -| [UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X | -| [UpdateServiceUrlAlternate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X | - +| Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------:|:---------------:|:-----------:|:--------:|:--------:| +| [ActiveHoursEnd](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | | X | +| [ActiveHoursMaxRange](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X | +| [ActiveHoursStart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. 
| X | X | X | | X | +| [AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X | +| [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork) | Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | | X | +| [AllowMUUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X | +| [AllowNonMicrosoftSignedUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | | X | +| [AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X | +| [AutoRestartDeadlinePeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. 
| X | X | X | | X | +| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X | +| [AutoRestartNotificationSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | | X | +| [AutoRestartRequiredNotificationDismissal](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | | X | +| [BranchReadinessLevel](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X | +| [DeferFeatureUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | | X | +| [DeferQualityUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | | X | +| [DeferUpdatePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | X | X | X | X | X | +| [DeferUpgradePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) | Specify upgrade delays for up to 8 months. 
| X | X | X | X | X | +| [DetectionFrequency](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X | +| [DisableDualScan](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | X | X | X | | X | +| [EngagedRestartDeadline](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X | +| [EngagedRestartDeadlineForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X | +| [EngagedRestartSnoozeSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X | +| [EngagedRestartSnoozeScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. 
| X | X | X | | X | +| [EngagedRestartTransitionSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | +| [EngagedRestartTransitionScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | +| [ExcludeWUDriversInQualityUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windws Update (WU) drivers during quality updates. | X | | X | | X | +| [FillEmptyContentUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | | X | +| ManagePreviewBuilds | Use to enable or disable preview builds. | X | X | X | X | X | +| PhoneUpdateRestrictions | Deprecated | | X | | | | +| [RequireDeferUpgrade](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X | +| [ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. 
| X | X | X | X | X | +| [ScheduledInstallEveryWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | X | X | X | X | X | +| [ScheduledInstallFirstWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | X | X | X | X | X | +| [ScheduledInstallFourthWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | X | X | X | X | X | +| [ScheduledInstallSecondWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | X | X | X | X | X | +| [ScheduledInstallThirdWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | X | X | X | X | X | +| [ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X | +| [ScheduleImminentRestartWarning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | | X | +| [ScheduleRestartWarning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. 
| X | X | X | | X | +| [SetAutoRestartNotificationDisable](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | | X | +| [SetDisablePauseUXAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | X | X | X | | X | +| [SetDisableUXWUAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | X | X | X | | X | +| [SetEDURestart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | X | X | X | | X | +| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | X | X | X | | X | +| [UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X | +| [UpdateServiceUrlAlternate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X | ## WiFi diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md index ff978590a8..4d4cb11374 100644 --- a/windows/configuration/wcd/wcd-takeatest.md +++ b/windows/configuration/wcd/wcd-takeatest.md 
@@ -43,7 +43,7 @@ When set to True, students can print in the Take A Test app. Enter the account to use when taking a test. -To specify a domain account, enter **domain\user**. To specify an AAD account, enter **username@tenant.com**. To specify a local account, enter the username. +To specify a domain account, enter **domain\user**. To specify an AAD account, enter username@tenant.com. To specify a local account, enter the username. ## Related topics diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index ca8ebe7797..55ae0af5f2 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -68,7 +68,7 @@ The following table lists the different parts of Start and any applicable policy [Learn how to customize and export Start layout](customize-and-export-start-layout.md) - ## Taskbar options + ## Taskbar options Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region. 
@@ -77,8 +77,8 @@ There are three categories of apps that might be pinned to a taskbar: * Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store) * Apps pinned by the enterprise, such as in an unattended Windows setup - >[!NOTE] - >We recommend using [the layoutmodification.xml method](configure-windows-10-taskbar.md) to configure taskbar options, rather than the earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file. + >[!NOTE] + >We recommend using [the layoutmodification.xml method](configure-windows-10-taskbar.md) to configure taskbar options, rather than the earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file. The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json index 4fb4193ddc..564f47ae8b 100644 --- a/windows/configure/docfx.json +++ b/windows/configure/docfx.json @@ -30,14 +30,15 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.windows-configure" - } - } - }, + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.windows-configure" + } + } + }, "fileMetadata": {}, "template": [], - "dest": "windows-configure" + "dest": "windows-configure", + "markdownEngineName": "markdig" } -} \ No newline at end of file +} diff --git a/windows/deploy/docfx.json b/windows/deploy/docfx.json index 9f1758ca22..e287ca8721 100644 --- a/windows/deploy/docfx.json +++ b/windows/deploy/docfx.json 
@@ -30,15 +30,16 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.windows-deploy", - "folder_relative_path_in_docset": "./" - } - } - }, + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.windows-deploy", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], - "dest": "windows-deploy" + "dest": "windows-deploy", + "markdownEngineName": "markdig" } } diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 47348cfc92..b360daf8b8 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md 
@@ -37,11 +37,11 @@ If the device has a firmware-embedded activation key, it will be displayed in th If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: -1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: -- **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 -- **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 -2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. -3. The admin can now assign subscription licenses to users. +1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: +2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 +3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 +4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. +5. The admin can now assign subscription licenses to users. >Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: @@ -161,7 +161,7 @@ Now the device is Azure AD joined to the company’s subscription. Windows 10 Pro activated -**Figure 7a - Windows 10 Pro activation in Settings** +Figure 7a - Windows 10 Pro activation in Settings Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). 
@@ -219,17 +219,17 @@ Use the following figures to help you troubleshoot when users experience these c Windows 10 not activated and subscription active -**Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings** +Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings Windows 10 activated and subscription not active -**Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings** +Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings Windows 10 not activated and subscription not active -**Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings** +Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings ### Review requirements on devices diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 4188539a6e..0903aea0ea 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -35,7 +35,7 @@ Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be do **Note**   Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. -  + ### Linked deployment shares in MDT LDS is a built-in feature in MDT for replicating content. However, LDS works best with strong connections such as LAN connections with low latency. For most WAN links, DFS-R is the better option. 
@@ -86,70 +86,70 @@ Setting up DFS-R for replication is a quick and straightforward process. You pre ### Configure the deployment share When you have multiple deployment servers sharing the same content, you need to configure the Bootstrap.ini file with information about which server to connect to based on where the client is located. In MDT, that can be done by using the DefaultGateway property. -1. On MDT01, using Notepad, navigate to the **E:\\MDTProduction\\Control** folder and modify the Boostrap.ini file to look like this: +1. On MDT01, using Notepad, navigate to the **E:\\MDTProduction\\Control** folder and modify the Boostrap.ini file to look like this: - ``` syntax - [Settings] - Priority=DefaultGateway, Default - [DefaultGateway] - 192.168.1.1=NewYork - 192.168.2.1=Stockholm - [NewYork] - DeployRoot=\\MDT01\MDTProduction$ - [Stockholm] - DeployRoot=\\MDT02\MDTProduction$ - [Default] - UserDomain=CONTOSO - UserID=MDT_BA - SkipBDDWelcome=YES - ``` - **Note**   - The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). -   -2. Save the Bootstrap.ini file. -3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. 
+ ``` syntax + [Settings] + Priority=DefaultGateway, Default + [DefaultGateway] + 192.168.1.1=NewYork + 192.168.2.1=Stockholm + [NewYork] + DeployRoot=\\MDT01\MDTProduction$ + [Stockholm] + DeployRoot=\\MDT02\MDTProduction$ + [Default] + UserDomain=CONTOSO + UserID=MDT_BA + SkipBDDWelcome=YES + ``` + **Note** + The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). + +2. Save the Bootstrap.ini file. +3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. - ![figure 4](../images/mdt-10-fig04.png) + ![figure 4](../images/mdt-10-fig04.png) - Figure 4. Updating the MDT Production deployment share. + Figure 4. Updating the MDT Production deployment share. -4. Use the default settings for the Update Deployment Share Wizard. -5. After the update is complete, use the Windows Deployment Services console. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**. +4. Use the default settings for the Update Deployment Share Wizard. +5. After the update is complete, use the Windows Deployment Services console. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**. - ![figure 5](../images/mdt-10-fig05.png) + ![figure 5](../images/mdt-10-fig05.png) - Figure 5. Replacing the updated boot image in WDS. + Figure 5. Replacing the updated boot image in WDS. -6. 
Browse and select the **E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings. -## Replicate the content -Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication. -### Create the replication group -1. On MDT01, using DFS Management, right-click **Replication**, and select **New Replication Group**. -2. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**. -3. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**. -4. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**. +6. Browse and select the **E:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings. + ## Replicate the content + Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication. + ### Create the replication group +7. On MDT01, using DFS Management, right-click **Replication**, and select **New Replication Group**. +8. On the **Replication Group Type** page, select **Multipurpose replication group**, and click **Next**. +9. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**. +10. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**. ![figure 6](../images/mdt-10-fig06.png) Figure 6. Adding the Replication Group Members. -5. On the **Topology Selection** page, select the **Full mesh** option and click **Next**. -6. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and click **Next**. -7. On the **Primary Member** page, select **MDT01** and click **Next**. -8. On the **Folders to Replicate** page, click **Add**, type in **E:\\MDTProduction** as the folder to replicate, click **OK**, and then click **Next**. -9. 
On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**. -10. On the **Edit** page, select the **Enabled** option, type in **E:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**. +11. On the **Topology Selection** page, select the **Full mesh** option and click **Next**. +12. On the **Replication Group Schedule and Bandwidth** page, accept the default settings and click **Next**. +13. On the **Primary Member** page, select **MDT01** and click **Next**. +14. On the **Folders to Replicate** page, click **Add**, type in **E:\\MDTProduction** as the folder to replicate, click **OK**, and then click **Next**. +15. On the **Local Path of MDTProduction** on the **Other Members** page, select **MDT02**, and click **Edit**. +16. On the **Edit** page, select the **Enabled** option, type in **E:\\MDTProduction** as the local path of folder, select the **Make the selected replicated folder on this member read-only** check box, click **OK**, and then click **Next**. ![figure 7](../images/mdt-10-fig07.png) Figure 7. Configure the MDT02 member. -11. On the **Review Settings and Create Replication Group** page, click **Create**. -12. On the **Confirmation** page, click **Close**. -### Configure replicated folders -1. On MDT01, using DFS Management, expand **Replication** and then select **MDTProduction**. -2. In the middle pane, right-click the **MDT01** member and select **Properties**. -3. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**: +17. On the **Review Settings and Create Replication Group** page, click **Create**. +18. On the **Confirmation** page, click **Close**. + ### Configure replicated folders +19. On MDT01, using DFS Management, expand **Replication** and then select **MDTProduction**. +20. 
In the middle pane, right-click the **MDT01** member and select **Properties**. +21. On the **MDT01 (MDTProduction) Properties** page, configure the following and then click **OK**: 1. In the **Staging** tab, set the quota to **20480 MB**. 2. In the **Advanced** tab, set the quota to **8192 MB**. In this scenario the size of the deployment share is known, but you might need to change the values for your environment. A good rule of thumb is to get the size of the 16 largest files and make sure they fit in the staging area. Here is a Windows PowerShell example that calculates the size of the 16 largest files in the E:\\MDTProduction deployment share: @@ -162,14 +162,14 @@ Once the MDT01 and MDT02 servers are prepared, you are ready to configure the ac Figure 8. Configure the Staging settings. -4. In the middle pane, right-click the **MDT02** member and select **Properties**. -5. On the **MDT02 (MDTProduction) Properties** page, configure the following and then click **OK**: +22. In the middle pane, right-click the **MDT02** member and select **Properties**. +23. On the **MDT02 (MDTProduction) Properties** page, configure the following and then click **OK**: 1. In the **Staging** tab, set the quota to **20480 MB**. 2. In the **Advanced** tab, set the quota to **8192 MB**. **Note**   It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. -  + ### Verify replication 1. On MDT02, wait until you start to see content appear in the **E:\\MDTProduction** folder. 2. Using DFS Management, expand **Replication**, right-click **MDTProduction**, and select **Create Diagnostics Report**. 
@@ -225,5 +225,5 @@ Now you should have a solution ready for deploying the Windows 10 client to the [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) [Configure MDT settings](configure-mdt-settings.md) -  -  + + diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md index b01696d8a6..7b2a140db5 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-for-userexit-scripts.md @@ -56,7 +56,7 @@ The first three lines of the script make up a header that all UserExit scripts h **Note**   The purpose of this sample is not to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process. -  + ## Related topics [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) diff --git a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md index c1545028cc..b65fab47d6 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -156,7 +156,7 @@ After you create the task sequence, we recommend that you configure the task seq >[!NOTE]   >The Request State Store and Release State Store actions need to be added for common computer replace scenarios. -  + ## Move the packages 
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index e8d1aa12e2..f55a7d85a9 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -26,7 +26,7 @@ For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, an >[!NOTE] >For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). -  + ![figure 1](../images/mdt-08-fig01.png) Figure 1. The machines used in this topic. @@ -45,14 +45,14 @@ With Windows 10, there is no hard requirement to create reference images; howev ### Create the MDT build lab deployment share -- On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. -- Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. -- Use the following settings for the New Deployment Share Wizard: -- Deployment share path: E:\\MDTBuildLab -- Share name: MDTBuildLab$ -- Deployment share description: MDT Build Lab -- <default> -- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share. +- On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd. +- Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. +- Use the following settings for the New Deployment Share Wizard: +- Deployment share path: E:\\MDTBuildLab +- Share name: MDTBuildLab$ +- Deployment share description: MDT Build Lab +- <default> +- Verify that you can access the \\\\MDT01\\MDTBuildLab$ share. ![figure 2](../images/mdt-08-fig02.png) 
@@ -82,7 +82,7 @@ MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images t >[!NOTE]   >Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. -  + ### Add Windows 10 Enterprise x64 (full source) In these steps we assume that you have copied the content of a Windows 10 Enterprise x64 ISO to the **E:\\Downloads\\Windows 10 Enterprise x64** folder. @@ -122,7 +122,7 @@ In these examples, we assume that you downloaded the software in this list to th >[!NOTE]   >All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). -  + ### Create the install: Microsoft Office Professional Plus 2013 x86 You can customize Office 2013. In the volume license versions of Office 2013, there is an Office Customization Tool you can use to customize the Office installation. In these steps we assume you have copied the Office 2013 installation files to the E:\\Downloads\\Office2013 folder. @@ -140,7 +140,7 @@ You also can customize the Office installation using a Config.xml file. But we r >[!NOTE]  >If you don't see the Office Products tab, verify that you are using a volume license version of Office. If you are deploying Office 365, you need to download the Admin folder from Microsoft. -   + 3. In the Office Customization Tool dialog box, select the Create a new Setup customization file for the following product option, select the Microsoft Office Professional Plus 2013 (32-bit) product, and click OK. 4. Use the following settings to configure the Office 2013 setup to be fully unattended: 1. Install location and organization name 
@@ -162,7 +162,7 @@ You also can customize the Office installation using a Config.xml file. But we r >[!NOTE]  >The reason for naming the file with a 0 (zero) at the beginning is that the Updates folder also handles Microsoft Office updates, and they are installed in alphabetical order. The Office 2013 setup works best if the customization file is installed before any updates. -   + 6. Close the Office Customization Tool, click Yes in the dialog box, and in the **Install - Microsoft Office 2013 Pro Plus - x86 Properties** window, click **OK**. ### Connect to the deployment share using Windows PowerShell @@ -324,14 +324,14 @@ The steps below walk you through the process of editing the Windows 10 referenc 1. State Restore. Enable the Windows Update (Pre-Application Installation) action. **Note**   Enable an action by going to the Options tab and clearing the Disable this step check box. -   + 2. State Restore. Enable the Windows Update (Post-Application Installation) action. 3. State Restore. Enable the Windows Update (Post-Application Installation) action. State Restore. After the **Tattoo** action, add a new **Group** action with the following setting: - Name: Custom Tasks (Pre-Windows Update) 4. State Restore. After Windows Update (Post-Application Installation) action, rename Custom Tasks to Custom Tasks (Post-Windows Update). **Note**   The reason for adding the applications after the Tattoo action but before running Windows Update is simply to save time during the deployment. This way we can add all applications that will upgrade some of the built-in components and avoid unnecessary updating. -   + 5. State Restore / Custom Tasks (Pre-Windows Update). Add a new Install Roles and Features action with the following settings: 1. Name: Install - Microsoft NET Framework 3.5.1 2. Select the operating system for which roles are to be installed: Windows 10 
@@ -339,7 +339,7 @@ The steps below walk you through the process of editing the Windows 10 referenc >[!IMPORTANT] >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. -   + ![figure 7](../images/fig8-cust-tasks.png) Figure 7. The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action. @@ -381,7 +381,7 @@ When using MDT, you don't need to edit the Unattend.xml file very often because >[!NOTE]   >You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing. -  + Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence: 1. Using the Deployment Workbench, right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. 
@@ -462,7 +462,7 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which >[!NOTE]   >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. -   + 4. In the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. 5. In the **Lite Touch Boot Image Settings** area, configure the following settings: 1. Image description: MDT Build Lab x86 @@ -475,7 +475,7 @@ For that reason, add only a minimal set of rules to Bootstrap.ini, such as which >[!NOTE]   >In MDT, the x86 boot image can deploy both x86 and x64 operating systems (except on computers based on Unified Extensible Firmware Interface). -  + ### Update the deployment share @@ -486,7 +486,7 @@ After the deployment share has been configured, it needs to be updated. This is >[!NOTE]   >The update process will take 5 to 10 minutes. -  + ### The rules explained Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it is time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. @@ -497,7 +497,7 @@ The CustomSettings.ini file is normally stored on the server, in the Deployment >[!NOTE]   >The settings, or properties, that are used in the rules (CustomSettings.ini and Bootstrap.ini) are listed in the MDT documentation, in the Microsoft Deployment Toolkit Reference / Properties / Property Definition section. -  + ### The Bootstrap.ini file The Bootstrap.ini file is available via the deployment share's Properties dialog box, or via the E:\\MDTBuildLab\\Control folder on MDT01. 
@@ -520,12 +520,12 @@ So, what are these settings? >[!WARNING]   >Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic. -   + - **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. >[!NOTE]   >All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values. -  + ### The CustomSettings.ini file The CustomSettings.ini file, whose content you see on the Rules tab of the deployment share Properties dialog box, contains most of the properties used in the configuration. @@ -572,7 +572,7 @@ SkipFinalSummary=YES **Note**   The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names. -   + - **JoinWorkgroup.** Configures Windows to join a workgroup. - **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. - **FinishAction.** Instructs MDT what to do when the task sequence is complete. @@ -603,7 +603,7 @@ This steps below outline the process used to boot a virtual machine using an ISO **Note**   Remember, in MDT you can use the x86 boot image to deploy both x86 and x64 operating system images. That's why you can use the x86 boot image instead of the x64 boot image. -   + 2. Create a virtual machine with the following settings: 1. Name: REFW10X64-001 2. Location: C:\\VMs 
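Review bot: the @@ -572, @@ -603 and @@ -615 hunks remove the non-breaking-space line that followed a `**Note**  ` paragraph but leave that paragraph in the old bold-word style, while the rest of the file uses `>[!NOTE]` and `>[!WARNING]` callouts (see @@ -520 just above). The bold `**Note**` with trailing non-breaking spaces is the same artefact this commit removes elsewhere, so convert these three to `>[!NOTE]` callouts in the same change; the identical `**Note**  ` pattern also appears in mdt-lite-touch-components.md at @@ -84 and @@ -110.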
@@ -615,7 +615,7 @@ This steps below outline the process used to boot a virtual machine using an ISO **Note**   Taking a snapshot is useful if you need to restart the process and want to make sure you can start clean. -   + 4. Start the REFW10X64-001 virtual machine. After booting into Windows PE, complete the Windows Deployment Wizard using the following settings: 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image 2. Specify whether to capture an image: Capture an image of this reference computer diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 03a9af6eac..772a8c3af8 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md 
@@ -31,38 +31,38 @@ Figure 1. The machines used in this topic. >[!NOTE] >For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). -  + ## Step 1: Configure Active Directory permissions These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. -1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**. -2. Select the **Service Accounts** organizational unit (OU) and create the MDT\_JD account using the following settings: - 1. Name: MDT\_JD - 2. User logon name: MDT\_JD - 3. Password: P@ssw0rd - 4. User must change password at next logon: Clear - 5. User cannot change password: Select - 6. Password never expires: Select -3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press **Enter** after each command: - ```powershell - Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force - Set-Location C:\Setup\Scripts - .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" - ``` -4. The Set-OUPermissions.ps1 script allows the MDT\_JD user account permissions to manage computer accounts in the Contoso / Computers OU. Below you find a list of the permissions being granted: - 1. Scope: This object and all descendant objects - 1. Create Computer objects - 2. Delete Computer objects - 2. 
Scope: Descendant Computer objects - 1. Read All Properties - 2. Write All Properties - 3. Read Permissions - 4. Modify Permissions - 5. Change Password - 6. Reset Password - 7. Validated write to DNS host name - 8. Validated write to service principal name +1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**. +2. Select the **Service Accounts** organizational unit (OU) and create the MDT\_JD account using the following settings: + 1. Name: MDT\_JD + 2. User logon name: MDT\_JD + 3. Password: P@ssw0rd + 4. User must change password at next logon: Clear + 5. User cannot change password: Select + 6. Password never expires: Select +3. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands and press **Enter** after each command: + ```powershell + Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force + Set-Location C:\Setup\Scripts + .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" + ``` +4. The Set-OUPermissions.ps1 script allows the MDT\_JD user account permissions to manage computer accounts in the Contoso / Computers OU. Below you find a list of the permissions being granted: + 1. Scope: This object and all descendant objects + 1. Create Computer objects + 2. Delete Computer objects + 2. Scope: Descendant Computer objects + 1. Read All Properties + 2. Write All Properties + 3. Read Permissions + 4. Modify Permissions + 5. Change Password + 6. Reset Password + 7. Validated write to DNS host name + 8. Validated write to service principal name ## Step 2: Set up the MDT production deployment share 
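Review bot: every `-`/`+` pair in the @@ -31 hunk of deploy-a-windows-10-image-using-mdt.md is textually identical, so this is a trailing-whitespace or line-ending normalisation of the whole Step 1 list; say so in the commit message and confirm with `git diff -w` that nothing else moved. One rendering check on the re-emitted block: the ```powershell fence and the three command lines under step 3 must keep exactly the three-space indent of that step's content so the block stays inside step 3. And since the block is being rewritten anyway, note that `Password: P@ssw0rd` with `Password never expires: Select` is the same MDT_JD credential that CustomSettings.ini later stores in clear text (`DomainAdminPassword=P@ssw0rd` in the @@ -307 hunk of this file); a one-line reminder here that these are lab values to be replaced before production would cost nothing.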
@@ -72,13 +72,13 @@ When you are ready to deploy Windows 10 in a production environment, you will f ### Create the MDT production deployment share The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: -1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd.** -2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. -3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction** and click **Next**. -4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. -5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. -6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. -7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. +1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd. +2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. +3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction** and click **Next**. +4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. +5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. +6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. +7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. ## Step 3: Add a custom image 
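Review bot: besides whitespace, the @@ -72 hunk changes `**P@ssw0rd.**` to `P@ssw0rd.` in step 1 (in the old text the period sat inside the bold), which is a formatting change and should be mentioned in the commit message rather than hidden in a whitespace-only description. Apply the same treatment consistently wherever the sample password is bolded; the @@ -43 hunk of prepare-for-windows-deployment-with-mdt.md does it, so check the remaining files for leftover `**P@ssw0rd**` occurrences.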
@@ -97,7 +97,7 @@ In these steps, we assume that you have completed the steps in the [Create a Win >[!NOTE]   >The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image. -  + ![figure 2](../images/fig2-importedos.png) @@ -134,7 +134,7 @@ For boot images, you need to have storage and network drivers; for the operating >[!NOTE] >You should only add drivers to the Windows PE images if the default drivers don't work. Adding drivers that are not necessary will only make the boot image larger and potentially delay the download time. -  + ### Create the driver source structure in the file system The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. @@ -156,7 +156,7 @@ The key to successful management of drivers for MDT, as well as for any other de >[!NOTE] >Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. -  + ### Create the logical driver structure in MDT When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. 
@@ -266,36 +266,36 @@ This section will show you how to create the task sequence used to deploy your p ### Create a task sequence for Windows 10 Enterprise -1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. -2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - 1. Task sequence ID: W10-X64-001 - 2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image - 3. Task sequence comments: Production Image - 4. Template: Standard Client Task Sequence - 5. Select OS: Windows 10 Enterprise x64 RTM Custom Image - 6. Specify Product Key: Do not specify a product key at this time - 7. Full Name: Contoso - 8. Organization: Contoso - 9. Internet Explorer home page: about:blank - 10. Admin Password: Do not specify an Administrator Password at this time -### Edit the Windows 10 task sequence +1. Using the Deployment Workbench, select **Task Sequences** in the **MDT Production** node, and create a folder named **Windows 10**. +2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: + 1. Task sequence ID: W10-X64-001 + 2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image + 3. Task sequence comments: Production Image + 4. Template: Standard Client Task Sequence + 5. Select OS: Windows 10 Enterprise x64 RTM Custom Image + 6. Specify Product Key: Do not specify a product key at this time + 7. Full Name: Contoso + 8. Organization: Contoso + 9. Internet Explorer home page: about:blank + 10. Admin Password: Do not specify an Administrator Password at this time + ### Edit the Windows 10 task sequence -1. Right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**. -2. 
On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: - 1. Preinstall. After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: - 1. Name: Set DriverGroup001 - 2. Task Sequence Variable: DriverGroup001 - 3. Value: Windows 10 x64\\%Make%\\%Model% - 2. Configure the **Inject Drivers** action with the following settings: - 1. Choose a selection profile: Nothing - 2. Install all drivers from the selection profile +3. Right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**. +4. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: + 1. Preinstall. After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: + 1. Name: Set DriverGroup001 + 2. Task Sequence Variable: DriverGroup001 + 3. Value: Windows 10 x64\\%Make%\\%Model% + 2. Configure the **Inject Drivers** action with the following settings: + 1. Choose a selection profile: Nothing + 2. Install all drivers from the selection profile - >[!NOTE]   - >The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. -   - 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. - 4. State Restore. Enable the **Windows Update (Post-Application Installation)** action. -3. Click **OK**. 
+ >[!NOTE] + >The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. + + 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. + 4. State Restore. Enable the **Windows Update (Post-Application Installation)** action. +5. Click **OK**. ![figure 6](../images/fig6-taskseq.png) 
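Review bot: the @@ -266 hunk changes content, not just whitespace: the `### Edit the Windows 10 task sequence` heading is re-emitted with a leading space (`+ ### Edit the Windows 10 task sequence`) and the three steps under it are renumbered from `1.`, `2.`, `3.` to `3.`, `4.`, `5.`. An ATX heading indented by one space still renders as a heading and still terminates the preceding list, so the renumbering gains nothing in rendering but changes the step numbers that readers and other pages refer to. Keep the heading at column 0 and the steps numbered 1 through 3 (or, if the intent is one continuous procedure, remove the heading instead), and flag in the commit message that this hunk is not whitespace-only.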
@@ -307,81 +307,81 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh ### Configure the rules -1. On MDT01, using File Explorer, copy the following files from the **D:\\Setup\\Sample Files\\MDT Production\\Control** folder to **E:\\MDTProduction\\Control**. Overwrite the existing files. - 1. Bootstrap.ini - 2. CustomSettings.ini -2. Right-click the **MDT Production** deployment share and select **Properties**. -3. Select the **Rules** tab and modify using the following information: +1. On MDT01, using File Explorer, copy the following files from the **D:\\Setup\\Sample Files\\MDT Production\\Control** folder to **E:\\MDTProduction\\Control**. Overwrite the existing files. + 1. Bootstrap.ini + 2. CustomSettings.ini +2. Right-click the **MDT Production** deployment share and select **Properties**. +3. Select the **Rules** tab and modify using the following information: - ``` syntax - [Settings] - Priority=Default - [Default] - _SMSTSORGNAME=Contoso - OSInstall=YES - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - AdminPassword=P@ssw0rd - JoinDomain=contoso.com - DomainAdmin=CONTOSO\MDT_JD - DomainAdminPassword=P@ssw0rd - MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com - SLShare=\\MDT01\Logs$ - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - WSUSServer=mdt01.contoso.com:8530 - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=NO - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - ``` -4. 
Click **Edit Bootstrap.ini** and modify using the following information: + ``` syntax + [Settings] + Priority=Default + [Default] + _SMSTSORGNAME=Contoso + OSInstall=YES + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + AdminPassword=P@ssw0rd + JoinDomain=contoso.com + DomainAdmin=CONTOSO\MDT_JD + DomainAdminPassword=P@ssw0rd + MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com + SLShare=\\MDT01\Logs$ + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + WSUSServer=mdt01.contoso.com:8530 + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=NO + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + ``` +4. Click **Edit Bootstrap.ini** and modify using the following information: - ``` syntax - [Settings] - Priority=Default - [Default] - DeployRoot=\\MDT01\MDTProduction$ - UserDomain=CONTOSO - UserID=MDT_BA - SkipBDDWelcome=YES - ``` -5. In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. -6. In the **General** sub tab, configure the following settings: - - In the **Lite Touch Boot Image Settings** area: - 1. Image description: MDT Production x86 - 2. ISO file name: MDT Production x86.iso + ``` syntax + [Settings] + Priority=Default + [Default] + DeployRoot=\\MDT01\MDTProduction$ + UserDomain=CONTOSO + UserID=MDT_BA + SkipBDDWelcome=YES + ``` +5. In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. +6. In the **General** sub tab, configure the following settings: + - In the **Lite Touch Boot Image Settings** area: + 1. Image description: MDT Production x86 + 2. 
ISO file name: MDT Production x86.iso - >[!NOTE] - - >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. -   -7. In the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. -8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. -9. In the **General** sub tab, configure the following settings: - - In the **Lite Touch Boot Image Settings** area: - 1. Image description: MDT Production x64 - 2. ISO file name: MDT Production x64.iso + > [!NOTE] + > + > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. + +7. In the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. +8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. +9. In the **General** sub tab, configure the following settings: + - In the **Lite Touch Boot Image Settings** area: + 1. Image description: MDT Production x64 + 2. ISO file name: MDT Production x64.iso 10. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. 11. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box. 12. Click **OK**. >[!NOTE] >It will take a while for the Deployment Workbench to create the monitoring database and web service. -  + ![figure 8](../images/mdt-07-fig08.png) 
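Review bot: the @@ -307 hunk correctly repairs the nested note under step 6 (the old `>[!NOTE]` was separated from its text by an empty line, which splits the blockquote; the new `> [!NOTE]`, `>`, `> Because ...` form keeps it in one callout), and otherwise re-emits the CustomSettings.ini and Bootstrap.ini blocks unchanged apart from whitespace. Two things are worth fixing while these blocks are touched: the fence info string ` syntax` (with a leading space) is not a language most highlighters recognise, and `ini` suits both files; and the CustomSettings.ini block carries `AdminPassword=P@ssw0rd` and `DomainAdminPassword=P@ssw0rd` in clear text, while the warning that such values are stored unencrypted is given only for Bootstrap.ini in the first file's @@ -520 hunk. A `>[!NOTE]` after this block reminding readers to protect the production rules file and replace the lab credentials would belong here.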
@@ -460,24 +460,24 @@ troubleshoot MDT deployments, as well as troubleshoot Windows itself. ### Add DaRT 10 to the boot images If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT, you need to do the following: -- Install DaRT 10 (part of MDOP 2015 R1). -- Copy the two tools CAB files (Toolsx86.cab and Toolsx64.cab) to the deployment share. -- Configure the deployment share to add DaRT. -In these steps, we assume that you downloaded MDOP 2015 R1 and copied DaRT 10 to the E:\\Setup\\DaRT 10 folder on MDT01. -1. On MDT01, install DaRT 10 (MSDaRT10.msi) using the default settings. -2. Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder. -3. Copy the Toolsx64.cab file to **E:\\MDTProduction\\Tools\\x64**. -4. Copy the Toolsx86.cab file to **E:\\MDTProduction\\Tools\\x86**. -5. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. -6. In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. -7. In the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. +- Install DaRT 10 (part of MDOP 2015 R1). +- Copy the two tools CAB files (Toolsx86.cab and Toolsx64.cab) to the deployment share. +- Configure the deployment share to add DaRT. + In these steps, we assume that you downloaded MDOP 2015 R1 and copied DaRT 10 to the E:\\Setup\\DaRT 10 folder on MDT01. +- On MDT01, install DaRT 10 (MSDaRT10.msi) using the default settings. +- Using File Explorer, navigate to the **C:\\Program Files\\Microsoft DaRT\\v10** folder. +- Copy the Toolsx64.cab file to **E:\\MDTProduction\\Tools\\x64**. +- Copy the Toolsx86.cab file to **E:\\MDTProduction\\Tools\\x86**. 
+- Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. +- In the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. +- In the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. - ![figure 8](../images/mdt-07-fig09.png) + ![figure 8](../images/mdt-07-fig09.png) - Figure 8. Selecting the DaRT 10 feature in the deployment share. + Figure 8. Selecting the DaRT 10 feature in the deployment share. -8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. -9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. +8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. +9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. 10. Click **OK**. ### Update the deployment share @@ -488,7 +488,7 @@ Like the MDT Build Lab deployment share, the MDT Production deployment share nee >[!NOTE] >The update process will take 5 to 10 minutes. -  + ## Step 8: Deploy the Windows 10 client image These steps will walk you through the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process. 
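Review bot: the @@ -460 hunk breaks the structure of the DaRT procedure: numbered steps 1 through 7 become `-` bullets while `8.`, `9.` and `10.` stay numbered, and the paragraph `In these steps, we assume that you downloaded MDOP 2015 R1 ...` is indented into the preceding requirements list. The result is a three-item list of requirements that runs straight on into seven unnumbered actions, followed by a list that starts at 8. Keep the three `-` requirement bullets, return the `In these steps` paragraph to column 0 with a blank line before it, and restore `1.` through `7.` so that `8.` through `10.` continue the same list; the `![figure 8]` image and its caption can then stay indented under step 7 exactly as the new lines already place them.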
@@ -598,7 +598,7 @@ In these steps, you generate offline media from the MDT Production deployment sh >[!NOTE] >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media. -   + 2. Using Deployment Workbench, in the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. 3. Use the following settings for the New Media Wizard: - General Settings diff --git a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md index 6032552261..88d3f8935b 100644 --- a/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md +++ b/windows/deployment/deploy-windows-mdt/mdt-lite-touch-components.md @@ -84,7 +84,7 @@ MDT comes with nine default task sequence templates. You can also create your ow **Note**   It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. -   + - **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. - **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. - **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). 
@@ -110,7 +110,7 @@ MDT uses many log files during operating system deployments. By default the logs **Note**   The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). -  + ## Monitoring On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 287a0eb609..477b2b3911 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md 
@@ -43,22 +43,22 @@ MDT requires the following components: ## Install Windows ADK for Windows 10 These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder. -1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. -2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**. -3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings: - 1. Deployment Tools - 2. Windows Preinstallation Environment (Windows PE) - 3. User State Migration Tool (USMT) +1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd. +2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**. +3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings: + 1. Deployment Tools + 2. Windows Preinstallation Environment (Windows PE) + 3. User State Migration Tool (USMT) - >[!IMPORTANT] - >Starting with Windows 10, version 1809, Windows PE is released separately from the ADK. See [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) for more information. + >[!IMPORTANT] + >Starting with Windows 10, version 1809, Windows PE is released separately from the ADK. See [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) for more information. ## Install MDT These steps assume that you have downloaded [MDT](https://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT folder on MDT01. -1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. -2. 
Install **MDT** (E:\\Downloads\\MDT\\MicrosoftDeploymentToolkit\_x64.msi) with the default settings. +1. On MDT01, log on as Administrator in the CONTOSO domain using a password of P@ssw0rd. +2. Install **MDT** (E:\\Downloads\\MDT\\MicrosoftDeploymentToolkit\_x64.msi) with the default settings. ## Create the OU structure diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md index dd3d42a2e5..4d40164354 100644 --- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md @@ -48,7 +48,7 @@ During the computer refresh, USMT uses a feature called Hard-Link Migration Stor >[!NOTE]  >In addition to the USMT backup, you can enable an optional full Windows Imaging (WIM) backup of the machine by configuring the MDT rules. If you do this, a .wim file is created in addition to the USMT backup. The .wim file will contain the entire volume from the computer, and helpdesk personnel can extract content from it if needed. Please note that this is a data WIM backup only. Using this backup to restore the entire machine is not a supported scenario. -  + ### Multi-user migration By default, ScanState in USMT backs up all profiles on the machine, including local computer profiles. If you have a machine that has been in your environment for a while, it likely has several domain-based profiles on it, including those of former users. You can limit which profiles are backed up 
@@ -58,7 +58,7 @@ As an example, the following line configures USMT to migrate only domain user pr >[!NOTE]  >You also can combine the preceding switches with the /uel switch, which excludes profiles that have not been accessed within a specific number of days. For example, adding /uel:60 will configure ScanState (or LoadState) not to include profiles that haven't been accessed for more than 60 days. -  + ### Support for additional settings In addition to the command-line switches that control which profiles to migrate, the XML templates control exactly what data is being migrated. You can control data within and outside the user profiles 
@@ -93,26 +93,26 @@ After adding the additional USMT template and configuring the CustomSettings.ini >[!NOTE]    >MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property in the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). -  + ### Upgrade (refresh) a Windows 7 SP1 client -1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings: +1. On PC0001, log on as **CONTOSO\\Administrator**. Start the Lite Touch Deploy Wizard by executing **\\\\MDT01\\MDTProduction$\\Scripts\\Litetouch.vbs**. Complete the deployment guide using the following settings: - * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM - * Computer name: <default> - * Specify where to save a complete computer backup: Do not back up the existing computer - >[!NOTE] - >Skip this optional full WIM backup. The USMT backup will still run. -   -2. Select one or more applications to install: Install - Adobe Reader XI - x86 + * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM + * Computer name: <default> + * Specify where to save a complete computer backup: Do not back up the existing computer + >[!NOTE] + >Skip this optional full WIM backup. The USMT backup will still run. + +2. Select one or more applications to install: Install - Adobe Reader XI - x86 -3. The setup now starts and does the following: +3. The setup now starts and does the following: - * Backs up user settings and data using USMT. - * Installs the Windows 10 Enterprise x64 operating system. - * Installs the added application(s). - * Updates the operating system via your local Windows Server Update Services (WSUS) server. - * Restores user settings and data using USMT. + * Backs up user settings and data using USMT. 
+ * Installs the Windows 10 Enterprise x64 operating system. + * Installs the added application(s). + * Updates the operating system via your local Windows Server Update Services (WSUS) server. + * Restores user settings and data using USMT. ![Start the computer refresh from the running Windows 7 client](../images/fig2-taskseq.png "Start the computer refresh from the running Windows 7 client") diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md index ea1bb7d18b..2ef8e1293f 100644 --- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md 
@@ -40,31 +40,31 @@ When preparing for the computer replace, you need to create a folder in which to ### Create and share the MigData folder -1. On MDT01, log on as **CONTOSO\\Administrator**. +1. On MDT01, log on as **CONTOSO\\Administrator**. -2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt: - ``` syntax - New-Item -Path E:\MigData -ItemType directory - New-SmbShare ?Name MigData$ ?Path E:\MigData - -ChangeAccess EVERYONE - icacls E:\MigData /grant '"MDT_BA":(OI)(CI)(M)' - ``` -### Create a backup only (replace) task sequence +2. Create and share the **E:\\MigData** folder by running the following three commands in an elevated Windows PowerShell prompt: + ``` syntax + New-Item -Path E:\MigData -ItemType directory + New-SmbShare ?Name MigData$ ?Path E:\MigData + -ChangeAccess EVERYONE + icacls E:\MigData /grant '"MDT_BA":(OI)(CI)(M)' + ``` + ### Create a backup only (replace) task sequence -1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**. +3. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node and create a new folder named **Other**. -2. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: +4. Right-click the **Other** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - * Task sequence ID: REPLACE-001 - * Task sequence name: Backup Only Task Sequence - * Task sequence comments: Run USMT to backup user data and settings - * Template: Standard Client Replace Task Sequence + * Task sequence ID: REPLACE-001 + * Task sequence name: Backup Only Task Sequence + * Task sequence comments: Run USMT to backup user data and settings + * Template: Standard Client Replace Task Sequence -3. 
In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions. +5. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions. - ![The Backup Only Task Sequence action list](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list") + ![The Backup Only Task Sequence action list](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list") - Figure 2. The Backup Only Task Sequence action list. + Figure 2. The Backup Only Task Sequence action list. ## Perform the computer replace @@ -90,7 +90,7 @@ During a computer replace, these are the high-level steps that occur: >[!NOTE]   >If you are replacing the computer at a remote site you should create the MigData folder on MDT02 and use that share instead. -   + 2. Specify where to save a complete computer backup: Do not back up the existing computer 3. Password: P@ssw0rd diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 29abf6c0bd..cca2fc6ff4 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md 
@@ -31,7 +31,7 @@ To configure your environment for BitLocker, you will need to do the following: >[!NOTE] >Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. -  + For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). ## Configure Active Directory for BitLocker @@ -40,7 +40,7 @@ To enable BitLocker to store the recovery key and TPM information in Active Dire >[!NOTE] >Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. -  + In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. ![figure 2](../images/mdt-09-fig02.png) 
@@ -84,7 +84,7 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor >[!NOTE] >If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. -  + ### Set permissions in Active Directory for BitLocker In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01. @@ -142,7 +142,7 @@ When configuring a task sequence to run any BitLocker tool, either directly or u - **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. **Note**   It is common for organizations wrapping these tools in scripts to get additional logging and error handling. -   + - **Restart computer.** Self-explanatory, reboots the computer. - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. - **Enable BitLocker.** Runs the built-in action to activate BitLocker. diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md index 2d5369b6cb..81847807c4 100644 
--- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md 
@@ -21,23 +21,23 @@ ms.topic: article This topic will walk you through the process of creating a simulated environment on which to test your Windows 10 deployment using MDT. When working with advanced settings and rules, especially those like database calls, it is most efficient to be able to test the settings without having to run through a complete deployment. Luckily, MDT enables you to perform a simulated deployment by running the Gather process by itself. The simulation works best when you are using a domain-joined machine (client or server). In the following example, you use the PC0001 Windows 10 client. For the purposes of this topic, you already will have either downloaded and installed the free Microsoft System Center 2012 R2 Configuration Manager Toolkit, or copied Configuration Manager Trace (CMTrace) if you have access to the System Center 2012 R2 Configuration Manager media. We also assume that you have downloaded the [sample Gather.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619361) from the TechNet gallery. -1. On PC0001, log on as **CONTOSO\\Administrator** using the password **P@ssw0rd**. -2. Using Computer Management, add the **CONTOSO\\MDT\_BA** user account to the local **Administrators** group. -3. Log off, and then log on to PC0001 as **CONTOSO\\MDT\_BA**. -4. Using File Explorer, create a folder named **C:\\MDT**. -5. Copy the downloaded Gather.ps1 script to the **C:\\MDT** folder. -6. From the **\\\\MDT01\\MDTProduction$\\Scripts** folder, copy the following files to **C:\\MDT**: - 1. ZTIDataAccess.vbs - 2. ZTIGather.wsf - 3. ZTIGather.xml - 4. ZTIUtility.vbs -7. From the **\\\\MDT01\\MDTProduction$\\Control** folder, copy the CustomSettings.ini file to **C:\\MDT**. -8. In the **C:\\MDT** folder, create a subfolder named **X64**. -9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**. +1. On PC0001, log on as **CONTOSO\\Administrator** using the password P@ssw0rd. 
+2. Using Computer Management, add the **CONTOSO\\MDT\_BA** user account to the local **Administrators** group. +3. Log off, and then log on to PC0001 as **CONTOSO\\MDT\_BA**. +4. Using File Explorer, create a folder named **C:\\MDT**. +5. Copy the downloaded Gather.ps1 script to the **C:\\MDT** folder. +6. From the **\\\\MDT01\\MDTProduction$\\Scripts** folder, copy the following files to **C:\\MDT**: + 1. ZTIDataAccess.vbs + 2. ZTIGather.wsf + 3. ZTIGather.xml + 4. ZTIUtility.vbs +7. From the **\\\\MDT01\\MDTProduction$\\Control** folder, copy the CustomSettings.ini file to **C:\\MDT**. +8. In the **C:\\MDT** folder, create a subfolder named **X64**. +9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**. - ![figure 6](../images/mdt-09-fig06.png) + ![figure 6](../images/mdt-09-fig06.png) - Figure 6. The C:\\MDT folder with the files added for the simulation environment. + Figure 6. The C:\\MDT folder with the files added for the simulation environment. 10. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press Enter after each command: ``` syntax @@ -45,9 +45,9 @@ For the purposes of this topic, you already will have either downloaded and inst .\Gather.ps1 ``` 11. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder. -**Note**   -Warnings or errors with regard to the Wizard.hta are expected. If the log file looks okay, you are ready to try a real deployment. -  + **Note** + Warnings or errors with regard to the Wizard.hta are expected. If the log file looks okay, you are ready to try a real deployment. + ![figure 7](../images/mdt-09-fig07.png) diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md index bdd6d15d94..6a0ecfb6b6 100644 --- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md 
+++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md @@ -23,7 +23,7 @@ MDT can integrate with System Center 2012 R2 Orchestrator, which is a component **Note**   If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website. -  + ## Orchestrator terminology Before diving into the core details, here is a quick course in Orchestrator terminology: 
@@ -37,39 +37,39 @@ Before diving into the core details, here is a quick course in Orchestrator term **Note**   To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](https://go.microsoft.com/fwlink/p/?LinkId=619554). -  + ## Create a sample runbook This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01. -1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS). -2. In the **E:\\Logfile** folder, create the DeployLog.txt file. - **Note**   - Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt. -   - ![figure 23](../images/mdt-09-fig23.png) +1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS). +2. In the **E:\\Logfile** folder, create the DeployLog.txt file. + **Note** + Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt. + + ![figure 23](../images/mdt-09-fig23.png) - Figure 23. The DeployLog.txt file. + Figure 23. The DeployLog.txt file. -3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder. +3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder. - ![figure 24](../images/mdt-09-fig24.png) + ![figure 24](../images/mdt-09-fig24.png) - Figure 24. Folder created in the Runbooks node. + Figure 24. Folder created in the Runbooks node. -4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**. -5. On the ribbon bar, click **Check Out**. -6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**. -7. 
Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane: - 1. Runbook Control / Initialize Data - 2. Text File Management / Append Line -8. Connect **Initialize Data** to **Append Line**. +4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**. +5. On the ribbon bar, click **Check Out**. +6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**. +7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane: + 1. Runbook Control / Initialize Data + 2. Text File Management / Append Line +8. Connect **Initialize Data** to **Append Line**. - ![figure 25](../images/mdt-09-fig25.png) + ![figure 25](../images/mdt-09-fig25.png) - Figure 25. Activities added and connected. + Figure 25. Activities added and connected. -9. Right-click the **Initialize Data** activity, and select **Properties** +9. Right-click the **Initialize Data** activity, and select **Properties** 10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**. ![figure 26](../images/mdt-09-fig26.png) 
@@ -100,14 +100,14 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O Figure 29. The expanded text box after all subscriptions have been added. 19. On the **Append Line Properties** page, click **Finish**. -## Test the demo MDT runbook -After the runbook is created, you are ready to test it. -1. On the ribbon bar, click **Runbook Tester**. -2. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**: + ## Test the demo MDT runbook + After the runbook is created, you are ready to test it. +20. On the ribbon bar, click **Runbook Tester**. +21. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**: - OSDComputerName: PC0010 -3. Verify that all activities are green (for additional information, see each target). -4. Close the **Runbook Tester**. -5. On the ribbon bar, click **Check In**. +22. Verify that all activities are green (for additional information, see each target). +23. Close the **Runbook Tester**. +24. On the ribbon bar, click **Check In**. ![figure 30](../images/mdt-09-fig30.png) @@ -142,7 +142,7 @@ Figure 31. The ready-made task sequence. Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment. **Note**   Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](https://go.microsoft.com/fwlink/p/?LinkId=619555). -  + 1. On PC0001, log on as **CONTOSO\\MDT\_BA**. 2. Using an elevated command prompt (run as Administrator), type the following command: diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md index 2e37483bd8..7b720cee45 100644 --- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md 
+++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md @@ -92,28 +92,28 @@ Figure 20. The result from the MDT Sample web service. After verifying the web service using Internet Explorer, you are ready to do the same test in the MDT simulation environment. -1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following: - ``` syntax - [Settings] - Priority=Default, GetComputerName - [Default] - OSInstall=YES - [GetComputerName] - WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName - Parameters=Model,SerialNumber - OSDComputerName=string - ``` - ![figure 21](../images/mdt-09-fig21.png) +1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following: + ``` syntax + [Settings] + Priority=Default, GetComputerName + [Default] + OSInstall=YES + [GetComputerName] + WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName + Parameters=Model,SerialNumber + OSDComputerName=string + ``` + ![figure 21](../images/mdt-09-fig21.png) - Figure 21. The updated CustomSettings.ini file. + Figure 21. The updated CustomSettings.ini file. -2. Save the CustomSettings.ini file. -3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: - ``` syntax - Set-Location C:\MDT - .\Gather.ps1 - ``` -4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder. +2. Save the CustomSettings.ini file. +3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command: + ``` syntax + Set-Location C:\MDT + .\Gather.ps1 + ``` +4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder. ![figure 22](../images/mdt-09-fig22.png) 
@@ -134,4 +134,4 @@ Figure 22. The OSDCOMPUTERNAME value obtained from the web service. [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) -  + diff --git a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 9ff6999c7e..461dd38fa8 100644 --- a/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -51,7 +51,7 @@ This section will show you how to import some network and storage drivers for Wi >[!NOTE]   >The Updating Boot Image part of the wizard will appear to hang when displaying Done. It will complete in a minute or two. -  + ## Add drivers for Windows 10 @@ -76,7 +76,7 @@ This section illustrates how to add drivers for Windows 10 through an example in >[!NOTE]   >The package path does not yet exist, so you have to type it in. The wizard will create the new package in that folder. -   + 5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**. diff --git a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 6ea9e7940c..ba0499f7ea 100644 --- a/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md 
+++ b/windows/deployment/deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -97,9 +97,9 @@ The following steps show you how to create the Adobe Reader XI application. This [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) -  + -  + diff --git a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 5ee8e8de8b..c8d777a200 100644 --- a/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md 
@@ -70,36 +70,36 @@ To support additional server-side logging in Configuration Manager, you create a This section will show you how to configure the rules (the Windows 10 x64 Settings package) to support the Contoso environment. -1. On CM01, using File Explorer, navigate to the **E:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder. +1. On CM01, using File Explorer, navigate to the **E:\\Sources\\OSD\\Settings\\Windows 10 x64 Settings** folder. -2. Using Notepad, edit the CustomSetting.ini file with the following settings: +2. Using Notepad, edit the CustomSetting.ini file with the following settings: - ``` syntax - [Settings] - Priority=Default - Properties=OSDMigrateConfigFiles,OSDMigrateMode - [Default] - DoCapture=NO - ComputerBackupLocation=NONE - MachineObjectOU=ou=Workstations,ou=Computers,ou=Contoso,dc=contoso,dc=com - OSDMigrateMode=Advanced - OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* - OSDMigrateConfigFiles=Miguser.xml,Migapp.xml - SLSHARE=\\CM01\Logs$ - EventService=http://CM01:9800 - ApplyGPOPack=NO - ``` + ``` syntax + [Settings] + Priority=Default + Properties=OSDMigrateConfigFiles,OSDMigrateMode + [Default] + DoCapture=NO + ComputerBackupLocation=NONE + MachineObjectOU=ou=Workstations,ou=Computers,ou=Contoso,dc=contoso,dc=com + OSDMigrateMode=Advanced + OSDMigrateAdditionalCaptureOptions=/ue:*\* /ui:CONTOSO\* + OSDMigrateConfigFiles=Miguser.xml,Migapp.xml + SLSHARE=\\CM01\Logs$ + EventService=http://CM01:9800 + ApplyGPOPack=NO + ``` - ![Settings package during deployment](../images/fig30-settingspack.png) + ![Settings package during deployment](../images/fig30-settingspack.png) - *Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment* + *Figure 27. The Settings package, holding the rules and the Unattend.xml template used during deployment* -3. 
Update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. +3. Update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. - >[!NOTE]   - >Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes. + >[!NOTE] + >Although you have not yet added a distribution point, you still need to select Update Distribution Points. That process also updates the Configuration Manager 2012 content library with changes. -  + ## Distribute content to the CM01 distribution portal 
@@ -117,27 +117,27 @@ In Configuration Manager, you can distribute all packages needed by a task seque This sections provides steps to help you create a deployment for the task sequence. -1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. +1. On CM01, using the Configuration Manager Console, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. -2. On the **General** page, select the **All Unknown Computers** collection and click **Next**. +2. On the **General** page, select the **All Unknown Computers** collection and click **Next**. -3. On the **Deployment Settings** page, use the following settings and then click **Next**: +3. On the **Deployment Settings** page, use the following settings and then click **Next**: - * Purpose: Available + * Purpose: Available - * Make available to the following: Only media and PXE + * Make available to the following: Only media and PXE - ![Configure the deployment settings](../images/mdt-06-fig33.png) + ![Configure the deployment settings](../images/mdt-06-fig33.png) - *Figure 28. Configure the deployment settings* + *Figure 28. Configure the deployment settings* -4. On the **Scheduling** page, accept the default settings and click **Next**. +4. On the **Scheduling** page, accept the default settings and click **Next**. -5. On the **User Experience** page, accept the default settings and click **Next**. +5. On the **User Experience** page, accept the default settings and click **Next**. -6. On the **Alerts** page, accept the default settings and click **Next**. +6. On the **Alerts** page, accept the default settings and click **Next**. -7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**. +7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**. 
![Task sequence deployed](../images/fig32-deploywiz.png) @@ -150,15 +150,15 @@ You can have Configuration Manager prompt you for a computer name or you can use This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names. -1. Using the Configuration Manager Console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**. +1. Using the Configuration Manager Console, in the Asset and Compliance workspace, select **Device Collections**, right-click **All Unknown Computers**, and select **Properties**. -2. In the **Collection Variables** tab, create a new variable with the following settings: +2. In the **Collection Variables** tab, create a new variable with the following settings: - * Name: OSDComputerName + * Name: OSDComputerName - * Clear the **Do not display this value in the Configuration Manager console** check box. + * Clear the **Do not display this value in the Configuration Manager console** check box. -3. Click **OK**. +3. Click **OK**. >[!NOTE]   >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard. @@ -190,4 +190,4 @@ This section provides steps to help you configure the All Unknown Computers coll [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) -  + diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index eb6a0afd40..e924b37e36 100644 --- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md 
+++ b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md 
@@ -86,44 +86,44 @@ Figure 6. The Configuration Manager service accounts used for operating system d In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. -1. On DC01, log on as Administrator in the CONTOSO domain using the password **P@ssw0rd**. +1. On DC01, log on as Administrator in the CONTOSO domain using the password P@ssw0rd. -2. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands, pressing **Enter** after each command: +2. In an elevated Windows PowerShell prompt (run as Administrator), run the following commands, pressing **Enter** after each command: - ``` syntax - Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force + ``` syntax + Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force - Set-Location C:\Setup\Scripts + Set-Location C:\Setup\Scripts - .\Set-OUPermissions.ps1 -Account CM_JD - -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" - ``` + .\Set-OUPermissions.ps1 -Account CM_JD + -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" + ``` -3. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted: +3. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. 
The following is a list of the permissions being granted: - * Scope: This object and all descendant objects + * Scope: This object and all descendant objects - * Create Computer objects + * Create Computer objects - * Delete Computer objects + * Delete Computer objects - * Scope: Descendant Computer objects + * Scope: Descendant Computer objects - * Read All Properties + * Read All Properties - * Write All Properties + * Write All Properties - * Read Permissions + * Read Permissions - * Modify Permissions + * Modify Permissions - * Change Password + * Change Password - * Reset Password + * Reset Password - * Validated write to DNS host name + * Validated write to DNS host name - * Validated write to service principal name + * Validated write to service principal name ## Review the Sources folder structure 
@@ -164,19 +164,19 @@ Figure 7. The E:\\Sources\\OSD folder structure. To extend the Configuration Manager console with MDT wizards and templates, you install MDT in the default location and run the integration setup. In these steps, we assume you have downloaded MDT to the C:\\Setup\\MDT2013 folder on CM01. -1. On CM01, log on as Administrator in the CONTOSO domain using the password **P@ssw0rd**. +1. On CM01, log on as Administrator in the CONTOSO domain using the password P@ssw0rd. -2. Make sure the Configuration Manager Console is closed before continuing. +2. Make sure the Configuration Manager Console is closed before continuing. -3. Using File Explorer, navigate to the **C:\\Setup\\MDT** folder. +3. Using File Explorer, navigate to the **C:\\Setup\\MDT** folder. -4. Run the MDT setup (MicrosoftDeploymentToolkit2013\_x64.msi), and use the default options in the setup wizard. +4. Run the MDT setup (MicrosoftDeploymentToolkit2013\_x64.msi), and use the default options in the setup wizard. -5. From the Start screen, run Configure ConfigManager Integration with the following settings: +5. From the Start screen, run Configure ConfigManager Integration with the following settings: - * Site Server Name: CM01.contoso.com + * Site Server Name: CM01.contoso.com - * Site code: PS1 + * Site code: PS1 ![figure 8](../images/mdt-06-fig08.png) @@ -274,9 +274,9 @@ Configuration Manager has many options for starting a deployment, but starting v [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) -  + -  + diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index ee78e43273..7198518c72 100644 
--- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -73,7 +73,7 @@ In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with >[!NOTE]  >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. -  + ## Create a new deployment @@ -93,7 +93,7 @@ Using the Configuration Manager console, in the Software Library workspace, sele >[!NOTE]   >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. -   + - Scheduling diff --git a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 84de477107..e79dae3cec 100644 --- a/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md 
@@ -34,31 +34,31 @@ In this topic, you will create a backup-only task sequence that you run on PC000 ## Create a replace task sequence -1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. +1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Operating Systems**, right-click **Task Sequences**, and select **Create MDT Task Sequence**. -2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**. +2. On the **Choose Template** page, select the **Client Replace Task Sequence** template and click **Next**. -3. On the **General** page, assign the following settings and click **Next**: +3. On the **General** page, assign the following settings and click **Next**: - * Task sequence name: Replace Task Sequence + * Task sequence name: Replace Task Sequence - * Task sequence comments: USMT backup only + * Task sequence comments: USMT backup only -4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. +4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. -5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**. +5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**. -6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**. +6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**. -7. On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**. +7. 
On the **Settings Package** page, browse and select the **OSD / Windows 10 x64 Settings** package. Then click **Next**. -8. On the **Summary** page, review the details and then click **Next**. +8. On the **Summary** page, review the details and then click **Next**. -9. On the **Confirmation** page, click **Finish**. +9. On the **Confirmation** page, click **Finish**. 10. Review the Replace Task Sequence. ->[!NOTE] ->This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence. + >[!NOTE] + >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the Client Replace Task Sequence template when creating the task sequence. ![The back-up only task sequence](../images/mdt-06-fig42.png "The back-up only task sequence") @@ -184,7 +184,7 @@ This section assumes that you have a machine named PC0004 with the Configuration >[!NOTE]   >It may take a few minutes for the user state store location to be populated. -  + ## Deploy the new computer @@ -230,9 +230,9 @@ When the process is complete, you will have a new Windows 10 machine in your dom [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) -  + -  + diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index a6ccb3c072..a8a3a8828e 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md 
@@ -19,7 +19,7 @@ ms.topic: article **Applies to** -- Windows 10 +- Windows 10 This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. @@ -36,7 +36,7 @@ The following is a list of items that you should be aware of before you start th * When running a Windows To Go workspace, always shutdown the workspace before unplugging the drive. -- System Center 2012 Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=619148). +* System Center 2012 Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=619148). * If you are planning on using a USB drive duplicator to duplicate Windows To Go drives, do not configure offline domain join or BitLocker on the drive. 
@@ -53,8 +53,8 @@ Completing these steps will give you a generic Windows To Go drive that can be d In this step we are creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](https://go.microsoft.com/fwlink/p/?LinkId=619174) using a combination of Windows PowerShell and command-line tools. ->[!WARNING]   ->The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education. +>[!WARNING] +>The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education. #### To create a Windows To Go workspace with the Windows To Go Creator Wizard 
@@ -62,21 +62,21 @@ In this step we are creating the operating system image that will be used on the 2. Insert the USB drive that you want to use as your Windows To Go drive into your PC. -3. Verify that the .wim file location (which can be a network share, a DVD , or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. +3. Verify that the .wim file location (which can be a network share, a DVD , or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments. - >[!NOTE]   + >[!NOTE] >For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=619150). For more information about using sysprep, see [Sysprep Overview](https://go.microsoft.com/fwlink/p/?LinkId=619151). 4. Using Cortana, search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. The **Windows To Go Creator Wizard** opens. 5. On the **Choose the drive you want to use** page select the drive that represents the USB drive you inserted previously, then click **Next.** -6. On the **Choose a Windows image** page, click **Add Search Location** and then navigate to the .wim file location and click select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then click **Next**. +6. On the **Choose a Windows image** page, click **Add Search Location** and then navigate to the .wim file location and click select folder. 
The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then click **Next**. 7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you do not wish to encrypt the drive at this time, click **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](https://go.microsoft.com/fwlink/p/?LinkId=619152) for instructions. r - >[!WARNING]   + >[!WARNING] >If you plan to use a USB-Duplicator to create multiple Windows To Go drives, do not enable BitLocker. Drives protected with BitLocker should not be duplicated. If you choose to encrypt the Windows To Go drive now: 
@@ -84,13 +84,15 @@ r - Type a password that is at least eight characters long and conforms to your organizations password complexity policy. This password will be provided before the operating system is started so any characters you use must be able to be interpreted by the firmware. Some firmware does not support non-ASCII characters. - >[!IMPORTANT]   - >The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](https://go.microsoft.com/fwlink/p/?LinkId=619157).   +~~~ + >[!IMPORTANT] + >The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](https://go.microsoft.com/fwlink/p/?LinkId=619157). +~~~ 8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then click **Create** to start the Windows To Go workspace creation process. 
- >[!WARNING]   - >The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased.   + >[!WARNING] + >The USB drive identified will be reformatted as part of the Windows To Go provisioning process and any data on the drive will be erased. 9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer. @@ -98,7 +100,7 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a #### Windows PowerShell equivalent commands -The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. This procedure can only be used on PCs that are running Windows 10. Before starting, ensure that only the USB drive that you want to provision as a Windows To Go drive is connected to the PC. +The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. This procedure can only be used on PCs that are running Windows 10. Before starting, ensure that only the USB drive that you want to provision as a Windows To Go drive is connected to the PC. 1. Using Cortana, search for **powershell**, right-click **Windows PowerShell**, and then select **Run as administrator**. 
@@ -140,7 +142,7 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as 3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](https://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM): - >[!TIP]   + >[!TIP] >The index number must be set correctly to a valid Enterprise image in the .WIM file. ``` syntax @@ -151,9 +153,11 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as 4. Now use the [bcdboot](https://go.microsoft.com/fwlink/p/?LinkId=619163) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step: - ``` syntax - W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: - ``` +~~~ +``` syntax +W:\Windows\System32\bcdboot W:\Windows /f ALL /s S: +``` +~~~ 5. Apply SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. This is done by creating and saving a **san\_policy.xml** file on the disk. The following example illustrates this step: 
@@ -221,7 +225,7 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as After the answer file has been saved, copy unattend.xml into the sysprep folder on the Windows To Go drive (for example, W:\\Windows\\System32\\sysprep\) - >[!IMPORTANT]   + >[!IMPORTANT] >Setup unattend files are processed based on their location. Setup will place a temporary unattend file into the **%systemroot%\\panther** folder which is the first location that setup will check for installation information. You should make sure that folder does not contain a previous version of an unattend.xml file to ensure that the one you just created is used. If you do not wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC. 
@@ -232,21 +236,21 @@ Your Windows To Go workspace is now ready to be started. You can now [prepare a ### To prepare a host computer -Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it is attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace. +Computers running Windows 8 and later can be configured as host computers that use Windows To Go automatically whenever a Windows To Go workspace is available at startup. When the Windows To Go startup options are enabled on a host computer, Windows will divert startup to the Windows To Go drive whenever it is attached to the computer. This makes it easy to switch from using the host computer to using the Windows To Go workspace. ->[!TIP]   ->If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer. +>[!TIP] +>If you will be using a PC running Windows 7 as your host computer, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) for information to help you prepare the host computer. If you want to use the Windows To Go workspace, simply shut down the computer, plug in the Windows To Go drive, and turn on the computer. To use the host computer, shut down the Windows To Go workspace, unplug the Windows To Go drive, and turn on the computer. -To set the Windows To Go Startup options for host computers running Windows 10: +To set the Windows To Go Startup options for host computers running Windows 10: 1. 
Using Cortana, search for **Windows To Go startup options** and then press **Enter**. 2. In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB -For host computers running Windows 8 or Windows 8.1: +For host computers running Windows 8 or Windows 8.1: 1. Press **Windows logo key+W**, search for **Windows To Go startup options**, and then press **Enter**. @@ -283,7 +287,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i **Prerequisites for remote access scenario** -- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer +- A domain-joined computer running Windows 8 or later and is configured as a Windows To Go host computer - A Windows To Go drive that hasn’t been booted or joined to the domain using unattend settings. @@ -299,7 +303,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i djoin /provision /domain /machine /certtemplate /policynames /savefile /reuse ``` - >[!NOTE]   + >[!NOTE] >The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using djoin.exe with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information see the [Offline Domain Join Step-by-Step guide](https://go.microsoft.com/fwlink/p/?LinkId=619171). 2. Insert the Windows To Go drive. 
@@ -345,66 +349,68 @@ Making sure that Windows To Go workspaces are effective when used off premises i 5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](https://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM): - >[!TIP]   - >The index number must be set correctly to a valid Enterprise image in the .WIM file. +~~~ +>[!TIP] +>The index number must be set correctly to a valid Enterprise image in the .WIM file. - ``` syntax - #The WIM file must contain a sysprep generalized image. - dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ - ``` +``` syntax +#The WIM file must contain a sysprep generalized image. +dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\ +``` +~~~ -6. After those commands have completed, run the following command: +6. After those commands have completed, run the following command: - ``` syntax - djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows - ``` + ``` syntax + djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows + ``` -7. Next, we will need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we are hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you have configured for your organization if desired. 
For more information about the OOBE settings, see [OOBE](https://go.microsoft.com/fwlink/p/?LinkId=619172): +7. Next, we will need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we are hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you have configured for your organization if desired. For more information about the OOBE settings, see [OOBE](https://go.microsoft.com/fwlink/p/?LinkId=619172): - ``` syntax - - - - - true - - true - 1 - Work - - + ``` syntax + + + - true - - true - 1 - Work + processorArchitecture="x86" + publicKeyToken="31bf3856ad364e35" language="neutral" + versionScope="nonSxS" + xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + true + + true + 1 + Work - - - - ``` + + + true + + true + 1 + Work + + + + + ``` -8. Safely remove the Windows To Go drive. +8. Safely remove the Windows To Go drive. -9. From a host computer, either on or off premises, start the computer and boot the Windows To Go workspace. +9. From a host computer, either on or off premises, start the computer and boot the Windows To Go workspace. - * If on premises using a host computer with a direct network connection, sign on using your domain credentials. + * If on premises using a host computer with a direct network connection, sign on using your domain credentials. - * If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials. + * If off premises, join a wired or wireless network with internet access and then sign on again using your domain credentials. - >[!NOTE]   - >Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain. 
+ >[!NOTE] + >Depending on your DirectAccess configuration you might be asked to insert your smart card to log on to the domain. You should now be able to access your organization’s network resources and work from your Windows To Go workspace as you would normally work from your standard desktop computer on premises. @@ -416,7 +422,7 @@ Enabling BitLocker on your Windows To Go drive will help ensure that your data i * A Windows To Go drive that can be successfully provisioned. -* A computer running Windows 8 configured as a Windows To Go host computer +* A computer running Windows 8 configured as a Windows To Go host computer * Review the following Group Policy settings for BitLocker Drive Encryption and modify the configuration as necessary: @@ -438,12 +444,12 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot - If BitLocker protection is enabled during provisioning, the BitLocker recovery keys will be stored under the computer account of the computer used for provisioning the drives. If backing up recovery keys to AD DS is not used, the recovery keys will need to be printed or saved to a file for each drive. The IT administrator must track which keys were assigned to which Windows To Go drive. -- **Warning**   +- **Warning** If BitLocker is enabled after distribution, the recovery key will be backed up to AD DS under the computer account of the workspace. If backing up recovery keys to AD DS is not used, they can be printed or saved to a file by the user. If the IT administrator wants a central record of recovery keys, a process by which the user provides the key to the IT department must be put in place. #### To enable BitLocker during provisioning -1. Start the host computer that is running Windows 8. +1. Start the host computer that is running Windows 8. 2. Insert your Windows To Go drive. 
@@ -451,7 +457,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot 4. Provision the Windows To Go drive using the following cmdlets: - >[!NOTE]   + >[!NOTE] >If you used the [manual method for creating a workspace](https://go.microsoft.com/fwlink/p/?LinkId=619174) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step. ``` syntax @@ -490,7 +496,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](https://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM): - >[!TIP]   + >[!TIP] >The index number must be set correctly to a valid Enterprise image in the .WIM file. ``` syntax 
@@ -522,15 +528,15 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot Enable-BitLocker W: -PasswordProtector $spwd ``` - >[!WARNING]   + >[!WARNING] >To have BitLocker only encrypt used space on the disk append the parameter `–UsedSpaceOnly` to the `Enable-BitLocker` cmdlet. As data is added to the drive BitLocker will encrypt additional space. Using this parameter will speed up the preparation process as a smaller percentage of the disk will require encryption. If you are in a time critical situation where you cannot wait for encryption to complete you can also safely remove the Windows To Go drive during the encryption process. The next time the drive is inserted in a computer it will request the BitLocker password. Once the password is supplied, the encryption process will continue. If you do this, make sure your users know that BitLocker encryption is still in process and that they will be able to use the workspace while the encryption completes in the background. 8. Copy the numerical recovery password and save it to a file in a safe location. The recovery password will be required if the password is lost or forgotten. - >[!WARNING]   + >[!WARNING] >If the **Choose how BitLocker-protected removable data drives can be recovered** Group Policy setting has been configured to back up recovery information to Active Directory Domain Services, the recovery information for the drive will be stored under the account of the host computer used to apply the recovery key. - If you want to have the recovery information stored under the account of the Windows To Go workspace you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker).  
+ If you want to have the recovery information stored under the account of the Windows To Go workspace you can turn BitLocker from within the Windows To Go workspace using the BitLocker Setup Wizard from the BitLocker Control Panel item as described in [To enable BitLocker after distribution](#enable-bitlocker). 9. Safely remove the Windows To Go drive. @@ -555,7 +561,7 @@ The Windows To Go drives are now ready to be distributed to users and are protec 4. Complete the steps in the **BitLocker Setup Wizard** selecting the password protection option. ->[!NOTE]   +>[!NOTE] >If you have not configured the Group Policy setting **\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives\\Require additional authentication at startup** to specify **Allow BitLocker without a compatible TPM** you will not be able to enable BitLocker from within the Windows To Go workspace. ### Advanced deployment sample script 
@@ -586,12 +592,12 @@ The sample script creates an unattend file that streamlines the deployment proce The RemoteSigned execution policy will prevent unsigned scripts from the internet from running on the computer, but will allow locally created scripts to run. For more information on execution policies, see [Set-ExecutionPolicy](https://go.microsoft.com/fwlink/p/?LinkId=619175). - >[!TIP]   - >To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally type the following cmdlet, replacing <cmdlet-name> with the name of the cmdlet you want to see the help for: - - >`Get-Help -Online` - - >This command causes Windows PowerShell to open the online version of the help topic in your default Internet browser. + > [!TIP] + > To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally type the following cmdlet, replacing <cmdlet-name> with the name of the cmdlet you want to see the help for: + > + > `Get-Help -Online` + > + > This command causes Windows PowerShell to open the online version of the help topic in your default Internet browser. #### Windows To Go multiple drive provisioning sample script @@ -994,9 +1000,9 @@ In the PowerShell provisioning script, after the image has been applied, you can [BitLocker overview](https://go.microsoft.com/fwlink/p/?LinkId=619173) -  - -  + + + diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index c44cab89c5..af5362ff55 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -21,7 +21,7 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif" + "**/*.gif" ], "exclude": [ "**/obj/**", 
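Review bot: in the TIP rewrite at @@ -586 the example command `Get-Help -Online` no longer contains the `<cmdlet-name>` placeholder that the preceding sentence tells the reader to replace, so the instruction refers to nothing; write the example as `` `Get-Help <cmdlet-name> -Online` ``. The bare `<cmdlet-name>` in the prose line is raw inline HTML to a CommonMark renderer such as markdig (the engine this same PR switches docfx.json to) and will not be displayed; escape it as `\<cmdlet-name\>` or put it in backticks.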
@@ -32,24 +32,24 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "ms.author": "greglin", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.win-development", - "folder_relative_path_in_docset": "./" - } - } - }, + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "greglin", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-development", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], "dest": "win-development", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 0bead96cd8..f0a3add5e9 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -18,7 +18,7 @@ ms.topic: article # MBR2GPT.EXE **Applies to** -- Windows 10 +- Windows 10 ## Summary @@ -62,7 +62,7 @@ If any of these checks fails, the conversion will not proceed and an error will ## Syntax -
                                                                                          MBR2GPT /validate|convert [/disk:\] [/logs:\] [/map:\=\] [/allowFullOS] +
                                                                                          MBR2GPT /validate|convert [/disk:<diskNumber>] [/logs:<logDirectory>] [/map:<source>=<destination>] [/allowFullOS]
                                                                                          ### Options @@ -220,7 +220,6 @@ Offset in Bytes: 524288000 Volume ### Ltr Label Fs Type Size Status Info ---------- --- ----------- ----- ---------- ------- --------- -------- * Volume 1 D Windows NTFS Partition 58 GB Healthy - ``` ## Specifications @@ -270,7 +269,7 @@ For more information about partition types, see: - [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) -### Persisting drive letter assignments +### Persisting drive letter assignments The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage. @@ -338,7 +337,6 @@ Where: - Allows the tool to be used from the full Windows environment. By default, this tool can only be used from the Windows Preinstallation Environment. - ``` ### Return codes diff --git a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md index 395ff7c74a..95a3a6925a 100644 --- a/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md +++ b/windows/deployment/planning/available-data-types-and-operators-in-compatibility-administrator.md 
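Review bot: the one substantive change in docfx.json, `"markdownEngineName": "dfm"` to `"markdig"` in the hunk at @@ -32, is buried under a re-indentation of the whole `globalMetadata` block; please call the engine switch out in the PR description and keep the indentation churn out of the diff so reviewers can see what actually changed. The switch is not neutral: several later hunks in this PR replace markdown links inside HTML tables with plain text, which looks like a workaround for markdig not parsing markdown inside raw HTML blocks, so every page that carries HTML tables should be rendered and checked before merge.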
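Review bot: in the hunk at @@ -62 of mbr-to-gpt.md the syntax line restores the `<diskNumber>`, `<logDirectory>`, `<source>` and `<destination>` placeholders that had collapsed to `\`; make sure that line sits inside a fenced code block, otherwise markdig treats each `<...>` as an HTML tag and the placeholders vanish again. The hunks at @@ -220 and @@ -338 each delete a ``` line; confirm those were duplicated fences and not the closing fence of the preceding code block, since removing the real closing fence would pull the following `## Specifications` and `### Return codes` headings into the code block.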
@@ -19,12 +19,12 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 The Compatibility Administrator tool provides a way to query your custom-compatibility databases. @@ -136,7 +136,7 @@ The following table shows the attributes you can use for querying your customize -  + ## Available Operators @@ -200,11 +200,10 @@ The following table shows the operators that you can use for querying your custo

                                                                                          A special SQL operator used to check if the left-hand operand contains a substring specified by the right-hand operand.

                                                                                          Left-hand operand. MATCHFILE_NAME, MODE_NAME, FIX_NAME

                                                                                          -Note   -

                                                                                          Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.

                                                                                          +Note

                                                                                          Only the HAS operator can be applied to the MATCHFILE_NAME, MODE_NAME, and FIX_NAME attributes.

                                                                                          -  +

                                                                                          Right-hand operand. String

                                                                                          1

                                                                                          @@ -224,14 +223,14 @@ The following table shows the operators that you can use for querying your custo -  + ## Related topics [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) -  - -  + + + diff --git a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md index 39770e9b77..12e3ff8140 100644 --- a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md @@ -25,6 +25,7 @@ The topics in this library have been updated for Windows 10, version 1703 (also - [Windows 10 Enterprise - FAQ for IT Professionals](windows-10-enterprise-faq-itpro.md) ## January 2017 + | New or changed topic | Description | |----------------------|-------------| | [Windows 10 Infrastructure Requirements](windows-10-infrastructure-requirements.md) | Added link for Windows Server 2008 R2 and Windows 7 activation and a link to Windows Server 2016 Volume Activation Tips | @@ -64,7 +65,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | New or changed topic | Description | |--------------------------------------------------------------------------------------------------------------------------------------------------|-------------| | [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) (multiple topics) | New | -  + ## November 2015 @@ -75,7 +76,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also | [Windows Update for Business](../update/waas-manage-updates-wufb.md) (multiple topics) | New | | [Windows To Go: feature overview](windows-to-go-overview.md) (multiple topics) | Updated | -  + ## Related topics 
@@ -85,9 +86,9 @@ The topics in this library have been updated for Windows 10, version 1607 (also [Change history for Deploy Windows 10](../change-history-for-deploy-windows-10.md) -  - -  + + + diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md index ab8b2da1da..36cdd9af10 100644 --- a/windows/deployment/planning/compatibility-administrator-users-guide.md +++ b/windows/deployment/planning/compatibility-administrator-users-guide.md @@ -41,7 +41,7 @@ The following flowchart shows the steps for using the Compatibility Administrato **Important**   Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create and work with custom databases for 32-bit applications, and the 64-bit version to create and work with custom databases for 64-bit applications. -  + ## In this section @@ -59,25 +59,25 @@ Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version o -

                                                                                          [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)

                                                                                          +

                                                                                          Using the Compatibility Administrator Tool

                                                                                          This section provides information about using the Compatibility Administrator tool.

                                                                                          -

                                                                                          [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)

                                                                                          +

                                                                                          Managing Application-Compatibility Fixes and Custom Fix Databases

                                                                                          This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.

                                                                                          -

                                                                                          [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)

                                                                                          +

                                                                                          Using the Sdbinst.exe Command-Line Tool

                                                                                          You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations.

                                                                                          -  + -  + -  + diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md index c680ffd8b7..82a99d5611 100644 --- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md +++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md @@ -19,12 +19,12 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches: @@ -101,10 +101,10 @@ If you decide to use the centralized compatibility-fix database deployment strat 5. The team that manages the centralized database opens Custom DB1 and uses the Compatibility Administrator to include the new compatibility fixes that were included in Custom DB2. - **Note**   + **Note** Custom DB1 contains a unique GUID that makes updating the database easier. For example, if you install a new version of the custom compatibility-fix database that uses the same GUID as the previous version, the computer will automatically uninstall the old version. -   + 6. The centralized management team then redeploys the new version of Custom DB1 to all of the end users in your organization. 
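Review bot: the hunk at @@ -59 in compatibility-administrator-users-guide.md replaces the three markdown links in the "In this section" table (`[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md)` and the two entries below it) with plain text, so the section index no longer links anywhere. If the motivation is that markdig does not process markdown inside an HTML table, keep the navigation by converting them to `<a href="using-the-compatibility-administrator-tool.md">...</a>` anchors rather than dropping the targets.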
@@ -122,23 +122,25 @@ In order to meet the two requirements above, we recommend that you use one of th You can package your .sdb file and a custom deployment script into an .msi file, and then deploy the .msi file into your organization. - **Important**   + **Important** You must ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be: -   - ``` syntax - msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal) - ``` + +~~~ +``` syntax +msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal) +``` +~~~ - **Using a network share and a custom script** You can store your .sdb file on your network share and then call to a script that resides on your specified computers. -**Important**   +**Important** You must ensure that you call the script at a time when it will receive elevated rights. For example, you should call the script by using computer startup scripts instead of a user logon script. You must also ensure that the installation of the custom compatibility-fix database occurs with Administrator rights. -  + ### Example Script for an Installation of the .sdb File based on an .msi File diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md index ea0d0c0d54..368687b611 100644 --- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md +++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md 
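Review bot: the `~~~` fence added around the existing ``` syntax block in the hunk at @@ -122 nests one code fence inside another, so the rendered page will show the literal lines ``` syntax and ``` as part of the code. Use a single fence, indented to the level of the list item it belongs to (the surrounding **Important** paragraph is indented by four spaces), and consider dropping the `syntax` info string, which is not a recognised language. The expression inside also ends with an unbalanced `)` after `3078 decimal`. Because this value includes `msidbCustomActionTypeNoImpersonate`, the flag that makes the custom action run without impersonating the calling user, this is the one block on the page an administrator will copy verbatim, so its formatting is worth getting right.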
@@ -19,26 +19,26 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. -**Important**   +**Important** The Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator. You must use the 32-bit version for 32-bit applications and the 64-bit version to work for 64-bit applications. You will receive an error message if you try to use the wrong version. If you start the Compatibility Administrator as an Administrator (with elevated privileges), all repaired applications can run successfully; however, virtualization and redirection might not occur as expected. To verify that a compatibility fix addresses an issue, you must test the repaired application by running it under the destination user account. -  + ## Compatibility Fixes -The following table lists the known compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. The fixes are listed in alphabetical order. +The following table lists the known compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. The fixes are listed in alphabetical order. @@ -74,25 +74,24 @@ The following table lists the known compatibility fixes for all Windows operatin - + +

                                                                                          The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.

                                                                                          @@ -101,15 +100,14 @@ The following table lists the known compatibility fixes for all Windows operatin - @@ -122,11 +120,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -134,11 +131,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -146,11 +142,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -164,11 +159,10 @@ The following table lists the known compatibility fixes for all Windows operatin

                                                                                          DLL_Name;Flag_Type;Hexidecimal_Value

                                                                                          Where the DLL_Name is the name of the specific DLL, including the file extension. Flag_Type is KERNEL, USER, or PROCESS, and a Hexidecimal_Value, starting with 0x and up to 64-bits long.

                                                                                          -Note   -

                                                                                          The PROCESS flag type can have a 32-bit length only. You can separate multiple entries with a backslash ().

                                                                                          +Note

                                                                                          The PROCESS flag type can have a 32-bit length only. You can separate multiple entries with a backslash ().

                                                                                          -  +
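Review bot: the `+Note` line in the hunk at @@ -164 carries the sentence "You can separate multiple entries with a backslash ()." forward with the separator character still missing between the parentheses; since the line is rewritten anyway, restore the `\` (escaped as the renderer requires so it is not consumed as markdown). The context lines above it spell `Hexidecimal_Value` and "Hexidecimal"; the correct spelling is Hexadecimal.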
                                                                                          @@ -179,18 +173,16 @@ The following table lists the known compatibility fixes for all Windows operatin

                                                                                          Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2

                                                                                          Where Deprecated_Service is the name of the service that has been deprecated and App_Service is the name of the specific application service that is to be modified; for example, NtLmSsp\WMI.

                                                                                          -Note   -

                                                                                          If you do not provide an App_Service name, the deprecated service will be removed from all newly created services.

                                                                                          +Note

                                                                                          If you do not provide an App_Service name, the deprecated service will be removed from all newly created services.

                                                                                          -  +
                                                                                          -Note   -

                                                                                          You can separate multiple entries with a forward slash (/).

                                                                                          +Note

                                                                                          You can separate multiple entries with a forward slash (/).

                                                                                          -  +
                                                                                          @@ -203,7 +195,7 @@ The following table lists the known compatibility fixes for all Windows operatin - + @@ -218,11 +210,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -241,7 +232,7 @@ The following table lists the known compatibility fixes for all Windows operatin - + @@ -256,28 +247,26 @@ The following table lists the known compatibility fixes for all Windows operatin +

                                                                                          The fix changes the PathIsUNC function to return a value of True for UNC paths in Windows.

                                                                                          @@ -285,62 +274,58 @@ The following table lists the known compatibility fixes for all Windows operatin - + +

                                                                                          The fix counteracts the application's tries to obtain the shell desktop folder by invoking the AddRef() method on the Desktop folder, which is returned by the SHGetDesktopFolder function.

                                                                                          @@ -357,11 +342,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -370,7 +354,7 @@ The following table lists the known compatibility fixes for all Windows operatin - + @@ -394,7 +378,7 @@ The following table lists the known compatibility fixes for all Windows operatin +

                                                                                          The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory, and resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.

                                                                                          @@ -406,11 +390,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -422,11 +405,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -437,18 +419,16 @@ The following table lists the known compatibility fixes for all Windows operatin

                                                                                          Exception1;Exception2

                                                                                          Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.

                                                                                          -Important   -

                                                                                          You should use this compatibility fix only if you are certain that it is acceptable to ignore the exception. You might experience additional compatibility issues if you choose to incorrectly ignore an exception.

                                                                                          +Important

                                                                                          You should use this compatibility fix only if you are certain that it is acceptable to ignore the exception. You might experience additional compatibility issues if you choose to incorrectly ignore an exception.

                                                                                          -  +
                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the IgnoreException Fix](https://go.microsoft.com/fwlink/p/?LinkId=690344).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the IgnoreException Fix.

                                                                                          -  +
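Review bot: the hunk at @@ -437 rewrites the Note line so that `[Using the IgnoreException Fix](https://go.microsoft.com/fwlink/p/?LinkId=690344)` becomes the plain text "Using the IgnoreException Fix", dropping the link target; the same happens in the later hunks for RetryOpenSCManagerwithReadAccess (LinkId=690350), UIPIEnableCustomMsgs (LinkId=690365) and UIPIEnableStandardMsgs (LinkId=690367). If markdown links cannot be used inside these HTML table cells under markdig, convert them to `<a href="...">` anchors so the referenced fix documentation stays reachable.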
                                                                                          @@ -466,11 +446,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -484,7 +463,7 @@ The following table lists the known compatibility fixes for all Windows operatin - + @@ -495,11 +474,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -507,11 +485,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -532,11 +509,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -556,11 +532,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -579,12 +554,12 @@ The following table lists the known compatibility fixes for all Windows operatin - + +

                                                                                          The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.

                                                                                          @@ -596,10 +571,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -607,11 +582,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -624,11 +598,10 @@ The following table lists the known compatibility fixes for all Windows operatin
                                                                                        • SC_MANAGER_QUERY_LOCK_STATUS

                                                                                        • STANDARD_READ_RIGHTS

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the RetryOpenSCManagerwithReadAccess Fix](https://go.microsoft.com/fwlink/p/?LinkId=690350).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the RetryOpenSCManagerwithReadAccess Fix.

                                                                                          -  +
                                                                                        • @@ -637,11 +610,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -649,11 +621,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -661,11 +632,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -673,11 +643,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -687,20 +656,18 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -710,11 +677,10 @@ The following table lists the known compatibility fixes for all Windows operatin

                                                                                          Client;Protocol;App

                                                                                          Where the Client is the name of the email protocol, Protocol is mailto, and App is the name of the application.

                                                                                          -Note   -

                                                                                          Only the mail client and the mailto protocol are supported. You can separate multiple clients by using a backslash ().

                                                                                          +Note

                                                                                          Only the mail client and the mailto protocol are supported. You can separate multiple clients by using a backslash ().

                                                                                          -  +
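Review bot: the `+Note` line in the hunk at @@ -710 keeps "You can separate multiple clients by using a backslash ()." with the separator still missing, the same defect as in the hunk for the DLL flags entry; restore the `\` between the parentheses while this line is being rewritten.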
                                                                                          @@ -731,11 +697,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -756,11 +721,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -768,11 +732,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -799,11 +762,10 @@ The following table lists the known compatibility fixes for all Windows operatin

                                                                                          MessageString1 MessageString2

                                                                                          Where MessageString1 and MessageString2 reflect the message strings that can pass.

                                                                                          -Note   -

                                                                                          Multiple message strings must be separated by spaces. For more detailed information about this application fix, see [Using the UIPIEnableCustomMsgs Fix](https://go.microsoft.com/fwlink/p/?LinkId=690365).

                                                                                          +Note

                                                                                          Multiple message strings must be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableCustomMsgs Fix.

                                                                                          -  +
                                                                                          @@ -814,11 +776,10 @@ The following table lists the known compatibility fixes for all Windows operatin

                                                                                          1055 1056 1069

                                                                                          Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.

                                                                                          -Note   -

                                                                                          Multiple messages can be separated by spaces. For more detailed information about this application fix, see [Using the UIPIEnableStandardMsgs Fix [act]](https://go.microsoft.com/fwlink/p/?LinkId=690367).

                                                                                          +Note

                                                                                          Multiple messages can be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableStandardMsgs Fix [act].

                                                                                          -  +
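Review bot: the flattened reference in the `+` line, "see Using the UIPIEnableStandardMsgs Fix [act].", keeps the "[act]" suffix that belonged to the old link's display text; now that it is plain prose it reads as part of the document title and should be removed. As in the previous hunk, the target itself is gone, leaving the reference unresolvable.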
                                                                                          @@ -833,18 +794,17 @@ The following table lists the known compatibility fixes for all Windows operatin +

                                                                                          For more detailed information about this application fix, see Using the VirtualRegistry Fix.

                                                                                          @@ -853,17 +813,16 @@ The following table lists the known compatibility fixes for all Windows operatin

                                                                                          The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.

                                                                                          HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application is not elevated and is ignored if the application is elevated.

                                                                                          You typically will use this compatibility fix in conjunction with the VirtualizeRegisterTypeLib fix.

                                                                                          -

                                                                                          For more detailed information about this application fix, see [Using the VirtualizeHKCRLite Fix](https://go.microsoft.com/fwlink/p/?LinkId=690370).

                                                                                          +

                                                                                          For more detailed information about this application fix, see Using the VirtualizeHKCRLite Fix.
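Review bot: the context line "The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration." is ambiguous about what "(HKLM)" qualifies; since this row is being edited, state it directly: writes that would land in HKLM\Software\Classes are redirected to HKCU\Software\Classes, which is exactly the merge the next sentence ("HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories") describes. The `+` line's "see Using the VirtualizeHKCRLite Fix." again has no link target.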

                                                                                          @@ -887,13 +846,12 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -911,27 +869,25 @@ The following table lists the known compatibility fixes for all Windows operatin
                                                                                        • Type vbrun60.dll into the Module Name box, click Include, and then click Add.

                                                                                        • Save the custom database.

                                                                                          -Note   -

                                                                                          For more information about the WinXPSP2VersionLie application fix, see [Using the WinXPSP2VersionLie Fix](https://go.microsoft.com/fwlink/p/?LinkId=690374).

                                                                                          +Note

                                                                                          For more information about the WinXPSP2VersionLie application fix, see Using the WinXPSP2VersionLie Fix.

                                                                                          -  +
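Review bot: the `+Note` line "For more information about the WinXPSP2VersionLie application fix, see Using the WinXPSP2VersionLie Fix." is the reference for a multi-step procedure (the "Type vbrun60.dll into the Module Name box, click Include, and then click Add." and "Save the custom database." steps above it), so losing the target hurts more here than in a one-line row. Either restore a working link or fold the essential guidance into the steps themselves.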
                                                                                        • - @@ -939,11 +895,10 @@ The following table lists the known compatibility fixes for all Windows operatin @@ -953,12 +908,12 @@ The following table lists the known compatibility fixes for all Windows operatin - +

                                                                                          BIOSRead

                                                                                          This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.

                                                                                          -

                                                                                          The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the \\Device\Physical memory information..

                                                                                          This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.

                                                                                          +

                                                                                          The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the \Device\Physical memory information..
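Review bot: the `+` line still ends with a double period ("\Device\Physical memory information..") and splits the object name as "Physical memory", while the problem statement two lines above calls it "Device\PhysicalMemory". Since the line is being rewritten, name the object consistently as `\Device\PhysicalMemory` in a code span and finish with a single period. Changing `\\Device` to `\Device` is harmless in Markdown (a backslash before a letter is not an escape), but the code span removes the doubt.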

                                                                                          BlockRunasInteractiveUser

                                                                                          This problem occurs when InstallShield creates installers and uninstallers that fail to complete and that generate error messages or warnings.

                                                                                          The fix blocks InstallShield from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the BlockRunAsInteractiveUser Fix](https://go.microsoft.com/fwlink/p/?LinkId=690328).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the BlockRunAsInteractiveUser Fix.

                                                                                          -  +
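Review bot: the row name "BlockRunasInteractiveUser" and the `+` line's "see Using the BlockRunAsInteractiveUser Fix." disagree on the casing of "RunAs"; pick one so the row name matches the fix it documents. The context line "The fix blocks InstallShield from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights." also has a capitalized "Because" mid-sentence and no terminating period, worth fixing while the row is open.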

                                                                                          ChangeFolderPathToXPStyle

                                                                                          This fix is required when an application cannot return shell folder paths when it uses the SHGetFolder API.

                                                                                          -

                                                                                          The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.

                                                                                          ClearLastErrorStatusonIntializeCriticalSection

                                                                                          CopyHKCUSettingsFromOtherUsers

                                                                                          This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.

                                                                                          +

                                                                                          This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.

                                                                                          The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area.

                                                                                          You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: Software\MyCompany\Key1^Software\MyCompany\Key2.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the CopyHKCUSettingsFromOtherUsers Fix](https://go.microsoft.com/fwlink/p/?LinkId=690329).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the CopyHKCUSettingsFromOtherUsers Fix.

                                                                                          -  +
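Review bot: the `+` line "This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users." duplicates the context line directly under the CopyHKCUSettingsFromOtherUsers row name, so unless the earlier copy is the one being removed the rendered row will show the problem statement twice; check the rendered table. In the same region the "ClearLastErrorStatusonIntializeCriticalSection" row has no problem or fix text at all, and the "ChangeFolderPathToXPStyle" row's `-` line is blank, so confirm nothing was dropped in the move.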

                                                                                          The problem is indicated when an application tries to write files to the hard disk and is denied access or receives a file not found or path not found error message.

                                                                                          The fix modifies the file path names to point to a new location on the hard disk.

                                                                                          -Note   -

                                                                                          For more detailed information about the CorrectFilePaths application fix, see [Using the CorrectFilePaths Fix](https://go.microsoft.com/fwlink/p/?LinkId=690330). We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you are applying it to a setup installation file.

                                                                                          +Note

                                                                                          For more detailed information about the CorrectFilePaths application fix, see Using the CorrectFilePaths Fix. We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you are applying it to a setup installation file.

                                                                                          -  +

                                                                                          This problem occurs when an uninstalled application leaves behind files, directories, and links.

                                                                                          The fix corrects the file paths that are used by the uninstallation process of an application.

                                                                                          -Note   -

                                                                                          For more detailed information about this fix, see [Using the CorrectFilePathsUninstall Fix](https://go.microsoft.com/fwlink/p/?LinkId=690331). We recommend that you use this fix together with the CorrectFilePaths fix if you are applying it to a setup installation file.

                                                                                          +Note

                                                                                          For more detailed information about this fix, see Using the CorrectFilePathsUninstall Fix. We recommend that you use this fix together with the CorrectFilePaths fix if you are applying it to a setup installation file.

                                                                                          -  +

                                                                                          This problem occurs when you start an executable (.exe) and a taskbar item blinks instead of an elevation prompt being opened, or when the application does not provide a valid HWND value when it calls the ShellExecute(Ex) function.

                                                                                          The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.

                                                                                          -Note   -

                                                                                          For more detailed information about the CorrectShellExecuteHWND application fix, see [Using the CorrectShellExecuteHWND Fix](https://go.microsoft.com/fwlink/p/?LinkId=690332).

                                                                                          +Note

                                                                                          For more detailed information about the CorrectShellExecuteHWND application fix, see Using the CorrectShellExecuteHWND Fix.

                                                                                          -  +

                                                                                          DetectorDWM8And16Bit

                                                                                          This fix offeres mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8 .

                                                                                          This fix offeres mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8 .

                                                                                          Disable8And16BitD3D

                                                                                          The problem occurs when some objects are not drawn or object artifacts remain on the screen in an application.

                                                                                          The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the DisableDWM Fix]( https://go.microsoft.com/fwlink/p/?LinkId=690334).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the DisableDWM Fix.

                                                                                          -  +
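Review bot: the `+Note` line "see Using the DisableDWM Fix." sits under the row headed "Disable8And16BitD3D", but the description above it ("The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.") is DisableDWM's, so the DisableDWM row name is missing and the table is off by one row here. In the same region, "offeres" in the DetectorDWM8And16Bit lines should be "offers", and that row's problem and fix cells are the same sentence.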

                                                                                          DWM8And16BitMitigation

                                                                                          The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8.

                                                                                          The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8.

                                                                                          DXGICompat

                                                                                          The problem is indicated when installations, de-installations, or updates fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.

                                                                                          The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code will be returned unchanged.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the ElevateCreateProcess Fix](https://go.microsoft.com/fwlink/p/?LinkId=690335).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the ElevateCreateProcess Fix.

                                                                                          -  +
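Review bot: same row misalignment as above: the "DXGICompat" row name is immediately followed by the ERROR_ELEVATION_REQUIRED problem text and the `+` line "see Using the ElevateCreateProcess Fix.", so either DXGICompat has lost its description or the ElevateCreateProcess row name was dropped. It matters here because "The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation" describes a fix that re-issues a process launch with elevation on the application's behalf, and a reader needs to know which fix name does that before applying it to an installer.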

                                                                                          EmulateOldPathIsUNC

                                                                                          The problem occurs when an application fails because of an incorrect UNC path.

                                                                                          -

                                                                                          The fix changes the PathIsUNC function to return a value of True for UNC paths in Windows. 

                                                                                          EmulateGetDiskFreeSpace

                                                                                          The problem is indicated when an application fails to install or to run, and it generates an error message that there is not enough free disk space to install or use the application, even though there is enough free disk space to meet the application requirements.

                                                                                          -

                                                                                          The fix determines the amount of free space, so that if the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB, but if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual free space amount.

                                                                                          +

                                                                                          The fix determines the amount of free space, so that if the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB, but if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual free space amount.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the EmulateGetDiskFreeSpace Fix](https://go.microsoft.com/fwlink/p/?LinkId=690336).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the EmulateGetDiskFreeSpace Fix.

                                                                                          -  +
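Review bot: the removed and added lines beginning "The fix determines the amount of free space, so that if the amount of free space is larger than 2 GB..." are character-identical in this view, so the change is whitespace only. That is fine, but while the line is touched the sentence can be tightened to "The fix caps the free-space value it reports at 2 GB; when the actual free space is below 2 GB it returns the actual amount," which says the same thing in half the words.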

                                                                                          The problem occurs when an application experiences search functionality issues.

                                                                                          The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table.

                                                                                          -Note   -

                                                                                          For more detailed information about this e application fix, see [Using the EmulateSorting Fix](https://go.microsoft.com/fwlink/p/?LinkId=690337).

                                                                                          +Note

                                                                                          For more detailed information about this e application fix, see Using the EmulateSorting Fix.

                                                                                          -  +
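Review bot: the `+Note` line carries the typo over from the removed line, "For more detailed information about this e application fix"; drop the stray "e" since the line is being rewritten anyway. The row name (EmulateSorting) is also missing above "The problem occurs when an application experiences search functionality issues.", so check the row header in the rendered table.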

                                                                                          EmulateSortingWindows61

                                                                                          The fix emulates the sorting order of Windows 7 and Windows Server 2008 R2 for various APIs.

                                                                                          The fix emulates the sorting order of Windows 7 and Windows Server 2008 R2 for various APIs.

                                                                                          EnableRestarts

                                                                                          The problem is indicated when an application and computer appear to hang because processes cannot end to allow the computer to complete its restart processes.

                                                                                          The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the EnableRestarts Fix](https://go.microsoft.com/fwlink/p/?LinkId=690338).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the EnableRestarts Fix.

                                                                                          -  +
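Review bot: the context line "The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists." does not parse and misnames the privilege: SeShutdownPrivilege is a user-account privilege (the right to shut down the system), not a service privilege. Suggest "by checking that the process token holds SeShutdownPrivilege and enabling it", which is what "verifying and enabling" is trying to say. The `+Note` line below it is another flattened reference with no target.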

                                                                                          ExtraAddRefDesktopFolder

                                                                                          The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.

                                                                                          -

                                                                                          The fix counteracts the application's tries to obtain the shell desktop folder by invoking the AddRef() method on the Desktop folder, which is returned by the SHGetDesktopFolder function.

                                                                                          FailObsoleteShellAPIs

                                                                                          The problem occurs when an application fails because it generated deprecated API calls.

                                                                                          The fix either fully implements the obsolete functions or implements the obsolete functions with stubs that fail.

                                                                                          -Note   -

                                                                                          You can type FailAll=1 at the command prompt to suppress the function implementation and force all functions to fail.

                                                                                          +Note

                                                                                          You can type FailAll=1 at the command prompt to suppress the function implementation and force all functions to fail.

                                                                                          -  +
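Review bot: the `+Note` line repeats "You can type FailAll=1 at the command prompt to suppress the function implementation and force all functions to fail.", which misdescribes where the parameter goes: FailAll=1 is a command-line parameter of the fix itself, set in the fix's parameters when the fix is applied, not something typed into a console. The FailRemoveDirectory row below already describes the same mechanism as "the path specified in the shim command-line"; use one term for both rows and reword this one accordingly.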

                                                                                          FailRemoveDirectory

                                                                                          The problem occurs when an application uninstallation process does not remove all of the application files and folders.

                                                                                          -

                                                                                          This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command-line.  Only a single path is supported.  The path can contain environment variables, but must be an exact path – no partial paths are supported.

                                                                                          +

                                                                                          This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command-line. Only a single path is supported. The path can contain environment variables, but must be an exact path – no partial paths are supported.

                                                                                          The fix can resolve an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.

                                                                                          FakeLunaTheme

                                                                                          The problem occurs when a theme application does not properly display: the colors are washed out or the user interface is not detailed.

                                                                                          -

                                                                                          The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme, (Luna).

                                                                                          +

                                                                                          The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme, (Luna).

                                                                                          -Note   -

                                                                                          For more detailed information about the FakeLunaTheme application fix, see [Using the FakeLunaTheme Fix](https://go.microsoft.com/fwlink/p/?LinkId=690339).

                                                                                          +Note

                                                                                          For more detailed information about the FakeLunaTheme application fix, see Using the FakeLunaTheme Fix.

                                                                                          -  +

                                                                                          The problem occurs when an application fails to function during an explicit administrator check.

                                                                                          The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the ForceAdminAccess Fix](https://go.microsoft.com/fwlink/p/?LinkId=690342).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the ForceAdminAccess Fix.

                                                                                          -  +
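Review bot: once the `+Note` line removes the link, "The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check." is the whole description, and it can be read as granting rights. Say plainly that the fix only changes the answer the application gets from its own group-membership check and adds no privileges to the token, so operations that genuinely need administrator rights still fail; that is what "returning a value of True during the administrator check" implies, but a reader skimming the table will miss it. The row name (ForceAdminAccess) is also missing above the problem text.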

                                                                                          ForceLoadMirrorDrvMitigation

                                                                                          The fix loads the Windows 8 mirror driver mitigation for applications where the mitigation is not automatically applied.

                                                                                          The fix loads the Windows 8 mirror driver mitigation for applications where the mitigation is not automatically applied.

                                                                                          FreestyleBMX

                                                                                          HandleMarkedContentNotIndexed

                                                                                          The problem is indicated by an application that fails when it changes an attribute on a file or directory.

                                                                                          -

                                                                                          The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory, and resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.

                                                                                          HeapClearAllocation

                                                                                          The problem occurs when an application fails to function when special key combinations are used.

                                                                                          The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the IgnoreAltTab Fix](https://go.microsoft.com/fwlink/p/?LinkId=690343).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the IgnoreAltTab Fix.
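Review bot: Replacing the link with plain text leaves "see Using the IgnoreAltTab Fix." pointing at nothing, so readers can no longer reach the topic the note exists to send them to. If the go.microsoft.com fwlink redirects are being retired, swap in a working target (for example a relative link to the topic in this docset) instead of stripping the markup. The same applies to every other "+Note ... see Using the ... Fix" replacement in this file, from IgnoreMessageBox through WRPMitigation.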

                                                                                          -  +

                                                                                          The problem is indicated by a read or access violation error message that displays when an application tries to find or open files.

                                                                                          The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW and FindFirstFileA APIs to prevent them from returning directory junctions.

                                                                                          -Note   -

                                                                                          Symbolic links appear starting in Windows Vista.

                                                                                          +Note

                                                                                          Symbolic links appear starting in Windows Vista.

                                                                                          -  +

                                                                                          The problem is indicated by a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.

                                                                                          The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the IgnoreMessageBox Fix](https://go.microsoft.com/fwlink/p/?LinkId=690345).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the IgnoreMessageBox Fix.

                                                                                          -  +

                                                                                          InstallComponent

                                                                                          The fix prompts the user to install.Net 3.5 or .Net 2.0 because .Net is not included with Windows 8.

                                                                                          The fix prompts the user to install.Net 3.5 or .Net 2.0 because .Net is not included with Windows 8.

                                                                                          LoadLibraryRedirect

                                                                                          The problem occurs when an application unsuccessfully tries to create an object in the Global namespace.

                                                                                          The fix intercepts the function call to create the object and replaces the word Global with Local.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the LocalMappedObject Fix](https://go.microsoft.com/fwlink/p/?LinkId=690346).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the LocalMappedObject Fix.

                                                                                          -  +

                                                                                          The problem is indicated when an application fails to uninstall because of access-related errors.

                                                                                          The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installation, thereby enabling the uninstallation to occur later.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the MakeShortcutRunas Fix]( https://go.microsoft.com/fwlink/p/?LinkId=690347)

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the MakeShortcutRunas Fix
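Review bot: The added line is missing its terminating period ("see Using the MakeShortcutRunas Fix"), unlike the equivalent lines for the other fixes; add it while the line is being touched.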

                                                                                          -  +

                                                                                          The problem is indicated by an error message that states that you do not have the appropriate permissions to access the application.

                                                                                          The fix reduces the security privilege levels on a specified set of files and folders.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the OpenDirectoryACL Fix](https://go.microsoft.com/fwlink/p/?LinkId=690348).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the OpenDirectoryACL Fix.

                                                                                          -  +

                                                                                          The problem is indicated by an Unhandled Exception error message because the application tried to read the process performance data registry value to determine if another instance of the application is running.

                                                                                          The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it is the only instance running.

                                                                                          -Note   -

                                                                                          This issue seems to occur most frequently with .NET applications.

                                                                                          +Note

                                                                                          This issue seems to occur most frequently with .NET applications.

                                                                                          -  +

                                                                                          RedirectCRTTempFile

                                                                                          The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume, thereby redirecting the calls to a temporary file in the user's temporary directory.

                                                                                          The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume, thereby redirecting the calls to a temporary file in the user's temporary directory.

                                                                                          RedirectHKCUKeys

                                                                                          The problem occurs when an application cannot be accessed because of User Account Control (UAC) restrictions.

                                                                                          -

                                                                                          The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.

                                                                                          RedirectMP3Codec

                                                                                          The problem occurs when an application cannot be accessed by its shortcut, or application shortcuts are not removed during the application uninstallation process.

                                                                                          The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.

                                                                                            -
                                                                                          • Start Menu shortcuts: Appear in the \\ProgramData\Microsoft\Windows\Start Menu directory for all users.

                                                                                          • -
                                                                                          • Desktop or Quick Launch shortcuts:You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.

                                                                                          • +
                                                                                          • Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.

                                                                                          • +
                                                                                          • Desktop or Quick Launch shortcuts:You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.

                                                                                          -

                                                                                          This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user cannot access the shortcuts.

                                                                                          +

                                                                                          This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user cannot access the shortcuts.

                                                                                          You cannot apply this fix to an .exe file that includes a manifest and provides a runlevel.
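Review bot: Changing `\\ProgramData\Microsoft\Windows\Start Menu` to a single leading backslash changes what Markdown is asked to render (`\\` is the escape for one literal backslash), so confirm the published page still shows the full path with its backslashes. The added Desktop/Quick Launch bullet also carries forward the missing space in "shortcuts:You"; fix it here rather than copying it into the new line.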

                                                                                          The problem occurs when installers, uninstallers, or updaters fail when they are started from a host application.

                                                                                          The fix enables a child .exe file to run with elevated privileges when it is difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the RelaunchElevated Fix](https://go.microsoft.com/fwlink/p/?LinkId=690349).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the RelaunchElevated Fix.

                                                                                          -  +

                                                                                          The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays.

                                                                                          The fix retries the OpenService() API call and verifies that the user has Administrator rights, is not a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this to work

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the RetryOpenServiceWithReadAccess Fix](https://go.microsoft.com/fwlink/p/?LinkId=690351).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the RetryOpenServiceWithReadAccess Fix.

                                                                                          -  +

                                                                                          The problem occurs when an application fails to function by using the Standard User or Protected Administrator account.

                                                                                          The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the RunAsAdmin Fix](https://go.microsoft.com/fwlink/p/?LinkId=690353).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the RunAsAdmin Fix.

                                                                                          -  +

                                                                                          The problem occurs when administrators cannot view the read/write version of an application that presents a read-only view to standard users.

                                                                                          The fix enables the application to run by using the highest available permissions. This is the equivalent of specifying highestAvailable in an application manifest.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the RunAsHighest Fix](https://go.microsoft.com/fwlink/p/?LinkId=690355).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the RunAsHighest Fix.

                                                                                          -  +

                                                                                          The problem occurs when an application is not detected as requiring elevation.

                                                                                          The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This is the equivalent of specifying asInvoker in an application manifest.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the RunAsInvoker Fix](https://go.microsoft.com/fwlink/p/?LinkId=690356).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the RunAsInvoker Fix.

                                                                                          -  +

                                                                                          SessionShim

                                                                                          The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.

                                                                                          -

                                                                                          At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (\). Or, you can choose not to include any parameters, so that all of the objects are modified.

                                                                                          +

                                                                                          At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.
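Review bot: The added line loses the separator character entirely: "separating the values by a double backslash ()" now has empty parentheses, so the reader cannot tell what to type at the command prompt. Put the backslashes in a code span (or escape them) so the renderer keeps them, rather than deleting the character from the source.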

                                                                                          -Important   -

                                                                                          Users cannot log in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.

                                                                                          +Important

                                                                                          Users cannot log in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.

                                                                                          -  +
                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the SessionShim Fix](https://go.microsoft.com/fwlink/p/?LinkId=690358).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the SessionShim Fix.

                                                                                          -  +

                                                                                          The problem occurs when an application fails, even after applying acompatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.

                                                                                          The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.

                                                                                          -Note   -

                                                                                          For more information about this application fix, see [Using the ShimViaEAT Fix](https://go.microsoft.com/fwlink/p/?LinkId=690359).

                                                                                          +Note

                                                                                          For more information about this application fix, see Using the ShimViaEAT Fix.

                                                                                          -  +

                                                                                          The problem occurs when an application installation file fails to be picked up by the GenericInstaller function.

                                                                                          The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the SpecificInstaller Fix]( https://go.microsoft.com/fwlink/p/?LinkId=690361).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the SpecificInstaller Fix.

                                                                                          -  +

                                                                                          The problem occurs when an application that is not an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.

                                                                                          The fix flags the application to exclude it from detection by the GenericInstaller function.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the SpecificNonInstaller Fix](https://go.microsoft.com/fwlink/p/?LinkId=690363).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the SpecificNonInstaller Fix.

                                                                                          -  +

                                                                                          VirtualRegistry

                                                                                          The problem is indicated when a Component failed to be located error message displays when an application is started.

                                                                                          The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.

                                                                                          -

                                                                                          For more detailed information about this application fix, see [Using the VirtualRegistry Fix](https://go.microsoft.com/fwlink/p/?LinkId=690368).

                                                                                          VirtualizeDeleteFile

                                                                                          The problem occurs when several error messages display and the application cannot delete files.

                                                                                          -

                                                                                          The fix makes the application's DeleteFile function call a virtual call in an effort to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.

                                                                                          +

                                                                                          The fix makes the application's DeleteFile function call a virtual call in an effort to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the VirtualizeDeleteFile Fix](https://go.microsoft.com/fwlink/p/?LinkId=690369).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the VirtualizeDeleteFile Fix.

                                                                                          -  +

                                                                                          VirtualizeRegisterTypeLib

                                                                                          The fix, when it is used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the VirtualizeRegisterTypelib Fix](https://go.microsoft.com/fwlink/p/?LinkId=690371).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the VirtualizeRegisterTypelib Fix.

                                                                                          -  +

                                                                                          Wing32SystoSys32

                                                                                          The problem is indicated by an error message that states that the WinG library was not properly installed.

                                                                                          -

                                                                                          The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.

                                                                                          +

                                                                                          The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.
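Review bot: The stray space in "%WINDIR% \system32" survives into the added line; the directory is %WINDIR%\system32, and the space should be removed while this line is being rewritten.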

                                                                                          -Important   -

                                                                                          The application must have Administrator privileges for this fix to work.

                                                                                          +Important

                                                                                          The application must have Administrator privileges for this fix to work.

                                                                                          -  +

                                                                                          WRPDllRegister

                                                                                          The application fails when it tries to register a COM component that is released together with Windows Vista and later.

                                                                                          +

                                                                                          The application fails when it tries to register a COM component that is released together with Windows Vista and later.

                                                                                          The fix skips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.

                                                                                          You can control this fix further by typing the following command at the command prompt:

                                                                                          Component1.dll;Component2.dll

                                                                                          Where Component1.dll and Component2.dll reflect the components to be skipped.

                                                                                          -Note   -

                                                                                          For more detailed information about this application fix, see [Using the WRPDllRegister Fix](https://go.microsoft.com/fwlink/p/?LinkId=690375).

                                                                                          +Note

                                                                                          For more detailed information about this application fix, see Using the WRPDllRegister Fix.

                                                                                          -  +

                                                                                          The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.

                                                                                          The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue.

                                                                                          -Note   -

                                                                                          For more detailed information about WRPMitigation, see [Using the WRPMitigation Fix](https://go.microsoft.com/fwlink/p/?LinkId=690376).

                                                                                          +Note

                                                                                          For more detailed information about WRPMitigation, see Using the WRPMitigation Fix.

                                                                                          -  +

                                                                                          XPAfxIsValidAddress

                                                                                          The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.

                                                                                          The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.

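Review bot: The two Note paragraphs in this hunk lose their links rather than just their trailing whitespace: `[Using the WRPDllRegister Fix](https://go.microsoft.com/fwlink/p/?LinkId=690375)` and `[Using the WRPMitigation Fix](https://go.microsoft.com/fwlink/p/?LinkId=690376)` come back as bare text in the `+` lines, so the reader can no longer reach the detailed fix documentation the sentence points to. If the intent is only to drop the non-breaking spaces after "Note", keep the link markup and remove only the whitespace.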
                                                                                          -  + ## Compatibility Modes @@ -981,7 +936,7 @@ The following table lists the known compatibility modes.

                                                                                          WinSrv03

                                                                                          -

                                                                                          Emulates the Windows Server 2003 operating system.

                                                                                          +

                                                                                          Emulates the Windows Server 2003 operating system.

                                                                                          • Win2k3RTMVersionLie

                                                                                          • VirtualRegistry

                                                                                          • @@ -999,7 +954,7 @@ The following table lists the known compatibility modes.

                                                                                            WinSrv03Sp1

                                                                                            -

                                                                                            Emulates the Windows Server 2003 with Service Pack 1 (SP1) operating system.

                                                                                            +

                                                                                            Emulates the Windows Server 2003 with Service Pack 1 (SP1) operating system.

                                                                                            • Win2K3SP1VersionLie

                                                                                            • VirtualRegistry

                                                                                            • diff --git a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md index 1542888932..e3aeb700b4 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md @@ -31,7 +31,7 @@ The Compatibility Administrator tool uses the term *fix* to describe the combina **Important**   Fixes apply to a single application only; therefore, you must create multiple fixes if you need to fix the same issue in multiple applications. -  + ## What is a Compatibility Fix? @@ -46,7 +46,7 @@ The Compatibility Administrator tool has preloaded fixes for many common applica **Important**   Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. -  + **To search for an existing application** @@ -76,9 +76,9 @@ If you are unable to find a preloaded compatibility fix for your application, yo ## Related topics [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) -  + -  + diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md index 7d2586a8cc..ad677faf01 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md 
@@ -19,12 +19,12 @@ ms.topic: article **Applies to** -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 Windows® provides several *compatibility modes*, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases. @@ -38,10 +38,10 @@ A compatibility mode is a group of compatibility fixes. A compatibility fix, pre The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility mode, you can search for an existing application and then copy and paste the known fixes into your custom database. -**Important**   +**Important** Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. -  + **To search for an existing application** @@ -54,10 +54,10 @@ Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version o If you are unable to find a preloaded compatibility mode for your application, you can create a new one for use by your custom database. -**Important**   +**Important** A compatibility mode includes a set of compatibility fixes and must be deployed as a group. Therefore, you should include only fixes that you intend to deploy together to the database. -  + **To create a new compatibility mode** 
@@ -67,23 +67,25 @@ A compatibility mode includes a set of compatibility fixes and must be deployed 3. Select each of the available compatibility fixes to include in your custom-compatibility mode and then click **>**. - **Important**   + **Important** If you are unsure which compatibility fixes to add, you can click **Copy Mode**. The **Select Compatibility Mode** dialog box appears and enables you to select from the preloaded compatibility modes. After you select a compatibility mode and click **OK**, any compatibility fixes that are included in the preloaded compatibility mode will be automatically added to your custom-compatibility mode. -   - If you have any compatibility fixes that require additional parameters, you can select the fix, and then click **Parameters**. The **Options for <Compatibility\_Fix\_Name>** dialog box appears, enabling you to update the parameter fields. -4. After you are done selecting the compatibility fixes to include, click **OK**. +~~~ +If you have any compatibility fixes that require additional parameters, you can select the fix, and then click **Parameters**. The **Options for <Compatibility\_Fix\_Name>** dialog box appears, enabling you to update the parameter fields. +~~~ - The compatibility mode is added to your custom database. +4. After you are done selecting the compatibility fixes to include, click **OK**. + + The compatibility mode is added to your custom database. ## Related topics [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) -  - -  + + + diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md index 11ed5b2016..978794b523 100644 --- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md 
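Review bot: Wrapping the "If you have any compatibility fixes that require additional parameters ..." paragraph in `~~~` fences under step 3 turns an explanatory note into a fenced code block: it will render in monospace, the `**Parameters**` and `**Options for <Compatibility\_Fix\_Name>**` emphasis and the backslash escapes will appear literally, and the paragraph falls out of the numbered list's indentation. Keep it as indented prose under step 3, as the removed `-` line had it, and leave the `<...>` placeholder escaped as before.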
@@ -43,7 +43,7 @@ The Compatibility Administrator tool has preloaded fixes for many common applica **Important**   Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. -  + **To search for an existing application** diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index ab02ada4c2..ecd53deb4e 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -29,7 +29,7 @@ From the start, Windows To Go was designed to minimize differences between the u **Note**   Windows To Go does not support operating system upgrades. Windows To Go is designed as a feature that is managed centrally. IT departments that plan to transition from one operating system version to a later version will need to incorporate re-imaging their existing Windows To Go drives as part of their upgrade deployment process. -  + The following sections discuss the boot experience, deployment methods, and tools that you can use with Windows To Go. 
@@ -65,7 +65,7 @@ When the Windows To Go workspace is going to be used first on an off-premises co **Tip**   Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](https://go.microsoft.com/fwlink/p/?LinkId=619076). -  + DirectAccess can be used to ensure that the user can login with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](https://go.microsoft.com/fwlink/p/?LinkId=619077) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=619078). If you do not want to use DirectAccess as an alternative users could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network. @@ -80,7 +80,7 @@ The simplest way to provision a Windows To Go drive is to use the Windows To Go **Tip**   When you create your Windows To Go image use sysprep /generalize, just as you do when you deploy Windows 10 to a standard PC. In fact, if appropriate, use the same image for both deployments. -  + **Driver considerations** @@ -162,28 +162,28 @@ The following list of commonly used Wi-Fi network adapters that are not supporte

                                                                                              Marvell

                                                                                              Yukon 88E8001/8003/8010 PCI Gigabit Ethernet

                                                                                              pci\ven_11ab&dev_4320&subsys_811a1043

                                                                                              -

                                                                                              [32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619080)

                                                                                              -

                                                                                              [64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619082)

                                                                                              +

                                                                                              32-bit driver

                                                                                              +

                                                                                              64-bit driver

                                                                                              Marvell

                                                                                              Libertas 802.11b/g Wireless

                                                                                              pci\ven_11ab&dev_1faa&subsys_6b001385&rev_03

                                                                                              -

                                                                                              [32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619128)

                                                                                              -

                                                                                              [64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619129)

                                                                                              +

                                                                                              32-bit driver

                                                                                              +

                                                                                              64-bit driver

                                                                                              Qualcomm

                                                                                              Atheros AR6004 Wireless LAN Adapter

                                                                                              sd\vid_0271&pid_0401

                                                                                              -

                                                                                              [32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619086)

                                                                                              +

                                                                                              32-bit driver

                                                                                              64-bit driver not available

                                                                                              Qualcomm

                                                                                              Atheros AR5BWB222 Wireless Network Adapter

                                                                                              pci\ven_168c&dev_0034&subsys_20031a56

                                                                                              -

                                                                                              [32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619348)

                                                                                              +

                                                                                              32-bit driver

                                                                                              64-bit driver not available

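Review bot: The driver download links in this table hunk are removed rather than reformatted: for the Marvell Yukon row `[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619080)` becomes the bare text `32-bit driver`, and the same happens for the Marvell Libertas and both Qualcomm Atheros rows. The table then names drivers an administrator has no way to fetch, which defeats the purpose of the list. Restore the link syntax using the LinkId values shown in the `-` lines; if the goal is whitespace cleanup, only the surrounding blank lines should change.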
                                                                                              @@ -196,41 +196,41 @@ The following list of commonly used Wi-Fi network adapters that are not supporte

                                                                                              Qualcomm

                                                                                              Atheros AR5005G Wireless Network Adapter

                                                                                              pci\ven_168c&dev_001a&subsys_04181468&rev_01

                                                                                              -

                                                                                              [32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619349)

                                                                                              -

                                                                                              [64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619091)

                                                                                              +

                                                                                              32-bit driver

                                                                                              +

                                                                                              64-bit driver

                                                                                              Ralink

                                                                                              Wireless-G PCI Adapter

                                                                                              pci\ven_1814&dev_0301&subsys_00551737&rev_00

                                                                                              -

                                                                                              [32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619092)

                                                                                              -

                                                                                              [64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619093)

                                                                                              +

                                                                                              32-bit driver

                                                                                              +

                                                                                              64-bit driver

                                                                                              Ralink

                                                                                              Turbo Wireless LAN Card

                                                                                              pci\ven_1814&dev_0301&subsys_25611814&rev_00

                                                                                              -

                                                                                              [32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619094)

                                                                                              -

                                                                                              [64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619095)

                                                                                              +

                                                                                              32-bit driver

                                                                                              +

                                                                                              64-bit driver

                                                                                              Ralink

                                                                                              Wireless LAN Card V1

                                                                                              pci\ven_1814&dev_0302&subsys_3a711186&rev_00

                                                                                              -

                                                                                              [32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619097)

                                                                                              -

                                                                                              [64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619098)

                                                                                              +

                                                                                              32-bit driver

                                                                                              +

                                                                                              64-bit driver

                                                                                              Ralink

                                                                                              D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)

                                                                                              pci\ven_1814&dev_0302&subsys_3c091186&rev_00

                                                                                              -

                                                                                              [32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619099)

                                                                                              -

                                                                                              [64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619100)

                                                                                              +

                                                                                              32-bit driver

                                                                                              +

                                                                                              64-bit driver

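Review bot: Same regression as the previous table hunk for the Qualcomm Atheros AR5005G row and all five Ralink rows: the `[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619349)` / `[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619091)` markup and its Ralink counterparts are flattened to plain text in the `+` lines. Keep the links with the LinkId values from the `-` lines so the driver table stays actionable.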
                                                                                              -  + IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=619079). @@ -253,7 +253,7 @@ The use of the Store on Windows To Go workspaces that are running Windows 8 can **Important**   For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port. -   + - **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace** @@ -268,7 +268,7 @@ The use of the Store on Windows To Go workspaces that are running Windows 8 can **Important**   Enabling this policy setting will cause PCs running Windows to attempt to boot from any USB device that is inserted into the PC before it is started. -   + ## Supporting booting from USB 
@@ -278,7 +278,7 @@ The biggest hurdle for a user wanting to use Windows To Go is configuring their **Note**   Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options. -  + If you are going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951). @@ -311,7 +311,7 @@ Windows To Go Startup Options is a setting available on Windows 10-based PCs th **Tip**   If your computer is part of a domain, the Group Policy setting can be used to enable the startup options instead of the dialog. -   + 3. Click **Save Changes**. If the User Account Control dialog box is displayed, confirm that the action it displays is what you want, and then click **Yes**. @@ -330,9 +330,9 @@ If you choose to not use the Windows To Go startup options or are using a PC run [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) -  + -  + diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md index 5868818c6e..97329b8201 100644 --- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md +++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md 
@@ -36,7 +36,7 @@ Customized compatibility databases can become quite complex as you add your fixe **Important**   Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications. -  + **To disable a compatibility fix within a database** @@ -49,7 +49,7 @@ Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version o **Important**   When you disable an entry, it will remain disabled even if you do not save the database file. -   + ## Enabling Compatibility Fixes diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md index d72145b877..cc28f2ebb0 100644 --- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md +++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md @@ -35,7 +35,7 @@ Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version o In addition, you must deploy your databases to your organization’s computers before the included fixes will have any effect on the application issue. For more information about deploying your database, see [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md). -  + ## Installing a Custom Database diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md index f68b7a8cf9..086ada5b3c 100644 
--- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md @@ -44,21 +44,21 @@ This section provides information about managing your application-compatibility -

                                                                                              [Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md)

                                                                                              +

                                                                                              Understanding and Using Compatibility Fixes

                                                                                              As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.

                                                                                              -

                                                                                              [Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md)

                                                                                              +

                                                                                              Compatibility Fix Database Management Strategies and Deployment

                                                                                              After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches:

                                                                                              -

                                                                                              [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)

                                                                                              +

                                                                                              Testing Your Application Mitigation Packages

                                                                                              This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.

                                                                                              -  + ## Related topics [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index 3b2d43a3e3..c0111f5cee 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md @@ -61,7 +61,7 @@ The following scenarios are examples of situations in which Windows To Go worksp **Note**   If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace’s computer object is not potentially deleted from Active Directory Domain Services (AD DS). -  + ## Infrastructure considerations @@ -80,7 +80,7 @@ You should investigate other software manufacturer’s licensing requirements to **Note**   Using Multiple Activation Key (MAK) activation is not a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive. -  + See [Plan for Volume Activation](https://go.microsoft.com/fwlink/p/?LinkId=618923) for more information about these activation methods and how they can be used in your organization. @@ -121,9 +121,9 @@ If you want Windows To Go to be able to connect back to organizational resources [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) -  + -  + 
diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md index 85365d1d66..d9d1e66b3a 100644 --- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md +++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md @@ -36,7 +36,7 @@ The **Query Compatibility Databases** tool provides additional search options. F **Important**   You must perform your search with the correct version of the Compatibility Administrator tool. If you are searching for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. If you are searching for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. -  + **To search for previous fixes** @@ -69,9 +69,9 @@ You can export your search results to a text (.txt) file for later review or arc ## Related topics [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) -  + -  + diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md index f6ccec9399..6b62b5378a 100644 --- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md +++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md 
@@ -33,7 +33,7 @@ For information about the Search feature, see [Searching for Fixed Applications **Important**   You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. -  + ## Querying by Using the Program Properties Tab @@ -65,7 +65,7 @@ You can use the **Program Properties** tab of the Query tool to search for any c **Important**   If you do not select any of the check boxes, the search will look for all types of compatibility fixes. Do not select multiple check boxes because only applications that match all of the requirements will appear. -   + 6. Click **Find Now**. @@ -89,14 +89,14 @@ You can use the **Fix Properties** tab of the Query tool to search for any appli **Note**   You can use the percent (%) symbol as a wildcard in your fix-properties query, as a substitute for any string of zero or more characters. -   + 5. Select the check box for either **Search in Compatibility Fixes** or **Search in Compatibility Modes**. **Important**   Your text must match the type of compatibility fix or mode for which you are performing the query. For example, entering the name of a compatibility fix and selecting the compatibility mode check box will not return any results. Additionally, if you select both check boxes, the query will search for the fix by compatibility mode and compatibility fix. Only applications that match both requirements appear. -   + 6. Click **Find Now**. 
@@ -120,7 +120,7 @@ You can use the **Fix Description** tab of the Query tool to add parameters that **Important**   You cannot use wildcards as part of the Fix Description search query because the default behavior is to search for any entry that meets your search criteria. -   + 5. Refine your search by selecting **Match any word** or **Match all words** from the drop-down list. @@ -173,9 +173,9 @@ You can export any of your search results into a tab-delimited text (.txt) file ## Related topics [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) -  + -  + diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index e3becc39f5..669dea7590 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -43,7 +43,7 @@ You can enable BitLocker while using the Windows To Go Creator wizard as part of **Tip**   If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.md#wtg-faq-blfail) -  + If you are using a host computer running Windows 7 that has BitLocker enabled, you should suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker is not suspended first, the next time the computer is started it will boot into recovery mode. @@ -76,9 +76,9 @@ Windows to Go is a core capability of Windows when it is deployed on the drive a [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) -  + -  + diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md index 1b87fc05a5..7a6dceac00 100644 
--- a/windows/deployment/planning/sua-users-guide.md +++ b/windows/deployment/planning/sua-users-guide.md @@ -50,18 +50,18 @@ You can use SUA in either of the following ways: -

                                                                                              [Using the SUA Wizard](using-the-sua-wizard.md)

                                                                                              +

                                                                                              Using the SUA Wizard

                                                                                              The Standard User Analyzer (SUA) Wizard works much like the SUA tool to evaluate User Account Control (UAC) issues. However, the SUA Wizard does not offer detailed analysis, and it cannot disable virtualization or elevate your permissions.

                                                                                              -

                                                                                              [Using the SUA Tool](using-the-sua-tool.md)

                                                                                              +

                                                                                              Using the SUA Tool

                                                                                              By using the Standard User Analyzer (SUA) tool, you can test your applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.

                                                                                              -  + -  + diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md index ad8ce5dc4d..3c9115ff8a 100644 --- a/windows/deployment/planning/testing-your-application-mitigation-packages.md +++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md @@ -74,7 +74,7 @@ At this point, you probably cannot resolve any unresolved application compatibil **Note**   For more information about using Compatibility Administrator to apply compatibility fixes and compatibility modes, see [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md). -   + - Run the application in a virtual environment. diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md index cf76b98809..4444a1eef2 100644 --- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md +++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md @@ -44,7 +44,7 @@ Specifically, the process modifies the address of the affected Windows function **Note**   For statically linked DLLs, the code redirection occurs as the application loads. You can also fix dynamically linked DLLs by hooking into the GetProcAddress API. -  + ## Design Implications of the Compatibility Fix Infrastructure @@ -60,7 +60,7 @@ There are important considerations to keep in mind when determining your applica **Note**   Some antivirus, firewall, and anti-spyware code runs in kernel mode. -   + ## Determining When to Use a Compatibility Fix diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md index 436060df07..8268db9a1c 100644 
--- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md +++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md @@ -44,49 +44,49 @@ This section provides information about using the Compatibility Administrator to -

                                                                                              [Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md)

                                                                                              +

                                                                                              Available Data Types and Operators in Compatibility Administrator

                                                                                              The Compatibility Administrator tool provides a way to query your custom-compatibility databases.

                                                                                              -

                                                                                              [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md)

                                                                                              +

                                                                                              Searching for Fixed Applications in Compatibility Administrator

                                                                                              With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application.

                                                                                              -

                                                                                              [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)

                                                                                              +

                                                                                              Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator

                                                                                              You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.

                                                                                              -

                                                                                              [Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md)

                                                                                              +

                                                                                              Creating a Custom Compatibility Fix in Compatibility Administrator

                                                                                              The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages.

                                                                                              -

                                                                                              [Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)

                                                                                              +

                                                                                              Creating a Custom Compatibility Mode in Compatibility Administrator

                                                                                              Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.

                                                                                              -

                                                                                              [Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md)

                                                                                              +

                                                                                              Creating an AppHelp Message in Compatibility Administrator

                                                                                              The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system.

                                                                                              -

                                                                                              [Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md)

                                                                                              +

                                                                                              Viewing the Events Screen in Compatibility Administrator

                                                                                              The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.

                                                                                              -

                                                                                              [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)

                                                                                              +

                                                                                              Enabling and Disabling Compatibility Fixes in Compatibility Administrator

                                                                                              You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.

                                                                                              -

                                                                                              [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)

                                                                                              +

                                                                                              Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator

                                                                                              The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.

                                                                                              -  + -  + -  + diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md index 040377af8a..b0cc6e3517 100644 --- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md +++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md @@ -31,7 +31,7 @@ The **Events** screen enables you to record and to view your activities in the C **Important**   The **Events** screen only records your activities when the screen is open. If you perform an action before opening the **Events** screen, the action will not appear in the list. -  + **To open the Events screen** @@ -49,9 +49,9 @@ If you open the **Events** screen and then perform the copy operation, you can s [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) -  + -  + diff --git a/windows/deployment/planning/windows-10-1903-removed-features.md b/windows/deployment/planning/windows-10-1903-removed-features.md index 92ba071002..7bd3264aa0 100644 --- a/windows/deployment/planning/windows-10-1903-removed-features.md +++ b/windows/deployment/planning/windows-10-1903-removed-features.md 
@@ -21,10 +21,11 @@ Each version of Windows 10 adds new features and functionality; occasionally we The following features and functionalities are removed from the installed product image for Windows 10, version 1903, or are planned for removal in an upcoming release. Applications or code that depend on these features won't function in this release unless you use another method. -|Feature |Details| -|-----------|--------------------|--------- -|XDDM-based remote display driver|Starting with this release the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote indirect display driver ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). -| Desktop messaging app doesn't offer messages sync| The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. 
| + +| Feature | Details | +|---------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| XDDM-based remote display driver | Starting with this release the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote indirect display driver ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | +| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | ## Features we’re no longer developing 
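Review bot: the rewritten "XDDM-based remote display driver" row still carries the run-on "For more information on implementing remote indirect display driver ISVs can reach out to ...", which needs a comma after "driver" or a rewording such as "ISVs that need more information on implementing a remote indirect display driver can contact ..."; since the whole row is being replaced in this hunk, fix the sentence here rather than in a follow-up. The separator change itself is right: the old `|-----------|--------------------|---------` declared three columns for a two-column table, which is why the table did not render, and the new two-segment separator matches the header.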
@@ -32,7 +33,7 @@ We're no longer actively developing these features and may remove them from a fu If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). -|Feature |Details| +|Feature |Details| |-----------|---------------------| | Taskbar settings roaming| Roaming of taskbar settings is no longer being developed and we plan to disable this capability in a future release| |Wi-Fi WEP and TKIP|In this release a warning message will appear when connecting to Wi-Fi networks secured with WEP or TKIP, which are not as secure as those using WPA2 or WPA3. In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md index 5134fe18c6..ad2f37a743 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md @@ -183,7 +183,7 @@ In the **Windows To Go Startup Options** dialog box select **Yes** and then clic **Note**   Your IT department can use Group Policy to configure Windows To Go Startup Options in your organization. -  + If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. 
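Review bot: the unchanged context line at the end of the `@@ -183,7 +183,7 @@` hunk in windows-to-go-frequently-asked-questions.md reads "If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually.", which is missing its subject; suggest "..., you need to configure the computer to boot from USB manually." While this hunk only swaps the non-breaking-space spacer for an empty line, it touches this paragraph, so the sentence should be fixed in the same change.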
@@ -198,7 +198,7 @@ For more detailed instructions, see the wiki article, [Tips for configuring your **Warning**   Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive. -  + ## Why isn’t my computer booting from USB? @@ -221,7 +221,7 @@ If the Windows To Go drive is removed, the computer will freeze and the user wil **Warning**   You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive. -  + ## Can I use BitLocker to protect my Windows To Go drive? @@ -279,7 +279,7 @@ Windows To Go Creator and the recommended deployment steps for Windows To Go set **Warning**   It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. -  + ## I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not? 
@@ -289,7 +289,7 @@ Windows To Go Creator and the recommended deployment steps for Windows To Go set **Warning**   It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. -  + ## Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition? @@ -403,7 +403,7 @@ The host computer will now be able to be booted from a USB drive without trigger **Note**   The default BitLocker protection profile in Windows 8 or later does not monitor the boot order. -  + ## I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it? @@ -415,7 +415,7 @@ Reformatting the drive erases the data on the drive, but doesn’t reconfigure t **Note**   If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. -   + 2. Start the [diskpart](https://go.microsoft.com/fwlink/p/?LinkId=619070) command interpreter, by typing `diskpart` at the command prompt. @@ -452,9 +452,9 @@ There is no support in Windows for upgrading a Windows To Go drive. Deployed Win - [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) -  + -  + diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md index 175a6f0623..cb03e1e4d1 100644 
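Review bot: the **Warning** context in the `@@ -289,7 +289,7 @@` hunk has "loss of hibernation state and therefor user state", where "therefor" should be "therefore"; since the hunk already edits the spacer line directly below that paragraph, correct the typo here. The whitespace-only replacements of the `-  ` spacer lines (a lone non-breaking space) with empty lines throughout this file are fine and make the Markdown paragraphs break correctly.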
--- a/windows/deployment/planning/windows-to-go-overview.md +++ b/windows/deployment/planning/windows-to-go-overview.md @@ -36,7 +36,7 @@ PCs that meet the Windows 7 or later [certification requirements](https://go.mi **Note**   Windows To Go is not supported on Windows RT. -  + ## Differences between Windows To Go and a typical installation of Windows @@ -72,7 +72,7 @@ These same tools can be used to provision Windows To Go drive, just as you would **Important**   Make sure you use the versions of the deployment tools provided for the version of Windows you are deploying. There have been many enhancements made to support Windows To Go. Using versions of the deployment tools released for earlier versions of Windows to provision a Windows To Go drive is not supported. -  + As you decide what to include in your Windows To Go image, be sure to consider the following questions: @@ -106,7 +106,7 @@ As of the date of publication, the following are the USB drives currently certif **Warning**   Using a USB drive that has not been certified is not supported -  + - IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://go.microsoft.com/fwlink/p/?LinkId=618714)) @@ -125,14 +125,14 @@ Using a USB drive that has not been certified is not supported **Important**   You must use the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Secure Portable Workplace. For more information about the Spyrus Deployment Suite for Windows To Go please refer to [http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720). -   + - Spyrus Worksafe ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) **Tip**   This device contains an embedded smart card. -   + - Super Talent Express RC4 for Windows To Go 
@@ -205,7 +205,7 @@ The following table details the characteristics that the host computer must have -  + **Checking for architectural compatibility between the host PC and the Windows To Go drive** @@ -248,7 +248,7 @@ In addition to the USB boot support in the BIOS, the Windows 10 image on your W -  + ## Additional resources @@ -274,9 +274,9 @@ In addition to the USB boot support in the BIOS, the Windows 10 image on your W - [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md) -  + -  + diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md index a94b3a0bfc..96987d01b7 100644 --- a/windows/deployment/update/device-health-using.md +++ b/windows/deployment/update/device-health-using.md 
@@ -277,29 +277,29 @@ You can run these queries from the Azure Portal **Log Search** interface (availa ### Device reliability query examples -|Data|Query| -|-------------------|------------------------| -|Total devices| Type = DHOSReliability \| measure countdistinct(ComputerID) by Type| -|Number of devices that have crashed in the last three weeks| Type = DHOSReliability KernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by Type| -|Compare the percentage of your devices that have not crashed with the percentage of similar devices outside your organization ("similar" here means other commercial devices with the same mix of device models, operating system versions and update levels).| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices by Type \| Display Table| -|As above, but sorted by device manufacturer| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by Manufacturer \| sort NumberDevices desc \| Display Table| -|As above, but sorted by model| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by ModelFamily\| sort NumberDevices desc \| Display Table| -|As above, but sorted by operating system version| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by OSVersion \| sort NumberDevices desc \| Display Table| -|Crash rate trending in my organization 
compared to the commercial average. Each interval shows percentage of devices that crashed at least once in the trailing two weeks| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices by TimeGenerated \| Display LineChart| -|Table of devices that have crashed the most in the last two weeks| Type = DHOSReliability KernelModeCrashCount > 0 \| Dedup ComputerID \| select Computer, KernelModeCrashCount \| sort TimeGenerated desc, KernelModeCrashCount desc \| Display Table| -|Detailed crash records, most recent first| Type = DHOSCrashData \| sort TimeGenerated desc, Computer asc \| display Table| -|Number of devices that crashed due to drivers| Type = DHDriverReliability DriverKernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by Type| -|Table of drivers that have caused the most devices to crash| Type = DHDriverReliability DriverKernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by DriverName \| Display Table| -|Trend of devices crashed by driver by day| * Type=DHOSCrashData DriverName!="ntkrnlmp.exe" DriverName IN {Type=DHOSCrashData \| measure count() by DriverName | top 5} \| measure countdistinct(ComputerID) as NumberDevices by DriverName interval 1day| -|Crashes for different versions of a given driver (replace netwtw04.sys with the driver you want from the previous list). 
This lets you get an idea of which *versions* of a given driver work best with your devices| Type = DHDriverReliability DriverName="netwtw04.sys" \| Dedup ComputerID \| sort TimeGenerated desc \| measure countdistinct(ComputerID) as InstallCount, sum(map(DriverKernelModeCrashCount,1,10000, 1)) as DevicesCrashed by DriverVersion \| Display Table| -|Top crashes by FailureID| Type =DHOSCrashData \| measure count() by KernelModeCrashFailureId \| Display Table| +| Data | Query | +|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Total devices | Type = DHOSReliability \| measure countdistinct(ComputerID) by Type | +| Number of devices that have crashed in the last three weeks | Type = DHOSReliability KernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by Type | +| Compare the percentage of your devices that have not crashed with the percentage of similar devices outside your organization ("similar" here means other commercial devices with the same mix of device models, operating system versions and update levels). 
| Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices by Type \| Display Table | +| As above, but sorted by device manufacturer | Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by Manufacturer \| sort NumberDevices desc \| Display Table | +| As above, but sorted by model | Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by ModelFamily\| sort NumberDevices desc \| Display Table | +| As above, but sorted by operating system version | Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices, countdistinct(ComputerID) as NumberDevices by OSVersion \| sort NumberDevices desc \| Display Table | +| Crash rate trending in my organization compared to the commercial average. 
Each interval shows percentage of devices that crashed at least once in the trailing two weeks | Type=DHOSReliability \| measure avg(map(KernelModeCrashCount, 1, 10000, 0, 1)) as MyOrgPercentCrashFreeDevices, avg(KernelModeCrashFreePercentForIndustry) as CommercialAvgPercentCrashFreeDevices by TimeGenerated \| Display LineChart | +| Table of devices that have crashed the most in the last two weeks | Type = DHOSReliability KernelModeCrashCount > 0 \| Dedup ComputerID \| select Computer, KernelModeCrashCount \| sort TimeGenerated desc, KernelModeCrashCount desc \| Display Table | +| Detailed crash records, most recent first | Type = DHOSCrashData \| sort TimeGenerated desc, Computer asc \| display Table | +| Number of devices that crashed due to drivers | Type = DHDriverReliability DriverKernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by Type | +| Table of drivers that have caused the most devices to crash | Type = DHDriverReliability DriverKernelModeCrashCount > 0 \| measure countdistinct(ComputerID) by DriverName \| Display Table | +| Trend of devices crashed by driver by day | \* Type=DHOSCrashData DriverName!="ntkrnlmp.exe" DriverName IN {Type=DHOSCrashData \| measure count() by DriverName | +| Crashes for different versions of a given driver (replace netwtw04.sys with the driver you want from the previous list). 
This lets you get an idea of which *versions* of a given driver work best with your devices | Type = DHDriverReliability DriverName="netwtw04.sys" \| Dedup ComputerID \| sort TimeGenerated desc \| measure countdistinct(ComputerID) as InstallCount, sum(map(DriverKernelModeCrashCount,1,10000, 1)) as DevicesCrashed by DriverVersion \| Display Table | +| Top crashes by FailureID | Type =DHOSCrashData \| measure count() by KernelModeCrashFailureId \| Display Table | ### Windows Information Protection (WIP) App Learning query examples -|Data|Query| -|-------------------|------------------------| -|Apps encountering policy boundaries on the most computers (click on an app in the results to see details including computer names)| Type=DHWipAppLearning \| measure countdistinct(ComputerID) as ComputerCount by AppName| -|Trend of App Learning activity for a given app. Useful for tracking activity before and after a rule change| Type=DHWipAppLearning AppName="MICROSOFT.SKYPEAPP" | measure countdistinct(ComputerID) as ComputerCount interval 1day| +| Data | Query | +|------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------| +| Apps encountering policy boundaries on the most computers (click on an app in the results to see details including computer names) | Type=DHWipAppLearning \| measure countdistinct(ComputerID) as ComputerCount by AppName | +| Trend of App Learning activity for a given app. Useful for tracking activity before and after a rule change | Type=DHWipAppLearning AppName="MICROSOFT.SKYPEAPP" | ### Exporting data and configuring alerts diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index b5c02d1482..40b6e95de7 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md 
+++ b/windows/deployment/update/feature-update-maintenance-window.md 
@@ -112,26 +112,26 @@ The following sections provide the steps to manually deploy a feature update. ### Step 1: Specify search criteria for feature updates There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. -3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. -4. Save the search for future use. +4. Save the search for future use. ### Step 2: Download the content for the feature update(s) Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. 
Use the following procedure to download the content for feature updates before creating the deployment. -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: +3. On the **Deployment Package** page, configure the following settings: **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. + - **Description**: Specifies the description of the deployment package. 
The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. >[!NOTE] >The deployment package source location that you specify cannot be used by another software deployment package. 
@@ -143,33 +143,33 @@ Before you deploy the feature updates, you can download the content as a separat >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. Click **Next**. -4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). >[!NOTE] >The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: +5. On the **Distribution Settings** page, specify the following settings: - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. 
- **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. 
- For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). Click **Next**. -6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: +6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - >[!NOTE] - >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + >[!NOTE] + >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. 
For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. +7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. #### To monitor content status 1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. 
@@ -180,76 +180,76 @@ Before you deploy the feature updates, you can download the content as a separat ### Step 3: Deploy the feature update(s) After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. -3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. +3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: +4. On the General page, configure the following settings: - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. 
- **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. On the Deployment Settings page, configure the following settings: +5. On the Deployment Settings page, configure the following settings: - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - >[!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. + >[!IMPORTANT] + > After you create the software update deployment, you cannot later change the type of deployment. - >[!NOTE] - >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. + >[!NOTE] + >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured. - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. 
Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. - >[!WARNING] - >Before you can use this option, computers and networks must be configured for Wake On LAN. + >[!WARNING] + >Before you can use this option, computers and networks must be configured for Wake On LAN. - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. -6. On the Scheduling page, configure the following settings: +6. On the Scheduling page, configure the following settings: - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - >[!NOTE] - >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. + >[!NOTE] + >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. 
When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. + - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - >[!NOTE] - >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + >[!NOTE] + >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. >[!NOTE] >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. 
Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). -7. On the User Experience page, configure the following settings: +7. On the User Experience page, configure the following settings: - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. 
- >[!IMPORTANT] - >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. + >[!IMPORTANT] + >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. - >[!NOTE] - >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + >[!NOTE] + >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. 
This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. +8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. >[!NOTE] >You can review recent software updates alerts from the Software Updates node in the Software Library workspace. -9. On the Download Settings page, configure the following settings: +9. On the Download Settings page, configure the following settings: - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). 
- **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - >[!NOTE] - >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + >[!NOTE] + >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). 10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. 11. Click **Next** to deploy the feature update(s). 
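Review bot: Every `-`/`+` pair in this hunk is textually identical, so this is trailing-whitespace or line-ending normalization only; say so in the commit message (or split it into a whitespace-only commit) so `git blame` on the security-relevant notes here, such as the IMPORTANT about suppressed restarts leaving computers in an insecure state, still points at the author of the wording rather than at this cleanup. While the lines are being touched, the step 9 bullet reads "download content from Microsoft Updates" while the explanation that follows it and the bullet's own second sentence say "Microsoft Update"; unless the console label really uses the plural, align the two.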
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md index 16cb6f8a2f..8102e070cd 100644 --- a/windows/deployment/update/feature-update-user-install.md +++ b/windows/deployment/update/feature-update-user-install.md 
@@ -90,64 +90,64 @@ The following sections provide the steps to manually deploy a feature update. ### Step 1: Specify search criteria for feature updates There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying a feature update is to identify the feature updates that you want to deploy. -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. -3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. +3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - In the **search** text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, **Required** is greater than or equal to 1, and **Language** equals English. -4. Save the search for future use. +4. Save the search for future use. ### Step 2: Download the content for the feature update(s) Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. 
This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. +1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. +2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Download**. The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: +3. On the **Deployment Package** page, configure the following settings: **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. + - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. 
+ - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. + - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. - >[!NOTE] - >The deployment package source location that you specify cannot be used by another software deployment package. + >[!NOTE] + >The deployment package source location that you specify cannot be used by another software deployment package. - >[!IMPORTANT] - >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. + >[!IMPORTANT] + >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. - >[!IMPORTANT] - >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. + >[!IMPORTANT] + >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. Click **Next**. -4. 
On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). +4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). >[!NOTE] >The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: +5. On the **Distribution Settings** page, specify the following settings: - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. 
For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. + - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. + - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. + - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. - For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). + For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). Click **Next**. -6. 
On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: +6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - >[!NOTE] - >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. + >[!NOTE] + >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click **Close**. +7. 
On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. +8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. +9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click **Close**. #### To monitor content status 1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. 
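Review bot: Whitespace-only hunk again, with two things worth fixing while these lines are open. Step 8 says "click Next to download the software updates" without the bold that every other step uses ("click **Next**"). More importantly, the IMPORTANT about the package source is the one security-relevant statement in this procedure and could be more actionable: it already says the SMS Provider computer account and the admin running the wizard need Write NTFS permissions and that access should be "carefully restricted", so state the rule explicitly, Write for those two principals only and read-only (or no access) for everyone else, because anyone who can write to that share can replace the feature update source files before they are distributed to distribution points.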
@@ -158,76 +158,76 @@ Before you deploy the feature updates, you can download the content as a separat ### Step 3: Deploy the feature update(s) After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. -3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. +1. In the Configuration Manager console, click **Software Library**. +2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. +3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: +4. On the General page, configure the following settings: - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. 
- **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. On the Deployment Settings page, configure the following settings: +5. On the Deployment Settings page, configure the following settings: - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. - >[!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. + >[!IMPORTANT] + > After you create the software update deployment, you cannot later change the type of deployment. - >[!NOTE] - >A software update group deployed as **Required** will be downloaded in background and honor BITS settings, if configured. + >[!NOTE] + >A software update group deployed as **Required** will be downloaded in background and honor BITS settings, if configured. - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. 
Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when **Type of deployment** is set to **Required**. - >[!WARNING] - >Before you can use this option, computers and networks must be configured for Wake On LAN. + >[!WARNING] + >Before you can use this option, computers and networks must be configured for Wake On LAN. - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. -6. On the Scheduling page, configure the following settings: +6. On the Scheduling page, configure the following settings: - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - **Software available time**: Select **Specific time** to specify when the software updates will be available to clients: - - **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the feature update in the deployment is not available for installation until after the specified date and time are reached and the required content has been downloaded. + - **Specific time**: Select this setting to make the feature update in the deployment available to clients at a specific date and time. Specify a date and time that corresponds with the start of your fixed servicing window. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. 
However, the feature update in the deployment is not available for installation until after the specified date and time are reached and the required content has been downloaded. - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - >[!NOTE] - >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. + >[!NOTE] + >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. However, for the purposes of the fixed servicing window, set the installation deadline date and time to a future value, well beyond the fixed servicing window. + - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. However, for the purposes of the fixed servicing window, set the installation deadline date and time to a future value, well beyond the fixed servicing window. - Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients will start downloading the content based on a randomized time. The feature update will not be displayed in Software Center for installation until the content is fully downloaded. This ensures that the feature update installation will start immediately when initiated. + Required deployments for software updates can benefit from functionality called advanced download. When the software available time is reached, clients will start downloading the content based on a randomized time. The feature update will not be displayed in Software Center for installation until the content is fully downloaded. 
This ensures that the feature update installation will start immediately when initiated. -7. On the User Experience page, configure the following settings: +7. On the User Experience page, configure the following settings: - **User notifications**: Specify **Display in Software Center and show all notifications**. - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. - >[!NOTE] - >Remember that the installation deadline date and time will be well into the future to allow plenty of time for the user-initiated install during a fixed servicing window. + >[!NOTE] + >Remember that the installation deadline date and time will be well into the future to allow plenty of time for the user-initiated install during a fixed servicing window. - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - >[!IMPORTANT] - >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. + >[!IMPORTANT] + >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. 
However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. - >[!NOTE] - >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. + >[!NOTE] + >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. +8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. 
You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. >[!NOTE] >You can review recent software updates alerts from the **Software Updates** node in the **Software Library** workspace. -9. On the Download Settings page, configure the following settings: +9. On the Download Settings page, configure the following settings: - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - >[!NOTE] - >Clients request the content location from a management point for the software updates in a deployment. 
The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). + >[!NOTE] + >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). 10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. 11. Click **Next** to deploy the feature update(s). diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 93a7ca24c9..a62a880de1 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md 
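Review bot: In step 4 the default deployment name format renders as `**Microsoft Software Updates - \\**` with nothing after the hyphen, so the placeholder that is supposed to follow it has been lost (most likely angle-bracket text that the renderer treated as an HTML tag). Check the source line and escape the placeholder so readers can see what the auto-generated name contains. The rest of the hunk is identical `-`/`+` pairs, i.e. whitespace normalization, and matches the earlier hunks; one consistency point is that the step 6 NOTE keeps a leading space inside the quote (`> After you create`) while every other callout uses `>Text`, which is harmless for rendering but worth aligning since the hunk rewrites the line anyway.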
@@ -41,29 +41,29 @@ Update Compliance is offered as a solution which is linked to a new or existing > [!NOTE] > Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance. -2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below. +2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below. ![Update Compliance marketplace search results](images/UC_00_marketplace_search.png) -3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure. +3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure. ![Update Compliance solution creation](images/UC_01_marketplace_create.png) -4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. - - If you already have another Windows Analytics solution, you should use the same workspace. - - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: - - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. - - For the resource group setting select **Create new** and use the same name you chose for your new workspace. - - For the location setting, choose the Azure region where you would prefer the data to be stored. - - For the pricing tier select **per GB**. +4. 
Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. + - If you already have another Windows Analytics solution, you should use the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **per GB**. ![Update Compliance workspace creation](images/UC_02_workspace_create.png) -5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**. +5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**. ![Update Compliance workspace selection](images/UC_03_workspace_select.png) -6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**. +6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**. ![Update Compliance deployment successful](images/UC_04_resourcegrp_deployment_successful.png) diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 4ecbed37c4..77c1d488c8 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md 
@@ -67,6 +67,7 @@ The following is a breakdown of the different sections available in Update Compl Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows: Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate that each data type is sent and how long it takes to be ready for Update Compliance varies, roughly outlined below. + | Data Type | Refresh Rate | Data Latency | |--|--|--| |WaaSUpdateStatus | Once per day |4 hours | diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index 74bb391287..848ed759c2 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -122,7 +122,7 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** | PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | | ExpireOn | The target expiration date and time for the file. | | Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | -  + `Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: - Number of files downloaded  diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index c7eafd6795..e3d00db3ff 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -44,7 +44,7 @@ For Windows 10, version 1607, devices can now be configured to receive updates f - Admin has also put 3rd party drivers on WSUS - +
                                                                                              ContentMetadata sourcePayload sourceDeferred?
                                                                                              Updates to WindowsWindows UpdateWindows UpdateYes![diagram of content flow](images/wufb-config1a.png)
                                                                                              Updates to WindowsWindows UpdateWindows UpdateYesdiagram of content flow
                                                                                              Updates to Office and other productsWSUSWSUSNo
                                                                                              Third-party driversWSUSWSUSNo
                                                                                              @@ -59,7 +59,7 @@ For Windows 10, version 1607, devices can now be configured to receive updates f - + @@ -79,7 +79,7 @@ In this example, the deferral behavior for updates to Office and other non-Windo
                                                                                              ContentMetadata sourcePayload sourceDeferred?
                                                                                              Updates to Windows (excluding drivers)Windows UpdateWindows UpdateYes![diagram of content flow](images/wufb-config2.png)
                                                                                              Updates to Windows (excluding drivers)Windows UpdateWindows UpdateYesdiagram of content flow
                                                                                              Updates to Office and other productsWSUSWSUSNo
                                                                                              DriversWSUSWSUSNo
                                                                                              - +
                                                                                              ContentMetadata sourcePayload sourceDeferred?
                                                                                              Updates to Windows (excluding drivers)Microsoft UpdateMicrosoft UpdateYes![diagram of content flow](images/wufb-config3a.png)
                                                                                              Updates to Windows (excluding drivers)Microsoft UpdateMicrosoft UpdateYesdiagram of content flow
                                                                                              Updates to Office and other productsMicrosoft UpdateMicrosoft UpdateNo
                                                                                              Drivers, third-party applicationsWSUSWSUSNo
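Review bot: in each of the three table hunks for waas-integrate-wufb.md, the replaced "Updates to Windows" row loses the image reference: the old row ends in `![diagram of content flow](images/wufb-config1a.png)` (and wufb-config2.png, wufb-config3a.png in the later hunks) while the new row ends in the bare text `diagram of content flow`. If the intent was only to strip trailing whitespace, restore the image markup so the content-flow diagrams still render; if the image tag was deliberately changed, the alt text alone should not be left as a literal cell value.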
                                                                                              diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index cafe85f131..d3d3256fba 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md 
@@ -71,41 +71,41 @@ When using WSUS to manage updates on Windows client devices, start by configurin **To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment** -1. Open GPMC. +1. Open GPMC. -2. Expand Forest\Domains\\*Your_Domain*. +2. Expand Forest\Domains\\*Your_Domain*. -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. +3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - ![Example of UI](images/waas-wsus-fig3.png) + ![Example of UI](images/waas-wsus-fig3.png) - >[!NOTE] - >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU. + >[!NOTE] + >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU. -4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**. +4. In the **New GPO** dialog box, name the new GPO **WSUS – Auto Updates and Intranet Update Service Location**. -5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**. +5. Right-click the **WSUS – Auto Updates and Intranet Update Service Location** GPO, and then click **Edit**. -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. +6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. -7. 
Right-click the **Configure Automatic Updates** setting, and then click **Edit**. +7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**. - ![Example of UI](images/waas-wsus-fig4.png) + ![Example of UI](images/waas-wsus-fig4.png) -8. In the **Configure Automatic Updates** dialog box, select **Enable**. +8. In the **Configure Automatic Updates** dialog box, select **Enable**. -9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**. +9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**. - ![Example of UI](images/waas-wsus-fig5.png) + ![Example of UI](images/waas-wsus-fig5.png) - >[!NOTE] - ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx). + > [!NOTE] + > ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx). -9. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**. +10. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**. -9. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**. +11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**. -12. 
Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type **http://Your_WSUS_Server_FQDN:PortNumber**, and then click **OK**. +12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then click **OK**. >[!NOTE] >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance. diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index bd3be69edf..829b1efc16 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md @@ -30,9 +30,9 @@ Here's more news about [Windows as a service](windows-as-a-service.md):
                                                                                            • Reducing Windows 10 Package Size Downloads for x64 Systems - September 26, 2018
                                                                                            • Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates - September 21, 2018
                                                                                            • Helping customers shift to a modern desktop - September 6, 2018
                                                                                            • -
                                                                                            • Windows Update for Business & Windows Analytics: a real-world experience - September 5, 2018
                                                                                            • -
                                                                                            • What's next for Windows 10 and Windows Server quality updates - August 16, 2018
                                                                                            • -
                                                                                            • Windows 10 monthly updates - August 1, 2018 (**video**)
                                                                                            • +
                                                                                            • Windows Update for Business & Windows Analytics: a real-world experience - September 5, 2018
                                                                                            • +
                                                                                            • What's next for Windows 10 and Windows Server quality updates - August 16, 2018
                                                                                            • +
                                                                                            • Windows 10 monthly updates - August 1, 2018 (video)
                                                                                            • Windows 10 update servicing cadence - August 1, 2018
                                                                                            • Windows 10 quality updates explained and the end of delta updates - July 11, 2018
                                                                                            • AI Powers Windows 10 April 2018 Update Rollout - June 14, 2018
                                                                                            • diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 0828c32b1a..82d2d4b3e1 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md 
@@ -126,12 +126,12 @@ When Microsoft officially releases a feature update for Windows 10, it is made a Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases. All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release. ->[!NOTE] -All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607, 1703, 1709 and 1803. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18 month lifecycle. - - ->[!NOTE] ->Organizations can electively delay feature updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools. +> [!NOTE] +> All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. 
These versions include Enterprise and Education editions for Windows 10, versions 1607, 1703, 1709 and 1803. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18 month lifecycle. +> +> +> [!NOTE] +> Organizations can electively delay feature updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools. ### Long-term Servicing Channel diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index 0d1004e4b9..a99bba615f 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md 
@@ -15,9 +15,9 @@ ms.collection: M365-modern-desktop --- # Understanding the differences between servicing Windows 10-era and legacy Windows operating systems ->Applies to: Windows 10 - ->**February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.** +> Applies to: Windows 10 +> +> **February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.** Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates. diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 8733b71222..e416f2e554 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md 
@@ -144,81 +144,3 @@ We recommend that you set up a ring to receive preview builds by joining the Win ------------------------- - -To manage updates with Windows Update for Business as described in this topic, you should prepare with these steps, if you haven't already: - -- Create Active Directory security groups that align with the deployment rings you use to phase deployment of updates. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10. -- Allow access to the Windows Update service. -- Download and install ADMX templates appropriate to your Windows 10 version. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759) and [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/). - - - ## Set up Windows Update for Business - -In this example, one security group is used to manage updates. Typically we would recommend having at least three rings (early testers for pre-release builds, broad deployment for releases, critical devices for mature releases) to deploy. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) for more information. - -Follow these steps on a device running the Remote Server Administration Tools or on a domain controller: - -### Configure a ring -1. Start Group Policy Management Console (gpmc.msc). -2. Expand **Forest > Domains > **. -3. Right-click and select **Create a GPI in this domain and link it here**. -4. In the **New GPO** dialog box, enter *Windows Update for Business - Group 1* as the name of the new Group Policy Object. -5. Right-click the **Windows Update for Business - Group 1" object, and then select **Edit**. -6. 
In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices. - - -## Offering - -You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time. - -### Manage which updates are offered - -Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates. - -- Drivers (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates** -- Microsoft product updates (on/off): **Computer configuration > Administrative Templates > Windows Components > Windows Update > Get updates for other Microsoft Products** - -We recommend that you allow the driver policy to allow drivers to updated on devices (the default), but you can turn this setting off if you prefer to manage drivers manually. We also recommend that you leave the "Microsoft product updates" setting on. - -### Manage when updates are offered -You can defer or pause the installation of updates for a set period of time. - -#### Defer or pause an update - -A Windows Update for Business administrator can defer or pause updates and preview builds. You can defer features updates for up to 365 days. You can pause feature or quality updates for up to 35 days from a given start date that you specify. 
- -- Defer or pause a feature update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are Received** -- Defer or pause a quality update: **Computer configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are Received** - -#### Example - -In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days. - -![illustration of devices divided into three rings](images/waas-wufb-3-rings.png) - -When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates. - -##### Five days later -The devices in the fast ring are offered the quality update the next time they scan for updates. - -![illustration of devices with fast ring deployed](images/waas-wufb-fast-ring.png) - -##### Ten days later -Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates. - -![illustration of devices with slow ring deployed](images/waas-wufb-slow-ring.png) - -If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves. - -##### What if a problem occurs with the update? - -In this example, some problem is discovered during the deployment of the update to the "pilot" ring. - -![illustration of devices divided with pilot ring experiencing a problem](images/waas-wufb-pilot-problem.png) - -At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the **Pause quality updates** check box. 
- -![illustration of rings with pause quality update check box selected](images/waas-wufb-pause.png) - -Now all devices are paused from updating for 35 days. When the the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again. \ No newline at end of file diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index 7c57aca0b9..81ac40df54 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md @@ -186,7 +186,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e 4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. -4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. +5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. 6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. @@ -198,7 +198,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e 8. Because the **Ring 4 Broad business users** deployment ring receives the CBB feature updates immediately, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. -8. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list. +9. In **Setting name**, type **Defer feature updates for 0 days**, and then select **Integer** from the **Data type** list. 10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. 
@@ -206,14 +206,14 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e ![Settings for this policy](images/waas-wufb-intune-cbb1a.png) -9. Click **Save Policy**. +12. Click **Save Policy**. -9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. +13. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. + >[!NOTE] + >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. -10. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. +14. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**. You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they’re available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates. @@ -228,7 +228,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r 4. Name the policy **Windows Update for Business - CBB2**. Then, in the **OMA-URI Settings** section, click **Add**. -4. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. +5. In **Setting name**, type **Enable Clients for CBB**, and then select **Integer** from the **Data type** list. 6. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel**. 
@@ -240,30 +240,30 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r 8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. -8. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list. +9. In **Setting name**, type **Defer quality updates for 7 days**, and then select **Integer** from the **Data type** list. 10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDays**. 11. In the **Value** box, type **7**, and then click **OK**. -8. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. +12. In the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. -8. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list. +13. In **Setting name**, type **Defer feature updates for 14 days**, and then select **Integer** from the **Data type** list. -10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. +14. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**. -11. In the **Value** box, type **14**, and then click **OK**. +15. In the **Value** box, type **14**, and then click **OK**. ![Settings for this policy](images/waas-wufb-intune-cbb2a.png) -9. Click **Save Policy**. +16. Click **Save Policy**. -9. In the **Deploy Policy: Windows Update for Business – CBB2** dialog box, click **Yes**. +17. In the **Deploy Policy: Windows Update for Business – CBB2** dialog box, click **Yes**. - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. + >[!NOTE] + >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. -10. 
In the **Manage Deployment: Windows Update for Business – CBB2** dialog box, select the **Ring 5 Broad Business Users #2** group, click **Add**, and then click **OK**. +18. In the **Manage Deployment: Windows Update for Business – CBB2** dialog box, select the **Ring 5 Broad Business Users #2** group, click **Add**, and then click **OK**. ## Related topics diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index e464d438af..7f51510eca 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -59,7 +59,7 @@ Even though devices can take 2-3 days after enrollment to show up due to latency >[!NOTE] > If you generate the status report and get an error message saying "Sorry! We’re not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** remove the Upgrade Readiness solution, and then re-add it. - + If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues: 1. Download and extract the [Upgrade Readiness Deployment Script](https://www.microsoft.com/download/details.aspx?id=53327). Ensure that the **Pilot/Diagnostics** folder is included. @@ -113,7 +113,7 @@ If you know that devices are experiencing stop error crashes that do not seem to 5. Check that crash reports successfully complete the round trip with Event 1001 and that BucketID is not blank. A typical such event looks like this: [![Event viewer detail showing Event 1001 details](images/event_1001.png)](images/event_1001.png) - + You can use the following Windows PowerShell snippet to summarize recent occurrences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however). ```powershell 
@@ -214,9 +214,9 @@ Starting with Windows 10, version 1803, the device name is no longer collected b ### Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results This issue affects custom queries of the Device Health data by using the **Logs > Search page** or API. It does not impact any of the built-in tiles or reports of the Device Health solution. The **AbnormalShutdownCount** field of the **DHOSReliability** data table represents abnormal shutdowns other than crashes, such as sudden power loss or holding down the power button. - + We have identified an incompatibility between AbnormalShutdownCount and the Limited Enhanced diagnostic data level on Windows 10, versions 1709, 1803, and 1809. Such devices do not send the abnormal shutdown signal to Microsoft. You should not rely on AbnormalShutdownCount in your custom queries unless you use any one of the following workarounds: - + - Upgrade devices to Windows 10, version 1903 when available. Participants in the Windows Insider program can preview this change using Windows Insider builds. - Change the diagnostic data setting from devices running Windows 10, versions 1709, 1803, and 1809 normal Enhanced level instead of Limited Enhanced. 
@@ -230,18 +230,18 @@ We have identified an incompatibility between AbnormalShutdownCount and the Limi If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps: -1. Unsubscribe from the Upgrade Readiness solution in Azure Portal. In Azure Portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. +1. Unsubscribe from the Upgrade Readiness solution in Azure Portal. In Azure Portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. - ![Upgrade Readiness unsubscribe](images/upgrade-analytics-unsubscribe.png) + ![Upgrade Readiness unsubscribe](images/upgrade-analytics-unsubscribe.png) -2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**: +2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the diagnostic data level to **Security**: - **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* + **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* - **Windows 10**: Follow the instructions in [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). + **Windows 10**: Follow the instructions in [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). -3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". 
The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. -4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". +3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. +4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". ### Exporting large data sets @@ -251,7 +251,7 @@ Azure Log Analytics is optimized for advanced analytics of large data sets and c let snapshot = toscalar(UAApp | summarize max(TimeGenerated)); let pageSize = 100000; let pageNumber = 0; - + UAApp | where TimeGenerated == snapshot and IsRollup==true and RollupLevel=="Granular" and Importance == "Low install count" | order by AppName, AppVendor, AppVersion desc @@ -260,11 +260,12 @@ UAApp | take pageSize ``` - + ## Other common questions ### What are the requirements and costs for Windows Analytics solutions? + | Windows Analytics solution| Windows license requirements | Windows version requirements | Minimum diagnostic data requirements | |----------------------|-----------------------------------|------------------------------|------------------------------| | Upgrade Readiness | No additional requirements | Windows 7 with Service Pack 1, Windows 8.1, Windows 10 | Basic level in most cases; Enhanced level to support Windows 10 app usage data and IE site discovery | 
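Review bot: In the -230,18 hunk of windows-analytics-FAQ-troubleshooting, the rewritten step 3 and step 4 lines still call `IEDataOptIn` and `CommercialId` registry keys when both are values under the `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection` key (step 2 already uses "registry property" for `CommercialDataOptIn`); since these `+` lines are being touched anyway, change them to `setting the *IEDataOptIn* registry value to "0"` and `remove the "CommercialId" value from`, so an admin scripting the opt-out does not go looking for subkeys that do not exist. Joining the two halves of step 3 onto one line is the right fix for the broken list item. One caveat worth a sentence on step 2: the **Security** diagnostic data level only takes effect on Windows 10 Enterprise, Education, IoT Core and Windows Server editions; on other editions a value of 0 is treated as Basic, so an opt-out procedure that relies on this setting should say so rather than imply telemetry stops on every Windows 10 SKU.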
@@ -283,7 +284,7 @@ Note that different Azure Log Analytics plans have different data retention peri ### Why do SCCM and Upgrade Readiness show different counts of devices that are ready to upgrade? System Center Configuration Manager (SCCM) considers a device ready to upgrade if *no installed app* has an upgrade decision of “not ready” (that is, they are all "ready" or "in progress"), while Upgrade Readiness considers a device ready to upgrade only if *all* installed apps are marked “ready”. -  + Currently, you can choose the criteria you wish to use: - To use the SCCM criteria, create the collection of devices ready to upgrade within the SCCM console (using the analytics connector). - To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet. diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index 134f4cef5d..cca22ab6ad 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md 
@@ -22,63 +22,63 @@ This section lists the error codes for Microsoft Windows Update. ## Automatic Update Errors -|Error code|Message|Description| -|-|-|-| -|0x80243FFF|WU_E_AUCLIENT_UNEXPECTED|There was a user interface error not covered by another WU_E_AUCLIENT_* error code.| -|0x8024A000|WU_E_AU_NOSERVICE|Automatic Updates was unable to service incoming requests. | -|0x8024A002|WU_E_AU_NONLEGACYSERVER|The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded.|  -|0x8024A003 |WU_E_AU_LEGACYCLIENTDISABLED| The old version of the Automatic Updates client was disabled.|  -|0x8024A004|WU_E_AU_PAUSED|Automatic Updates was unable to process incoming requests because it was paused.|  -|0x8024A005|WU_E_AU_NO_REGISTERED_SERVICE| No unmanaged service is registered with AU.|  -|0x8024AFFF|WU_E_AU_UNEXPECTED| An Automatic Updates error not covered by another WU_E_AU * code.|  +| Error code | Message | Description | +|------------|-------------------------------|--------------------------------------------------------------------------------------------------------| +| 0x80243FFF | WU_E_AUCLIENT_UNEXPECTED | There was a user interface error not covered by another WU_E_AUCLIENT_\* error code. | +| 0x8024A000 | WU_E_AU_NOSERVICE | Automatic Updates was unable to service incoming requests.  | +| 0x8024A002 | WU_E_AU_NONLEGACYSERVER | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | +| 0x8024A003 | WU_E_AU_LEGACYCLIENTDISABLED |  The old version of the Automatic Updates client was disabled. | +| 0x8024A004 | WU_E_AU_PAUSED | Automatic Updates was unable to process incoming requests because it was paused. | +| 0x8024A005 | WU_E_AU_NO_REGISTERED_SERVICE |  No unmanaged service is registered with AU. | +| 0x8024AFFF | WU_E_AU_UNEXPECTED |  An Automatic Updates error not covered by another WU_E_AU \* code. 
| ## Windows Update UI errors -|Error code|Message|Description| -|-|-|-| -|0x80243001|WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION|The results of download and installation could not be read from the registry due to an unrecognized data format version.|  -|0x80243002|WU_E_INSTALLATION_RESULTS_INVALID_DATA|The results of download and installation could not be read from the registry due to an invalid data format.|  -|0x80243003|WU_E_INSTALLATION_RESULTS_NOT_FOUND |The results of download and installation are not available; the operation may have failed to start.|  -|0x80243004| WU_E_TRAYICON_FAILURE| A failure occurred when trying to create an icon in the taskbar notification area.| -|0x80243FFD| WU_E_NON_UI_MODE| Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  | -|0x80243FFE| WU_E_WUCLTUI_UNSUPPORTED_VERSION| Unsupported version of WU client UI exported functions.  | -|0x80243FFF| WU_E_AUCLIENT_UNEXPECTED| There was a user interface error not covered by another WU_E_AUCLIENT_* error code.  | +| Error code | Message | Description | +|------------|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| +| 0x80243001 | WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION | The results of download and installation could not be read from the registry due to an unrecognized data format version. | +| 0x80243002 | WU_E_INSTALLATION_RESULTS_INVALID_DATA | The results of download and installation could not be read from the registry due to an invalid data format. | +| 0x80243003 | WU_E_INSTALLATION_RESULTS_NOT_FOUND | The results of download and installation are not available; the operation may have failed to start. | +| 0x80243004 |  WU_E_TRAYICON_FAILURE |  A failure occurred when trying to create an icon in the taskbar notification area. 
| +| 0x80243FFD |  WU_E_NON_UI_MODE |  Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  | +| 0x80243FFE |  WU_E_WUCLTUI_UNSUPPORTED_VERSION |  Unsupported version of WU client UI exported functions.  | +| 0x80243FFF |  WU_E_AUCLIENT_UNEXPECTED |  There was a user interface error not covered by another WU_E_AUCLIENT_\* error code.  | ## Inventory errors -|Error code|Message|Description| -|-|-|-| -|0x80249001| WU_E_INVENTORY_PARSEFAILED| Parsing of the rule file failed. | -|0x80249002| WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED | Failed to get the requested inventory type from the server. | -|0x80249003| WU_E_INVENTORY_RESULT_UPLOAD_FAILED| Failed to upload inventory result to the server. | -|0x80249004| WU_E_INVENTORY_UNEXPECTED| There was an inventory error not covered by another error code.|  -|0x80249005| WU_E_INVENTORY_WMI_ERROR| A WMI error occurred when enumerating the instances for a particular class.  | +| Error code | Message | Description | +|------------|-------------------------------------------|-------------------------------------------------------------------------------| +| 0x80249001 |  WU_E_INVENTORY_PARSEFAILED |  Parsing of the rule file failed.  | +| 0x80249002 |  WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED |  Failed to get the requested inventory type from the server.  | +| 0x80249003 |  WU_E_INVENTORY_RESULT_UPLOAD_FAILED |  Failed to upload inventory result to the server.  | +| 0x80249004 |  WU_E_INVENTORY_UNEXPECTED |  There was an inventory error not covered by another error code. | +| 0x80249005 |  WU_E_INVENTORY_WMI_ERROR |  A WMI error occurred when enumerating the instances for a particular class.  
| ## Expression evaluator errors -|Error code|Message|Description| -|-|-|-| -|0x8024E001 | WU_E_EE_UNKNOWN_EXPRESSION | An expression evaluator operation could not be completed because an expression was unrecognized.| -|0x8024E002| WU_E_EE_INVALID_EXPRESSION| An expression evaluator operation could not be completed because an expression was invalid.  | -|0x8024E003| WU_E_EE_MISSING_METADATA| An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes. | -|0x8024E004| WU_E_EE_INVALID_VERSION| An expression evaluator operation could not be completed because the version of the serialized expression data is invalid. | -| 0x8024E005| WU_E_EE_NOT_INITIALIZED| The expression evaluator could not be initialized.|  -| 0x8024E006| WU_E_EE_INVALID_ATTRIBUTEDATA | An expression evaluator operation could not be completed because there was an invalid attribute.| -| 0x8024E007| WU_E_EE_CLUSTER_ERROR | An expression evaluator operation could not be completed because the cluster state of the computer could not be determined. | -| 0x8024EFFF| WU_E_EE_UNEXPECTED| There was an expression evaluator error not covered by another WU_E_EE_* error code.  | +| Error code | Message | Description | +|-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------| +| 0x8024E001 |  WU_E_EE_UNKNOWN_EXPRESSION |  An expression evaluator operation could not be completed because an expression was unrecognized. | +| 0x8024E002 |  WU_E_EE_INVALID_EXPRESSION |  An expression evaluator operation could not be completed because an expression was invalid.  | +| 0x8024E003 |  WU_E_EE_MISSING_METADATA |  An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes.  
| +| 0x8024E004 |  WU_E_EE_INVALID_VERSION |  An expression evaluator operation could not be completed because the version of the serialized expression data is invalid.  | +|  0x8024E005 |  WU_E_EE_NOT_INITIALIZED |  The expression evaluator could not be initialized. | +|  0x8024E006 |  WU_E_EE_INVALID_ATTRIBUTEDATA |  An expression evaluator operation could not be completed because there was an invalid attribute. | +|  0x8024E007 |  WU_E_EE_CLUSTER_ERROR |  An expression evaluator operation could not be completed because the cluster state of the computer could not be determined.  | +|  0x8024EFFF |  WU_E_EE_UNEXPECTED |  There was an expression evaluator error not covered by another WU_E_EE_\* error code.  | ## Reporter errors -|Error code|Message|Description| -|-|-|-| -| 0x80247001| WU_E_OL_INVALID_SCANFILE | An operation could not be completed because the scan package was invalid.|  -|0x80247002| WU_E_OL_NEWCLIENT_REQUIRED| An operation could not be completed because the scan package requires a greater version of the Windows Update Agent.|  -| 0x80247FFF| WU_E_OL_UNEXPECTED| Search using the scan package failed. | -| 0x8024F001| WU_E_REPORTER_EVENTCACHECORRUPT| The event cache file was defective. | -| 0x8024F002 | WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED | The XML in the event namespace descriptor could not be parsed.|  -| 0x8024F003| WU_E_INVALID_EVENT| The XML in the event namespace descriptor could not be parsed.|  -| 0x8024F004| WU_E_SERVER_BUSY| The server rejected an event because the server was too busy.|  -| 0x8024FFFF| WU_E_REPORTER_UNEXPECTED| There was a reporter error not covered by another error code. | +| Error code | Message | Description | +|-------------|------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| +|  0x80247001 |  WU_E_OL_INVALID_SCANFILE |  An operation could not be completed because the scan package was invalid. 
| +| 0x80247002 |  WU_E_OL_NEWCLIENT_REQUIRED |  An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. | +|  0x80247FFF |  WU_E_OL_UNEXPECTED |  Search using the scan package failed.  | +|  0x8024F001 |  WU_E_REPORTER_EVENTCACHECORRUPT |  The event cache file was defective.  | +|  0x8024F002 |  WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED |  The XML in the event namespace descriptor could not be parsed. | +|  0x8024F003 |  WU_E_INVALID_EVENT |  The XML in the event namespace descriptor could not be parsed. | +|  0x8024F004 |  WU_E_SERVER_BUSY |  The server rejected an event because the server was too busy. | +|  0x8024FFFF |  WU_E_REPORTER_UNEXPECTED |  There was a reporter error not covered by another error code.  | ## Redirector errors The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors. 
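Review bot: The reflowed tables in the -22,63 hunk of windows-update-error-reference still carry the non-breaking spaces from the old rows inside the cells, visible as the double-spaced `|  WU_E_AU_LEGACYCLIENTDISABLED |  The old version` and `|  0x8024E005 |` patterns, so the whitespace cleanup is incomplete and the column padding this reformat adds will not line up in an editor; replace U+00A0 with ordinary spaces (or strip it) before the tables are accepted. Escaping the wildcard as `WU_E_AUCLIENT_\*` and `WU_E_EE_\*` is correct, otherwise Markdown pairs the asterisks as emphasis. Separately, `0x80243FFF WU_E_AUCLIENT_UNEXPECTED` is listed twice, once under **Automatic Update Errors** and again under **Windows Update UI errors**, and this hunk preserves both copies; one entry is enough, and the UI errors table is where the rest of the 0x80243xxx range (0x80243001 through 0x80243FFE) already sits.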
@@ -93,152 +93,152 @@ The components that download the Wuredir.cab file and then parse the Wuredir.cab ## Protocol Talker errors The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method. -|Error code|Message|Description| -|-|-|-| -| 0x80244000| WU_E_PT_SOAPCLIENT_BASE| WU_E_PT_SOAPCLIENT_* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library.| -|0x80244001| WU_E_PT_SOAPCLIENT_INITIALIZE| Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. | -| 0x80244002| WU_E_PT_SOAPCLIENT_OUTOFMEMORY| Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory. | -| 0x80244003| WU_E_PT_SOAPCLIENT_GENERATE| Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request.|  -| 0x80244004| WU_E_PT_SOAPCLIENT_CONNECT| Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server. | -| 0x80244005| WU_E_PT_SOAPCLIENT_SEND| Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_* error codes.| -| 0x80244006| WU_E_PT_SOAPCLIENT_SERVER| Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error. | -| 0x80244007| WU_E_PT_SOAPCLIENT_SOAPFAULT| Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_* error codes.| -| 0x80244008| WU_E_PT_SOAPCLIENT_PARSEFAULT| Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault.|  -| 0x80244009| WU_E_PT_SOAPCLIENT_READ| Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server.| -| 0x8024400A| WU_E_PT_SOAPCLIENT_PARSE| Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server. 
| - - + +| Error code | Message | Description | +|-------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------| +|  0x80244000 |  WU_E_PT_SOAPCLIENT_BASE |  WU_E_PT_SOAPCLIENT_\* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library. | +| 0x80244001 |  WU_E_PT_SOAPCLIENT_INITIALIZE |  Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. | +|  0x80244002 |  WU_E_PT_SOAPCLIENT_OUTOFMEMORY |  Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory.  | +|  0x80244003 |  WU_E_PT_SOAPCLIENT_GENERATE |  Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request. | +|  0x80244004 |  WU_E_PT_SOAPCLIENT_CONNECT |  Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server.  | +|  0x80244005 |  WU_E_PT_SOAPCLIENT_SEND |  Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_\* error codes. | +|  0x80244006 |  WU_E_PT_SOAPCLIENT_SERVER |  Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error.  | +|  0x80244007 |  WU_E_PT_SOAPCLIENT_SOAPFAULT |  Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | +|  0x80244008 |  WU_E_PT_SOAPCLIENT_PARSEFAULT |  Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault. | +|  0x80244009 |  WU_E_PT_SOAPCLIENT_READ |  Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server. | +|  0x8024400A |  WU_E_PT_SOAPCLIENT_PARSE |  Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server.  | ## Other Protocol Talker errors The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. 
These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT. -|Error code|Message|Description| -|-|-|-| -| 0x8024400B| WU_E_PT_SOAP_VERSION| Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope.| -| 0x8024400C| WU_E_PT_SOAP_MUST_UNDERSTAND| Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  | -| 0x8024400D| WU_E_PT_SOAP_CLIENT| Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending. | -| 0x8024400E| WU_E_PT_SOAP_SERVER| Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later. | -| 0x8024400F| WU_E_PT_WMI_ERROR| There was an unspecified Windows Management Instrumentation (WMI) error.|  -| 0x80244010| WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS| The number of round trips to the server exceeded the maximum limit. | -| 0x80244011| WU_E_PT_SUS_SERVER_NOT_SET| WUServer policy value is missing in the registry. | -| 0x80244012| WU_E_PT_DOUBLE_INITIALIZATION| Initialization failed because the object was already initialized. | -| 0x80244013| WU_E_PT_INVALID_COMPUTER_NAME| The computer name could not be determined. | -| 0x80244015| WU_E_PT_REFRESH_CACHE_REQUIRED| The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry.|  -| 0x80244016| WU_E_PT_HTTP_STATUS_BAD_REQUEST| Same as HTTP status 400 - the server could not process the request due to invalid syntax. | -| 0x80244017| WU_E_PT_HTTP_STATUS_DENIED| Same as HTTP status 401 - the requested resource requires user authentication. | -| 0x80244018| WU_E_PT_HTTP_STATUS_FORBIDDEN| Same as HTTP status 403 - server understood the request but declined to fulfill it.| -| 0x80244019| WU_E_PT_HTTP_STATUS_NOT_FOUND| Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier). 
| -| 0x8024401A| WU_E_PT_HTTP_STATUS_BAD_METHOD| Same as HTTP status 405 - the HTTP method is not allowed.  | -| 0x8024401B| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ| Same as HTTP status 407 - proxy authentication is required. | -| 0x8024401C| WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT| Same as HTTP status 408 - the server timed out waiting for the request. | -| 0x8024401D| WU_E_PT_HTTP_STATUS_CONFLICT| Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource. | -| 0x8024401E| WU_E_PT_HTTP_STATUS_GONE| Same as HTTP status 410 - requested resource is no longer available at the server.| -| 0x8024401F| WU_E_PT_HTTP_STATUS_SERVER_ERROR| Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. | -| 0x80244020| WU_E_PT_HTTP_STATUS_NOT_SUPPORTED| Same as HTTP status 500 - server does not support the functionality required to fulfill the request. | -| 0x80244021| WU_E_PT_HTTP_STATUS_BAD_GATEWAY |Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request.| -| 0x80244022| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL| Same as HTTP status 503 - the service is temporarily overloaded.  | -| 0x80244023| WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT| Same as HTTP status 503 - the request was timed out waiting for a gateway. | -| 0x80244024| WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP| Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. | -| 0x80244025| WU_E_PT_FILE_LOCATIONS_CHANGED| Operation failed due to a changed file location; refresh internal state and resend.|  -| 0x80244026| WU_E_PT_REGISTRATION_NOT_SUPPORTED| Operation failed because Windows Update Agent does not support registration with a non-WSUS server. | -| 0x80244027| WU_E_PT_NO_AUTH_PLUGINS_REQUESTED| The server returned an empty authentication information list.  
| -| 0x80244028| WU_E_PT_NO_AUTH_COOKIES_CREATED| Windows Update Agent was unable to create any valid authentication cookies. | -| 0x80244029| WU_E_PT_INVALID_CONFIG_PROP| A configuration property value was wrong. | -| 0x8024402A| WU_E_PT_CONFIG_PROP_MISSING| A configuration property value was missing. | -| 0x8024402B| WU_E_PT_HTTP_STATUS_NOT_MAPPED| The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_* error codes. | -| 0x8024402C| WU_E_PT_WINHTTP_NAME_NOT_RESOLVED| Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved. | -| 0x8024402F| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS| External cab file processing completed with some errors.| -| 0x80244030| WU_E_PT_ECP_INIT_FAILED| The external cab processor initialization did not complete. | -| 0x80244031| WU_E_PT_ECP_INVALID_FILE_FORMAT| The format of a metadata file was invalid. | -| 0x80244032| WU_E_PT_ECP_INVALID_METADATA| External cab processor found invalid metadata. | -| 0x80244033| WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST| The file digest could not be extracted from an external cab file. | -| 0x80244034| WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE| An external cab file could not be decompressed. | -| 0x80244035| WU_E_PT_ECP_FILE_LOCATION_ERROR| External cab processor was unable to get file locations. | -| 0x80244FFF| WU_E_PT_UNEXPECTED| A communication error not covered by another WU_E_PT_* error code. | -| 0x8024502D| WU_E_PT_SAME_REDIR_ID| Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. | -| 0x8024502E| WU_E_PT_NO_MANAGED_RECOVER| A redirector recovery action did not complete because the server is managed. 
| + +| Error code | Message | Description | +|-------------|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|  0x8024400B |  WU_E_PT_SOAP_VERSION |  Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope. | +|  0x8024400C |  WU_E_PT_SOAP_MUST_UNDERSTAND |  Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  | +|  0x8024400D |  WU_E_PT_SOAP_CLIENT |  Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending.  | +|  0x8024400E |  WU_E_PT_SOAP_SERVER |  Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later.  | +|  0x8024400F |  WU_E_PT_WMI_ERROR |  There was an unspecified Windows Management Instrumentation (WMI) error. | +|  0x80244010 |  WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS |  The number of round trips to the server exceeded the maximum limit.  | +|  0x80244011 |  WU_E_PT_SUS_SERVER_NOT_SET |  WUServer policy value is missing in the registry.  | +|  0x80244012 |  WU_E_PT_DOUBLE_INITIALIZATION |  Initialization failed because the object was already initialized.  | +|  0x80244013 |  WU_E_PT_INVALID_COMPUTER_NAME |  The computer name could not be determined.  | +|  0x80244015 |  WU_E_PT_REFRESH_CACHE_REQUIRED |  The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | +|  0x80244016 |  WU_E_PT_HTTP_STATUS_BAD_REQUEST |  Same as HTTP status 400 - the server could not process the request due to invalid syntax.  | +|  0x80244017 |  WU_E_PT_HTTP_STATUS_DENIED |  Same as HTTP status 401 - the requested resource requires user authentication.  
| +|  0x80244018 |  WU_E_PT_HTTP_STATUS_FORBIDDEN |  Same as HTTP status 403 - server understood the request but declined to fulfill it. | +|  0x80244019 |  WU_E_PT_HTTP_STATUS_NOT_FOUND |  Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier).  | +|  0x8024401A |  WU_E_PT_HTTP_STATUS_BAD_METHOD |  Same as HTTP status 405 - the HTTP method is not allowed.  | +|  0x8024401B |  WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ |  Same as HTTP status 407 - proxy authentication is required.  | +|  0x8024401C |  WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT |  Same as HTTP status 408 - the server timed out waiting for the request.  | +|  0x8024401D |  WU_E_PT_HTTP_STATUS_CONFLICT |  Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource.  | +|  0x8024401E |  WU_E_PT_HTTP_STATUS_GONE |  Same as HTTP status 410 - requested resource is no longer available at the server. | +|  0x8024401F |  WU_E_PT_HTTP_STATUS_SERVER_ERROR |  Same as HTTP status 500 - an error internal to the server prevented fulfilling the request.  | +|  0x80244020 |  WU_E_PT_HTTP_STATUS_NOT_SUPPORTED |  Same as HTTP status 500 - server does not support the functionality required to fulfill the request.  | +|  0x80244021 |  WU_E_PT_HTTP_STATUS_BAD_GATEWAY | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request. | +|  0x80244022 |  WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL |  Same as HTTP status 503 - the service is temporarily overloaded.  | +|  0x80244023 |  WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT |  Same as HTTP status 503 - the request was timed out waiting for a gateway.  | +|  0x80244024 |  WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP |  Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request.  
| +|  0x80244025 |  WU_E_PT_FILE_LOCATIONS_CHANGED |  Operation failed due to a changed file location; refresh internal state and resend. | +|  0x80244026 |  WU_E_PT_REGISTRATION_NOT_SUPPORTED |  Operation failed because Windows Update Agent does not support registration with a non-WSUS server.  | +|  0x80244027 |  WU_E_PT_NO_AUTH_PLUGINS_REQUESTED |  The server returned an empty authentication information list.  | +|  0x80244028 |  WU_E_PT_NO_AUTH_COOKIES_CREATED |  Windows Update Agent was unable to create any valid authentication cookies.  | +|  0x80244029 |  WU_E_PT_INVALID_CONFIG_PROP |  A configuration property value was wrong.  | +|  0x8024402A |  WU_E_PT_CONFIG_PROP_MISSING |  A configuration property value was missing.  | +|  0x8024402B |  WU_E_PT_HTTP_STATUS_NOT_MAPPED |  The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_\* error codes.  | +|  0x8024402C |  WU_E_PT_WINHTTP_NAME_NOT_RESOLVED |  Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved.  | +|  0x8024402F |  WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS |  External cab file processing completed with some errors. | +|  0x80244030 |  WU_E_PT_ECP_INIT_FAILED |  The external cab processor initialization did not complete.  | +|  0x80244031 |  WU_E_PT_ECP_INVALID_FILE_FORMAT |  The format of a metadata file was invalid.  | +|  0x80244032 |  WU_E_PT_ECP_INVALID_METADATA |  External cab processor found invalid metadata.  | +|  0x80244033 |  WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST |  The file digest could not be extracted from an external cab file.  | +|  0x80244034 |  WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE |  An external cab file could not be decompressed.  | +|  0x80244035 |  WU_E_PT_ECP_FILE_LOCATION_ERROR |  External cab processor was unable to get file locations.  | +|  0x80244FFF |  WU_E_PT_UNEXPECTED |  A communication error not covered by another WU_E_PT_\* error code.  
| +|  0x8024502D |  WU_E_PT_SAME_REDIR_ID |  Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery.  | +|  0x8024502E |  WU_E_PT_NO_MANAGED_RECOVER |  A redirector recovery action did not complete because the server is managed.  | ## Download Manager errors -|Error code|Message|Description| -|-|-|-| -| 0x80246001| WU_E_DM_URLNOTAVAILABLE| A download manager operation could not be completed because the requested file does not have a URL. | -| 0x80246002| WU_E_DM_INCORRECTFILEHASH| A download manager operation could not be completed because the file digest was not recognized. | -| 0x80246003| WU_E_DM_UNKNOWNALGORITHM| A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm. | -| 0x80246004| WU_E_DM_NEEDDOWNLOADREQUEST| An operation could not be completed because a download request is required from the download handler. | -| 0x80246005| WU_E_DM_NONETWORK| A download manager operation could not be completed because the network connection was unavailable. | -| 0x80246006| WU_E_DM_WRONGBITSVERSION| A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible.|  -| 0x80246007| WU_E_DM_NOTDOWNLOADED| The update has not been downloaded. | -| 0x80246008| WU_E_DM_FAILTOCONNECTTOBITS| A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS).|  -| 0x80246009|WU_E_DM_BITSTRANSFERERROR| A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  | -| 0x8024600A| WU_E_DM_DOWNLOADLOCATIONCHANGED| A download must be restarted because the location of the source of the download has changed.|  -| 0x8024600B| WU_E_DM_CONTENTCHANGED| A download must be restarted because the update content changed in a new revision.  
| -| 0x80246FFF| WU_E_DM_UNEXPECTED| There was a download manager error not covered by another WU_E_DM_* error code.  | +| Error code | Message | Description | +|-------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +|  0x80246001 |  WU_E_DM_URLNOTAVAILABLE |  A download manager operation could not be completed because the requested file does not have a URL.  | +|  0x80246002 |  WU_E_DM_INCORRECTFILEHASH |  A download manager operation could not be completed because the file digest was not recognized.  | +|  0x80246003 |  WU_E_DM_UNKNOWNALGORITHM |  A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm.  | +|  0x80246004 |  WU_E_DM_NEEDDOWNLOADREQUEST |  An operation could not be completed because a download request is required from the download handler.  | +|  0x80246005 |  WU_E_DM_NONETWORK |  A download manager operation could not be completed because the network connection was unavailable.  | +|  0x80246006 |  WU_E_DM_WRONGBITSVERSION |  A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | +|  0x80246007 |  WU_E_DM_NOTDOWNLOADED |  The update has not been downloaded.  | +|  0x80246008 |  WU_E_DM_FAILTOCONNECTTOBITS |  A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | +|  0x80246009 | WU_E_DM_BITSTRANSFERERROR |  A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  | +|  0x8024600A |  WU_E_DM_DOWNLOADLOCATIONCHANGED |  A download must be restarted because the location of the source of the download has changed. 
| +|  0x8024600B |  WU_E_DM_CONTENTCHANGED |  A download must be restarted because the update content changed in a new revision.  | +|  0x80246FFF |  WU_E_DM_UNEXPECTED |  There was a download manager error not covered by another WU_E_DM_\* error code.  | ## Update Handler errors -|Error code|Message|Description| -|-|-|-| -| 0x80242000| WU_E_UH_REMOTEUNAVAILABLE|9 A request for a remote update handler could not be completed because no remote process is available. | -| 0x80242001| WU_E_UH_LOCALONLY| A request for a remote update handler could not be completed because the handler is local only. | -| 0x80242002| WU_E_UH_UNKNOWNHANDLER| A request for an update handler could not be completed because the handler could not be recognized. | -| 0x80242003| WU_E_UH_REMOTEALREADYACTIVE| A remote update handler could not be created because one already exists.  | -| 0x80242004| WU_E_UH_DOESNOTSUPPORTACTION| A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall).|  -| 0x80242005| WU_E_UH_WRONGHANDLER| An operation did not complete because the wrong handler was specified.  | -| 0x80242006| WU_E_UH_INVALIDMETADATA| A handler operation could not be completed because the update contains invalid metadata. | -| 0x80242007| WU_E_UH_INSTALLERHUNG| An operation could not be completed because the installer exceeded the time limit. | -| 0x80242008| WU_E_UH_OPERATIONCANCELLED| An operation being done by the update handler was cancelled. | -| 0x80242009| WU_E_UH_BADHANDLERXML| An operation could not be completed because the handler-specific metadata is invalid.  | -| 0x8024200A| WU_E_UH_CANREQUIREINPUT| A request to the handler to install an update could not be completed because the update requires user input. | -| 0x8024200B| WU_E_UH_INSTALLERFAILURE| The installer failed to install (uninstall) one or more updates.  
| -| 0x8024200C| WU_E_UH_FALLBACKTOSELFCONTAINED| The update handler should download self-contained content rather than delta-compressed content for the update. | -| 0x8024200D| WU_E_UH_NEEDANOTHERDOWNLOAD| The update handler did not install the update because it needs to be downloaded again.  | -| 0x8024200E| WU_E_UH_NOTIFYFAILURE| The update handler failed to send notification of the status of the install (uninstall) operation.  | -| 0x8024200F| WU_E_UH_INCONSISTENT_FILE_NAMES | The file names contained in the update metadata and in the update package are inconsistent.  | -| 0x80242010| WU_E_UH_FALLBACKERROR| The update handler failed to fall back to the self-contained content.  | -| 0x80242011| WU_E_UH_TOOMANYDOWNLOADREQUESTS| The update handler has exceeded the maximum number of download requests.  | -| 0x80242012| WU_E_UH_UNEXPECTEDCBSRESPONSE| The update handler has received an unexpected response from CBS.  | -| 0x80242013| WU_E_UH_BADCBSPACKAGEID| The update metadata contains an invalid CBS package identifier.  | -| 0x80242014| WU_E_UH_POSTREBOOTSTILLPENDING| The post-reboot operation for the update is still in progress.  | -| 0x80242015| WU_E_UH_POSTREBOOTRESULTUNKNOWN| The result of the post-reboot operation for the update could not be determined.  | -| 0x80242016| WU_E_UH_POSTREBOOTUNEXPECTEDSTATE| The state of the update after its post-reboot operation has completed is unexpected.  | -| 0x80242017| WU_E_UH_NEW_SERVICING_STACK_REQUIRED| The OS servicing stack must be updated before this update is downloaded or installed.  | -| 0x80242FFF| WU_E_UH_UNEXPECTED| An update handler error not covered by another WU_E_UH_* code.  
| +| Error code | Message | Description | +|-------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +|  0x80242000 |  WU_E_UH_REMOTEUNAVAILABLE | 9 A request for a remote update handler could not be completed because no remote process is available.  | +|  0x80242001 |  WU_E_UH_LOCALONLY |  A request for a remote update handler could not be completed because the handler is local only.  | +|  0x80242002 |  WU_E_UH_UNKNOWNHANDLER |  A request for an update handler could not be completed because the handler could not be recognized.  | +|  0x80242003 |  WU_E_UH_REMOTEALREADYACTIVE |  A remote update handler could not be created because one already exists.  | +|  0x80242004 |  WU_E_UH_DOESNOTSUPPORTACTION |  A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). | +|  0x80242005 |  WU_E_UH_WRONGHANDLER |  An operation did not complete because the wrong handler was specified.  | +|  0x80242006 |  WU_E_UH_INVALIDMETADATA |  A handler operation could not be completed because the update contains invalid metadata.  | +|  0x80242007 |  WU_E_UH_INSTALLERHUNG |  An operation could not be completed because the installer exceeded the time limit.  | +|  0x80242008 |  WU_E_UH_OPERATIONCANCELLED |  An operation being done by the update handler was cancelled.  | +|  0x80242009 |  WU_E_UH_BADHANDLERXML |  An operation could not be completed because the handler-specific metadata is invalid.  | +| 0x8024200A |  WU_E_UH_CANREQUIREINPUT |  A request to the handler to install an update could not be completed because the update requires user input.  | +|  0x8024200B |  WU_E_UH_INSTALLERFAILURE |  The installer failed to install (uninstall) one or more updates.  
| +|  0x8024200C |  WU_E_UH_FALLBACKTOSELFCONTAINED |  The update handler should download self-contained content rather than delta-compressed content for the update.  | +|  0x8024200D |  WU_E_UH_NEEDANOTHERDOWNLOAD |  The update handler did not install the update because it needs to be downloaded again.  | +|  0x8024200E |  WU_E_UH_NOTIFYFAILURE |  The update handler failed to send notification of the status of the install (uninstall) operation.  | +|  0x8024200F | WU_E_UH_INCONSISTENT_FILE_NAMES |  The file names contained in the update metadata and in the update package are inconsistent.  | +|  0x80242010 |  WU_E_UH_FALLBACKERROR |  The update handler failed to fall back to the self-contained content.  | +|  0x80242011 |  WU_E_UH_TOOMANYDOWNLOADREQUESTS |  The update handler has exceeded the maximum number of download requests.  | +|  0x80242012 |  WU_E_UH_UNEXPECTEDCBSRESPONSE |  The update handler has received an unexpected response from CBS.  | +|  0x80242013 |  WU_E_UH_BADCBSPACKAGEID |  The update metadata contains an invalid CBS package identifier.  | +|  0x80242014 |  WU_E_UH_POSTREBOOTSTILLPENDING |  The post-reboot operation for the update is still in progress.  | +|  0x80242015 |  WU_E_UH_POSTREBOOTRESULTUNKNOWN |  The result of the post-reboot operation for the update could not be determined.  | +|  0x80242016 |  WU_E_UH_POSTREBOOTUNEXPECTEDSTATE |  The state of the update after its post-reboot operation has completed is unexpected.  | +|  0x80242017 |  WU_E_UH_NEW_SERVICING_STACK_REQUIRED |  The OS servicing stack must be updated before this update is downloaded or installed.  | +|  0x80242FFF |  WU_E_UH_UNEXPECTED |  An update handler error not covered by another WU_E_UH_\* code.  | ## Data Store errors -|Error code|Message|Description | -|-|-|-| -| 0x80248000| WU_E_DS_SHUTDOWN| An operation failed because Windows Update Agent is shutting down.  
| -| 0x80248001| WU_E_DS_INUSE| An operation failed because the data store was in use.|  -| 0x80248002| WU_E_DS_INVALID| The current and expected states of the data store do not match.|  -| 0x80248003| WU_E_DS_TABLEMISSING| The data store is missing a table.  | -| 0x80248004| WU_E_DS_TABLEINCORRECT| The data store contains a table with unexpected columns.  | -| 0x80248005| WU_E_DS_INVALIDTABLENAME| A table could not be opened because the table is not in the data store. | -| 0x80248006| WU_E_DS_BADVERSION| The current and expected versions of the data store do not match. | -| 0x80248007| WU_E_DS_NODATA| The information requested is not in the data store.  | -| 0x80248008| WU_E_DS_MISSINGDATA| The data store is missing required information or has a NULL in a table column that requires a non-null value.  | -| 0x80248009| WU_E_DS_MISSINGREF| The data store is missing required information or has a reference to missing license terms file localized property or linked row. | -| 0x8024800A| WU_E_DS_UNKNOWNHANDLER| The update was not processed because its update handler could not be recognized.  | -| 0x8024800B| WU_E_DS_CANTDELETE| The update was not deleted because it is still referenced by one or more services.  | -| 0x8024800C| WU_E_DS_LOCKTIMEOUTEXPIRED| The data store section could not be locked within the allotted time.  | -| 0x8024800D| WU_E_DS_NOCATEGORIES | The category was not added because it contains no parent categories and is not a top-level category itself.  | -| 0x8024800E| WU_E_DS_ROWEXISTS| The row was not added because an existing row has the same primary key.  | -| 0x8024800F| WU_E_DS_STOREFILELOCKED| The data store could not be initialized because it was locked by another process.  | -| 0x80248010| WU_E_DS_CANNOTREGISTER| The data store is not allowed to be registered with COM in the current process.  -| 0x80248011| WU_E_DS_UNABLETOSTART| Could not create a data store object in another process.  
-| 0x80248013| WU_E_DS_DUPLICATEUPDATEID |The server sent the same update to the client with two different revision IDs.  -| 0x80248014 |WU_E_DS_UNKNOWNSERVICE| An operation did not complete because the service is not in the data store.  -| 0x80248015 |WU_E_DS_SERVICEEXPIRED |An operation did not complete because the registration of the service has expired.  -| 0x80248016 | WU_E_DS_DECLINENOTALLOWED | A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.  -| 0x80248017 | WU_E_DS_TABLESESSIONMISMATCH| A table was not closed because it is not associated with the session.  -| 0x80248018 | WU_E_DS_SESSIONLOCKMISMATCH| A table was not closed because it is not associated with the session.  -| 0x80248019 | WU_E_DS_NEEDWINDOWSSERVICE| A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service.  -| 0x8024801A | WU_E_DS_INVALIDOPERATION| A request was declined because the operation is not allowed.  -| 0x8024801B | WU_E_DS_SCHEMAMISMATCH| The schema of the current data store and the schema of a table in a backup XML document do not match.  -| 0x8024801C | WU_E_DS_RESETREQUIRED| The data store requires a session reset; release the session and retry with a new session.  -| 0x8024801D | WU_E_DS_IMPERSONATED| A data store operation did not complete because it was requested with an impersonated identity.  -| 0x80248FFF | WU_E_DS_UNEXPECTED| A data store error not covered by another WU_E_DS_* code.  
+| Error code | Message | Description | +|-------------|-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|  0x80248000 |  WU_E_DS_SHUTDOWN |  An operation failed because Windows Update Agent is shutting down.  | +|  0x80248001 |  WU_E_DS_INUSE |  An operation failed because the data store was in use. | +|  0x80248002 |  WU_E_DS_INVALID |  The current and expected states of the data store do not match. | +|  0x80248003 |  WU_E_DS_TABLEMISSING |  The data store is missing a table.  | +|  0x80248004 |  WU_E_DS_TABLEINCORRECT |  The data store contains a table with unexpected columns.  | +|  0x80248005 |  WU_E_DS_INVALIDTABLENAME |  A table could not be opened because the table is not in the data store.  | +|  0x80248006 |  WU_E_DS_BADVERSION |  The current and expected versions of the data store do not match.  | +|  0x80248007 |  WU_E_DS_NODATA |  The information requested is not in the data store.  | +|  0x80248008 |  WU_E_DS_MISSINGDATA |  The data store is missing required information or has a NULL in a table column that requires a non-null value.  | +|  0x80248009 |  WU_E_DS_MISSINGREF |  The data store is missing required information or has a reference to missing license terms file localized property or linked row. | +|  0x8024800A |  WU_E_DS_UNKNOWNHANDLER |  The update was not processed because its update handler could not be recognized.  | +|  0x8024800B |  WU_E_DS_CANTDELETE |  The update was not deleted because it is still referenced by one or more services.  | +|  0x8024800C |  WU_E_DS_LOCKTIMEOUTEXPIRED |  The data store section could not be locked within the allotted time.  | +|  0x8024800D |  WU_E_DS_NOCATEGORIES |  The category was not added because it contains no parent categories and is not a top-level category itself.  
| +|  0x8024800E |  WU_E_DS_ROWEXISTS |  The row was not added because an existing row has the same primary key.  | +|  0x8024800F |  WU_E_DS_STOREFILELOCKED |  The data store could not be initialized because it was locked by another process.  | +|  0x80248010 |  WU_E_DS_CANNOTREGISTER |  The data store is not allowed to be registered with COM in the current process.  | +|  0x80248011 | WU_E_DS_UNABLETOSTART |  Could not create a data store object in another process.  | +|  0x80248013 |  WU_E_DS_DUPLICATEUPDATEID | The server sent the same update to the client with two different revision IDs.  | +|  0x80248014 | WU_E_DS_UNKNOWNSERVICE |  An operation did not complete because the service is not in the data store.  | +| 0x80248015 | WU_E_DS_SERVICEEXPIRED | An operation did not complete because the registration of the service has expired.  | +| 0x80248016 |  WU_E_DS_DECLINENOTALLOWED |  A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.  | +| 0x80248017 |  WU_E_DS_TABLESESSIONMISMATCH |  A table was not closed because it is not associated with the session.  | +| 0x80248018 |  WU_E_DS_SESSIONLOCKMISMATCH |  A table was not closed because it is not associated with the session.  | +| 0x80248019 |  WU_E_DS_NEEDWINDOWSSERVICE |  A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service.  | +| 0x8024801A |  WU_E_DS_INVALIDOPERATION |  A request was declined because the operation is not allowed.  | +| 0x8024801B |  WU_E_DS_SCHEMAMISMATCH |  The schema of the current data store and the schema of a table in a backup XML document do not match.  | +| 0x8024801C |  WU_E_DS_RESETREQUIRED |  The data store requires a session reset; release the session and retry with a new session.  
| +| 0x8024801D |  WU_E_DS_IMPERSONATED |  A data store operation did not complete because it was requested with an impersonated identity.  | +| 0x80248FFF |  WU_E_DS_UNEXPECTED |  A data store error not covered by another WU_E_DS_\* code.  | ## Driver Util errors The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index fb909e187c..44bb1240ca 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -19,20 +19,22 @@ ms.topic: article The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. -|Error Code|Message|Description|Mitigation| -|-|-|-|-| -|0x8024402F|WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS|External cab file processing completed with some errors|One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
                                                                                              The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | -|0x80242006|WU_E_UH_INVALIDMETADATA|A handler operation could not be completed because the update contains invalid metadata.|Rename Software Redistribution Folder and attempt to download the updates again:
                                                                                              Rename the following folders to *.BAK:
                                                                                              - %systemroot%\system32\catroot2

                                                                                              To do this, type the following commands at a command prompt. Press ENTER after you type each command.
                                                                                              - Ren %systemroot%\SoftwareDistribution\DataStore *.bak
                                                                                              - Ren %systemroot%\SoftwareDistribution\Download *.bak
                                                                                              Ren %systemroot%\system32\catroot2 *.bak | -|0x80070BC9|ERROR_FAIL_REBOOT_REQUIRED|The requested operation failed. A system reboot is required to roll back changes made.|Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS.| -|0x80200053|BG_E_VALIDATION_FAILED|NA|Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

                                                                                              If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -|0x80072EE2|WININET_E_TIMEOUT|The operation timed out|This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
                                                                                              http://*.update.microsoft.com
                                                                                              https://*.update.microsoft.com
                                                                                              http://download.windowsupdate.com

                                                                                              Additionally , you can take a network trace and see what is timing out. | -|0x80072EFD
                                                                                              0x80072EFE 
                                                                                              0x80D02002|TIME OUT ERRORS|The operation timed out|Make sure there are no firewall rules or proxy to block Microsoft download URLs.
                                                                                              Take a network monitor trace to understand better. | -|0X8007000D|ERROR_INVALID_DATA|Indicates invalid data downloaded or corruption occurred.|Attempt to re-download the update and initiate installation. | -|0x8024A10A|USO_E_SERVICE_SHUTTING_DOWN|Indicates that the WU Service is shutting down.|This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | -|0x80240020|WU_E_NO_INTERACTIVE_USER|Operation did not complete because there is no logged-on interactive user.|Please login to the system to initiate the installation and allow the system to be rebooted. | -|0x80242014|WU_E_UH_POSTREBOOTSTILLPENDING|The post-reboot operation for the update is still in progress.|Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | -|0x80246017|WU_E_DM_UNAUTHORIZED_LOCAL_USER|The download failed because the local user was denied authorization to download the content.|Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).| -|0x8024000B|WU_E_CALL_CANCELLED|Operation was cancelled.|This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete.| -|0x8024000E|WU_E_XML_INVALID|Windows Update Agent found invalid information in the update's XML data.|Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. 
Ensure that you have the latest Windows Update Agent installed on the machine. | -|0x8024D009|WU_E_SETUP_SKIP_UPDATE|An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.|You may encounter this error when WSUS is not sending the Self-update to the clients.

                                                                                              Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue.| -|0x80244007|WU_E_PT_SOAPCLIENT_SOAPFAULT|SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_* error codes.|This issue occurs because Windows cannot renew the cookies for Windows Update.

                                                                                              Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue.| + +| Error Code | Message | Description | Mitigation | +|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
                                                                                              The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | +| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
                                                                                              Rename the following folders to \*.BAK:
                                                                                              - %systemroot%\system32\catroot2

                                                                                              To do this, type the following commands at a command prompt. Press ENTER after you type each command.
                                                                                              - Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
                                                                                              - Ren %systemroot%\SoftwareDistribution\Download \*.bak
                                                                                              Ren %systemroot%\system32\catroot2 \*.bak | +| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. | +| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

                                                                                              If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | +| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
                                                                                              http://.update.microsoft.com
                                                                                              https://
                                                                                              .update.microsoft.com


                                                                                              Additionally , you can take a network trace and see what is timing out. | +| 0x80072EFD
                                                                                              0x80072EFE 
                                                                                              0x80D02002 | TIME OUT ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
                                                                                              Take a network monitor trace to understand better. | +| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | +| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. | +| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. | Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | +| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | +| 0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled. | This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. 
| Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | +| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

                                                                                              Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | +| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

                                                                                              Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | + diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md index 3d7d0ccb35..87b016f3a5 100644 --- a/windows/deployment/update/windows-update-overview.md +++ b/windows/deployment/update/windows-update-overview.md 
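Review bot: In the windows-update-errors.md hunk, the 0x80072EE2 (WININET_E_TIMEOUT) mitigation has lost its wildcards: `http://*.update.microsoft.com` and `https://*.update.microsoft.com` now read `http://.update.microsoft.com` and `https://` / `.update.microsoft.com`, and the `http://download.windowsupdate.com` entry has disappeared altogether, so an administrator copying these hosts into a firewall or proxy allow list would get a rule that matches nothing and would still block the download host. Escape the asterisks as `\*` the way this same hunk already does for `\*.BAK`, and restore the third URL. In the 0x80242006 (WU_E_UH_INVALIDMETADATA) row the "Rename the following folders" list names only `%systemroot%\system32\catroot2` while the three `Ren` commands below it also rename `SoftwareDistribution\DataStore` and `SoftwareDistribution\Download`; the list should match the commands, and the step should say to stop the Windows Update (wuauserv) and Cryptographic Services (cryptsvc) services first and start them again afterwards, since the renames fail with access denied while those services hold the folders open (the reset procedure in windows-update-resources.md further down in this patch, with its `net start wuauserv`, already follows that pattern). Two rows are still split across lines and will not render as table rows: the 0x8024000E (WU_E_XML_INVALID) row breaks after "XML data." with the Mitigation cell starting on the next line, and the `0x80072EFD` / `0x80072EFE` / `0x80D02002` row spreads its Error Code cell over three lines; join each onto one line and use `<br>` where a line break inside a cell is wanted. Smaller carry-overs worth fixing while here: `0X8007000D` uses a capital X unlike every other code, "Ensure that there is no Firewalls" should read "no firewalls", and "Additionally , you can" has a stray space before the comma.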
@@ -37,15 +37,15 @@ To understand the changes to the Windows Update architecture that UUP introduces - **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. Update types- - - OS Feature updates - - OS Security updates - - Device drivers - - Defender definition updates + - OS Feature updates + - OS Security updates + - Device drivers + - Defender definition updates - >[!NOTE] - > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update. - > - >Store apps aren't installed by USO, today they are separate. + >[!NOTE] + > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update. + > + >Store apps aren't installed by USO, today they are separate. - **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. - **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index 7eba140500..3c86a313b1 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md 
@@ -121,6 +121,6 @@ The following resources provide additional information about using Windows Updat net start wuauserv ``` 10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER: - ``` - bitsadmin.exe /reset /allusers - ``` + ``` + bitsadmin.exe /reset /allusers + ``` diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md index e79efdb0cd..a631ad47fa 100644 --- a/windows/deployment/update/wufb-manageupdate.md +++ b/windows/deployment/update/wufb-manageupdate.md @@ -22,6 +22,7 @@ Windows Update for Business allows users to control when devices should receive The following policies let you configure when you want a device to see a feature and or quality update from Windows Update. ## Policy overview + |Policy name| Description | |-|-| |Select when Quality Updates are received|Configures when the device should receive quality update. In this policy you can also select a date to pause receiving Quality Updates until. | @@ -31,9 +32,10 @@ The following policies let you configure when you want a device to see a feature ## Suggested configuration for a non-wave deployment If you don't need a wave deployment and have a small set of devices to manage, we recommend the following configuration: + |Policy| Location|Suggested configuration | |-|-|-| -|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
                                                                                              **Defer receiving it for this many days**: 0
                                                                                              **Pause Quality Updates**: Blank
                                                                                              *Note: use this functionality to prevent the device from receiving a quality update until the time passes| +|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
                                                                                              **Defer receiving it for this many days**: 0
                                                                                              **Pause Quality Updates**: Blank
                                                                                              *Note: use this functionality to prevent the device from receiving a quality update until the time passes| |Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
                                                                                              **Select Windows Readiness Level**: SAC
                                                                                              **Defer receiving for this many days**: 0-365
                                                                                              **Pause Feature Updates**: Blank
                                                                                              *Note: use this functionality to prevent the device from receiving a feature update until the time passes| |Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 06d495edfa..1454e87f15 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -84,9 +84,9 @@ See the following example:
                                                                                              1. Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process. -
                                                                                              2. Based on the [extend code](upgrade-error-codes.md#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate. +
                                                                                              3. Based on the extend code portion of the error code, determine the type and location of a log files to investigate.
                                                                                              4. Open the log file in a text editor, such as notepad. -
                                                                                              5. Using the [result code](upgrade-error-codes.md#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. +
                                                                                              6. Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
                                                                                              7. To find the last occurrence of the result code:
                                                                                                1. Scroll to the bottom of the file and click after the last character. diff --git a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md index f645527a25..6808396a25 100644 --- a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md +++ b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md @@ -38,7 +38,7 @@ The Upgrade Readiness workflow steps you through the discovery and rationalizati - [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) - [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) -##**Related topics** +## **Related topics** [Upgrade Readiness architecture](upgrade-readiness-architecture.md)
                                                                                                  [Upgrade Readiness requirements](upgrade-readiness-requirements.md)
                                                                                                  diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index 9b737c18ca..a2633ed3d5 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -32,18 +32,18 @@ The Microsoft Virtual Agent provided by [Microsoft Support](https://support.micr ## List of fixes
                                                                                                    -
                                                                                                  1. Remove nonessential external hardware, such as docks and USB devices. [More information](#remove-external-hardware).
                                                                                                  2. -
                                                                                                  3. Check the system drive for errors and attempt repairs. [More information](#repair-the-system-drive).
                                                                                                  4. -
                                                                                                  5. Run the Windows Update troubleshooter. [More information](#windows-update-troubleshooter).
                                                                                                  6. -
                                                                                                  7. Attempt to restore and repair system files. [More information](#repair-system-files).
                                                                                                  8. -
                                                                                                  9. Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update. [More information](#update-windows).
                                                                                                  10. +
                                                                                                  11. Remove nonessential external hardware, such as docks and USB devices. More information.
                                                                                                  12. +
                                                                                                  13. Check the system drive for errors and attempt repairs. More information.
                                                                                                  14. +
                                                                                                  15. Run the Windows Update troubleshooter. More information.
                                                                                                  16. +
                                                                                                  17. Attempt to restore and repair system files. More information.
                                                                                                  18. +
                                                                                                  19. Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update. More information.
                                                                                                  20. Temporarily uninstall non-Microsoft antivirus software. - [More information](#uninstall-non-microsoft-antivirus-software).
                                                                                                  21. + More information. -
                                                                                                  22. Uninstall all nonessential software. [More information](#uninstall-non-essential-software).
                                                                                                  23. -
                                                                                                  24. Update firmware and drivers. [More information](#update-firmware-and-drivers)
                                                                                                  25. -
                                                                                                  26. Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. [More information](#ensure-that-download-and-install-updates-is-selected).
                                                                                                  27. -
                                                                                                  28. Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS. [More information](#verify-disk-space).
                                                                                                  29. +
                                                                                                  30. Uninstall all nonessential software. More information.
                                                                                                  31. +
                                                                                                  32. Update firmware and drivers. More information
                                                                                                  33. +
                                                                                                  34. Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. More information.
                                                                                                  35. +
                                                                                                  36. Verify at least 16 GB of free space is available to upgrade a 32-bit OS, or 20 GB for a 64-bit OS. More information.
                                                                                                  ## Step by step instructions diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index bf1210bc39..0168eee901 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -85,7 +85,7 @@ The device install log is particularly helpful if rollback occurs during the sys Mitigation Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
                                                                                                  Contact your hardware vendor to obtain updated device drivers. -
                                                                                                  Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. +
                                                                                                  Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. @@ -114,7 +114,7 @@ The device install log is particularly helpful if rollback occurs during the sys Ensure that all that drivers are updated.
                                                                                                  Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers. -
                                                                                                  For more information, see [Understanding Failures and Log Files](https://technet.microsoft.com/library/ee851579.aspx). +
                                                                                                  For more information, see Understanding Failures and Log Files.
                                                                                                  Update or uninstall the problem drivers. @@ -140,7 +140,7 @@ Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
                                                                                                  Contact your hardware vendor to obtain updated device drivers. -
                                                                                                  Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. +
                                                                                                  Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. @@ -195,7 +195,7 @@ Disconnect all peripheral devices that are connected to the system, except for t
                                                                                                  Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
                                                                                                  Review the rollback log and determine the stop code. -
                                                                                                  The rollback log is located in the **C:\$Windows.~BT\Sources\Panther** folder. An example analysis is shown below. This example is not representative of all cases: +
                                                                                                  The rollback log is located in the C:$Windows.~BT\Sources\Panther folder. An example analysis is shown below. This example is not representative of all cases:
                                                                                                  Info SP Crash 0x0000007E detected
                                                                                                  Info SP Module name :
                                                                                                  Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005 @@ -498,13 +498,13 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m 0xC1800118 WSUS has downloaded content that it cannot use due to a missing decryption key. -See [Steps to resolve error 0xC1800118](https://blogs.technet.microsoft.com/wsus/2016/09/21/resolving-error-0xc1800118/) for information. +See Steps to resolve error 0xC1800118 for information. 0xC1900200 Setup.exe has detected that the machine does not meet the minimum system requirements. -Ensure the system you are trying to upgrade meets the minimum system requirements.
                                                                                                  See [Windows 10 specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) for information. +Ensure the system you are trying to upgrade meets the minimum system requirements.
                                                                                                  See Windows 10 specifications for information. @@ -512,28 +512,28 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m 0x80090011 A device driver error occurred during user data migration. Contact your hardware vendor and get all the device drivers updated. It is recommended to have an active internet connection during upgrade process. -
                                                                                                  Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. +
                                                                                                  Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. 0xC7700112 Failure to complete writing data to the system drive, possibly due to write access failure on the hard disk. This issue is resolved in the latest version of Upgrade Assistant. -
                                                                                                  Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. +
                                                                                                  Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. 0x80190001 An unexpected error was encountered while attempting to download files required for upgrade. -To resolve this issue, download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10). +To resolve this issue, download and run the media creation tool. See Download windows 10. 0x80246007 The update was not downloaded successfully. Attempt other methods of upgrading the operating system.
                                                                                                  -Download and run the media creation tool. See [Download windows 10](https://www.microsoft.com/en-us/software-download/windows10). +Download and run the media creation tool. See Download windows 10.
                                                                                                  Attempt to upgrade using .ISO or USB.
                                                                                                  -**Note**: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). +Note: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the Volume Licensing Service Center. @@ -550,7 +550,7 @@ Download and run the media creation tool. See [Download windows 10](https://www. 0x80070020 The existing process cannot access the file because it is being used by another process. -Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135). +Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see How to perform a clean boot in Windows. 0x80070522 
@@ -561,12 +561,12 @@ Download and run the media creation tool. See [Download windows 10](https://www. 0xC1900107 A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade. -Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10). +Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see Disk cleanup in Windows 10. 0xC1900209 The user has chosen to cancel because the system does not pass the compatibility scan to install the update. Setup.exe will report this error when it can upgrade the machine with user data but cannot migrate installed applications. -Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See [Windows 10 Pre-Upgrade Validation using SETUP.EXE](https://blogs.technet.microsoft.com/mniehaus/2015/08/23/windows-10-pre-upgrade-validation-using-setup-exe/) for more information. +Incompatible software is blocking the upgrade process. Uninstall the application and try the upgrade again. See Windows 10 Pre-Upgrade Validation using SETUP.EXE for more information.
                                                                                                  You can also download the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526740) and install Application Compatibility Tools. @@ -576,7 +576,7 @@ Download and run the media creation tool. See [Download windows 10](https://www. 0x8007002 This error is specific to upgrades using System Center Configuration Manager 2012 R2 SP1 CU3 (5.00.8238.1403) -Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760) +Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)
                                                                                                  The error 80072efe means that the connection with the server was terminated abnormally. @@ -586,7 +586,7 @@ Download and run the media creation tool. See [Download windows 10](https://www. 0x80240FFF -Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update. +Occurs when update synchronization fails. It can occur when you are using Windows Server Update Services on its own or when it is integrated with System Center Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update. You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:
                                                                                                    @@ -629,49 +629,49 @@ Download and run the media creation tool. See [Download windows 10](https://www. 0x80070003- 0x20007 This is a failure during SafeOS phase driver installation. -[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver. +Verify device drivers on the computer, and analyze log files to determine the problem driver. 0x8007025D - 0x2000C -This error occurs if the ISO file's metadata is corrupt."Re-download the ISO/Media and re-attempt the upgrade. +This error occurs if the ISO file's metadata is corrupt."Re-download the ISO/Media and re-attempt the upgrade. Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/en-us/software-download/windows10). 0x80070490 - 0x20007An incompatible device driver is present. -[Verify device drivers](https://msdn.microsoft.com/windows/hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver. +Verify device drivers on the computer, and analyze log files to determine the problem driver. 0xC1900101 - 0x2000c An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption. -Run checkdisk to repair the file system. For more information, see the [quick fixes](quick-fixes.md) section in this guide. -
                                                                                                    Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display. +Run checkdisk to repair the file system. For more information, see the quick fixes section in this guide. +
                                                                                                    Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display. 0xC1900200 - 0x20008 The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10. -See [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) and verify the computer meets minimum requirements. +See Windows 10 Specifications and verify the computer meets minimum requirements.
                                                                                                    Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/). 0x80070004 - 0x3000D This is a problem with data migration during the first boot phase. There are multiple possible causes. -[Analyze log files](log-files.md#analyze-log-files) to determine the issue. +Analyze log files to determine the issue. 0xC1900101 - 0x4001E Installation failed in the SECOND_BOOT phase with an error during PRE_OOBE operation. -This is a generic error that occurs during the OOBE phase of setup. See the [0xC1900101](#0xc1900101) section of this guide and review general troubleshooting procedures described in that section. +This is a generic error that occurs during the OOBE phase of setup. See the 0xC1900101 section of this guide and review general troubleshooting procedures described in that section. 0x80070005 - 0x4000D The installation failed in the SECOND_BOOT phase with an error in during MIGRATE_DATA operation. This error indicates that access was denied while attempting to migrate data. -[Analyze log files](log-files.md#analyze-log-files) to determine the data point that is reporting access denied. +Analyze log files to determine the data point that is reporting access denied. 0x80070004 - 0x50012 Windows Setup failed to open a file. -[Analyze log files](log-files.md#analyze-log-files) to determine the data point that is reporting access problems. +Analyze log files to determine the data point that is reporting access problems. 0xC190020e
                                                                                                    0x80070070 - 0x50011
                                                                                                    0x80070070 - 0x50012
                                                                                                    0x80070070 - 0x60000 These errors indicate the computer does not have enough free space available to install the upgrade. -To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/help/17421/windows-free-up-drive-space) before proceeding with the upgrade. +To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to free up drive space before proceeding with the upgrade.
                                                                                                    Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby. diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index b95836a0e9..84ce07f8df 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md 
@@ -56,10 +56,10 @@ This blade reports the number of devices that have installed a firmware update t The IE site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. -> [!NOTE] +> [!NOTE] > Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. The data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. - ->IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. +> +> IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. In order to use site discovery, a separate opt-in is required; see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). diff --git a/windows/deployment/upgrade/upgrade-readiness-architecture.md b/windows/deployment/upgrade/upgrade-readiness-architecture.md index a18694469e..ae046f6abf 100644 --- a/windows/deployment/upgrade/upgrade-readiness-architecture.md 
+++ b/windows/deployment/upgrade/upgrade-readiness-architecture.md @@ -28,7 +28,7 @@ For more information about what diagnostic data Microsoft collects and how that [Manage connections from Windows operating system components to Microsoft services](/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
                                                                                                    [Windows 7, Windows 8, and Windows 8.1 appraiser diagnostic data events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
                                                                                                    -##**Related topics** +## **Related topics** [Upgrade Readiness requirements](upgrade-readiness-requirements.md)
                                                                                                    [Upgrade Readiness release notes](upgrade-readiness-requirements.md#important-information-about-this-release)
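Review bot: In the upgrade-readiness-architecture.md hunk, `+## **Related topics**` keeps bold markers inside a heading; `##` already renders the line as a heading, and the other headings in this patch (for example `## Review applications with known issues`) are plain text, so the line should be `## Related topics`. Adding the space after `##` is the right part of the fix, since `##**Related topics**` without it is not parsed as a heading at all.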
                                                                                                    diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index 989ede243f..d5b3c8d42a 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -48,8 +48,8 @@ In order to enable this scenario, you need: - Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly. - Set ClientProxy=User in bat. ->[!IMPORTANT] -> Using **Logged-in user's internet connection** with **DisableEnterpriseAuthProxy = 0** scenario is incompatible with ATP where the required value of that attribute is 1.(Read more here)[https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection] +> [!IMPORTANT] +> Using **Logged-in user's internet connection** with **DisableEnterpriseAuthProxy = 0** scenario is incompatible with ATP where the required value of that attribute is 1.(Read more here)[] diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index ffd383665e..8bb240a99d 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md 
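Review bot: In the upgrade-readiness-data-sharing.md hunk, the new line `(Read more here)[]` drops the URL that the removed line still carried and keeps the bracket/parenthesis order reversed, so nothing is rendered as a link and the reader has no way to reach the ATP proxy guidance the sentence depends on. It should read `[Read more here](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection)`, with a space before it so it is not glued to the preceding `1.`.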
@@ -155,29 +155,29 @@ Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Mi ->[!NOTE] ->**Additional steps to follow if you receive exit code 33** - ->Check the exit code for any of these messages: -> ->- CompatTelRunner.exe exited with last error code: 0x800703F1 ->- CompatTelRunner.exe exited with last error code: 0x80070005 ->- CompatTelRunner.exe exited with last error code: 0x80080005 +> [!NOTE] +> **Additional steps to follow if you receive exit code 33** +> +> Check the exit code for any of these messages: +> +> - CompatTelRunner.exe exited with last error code: 0x800703F1 +> - CompatTelRunner.exe exited with last error code: 0x80070005 +> - CompatTelRunner.exe exited with last error code: 0x80080005 >  -> ->If the exit code includes any of those messages, then run these commands from an elevated command prompt: -> ->1. Net stop diagtrack ->2. Net stop pcasvc ->3. Net stop dps ->4. Del %windir%\appcompat\programs\amcache.hve ->5. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v AmiHivePermissionsCorrect /f ->6. reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v LogFlags /t REG_DWORD /d 4 /f ->7. Net start diagtrack ->8. Net start pcasvc ->9. Net start dps -> ->Then run the Enterprise Config script (RunConfig.bat) again.  -> ->If the script still fails, then send mail to **uasupport@microsoft.com** including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well. +> +> If the exit code includes any of those messages, then run these commands from an elevated command prompt: +> +> 1. Net stop diagtrack +> 2. 
Net stop pcasvc +> 3. Net stop dps +> 4. Del %windir%\appcompat\programs\amcache.hve +> 5. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v AmiHivePermissionsCorrect /f +> 6. reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" /v LogFlags /t REG_DWORD /d 4 /f +> 7. Net start diagtrack +> 8. Net start pcasvc +> 9. Net start dps +> +> Then run the Enterprise Config script (RunConfig.bat) again. +> +> If the script still fails, then send mail to uasupport@microsoft.com including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well. diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md index 7ad151a2f2..7a049836e4 100644 --- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md +++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md @@ -29,12 +29,14 @@ The blades in the **Step 2: Resolve issues** section are: Upgrade decisions include: -| Upgrade decision | When to use it | Guidance | -|--------------------|-------------------|-------------| -| Not reviewed | All drivers are marked as Not reviewed by default.

                                                                                                    Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
                                                                                                    | Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.

                                                                                                    | -| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.

                                                                                                    Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.

                                                                                                    | Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
                                                                                                    | -| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.

                                                                                                    In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
                                                                                                    | -| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.

                                                                                                    Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
                                                                                                    | If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.

                                                                                                    | + +| Upgrade decision | When to use it | Guidance | +|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Not reviewed | All drivers are marked as Not reviewed by default.

                                                                                                    Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
                                                                                                    | Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.

                                                                                                    | +| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.

                                                                                                    Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.

                                                                                                    | Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
                                                                                                    | +| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.

                                                                                                    In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
                                                                                                    | +| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.

                                                                                                    Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
                                                                                                    | If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.

                                                                                                    | + As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/). ## Review applications with known issues 
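Review bot: In the `@@ -29,12` hunk of upgrade-readiness-resolve-issues.md, the rebuilt table carries over a grammar error in the **Won’t upgrade** row: `applications and drivers that you do not work on your target operating system` should be `applications and drivers that do not work on your target operating system`. The row is being rewritten anyway, so fix it here. Apart from that, the old and new tables differ only in the heavily padded `|---|` separator row, which is harmless but turns a no-op into a large diff; the short separators are easier to review in future changes.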
@@ -94,20 +96,20 @@ If you query with RollupLevel="NamePublisher", each version of the application c ![Name publisher rollup](../images/upgrade-analytics-namepub-rollup.png) ->[!TIP] ->Within the Upgrade Readiness data model, an object of Type **UAApp** refers to a particular application installed on a specific computer. - ->To support dynamic aggregation and summation of data the Upgrade Readiness solution "rolls up" (aggregates) data in preprocessing. Rolling up to the **Granular** level enables display of the **App** level. In Upgrade Readiness terminology, an **App** is a unique combination of: app name, app vendor, app version, and app language. Thus, at the Granular level, you can see attributes such as **total install count**, which is the number of machines with a specific **App** installed. - ->Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you to ignore different app versions within your organization for a particular app. In other words, **NamePublisher** displays statistics about a given app, aggregated across all versions. +> [!TIP] +> Within the Upgrade Readiness data model, an object of Type **UAApp** refers to a particular application installed on a specific computer. +> +> To support dynamic aggregation and summation of data the Upgrade Readiness solution "rolls up" (aggregates) data in preprocessing. Rolling up to the **Granular** level enables display of the **App** level. In Upgrade Readiness terminology, an **App** is a unique combination of: app name, app vendor, app version, and app language. Thus, at the Granular level, you can see attributes such as **total install count**, which is the number of machines with a specific **App** installed. +> +> Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you to ignore different app versions within your organization for a particular app. 
In other words, **NamePublisher** displays statistics about a given app, aggregated across all versions. The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses) | Ready for Windows Status | Query rollup level | What this means | Guidance | |-------------------|--------------------------|-----------------|----------| |Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. | -| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. | -| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. | +| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. | +| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. | | Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A | | Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. 
| Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.| |Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.| 
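Review bot: In the `@@ -94,20` hunk of upgrade-readiness-resolve-issues.md, the re-prefixed tip keeps a comma splice: `Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you ...` should close the first clause with a period (`**NamePublisher**. This level enables ...`). The **Highly adopted** and **Adopted** table rows change only trailing whitespace, which is fine.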
@@ -147,11 +149,11 @@ Applications and drivers that are meet certain criteria to be considered low ris The first row reports the number of your apps that have an official statement of support on Windows 10 from the software vendor, so you can be confident that they will work on your target operating system. -The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in diagnostic data. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well. +The second row (**Apps that are "Highly adopted"**) shows apps that have a ReadyForWindows status of "Highly adopted". This means that they have been installed on at least 100,000 commercial Windows 10 devices, and that Microsoft has not detected significant issues with the app in diagnostic data. Since these apps are prevalent in the ecosystem at large, you can be confident that they will work in your environment as well. -Each row of the blade uses a different criterion to filter your apps or drivers. You can view a list of applications that meet the criterion by clicking into a row of the blade. For example, if you click the row that says "Apps that are 'Highly adopted'", the result is a list of apps that have a ReadyForWindows status of "Highly adopted". From here, you can bulk-select the results, select **Ready to upgrade**, and then click **Save**.  This will mark all apps meeting the "Highly adopted" criterion as "Ready to upgrade"--no further validation is required. Any applications that you have marked as *Mission critical* or *Business critical* are filtered out, as well as any app that has an issue known to Microsoft. This allows you to work with apps in bulk without having to worry about missing a critical app. 
+Each row of the blade uses a different criterion to filter your apps or drivers. You can view a list of applications that meet the criterion by clicking into a row of the blade. For example, if you click the row that says "Apps that are 'Highly adopted'", the result is a list of apps that have a ReadyForWindows status of "Highly adopted". From here, you can bulk-select the results, select **Ready to upgrade**, and then click **Save**. This will mark all apps meeting the "Highly adopted" criterion as "Ready to upgrade"--no further validation is required. Any applications that you have marked as *Mission critical* or *Business critical* are filtered out, as well as any app that has an issue known to Microsoft. This allows you to work with apps in bulk without having to worry about missing a critical app. -You can customize the criteria further by using the Log Search query language. For example, if a ReadyForWindows status of "Adopted" is not sufficient by itself for you to be confident in an app's compatibility, you can add additional filters. To do this, click the row labeled **Apps that are 'Adopted'**.  Then, modify the resulting query to fit your company's risk tolerance. If, for example, you prefer that an app must be "Adopted" and have fewer than 1,000 installations, then add *TotalInstalls < 1000* to the end of the Log Search query. Similarly, you can append additional criteria by using other attributes such as monthly active users or app importance. +You can customize the criteria further by using the Log Search query language. For example, if a ReadyForWindows status of "Adopted" is not sufficient by itself for you to be confident in an app's compatibility, you can add additional filters. To do this, click the row labeled **Apps that are 'Adopted'**. Then, modify the resulting query to fit your company's risk tolerance. 
If, for example, you prefer that an app must be "Adopted" and have fewer than 1,000 installations, then add *TotalInstalls < 1000* to the end of the Log Search query. Similarly, you can append additional criteria by using other attributes such as monthly active users or app importance. >[!NOTE] >Apps that you have designated as *Mission critical* or *Business critical* are automatically **excluded** from the counts on this blade. If an app is critical, you should always validate it manually it prior to upgrading. @@ -175,7 +177,7 @@ Each item in the proposed action plan represents either an application or a driv >Since “Low install count” apps are automatically marked “Ready to upgrade”, you will not see any of these apps in the proposed action plan. Each item in the plan has the following attributes: - + | Attribute | Description | Example value | |-----------------------|------------------------------------------|----------------| | ItemRank | The location of this item in the context of the proposed action plan. For example, the item with ItemRank 7 is the 7th item in the Plan. It is crucial that the Plan is viewed in order by increasing ItemRank. Sorting the Plan in any other way invalidates the insights that the Plan provides. | 7 | @@ -195,7 +197,7 @@ See the following example action plan items (click the image for a full-size vie ![Proposed action plan](../images/UR-lift-report.jpg)
                                                                                                    -In this example, the 3rd item is an application: **Microsoft Bing Sports**, a modern app, version **4.20.951.0**, published by Microsoft. By validating this app and making its UpgradeDecision “Ready to upgrade”, you can potentially make **1014** computers “Ready to upgrade” – but only after you have already validated items 1 and 2 in the list. By marking items 1, 2, and 3 “Ready to upgrade”, 14779 of your computers will become upgrade-ready. This represents 10.96% of the machines in this workspace. +In this example, the 3rd item is an application: Microsoft Bing Sports, a modern app, version 4.20.951.0, published by Microsoft. By validating this app and making its UpgradeDecision “Ready to upgrade”, you can potentially make 1014 computers “Ready to upgrade” – but only after you have already validated items 1 and 2 in the list. By marking items 1, 2, and 3 “Ready to upgrade”, 14779 of your computers will become upgrade-ready. This represents 10.96% of the machines in this workspace. #### Using the proposed action plan diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 84986509fe..e52a6199cf 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md 
@@ -118,7 +118,7 @@ With System Center Configuration Manager Current Branch, new built-in functional **Note**   For more details about Configuration Manager Current Branch, see the [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620205). An [evaluation version is currently available](https://go.microsoft.com/fwlink/p/?LinkId=620206) for you to try. The instructions below are specific to the Technical Preview 2 release and may change after the next version of Configuration Manager is released. -  + ### Create the OS upgrade package @@ -206,9 +206,9 @@ After the task sequence completes, the computer will be fully upgraded to Window [Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109) -  + -  + diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 203176d4fb..4628fe593e 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md 
@@ -38,13 +38,13 @@ MDT adds support for Windows 10 deployment, including a new in-place upgrade ta The steps to create the deployment share for production are the same as when you created the deployment share to create the custom reference image: -1. On MDT01, log on as Administrator in the CONTOSO domain with a password of **P@ssw0rd**. -2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. -3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction**, and then click **Next**. -4. On the **Share** page, in the **Share name** text box, type **MDTProduction$**, and then click **Next**. -5. On the **Descriptive Name** page, in the **Deployment share** description text box, type **MDT Production**, and then click **Next**. -6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. -7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. +1. On MDT01, log on as Administrator in the CONTOSO domain with a password of P@ssw0rd. +2. Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. +3. On the **Path** page, in the **Deployment share path** text box, type **E:\\MDTProduction**, and then click **Next**. +4. On the **Share** page, in the **Share name** text box, type **MDTProduction$**, and then click **Next**. +5. On the **Descriptive Name** page, in the **Deployment share** description text box, type **MDT Production**, and then click **Next**. +6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. +7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share. ## Add Windows 10 Enterprise x64 (full source) 
@@ -84,16 +84,16 @@ Figure 3. The task sequence to upgrade to Windows 10. To initiate the in-place upgrade, perform the following steps on PC0003 (currently running Windows 7 SP1). -1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** -2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**. +1. Start the MDT deployment wizard by running the following command: **\\\\MDT01\\MDTProduction$\\Scripts\\LiteTouch.vbs** +2. Select the **Windows 10 Enterprise x64 RTM Upgrade** task sequence, and then click **Next**. - ![figure 4](../images/upgrademdt-fig4-selecttask.png) + ![figure 4](../images/upgrademdt-fig4-selecttask.png) - Figure 4. Upgrade task sequence. + Figure 4. Upgrade task sequence. -3. On the **Credentials** tab, specify the **MDT\_BA** account, **P@ssw0rd** password, and **CONTOSO** for the domain. (Some or all of these values can be specified in Bootstrap.ini so they are automatically populated.) -4. On the **Ready** tab, click **Begin** to start the task sequence. -When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. +3. On the **Credentials** tab, specify the **MDT\_BA** account, P@ssw0rd password, and **CONTOSO** for the domain. (Some or all of these values can be specified in Bootstrap.ini so they are automatically populated.) +4. On the **Ready** tab, click **Begin** to start the task sequence. + When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers. ![figure 5](../images/upgrademdt-fig5-winupgrade.png) 
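Review bot: In the `@@ -84,16` hunk of upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md, step 3 drops the bold from `P@ssw0rd` but keeps `**MDT\_BA**` and `**CONTOSO**` bold, so the three credential values on one line are now formatted three different ways; format all of them the same way or none of them. The same line tells the reader these values can be placed in Bootstrap.ini; since that stores the account password in clear text in that file, a one-sentence caveat to that effect belongs next to the suggestion. Moving the `When the task sequence begins ...` paragraph under step 4 is a good change, as it describes what step 4 triggers.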
@@ -106,4 +106,4 @@ After the task sequence completes, the computer will be fully upgraded to Window [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) -  + diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 98abd1bec1..e727489a71 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -237,9 +237,9 @@ You can move directly from Enterprise to any valid destination edition. In this ->**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. - ->**Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. +> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. +> +> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro. 
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 0a8f2c78cf..437295f796 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md 
@@ -23,15 +23,15 @@ ms.topic: article This topic provides a summary of available upgrade paths to Windows 10. You can upgrade to Windows 10 from Windows 7 or a later operating system. This includes upgrading from one release of Windows 10 to later release of Windows 10. Migrating from one edition of Windows 10 to a different edition of the same release is also supported. For more information about migrating to a different edition of Windows 10, see [Windows 10 edition upgrade](windows-10-edition-upgrades.md). ->**Windows 10 version upgrade**: You can directly upgrade a supported version of Windows 10 to a newer version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. - ->**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. - ->In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). - ->**Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. 
If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. - ->**Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355). +> **Windows 10 version upgrade**: You can directly upgrade a supported version of Windows 10 to a newer version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. +> +> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. +> +> In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). +> +> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. 
Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. +> +> **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355). ✔ = Full upgrade is supported including personal data, settings, and applications.
                                                                                                    D = Edition downgrade; personal data is maintained, applications and settings are removed. diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md index a80a20d38d..6cdbb764fc 100644 --- a/windows/deployment/usmt/migrate-application-settings.md +++ b/windows/deployment/usmt/migrate-application-settings.md @@ -77,7 +77,7 @@ Next, you should go through the user interface and make a list of all of the ava **Note**   Most applications store their settings under the user profile. That is, the settings stored in the file system are under the %**UserProfile**% directory, and the settings stored in the registry are under the **HKEY\_CURRENT\_USER** hive. For these applications you can filter the output of the file and registry monitoring tools to show activity only under these locations. This will considerably reduce the amount of output that you will need to examine. -   + 4. Start the monitoring tool(s), change a setting, and look for registry and file system writes that occurred when you changed the setting. Make sure the changes you make actually take effect. For example, if you are changing a setting in Microsoft Word by selecting a check box in the **Options** dialog box, the change typically will not take effect until you close the dialog box by clicking **OK**. @@ -86,7 +86,7 @@ Next, you should go through the user interface and make a list of all of the ava **Note**   Changing an application setting invariably leads to writing to registry keys. If possible, filter the output of the file and registry monitor tool to display only writes to files and registry keys/values. -   + ## Step 3: Identify how to apply the gathered settings. 
@@ -119,12 +119,12 @@ After you have completed steps 1 through 3, you will need to create a custom mig **Note**   We recommend that you create a separate .xml file instead of adding your script to the **MigApp.xml** file. This is because the **MigApp.xml** file is a very large file and it will be difficult to read and edit. In addition, if you reinstall USMT for some reason, the **MigApp.xml** file will be overwritten by the default version of the file and you will lose your customized version. -  + **Important**   Some applications store information in the user profile that should not be migrated (for example, application installation paths, the computer name, and so on). You should make sure to exclude these files and registry keys from the migration. -  + Your script should do the following: @@ -162,9 +162,9 @@ To speed up the time it takes to collect and migrate the data, you can migrate o [Log Files](usmt-log-files.md) -  + -  + diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md index f12b1f169e..c0a4e086b3 100644 --- a/windows/deployment/usmt/migration-store-types-overview.md +++ b/windows/deployment/usmt/migration-store-types-overview.md @@ -60,7 +60,7 @@ If there is not enough local disk space, or if you are moving the user state to **Important**   If possible, have users store their data within their %UserProfile%\\My Documents and %UserProfile%\\Application Data folders. This will reduce the chance of USMT missing critical user data that is located in a directory that USMT is not configured to check. -  + ### The /localonly Command-Line Option @@ -71,9 +71,9 @@ You should use this option to exclude the data from removable drives and network [Plan Your Migration](usmt-plan-your-migration.md) -  + -  + diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md index 29d08a89bc..8ae2bd96b0 100644 
--- a/windows/deployment/usmt/offline-migration-reference.md +++ b/windows/deployment/usmt/offline-migration-reference.md @@ -92,12 +92,12 @@ The following table defines the supported combination of online and offline oper -  + **Note**   It is possible to run the ScanState tool while the drive remains encrypted by suspending Windows BitLocker Drive Encryption before booting into WinPE. For more information, see [this Microsoft site](https://go.microsoft.com/fwlink/p/?LinkId=190314). -  + ## User-Group Membership and Profile Control @@ -159,7 +159,7 @@ An offline migration can either be enabled by using a configuration file on the -  + You can use only one of the **/offline**,**/offlineWinDir** , or **/OfflineWinOld** command-line options at a time; USMT does not support using more than one together. @@ -197,7 +197,7 @@ The following system environment variables are necessary in the scenarios outlin -  + ## Offline.xml Elements @@ -258,9 +258,9 @@ The following XML example illustrates some of the elements discussed earlier in [Plan Your Migration](usmt-plan-your-migration.md) -  + -  + diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index 04105cb634..69edbd4515 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -55,7 +55,7 @@ The Config.xml file is the configuration file created by the `/genconfig` option **Note**   When modifying the XML elements in the Config.xml file, you should edit an element and set the **migrate** property to **no**, rather than deleting the element from the file. If you delete the element instead of setting the property, the component may still be migrated by rules in other XML files. -  + ## Overview of the MigApp.xml file 
@@ -65,7 +65,7 @@ The MigApp.xml file installed with USMT includes instructions to migrate the set **Important**   The MigApps.xml file will only detect and migrate .pst files that are linked to Microsoft Office Outlook. See the [Sample migration rules for customized versions of XML files](#bkmk-samples) section of this document for more information about migrating .pst files that are not linked to Outlook. -  + ## Overview of the MigDocs.xml file @@ -182,7 +182,7 @@ You can make a copy of the MigUser.xml file and modify it to include or exclude **Note**   Each file name extension you include in the rules within the MigUser.xml file increases the amount of time needed for the ScanState tool to gather the files for the migration. If you are migrating more than three hundred file types, you may experience a slow migration. For more information about other ways to organize the migration of your data, see the [Using multiple XML files](#bkmk-multiple) section of this document. -  + ## Using multiple XML files @@ -204,7 +204,7 @@ You can use multiple XML files with the ScanState and LoadState tools. Each of t

                                                                                                    Config.xml file

                                                                                                    Operating-system components such as desktop wallpaper and background theme.

                                                                                                    -

                                                                                                    You can also overload config.xml to include some application and document settings by generating the config.xml file with the other default XML files. For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md).

                                                                                                    +

                                                                                                    You can also overload config.xml to include some application and document settings by generating the config.xml file with the other default XML files. For more information, see Customize USMT XML Files and Config.xml File.

                                                                                                    MigApps.xml file
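Review bot: the replacement rows in the @@ -204 hunk of understanding-migration-xml-files.md drop the cross-reference links: `[Customize USMT XML Files](usmt-customize-xml-files.md)` and `[Config.xml File](usmt-configxml-file.md)` become the bare text `Customize USMT XML Files and Config.xml File`, so readers of the Config.xml row can no longer navigate to those topics. Keep the link syntax in the `+` row, i.e. `For more information, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [Config.xml File](usmt-configxml-file.md).`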

                                                                                                    @@ -221,7 +221,7 @@ You can use multiple XML files with the ScanState and LoadState tools. Each of t -  + For example, you can use all of the XML migration file types for a single migration, as in the following example: @@ -234,7 +234,7 @@ Scanstate /config:c:\myFolder\config.xml /i:migapps.xml /i:migdocs.xml / **Important**   You should not use the MigUser.xml and MigDocs.xml files together in the same command. Using both XML files can result in duplication of some migrated files. This occurs when conflicting target-location instructions are given in each XML file. The target file will be stored once during the migration, but will be applied by each XML file to a different location on the destination computer. -  + If your data set is unknown or if many files are stored outside of the standard user-profile folders, the MigDocs.xml is a better choice than the MigUser.xml file, because the MigDocs.xml file will gather a broader scope of data. The MigDocs.xml file migrates folders of data based on location. The MigUser.xml file migrates only the files with the specified file name extensions. @@ -248,7 +248,7 @@ You can use the **/genmigxml** command-line option to determine which files will **Note**   If you reinstall USMT, the default migration XML files will be overwritten and any customizations you make directly to these files will be lost. Consider creating separate XML files for your custom migration rules and saving them in a secure location. -  + To generate the XML migration rules file for a source computer: @@ -292,7 +292,7 @@ The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes thr

                                                                                                    ScanProgramFiles

                                                                                                    The ScanProgramFiles argument is valid only when the GenerateDocPatterns function is called in a system context. This argument determines whether or not to scan the Program Files directory to gather registered file name extensions for known applications.

                                                                                                    For example, when set to TRUE, the function discovers and migrates .doc files under the Microsoft Office directory, because .doc is a file name extension registered to a Microsoft Office application. The GenerateDocPatterns function generates this inclusion pattern for .doc files:

                                                                                                    -
                                                                                                    <pattern type="File">C:\Program Files\Microsoft Office\*[*.doc]</pattern>
                                                                                                    +
                                                                                                    <pattern type="File">C:\Program Files\Microsoft Office[.doc]</pattern>

                                                                                                    If a child folder of an included folder contains an installed application, ScanProgramFiles will also create an exclusion rule for the child folder. All folders under the application folder will be scanned recursively for registered file name extensions.

                                                                                                    False
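Review bot: the `+` line in the @@ -292 hunk corrupts the GenerateDocPatterns example: `C:\Program Files\Microsoft Office\*[*.doc]` becomes `C:\Program Files\Microsoft Office[.doc]`, losing the trailing backslash and both `*` wildcards, so the pattern shown no longer matches .doc files under the Office directory and contradicts the sentence that introduces it. This looks like markdown escape handling consuming `\*` and `\[`; keep the original pattern text and put it in a code span or fenced block so the backslashes and asterisks survive rendering.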

                                                                                                    @@ -309,7 +309,7 @@ The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes thr -  + **Usage:** @@ -321,9 +321,9 @@ To create include data patterns for only the system drive: ``` syntax -      -         -      + + + ``` @@ -331,9 +331,9 @@ To create an include rule to gather files for registered extensions from the %PR ``` syntax -      -         -      + + + ``` @@ -341,9 +341,9 @@ To create exclude data patterns: ``` syntax -      -         -      + + + ``` @@ -402,14 +402,14 @@ The user context includes rules for data in the User Profiles directory. When ca **Note**   Rules contained in a component that is assigned the user context will be run for each user profile on the computer. Files that are scanned multiple times by the MigDocs.xml files will only be copied to the migration store once; however, a large number of rules in the user context can slow down the migration. Use the system context when it is applicable. -  + ### Sample migration rules for customized versions of XML files **Note**   For best practices and requirements for customized XML files in USMT, see [Customize USMT XML Files](usmt-customize-xml-files.md) and [General Conventions](usmt-general-conventions.md). -  + ### Exclude rules usage examples @@ -423,16 +423,16 @@ In the examples below, the source computer has a .txt file called "new text docu

                                                                                                    Rule 1

                                                                                                    -
                                                                                                    <pattern type="File">d:\new folder\[new text document.txt]</pattern>
                                                                                                    +
                                                                                                    <pattern type="File">d:\new folder[new text document.txt]</pattern>

                                                                                                    Rule 2

                                                                                                    -
                                                                                                    <pattern type="File">d:\new folder\*[*]</pattern>
                                                                                                    +
                                                                                                    <pattern type="File">d:\new folder[]</pattern>
                                                                                                    -  + To exclude the new text document.txt file as well as any .txt files in “new folder”, you can do the following: @@ -442,10 +442,10 @@ To exclude Rule 1, there needs to be an exact match of the file name. However, f ``` syntax -      -        D:\Newfolder\[new text document.txt] -         D:\New folder\*[*.txt] -      + + D:\Newfolder\[new text document.txt] + D:\New folder\*[*.txt] + ``` @@ -455,9 +455,9 @@ If you do not know the file name or location of the file, but you do know the fi ``` syntax -      -         -      + + + ``` @@ -467,16 +467,16 @@ If you want the <UnconditionalExclude> element to apply to both the system ``` syntax -   MigDocExcludes -    -      -        -          -                 -          -        -      -    + MigDocExcludes + + + + + + + + + ``` @@ -492,9 +492,9 @@ This rule will include .pst files that are located in the default location, but ``` syntax -      -        %CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst] -      + + %CSIDL_LOCAL_APPDATA%\Microsoft\Outlook\*[*.pst] + ``` @@ -504,9 +504,9 @@ For locations outside the user profile, such as the Program Files folder, you ca ``` syntax -      -        %CSIDL_PROGRAM_FILES%\*[*.pst] -      + + %CSIDL_PROGRAM_FILES%\*[*.pst] + ``` @@ -515,7 +515,7 @@ For more examples of include rules that you can use in custom migration XML file **Note**   For more information about the order of precedence for XML migration rules, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). -  + ## Next steps @@ -531,9 +531,9 @@ You can use an XML schema (MigXML.xsd) file to validate the syntax of your custo [Include Files and Settings](usmt-include-files-and-settings.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md index 7742a94e4e..71c900fa77 100644 --- a/windows/deployment/usmt/usmt-best-practices.md 
+++ b/windows/deployment/usmt/usmt-best-practices.md @@ -65,7 +65,7 @@ As the authorized administrator, it is your responsibility to protect the privac **Important**   If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. -   + - **Encrypt the store** @@ -124,7 +124,7 @@ As the authorized administrator, it is your responsibility to protect the privac **Note**   The number of times a rule is processed does not affect the number of times a file is migrated. The USMT migration engine ensures that each file migrates only once. -   + - **We recommend that you create a separate .xml file instead of adding your .xml code to one of the existing migration .xml files** @@ -139,7 +139,7 @@ As the authorized administrator, it is your responsibility to protect the privac **Note**   The question mark is not valid as a wildcard character in USMT .xml files. -   + ## Related topics @@ -148,9 +148,9 @@ As the authorized administrator, it is your responsibility to protect the privac [Plan Your Migration](usmt-plan-your-migration.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md index 530fbcb627..30f49c1574 100644 --- a/windows/deployment/usmt/usmt-choose-migration-store-type.md +++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md @@ -28,25 +28,25 @@ One of the main considerations for planning your migration is to determine which -

                                                                                                    [Migration Store Types Overview](migration-store-types-overview.md)

                                                                                                    +

                                                                                                    Migration Store Types Overview

                                                                                                    Choose the migration store type that works best for your needs and migration scenario.

                                                                                                    -

                                                                                                    [Estimate Migration Store Size](usmt-estimate-migration-store-size.md)

                                                                                                    -

                                                                                                    Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.

                                                                                                    +

                                                                                                    Estimate Migration Store Size

                                                                                                    +

                                                                                                    Estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure.

                                                                                                    -

                                                                                                    [Hard-Link Migration Store](usmt-hard-link-migration-store.md)

                                                                                                    +

                                                                                                    Hard-Link Migration Store

                                                                                                    Learn about hard-link migration stores and the scenarios in which they are used.

                                                                                                    -

                                                                                                    [Migration Store Encryption](usmt-migration-store-encryption.md)

                                                                                                    +

                                                                                                    Migration Store Encryption

                                                                                                    Learn about the using migration store encryption to protect user data integrity during a migration.

                                                                                                    -  + ## Related topics @@ -55,9 +55,9 @@ One of the main considerations for planning your migration is to determine which [User State Migration Tool (USMT) How-to topics](usmt-how-to.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md index 50d621f9cf..c4e0977727 100644 --- a/windows/deployment/usmt/usmt-command-line-syntax.md +++ b/windows/deployment/usmt/usmt-command-line-syntax.md @@ -28,25 +28,25 @@ The User State Migration Tool (USMT) 10.0 migrates user files and settings duri -

                                                                                                    [ScanState Syntax](usmt-scanstate-syntax.md)

                                                                                                    +

                                                                                                    ScanState Syntax

                                                                                                    Lists the command-line options for using the ScanState tool.

                                                                                                    -

                                                                                                    [LoadState Syntax](usmt-loadstate-syntax.md)

                                                                                                    +

                                                                                                    LoadState Syntax

                                                                                                    Lists the command-line options for using the LoadState tool.

                                                                                                    -

                                                                                                    [UsmtUtils Syntax](usmt-utilities.md)

                                                                                                    +

                                                                                                    UsmtUtils Syntax

                                                                                                    Lists the command-line options for using the UsmtUtils tool.

                                                                                                    -  + -  + -  + diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md index 5baf60a464..6944af7cea 100644 --- a/windows/deployment/usmt/usmt-common-issues.md +++ b/windows/deployment/usmt/usmt-common-issues.md 
@@ -40,31 +40,31 @@ The following sections discuss common issues that you might see when you run the When you encounter a problem or error message during migration, you can use the following general guidelines to help determine the source of the problem: -- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line. +- Examine the ScanState, LoadState, and UsmtUtils logs to obtain the exact USMT error messages and Windows® application programming interface (API) error messages. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). For more information about Windows API error messages, type **nethelpmsg** on the command line. - In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v***:5* option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger. + In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration; however, reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a verbosity level higher than 5 if you want the log files output to go to a debugger. 
- **Note**   - Running the ScanState and LoadState tools with the **/v***:5* option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred. + **Note** + Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, the extra detail can help you determine where migration errors occurred. -   + -- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). +- Use the **/Verify** option in the UsmtUtils tool to determine whether any files in a compressed migration store are corrupted. For more information, see [Verify the Condition of a Compressed Migration Store](verify-the-condition-of-a-compressed-migration-store.md). -- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). +- Use the **/Extract** option in the UsmtUtils tool to extract files from a compressed migration store. For more information, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md). -- Create a progress log using the **/Progress** option to monitor your migration. +- Create a progress log using the **/Progress** option to monitor your migration. -- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. 
This information might help you to understand what is wrong and to reproduce the issue in your testing environment. +- For the source and destination computers, obtain operating system information, and versions of applications such as Internet Explorer and any other relevant programs. Then verify the exact steps that are needed to reproduce the problem. This information might help you to understand what is wrong and to reproduce the issue in your testing environment. -- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on. +- Log off after you run the LoadState tool. Some settings—for example, fonts, desktop backgrounds, and screen-saver settings—will not take effect until the next time the end user logs on. -- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files. +- Close all applications before running ScanState or LoadState tools. If some applications are running during the ScanState or LoadState process, USMT might not migrate some data. For example, if Microsoft Outlook® is open, USMT might not migrate PST files. - **Note**   - USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate. + **Note** + USMT will fail if it cannot migrate a file or setting unless you specify the **/c** option. When you specify the **/c** option, USMT ignores errors. However, it logs an error when it encounters a file that is in use that did not migrate. -   + ## User Account Problems 
@@ -330,9 +330,9 @@ You should also reboot the machine. [UsmtUtils Syntax](usmt-utilities.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md index 37959599a3..bde6f9635e 100644 --- a/windows/deployment/usmt/usmt-configxml-file.md +++ b/windows/deployment/usmt/usmt-configxml-file.md @@ -30,7 +30,7 @@ For more information about using the Config.xml file with other migration files, **Note**   To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. -  + ## In This Topic @@ -110,7 +110,7 @@ Additionally, the order in the **<ErrorControl>** section implies priority **Important**   The configurable **<ErrorControl>** rules support only the environment variables for the operating system that is running and the currently logged-on user. As a workaround, you can specify a path using the (\*) wildcard character. -  + ### <fatal> @@ -146,7 +146,7 @@ Syntax: ``*<pattern>*`` -  + You use the **<fatal>** element to specify that errors matching a specific pattern should cause USMT to halt the migration. @@ -200,14 +200,14 @@ Syntax: ``*<pattern>*`` -  + You use the **<nonFatal>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration. ## <registryError> -The **<registryError>**element is not required. +The <registryError>element is not required. - **Number of occurrences**: Once for each component @@ -239,7 +239,7 @@ Syntax: `` -  + You use the **<registryError>** element to specify that errors matching a specific pattern should not cause USMT to halt the migration. @@ -263,7 +263,7 @@ The **<HardLinkStoreControl>** sample code below specifies that hard links **Important**   The **<ErrorControl>** section can be configured to conditionally ignore file access errors, based on the file’s location. -  + ``` syntax 
@@ -358,7 +358,7 @@ This element describes the source and destination groups for a local group membe -  + The valid and required children of **<changeGroup>** are **<include>** and **<exclude>**. Although both can be children at the same time, only one is required. @@ -579,9 +579,9 @@ Refer to the following sample Config.xml file for additional details about items [USMT XML Reference](usmt-xml-reference.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md index 681266cd33..ed6b77296b 100644 --- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md +++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md @@ -174,40 +174,40 @@ These examples explain how USMT deals with <include> and <exclude> r
                                                                                                      -
                                                                                                    • Include rule: <pattern type="File">C:\Dir1\* [*]</pattern>

                                                                                                    • -
                                                                                                    • Exclude rule: <pattern type="File">C:\* [*.txt]</pattern>

                                                                                                    • +
                                                                                                    • Include rule: <pattern type="File">C:\Dir1* []</pattern>

                                                                                                    • +
                                                                                                    • Exclude rule: <pattern type="File">C:* [.txt]</pattern>

                                                                                                    Migrates all files and subfolders in Dir1 (including all .txt files in C:).

                                                                                                    The <exclude> rule does not affect the migration because the <include> rule is more specific.

                                                                                                      -
                                                                                                    • Include rule: <pattern type="File">C:\Dir1\* [*]</pattern>

                                                                                                    • -
                                                                                                    • Exclude rule: <pattern type="File">C:\Dir1\Dir2\* [*.txt]</pattern>

                                                                                                    • +
                                                                                                    • Include rule: <pattern type="File">C:\Dir1* []</pattern>

                                                                                                    • +
                                                                                                    • Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>

                                                                                                    Migrates all files and subfolders in C:\Dir1, except the .txt files in C:\Dir1\Dir2 and its subfolders.

                                                                                                    Both rules are processed as intended.

                                                                                                      -
                                                                                                    • Include rule: <pattern type="File">C:\Dir1\* [*]</pattern>

                                                                                                    • -
                                                                                                    • Exclude rule: <pattern type="File">C:\Dir1\ * [*.txt]</pattern>

                                                                                                    • +
                                                                                                    • Include rule: <pattern type="File">C:\Dir1* []</pattern>

                                                                                                    • +
                                                                                                    • Exclude rule: <pattern type="File">C:\Dir1\ * [.txt]</pattern>

                                                                                                    Migrates all files and subfolders in C:\Dir1, except the .txt files in C:\Dir1 and its subfolders.

                                                                                                    Both rules are processed as intended.

                                                                                                      -
                                                                                                    • Include rule: <pattern type="File">C:\Dir1\Dir2\* [*.txt]</pattern>

                                                                                                    • -
                                                                                                    • Exclude rule: <pattern type="File">C:\Dir1\Dir2\* [*.txt]</pattern>

                                                                                                    • +
                                                                                                    • Include rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>

                                                                                                    • +
                                                                                                    • Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>

                                                                                                    Nothing will be migrated.

                                                                                                    The rules are equally specific, so the <exclude> rule takes precedence over the <include> rule.

                                                                                                      -
                                                                                                    • Include rule: C:\Dir1\* [*.txt]

                                                                                                    • -
                                                                                                    • Exclude rule: C:\Dir1\Dir2\* [*]

                                                                                                    • +
                                                                                                    • Include rule: C:\Dir1* [.txt]

                                                                                                    • +
                                                                                                    • Exclude rule: C:\Dir1\Dir2* []

                                                                                                    Migrates the .txt files in Dir1 and the .txt files from subfolders other than Dir2.

                                                                                                    No files are migrated from Dir2 or its subfolders.
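Review bot: The `+` lines of this hunk alter the example rules rather than their Markdown escaping: `C:\Dir1\* [*]` becomes `C:\Dir1* []` and `C:\* [*.txt]` becomes `C:* [.txt]`, so the trailing `\*` that denotes the folder and its subfolders and the bracketed object-name filter (`[*]`, `[*.txt]`) are both lost, while the unchanged explanations under each pair ("Migrates all files and subfolders in Dir1 (including all .txt files in C:)", "The rules are equally specific, so the <exclude> rule takes precedence") still describe the original rules. If the intent was to stop Markdown from consuming `\*`, keep the original text and put each pattern in a code span, for example `` `<pattern type="File">C:\Dir1\* [*]</pattern>` ``, instead of deleting the characters.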

                                                                                                    @@ -215,8 +215,8 @@ These examples explain how USMT deals with <include> and <exclude> r
                                                                                                      -
                                                                                                    • Include rule: C:\Dir1\Dir2\* [*]

                                                                                                    • -
                                                                                                    • Exclude rule: C:\Dir1\* [*.txt]

                                                                                                    • +
                                                                                                    • Include rule: C:\Dir1\Dir2* []

                                                                                                    • +
                                                                                                    • Exclude rule: C:\Dir1* [.txt]

                                                                                                    Migrates all files and subfolders of Dir2, except the .txt files from Dir1 and any subfolders of Dir1 (including Dir2).

                                                                                                    Both rules are processed as intended.
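Review bot: In this hunk's `+` lines the extension filter `[*.txt]` is reduced to `[.txt]`, which no longer contains a wildcard and would name a single object literally called `.txt`, contradicting the unchanged explanation "except the .txt files from Dir1 and any subfolders of Dir1 (including Dir2)"; the include rule likewise shrinks from `C:\Dir1\Dir2\* [*]` to `C:\Dir1\Dir2* []`, leaving an empty object-name filter. Restore the original `Include rule: C:\Dir1\Dir2\* [*]` and `Exclude rule: C:\Dir1\* [*.txt]`.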

                                                                                                    @@ -224,7 +224,7 @@ These examples explain how USMT deals with <include> and <exclude> r -  + @@ -243,13 +243,13 @@ These examples explain how USMT deals with <include> and <exclude> r @@ -257,11 +257,11 @@ These examples explain how USMT deals with <include> and <exclude> r @@ -269,11 +269,11 @@ These examples explain how USMT deals with <include> and <exclude> r @@ -281,7 +281,7 @@ These examples explain how USMT deals with <include> and <exclude> r

                                                                                                    Component 1:

                                                                                                      -
                                                                                                    • Include rule: <pattern type="File">C:\Dir1\* [*]</pattern>

                                                                                                    • -
                                                                                                    • Exclude rule: <pattern type="File">C:\Dir1\Dir2\* [*.txt]</pattern>

                                                                                                    • +
                                                                                                    • Include rule: <pattern type="File">C:\Dir1* []</pattern>

                                                                                                    • +
                                                                                                    • Exclude rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>

                                                                                                    Component 2:

                                                                                                      -
                                                                                                    • Include rule: <pattern type="File">C:\Dir1\Dir2\* [*.txt]</pattern>

                                                                                                    • -
                                                                                                    • Exclude rule: <pattern type="File">C:\Dir1\* [*]</pattern>

                                                                                                    • +
                                                                                                    • Include rule: <pattern type="File">C:\Dir1\Dir2* [.txt]</pattern>

                                                                                                    • +
                                                                                                    • Exclude rule: <pattern type="File">C:\Dir1* []</pattern>

                                                                                                    Migrates all files and subfolders of C:\Dir1\ (including C:\Dir1\Dir2).

                                                                                                    Rules that are in different components do not affect each other, except for the <unconditionalExclude> rule. Therefore, in this example, although some .txt files were excluded when Component 1 was processed, they were included when Component 2 was processed.

                                                                                                    Component 1:

                                                                                                      -
                                                                                                    • Include rule: C:\Dir1\Dir2\* [*]

                                                                                                    • +
                                                                                                    • Include rule: C:\Dir1\Dir2* []

                                                                                                    Component 2:

                                                                                                      -
                                                                                                    • Exclude rule: C:\Dir1\* [*.txt]

                                                                                                    • +
                                                                                                    • Exclude rule: C:\Dir1* [.txt]

                                                                                                    Migrates all files and subfolders from Dir2 except the .txt files in C:\Dir1 and its subfolders.

                                                                                                    Both rules are processed as intended.

                                                                                                    Component 1:

                                                                                                      -
                                                                                                    • Exclude rule: C:\Dir1\Dir2\* [*]

                                                                                                    • +
                                                                                                    • Exclude rule: C:\Dir1\Dir2* []

                                                                                                    Component 2:

                                                                                                      -
                                                                                                    • Include rule: C:\Dir1\* [*.txt]

                                                                                                    • +
                                                                                                    • Include rule: C:\Dir1* [.txt]

                                                                                                    Migrates all .txt files in Dir1 and any subfolders.

                                                                                                    Component 1 does not contain an <include> rule, so the <exclude> rule is not processed.
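Review bot: The multi-component examples in this region depend on the wildcard filters that the `+` lines remove: the explanation "although some .txt files were excluded when Component 1 was processed, they were included when Component 2 was processed" is only true for `<pattern type="File">C:\Dir1\Dir2\* [*.txt]</pattern>`, not for the replacement `C:\Dir1\Dir2* [.txt]`, and "Migrates all files and subfolders of C:\Dir1\ (including C:\Dir1\Dir2)" presumes `C:\Dir1\* [*]`, not `C:\Dir1* []`. Either revert the `+` lines to the `-` text or rewrite the explanations to match, but not ship the two out of step.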

                                                                                                    -  + ### Including and excluding registry objects @@ -301,7 +301,7 @@ These examples explain how USMT deals with <include> and <exclude> r
                                                                                                      -
                                                                                                    • Include rule: HKLM\Software\Microsoft\Command Processor\* [*]

                                                                                                    • +
                                                                                                    • Include rule: HKLM\Software\Microsoft\Command Processor* []

                                                                                                    • Exclude Rule: HKLM\Software\Microsoft\Command Processor [DefaultColor]

                                                                                                    Migrates all keys in HKLM\Software\Microsoft\Command Processor except DefaultColor.
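Review bot: The `+` line `Include rule: HKLM\Software\Microsoft\Command Processor* []` leaves the bracketed part empty, yet the unchanged `Exclude Rule: HKLM\Software\Microsoft\Command Processor [DefaultColor]` two lines below shows that the brackets carry the value name, so `[]` selects nothing and the summary "Migrates all keys in HKLM\Software\Microsoft\Command Processor except DefaultColor" no longer follows; keep `Command Processor\* [*]`. Minor style point in the same lines: `Exclude Rule` is capitalized differently from `Include rule` directly above it.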

                                                                                                    @@ -310,7 +310,7 @@ These examples explain how USMT deals with <include> and <exclude> r
                                                                                                    • Include rule: HKLM\Software\Microsoft\Command Processor [DefaultColor]

                                                                                                    • -
                                                                                                    • Exclude Rule: HKLM\Software\Microsoft\Command Processor\* [*]

                                                                                                    • +
                                                                                                    • Exclude Rule: HKLM\Software\Microsoft\Command Processor* []

                                                                                                    Migrates only DefaultColor in HKLM\Software\Microsoft\Command Processor.

                                                                                                    DefaultColor is migrated because the <include> rule is more specific than the <exclude> rule.
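Review bot: The precedence argument in the unchanged line "DefaultColor is migrated because the <include> rule is more specific than the <exclude> rule" compares `[DefaultColor]` against the broad `[*]` of `Exclude Rule: HKLM\Software\Microsoft\Command Processor\* [*]`; after the `+` line turns that into `Command Processor* []`, the exclude rule is no longer the general case the sentence describes. Revert the `+` line so the example and its explanation agree.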

                                                                                                    @@ -326,7 +326,7 @@ These examples explain how USMT deals with <include> and <exclude> r -  + @@ -346,11 +346,11 @@ These examples explain how USMT deals with <include> and <exclude> r @@ -359,7 +359,7 @@ These examples explain how USMT deals with <include> and <exclude> r

                                                                                                    Component 1:

                                                                                                    • Include rule: HKLM\Software\Microsoft\Command Processor [DefaultColor]

                                                                                                    • -
                                                                                                    • Exclude rule: HKLM\Software\Microsoft\Command Processor\* [*]

                                                                                                    • +
                                                                                                    • Exclude rule: HKLM\Software\Microsoft\Command Processor* []

                                                                                                    Component 2:

                                                                                                      -
                                                                                                    • Include rule: HKLM\Software\Microsoft\Command Processor\* [*]

                                                                                                    • +
                                                                                                    • Include rule: HKLM\Software\Microsoft\Command Processor* []

                                                                                                    • Exclude rule: HKLM\Software\Microsoft\Command Processor [DefaultColor]

                                                                                                    Migrates all the keys/values under HKLM\Software\Microsoft\Command Processor.
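Review bot: Dropping the backslash in the `+` lines changes how the registry path reads: `HKLM\Software\Microsoft\Command Processor\* [*]` names the key and everything beneath it, whereas `HKLM\Software\Microsoft\Command Processor* []` attaches the `*` to the key name itself and empties the value filter, which does not yield "all the keys/values under HKLM\Software\Microsoft\Command Processor" as the unchanged summary states. Keep the `-` form for both the Component 1 exclude rule and the Component 2 include rule.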

                                                                                                    -  + ## File collisions @@ -415,7 +415,7 @@ For this example, the following table describes the resulting behavior if you ad
                                                                                                    <merge script="MigXmlHelper.DestinationPriority()"> 
                                                                                                        <objectSet> 
                                                                                                    -      <pattern type="File">c:\data\* [*]</pattern> 
                                                                                                    +      <pattern type="File">c:\data* []</pattern> 
                                                                                                        </objectSet> 
                                                                                                     </merge>

                                                                                                    During ScanState, all the files will be added to the store.
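Review bot: This `+` line edits a literal XML sample (`<merge script="MigXmlHelper.DestinationPriority()">` with its `<objectSet>` children), where Markdown escaping is not in play, so there is no reason to turn `<pattern type="File">c:\data\* [*]</pattern>` into `c:\data* []`; the unchanged sentence "During ScanState, all the files will be added to the store" assumes the full-folder pattern. Leave the sample as it was.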

                                                                                                    @@ -424,7 +424,7 @@ For this example, the following table describes the resulting behavior if you ad
                                                                                                    <merge script="MigXmlHelper.SourcePriority()"> 
                                                                                                        <objectSet> 
                                                                                                    -      <pattern type="File">c:\data\* [*]</pattern> 
                                                                                                    +      <pattern type="File">c:\data* []</pattern> 
                                                                                                        </objectSet> 
                                                                                                     </merge> 

                                                                                                    During ScanState, all the files will be added to the store.

                                                                                                    @@ -447,16 +447,16 @@ For this example, the following table describes the resulting behavior if you ad -  + ## Related topics [USMT XML Reference](usmt-xml-reference.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md index ce2d82a554..c937f9a6ab 100644 --- a/windows/deployment/usmt/usmt-custom-xml-examples.md +++ b/windows/deployment/usmt/usmt-custom-xml-examples.md @@ -19,7 +19,7 @@ ms.topic: article **Note**   Because the tables in this topic are wide, you may need to adjust the width of its window. -  + ## In This Topic: @@ -127,13 +127,13 @@ The following is a custom .xml file named CustomFile.xml that migrates My Videos

                                                                                                    Filters out the shortcuts in My Videos that do not resolve on the destination computer. This has no effect on files that are not shortcuts. For example, if there is a shortcut in My Videos on the source computer that points to C:\Folder1, that shortcut will be migrated only if C:\Folder1 exists on the destination computer. However, all other files, such as .mp3 files, migrate without any filtering.

                                                                                                    -
                                                                                                    <pattern type="File">%CSIDL_MYVIDEO%\* [*]</pattern>
                                                                                                    +
                                                                                                    <pattern type="File">%CSIDL_MYVIDEO%* [*]</pattern>

                                                                                                    Migrates My Videos for all users.
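Review bot: The `+` line `<pattern type="File">%CSIDL_MYVIDEO%* [*]</pattern>` removes the backslash but keeps `[*]`, so the edit is inconsistent even within this hunk, and `%CSIDL_MYVIDEO%*` now reads as a prefix on the folder name rather than the folder and its subfolders that "Migrates My Videos for all users" describes. Restore `%CSIDL_MYVIDEO%\* [*]`.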

                                                                                                    -  + ``` syntax @@ -176,25 +176,25 @@ This table describes the behavior in the following example .xml file. -
                                                                                                    <pattern type="File">%ProgramFiles%\USMTTestFolder\* [USMTTestFile.txt]</pattern>
                                                                                                    +
                                                                                                    <pattern type="File">%ProgramFiles%\USMTTestFolder* [USMTTestFile.txt]</pattern>

                                                                                                    Migrates all instances of the file Usmttestfile.txt from all sub-directories under %ProgramFiles%\USMTTestFolder.

                                                                                                    -
                                                                                                    <pattern type="File">%ProgramFiles%\USMTDIRTestFolder\* [*]</pattern>
                                                                                                    +
                                                                                                    <pattern type="File">%ProgramFiles%\USMTDIRTestFolder* []</pattern>

                                                                                                    Migrates the whole directory under %ProgramFiles%\USMTDIRTestFolder.

                                                                                                    -
                                                                                                    <pattern type="Registry">HKCU\Software\USMTTESTKEY\* [MyKey]</pattern>
                                                                                                    +
                                                                                                    <pattern type="Registry">HKCU\Software\USMTTESTKEY* [MyKey]</pattern>

                                                                                                    Migrates all instances of MyKey under HKCU\Software\USMTTESTKEY.

                                                                                                    -
                                                                                                    <pattern type="Registry">HKLM\Software\USMTTESTKEY\* [*]</pattern>
                                                                                                    +
                                                                                                    <pattern type="Registry">HKLM\Software\USMTTESTKEY* []</pattern>

                                                                                                    Migrates the entire registry hive under HKLM\Software\USMTTESTKEY.
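Review bot: Each `+` line in this table hunk contradicts the description that follows it: "from all sub-directories under %ProgramFiles%\USMTTestFolder" needs the trailing `\*` that `%ProgramFiles%\USMTTestFolder* [USMTTestFile.txt]` no longer has, "Migrates the whole directory" needs `[*]` rather than `[]`, and "Migrates the entire registry hive under HKLM\Software\USMTTESTKEY" needs `HKLM\Software\USMTTESTKEY\* [*]` rather than `HKLM\Software\USMTTESTKEY* []`; revert the four `+` lines to their `-` counterparts. While touching this table, the description "Migrates all instances of the file Usmttestfile.txt" should use the same casing as the pattern, `USMTTestFile.txt`.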

                                                                                                    -  + ``` syntax @@ -308,9 +308,9 @@ The behavior for this custom .xml file is described within the <`displayName` [Customize USMT XML Files](usmt-customize-xml-files.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md index 83f959010e..113321c67a 100644 --- a/windows/deployment/usmt/usmt-customize-xml-files.md +++ b/windows/deployment/usmt/usmt-customize-xml-files.md @@ -56,7 +56,7 @@ This section describes the migration .xml files that are included with USMT. Eac **Note**   You can use the asterisk (\*) wildcard character in each of these files. However, you cannot use a question mark (?) as a wildcard character. -  + - **The MigApp.xml file.** Specify this file with both the **ScanState** and **LoadState** commands to migrate application settings. @@ -67,7 +67,7 @@ You can use the asterisk (\*) wildcard character in each of these files. However **Note**   Do not use the MigUser.xml and MigDocs.xml files together. For more information, see the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) and [USMT Best Practices](usmt-best-practices.md) topics. -   + ## Custom .xml Files @@ -96,7 +96,7 @@ In addition, note the following functionality with the Config.xml file: **Note**   To exclude a component from the Config.xml file, set the **migrate** value to **"no"**. Deleting the XML tag for the component from the Config.xml file will not exclude the component from your migration. -  + ### Examples @@ -128,9 +128,9 @@ To exclude a component from the Config.xml file, set the **migrate** value to ** [USMT Resources](usmt-resources.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md index f485606b22..5d036e690f 100644 
--- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md +++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md @@ -32,34 +32,34 @@ To reduce complexity and increase standardization, your organization should cons -

                                                                                                    [Identify Users](usmt-identify-users.md)

                                                                                                    +

                                                                                                    Identify Users

                                                                                                    Use command-line options to specify which users to migrate and how they should be migrated.

                                                                                                    -

                                                                                                    [Identify Applications Settings](usmt-identify-application-settings.md)

                                                                                                    +

                                                                                                    Identify Applications Settings

                                                                                                    Determine which applications you want to migrate and prepare a list of application settings to be migrated.

                                                                                                    -

                                                                                                    [Identify Operating System Settings](usmt-identify-operating-system-settings.md)

                                                                                                    +

                                                                                                    Identify Operating System Settings

                                                                                                    Use migration to create a new standard environment on each of the destination computers.

                                                                                                    -

                                                                                                    [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md)

                                                                                                    +

                                                                                                    Identify File Types, Files, and Folders

                                                                                                    Determine and locate the standard, company-specified, and non-standard locations of the file types, files, folders, and settings that you want to migrate.

                                                                                                    -  + ## Related topics [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 974a80a504..48949d7a00 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -86,7 +86,7 @@ The ScanState tool also allows you to estimate disk space requirements based on **Note**   To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, the **/p** option, without specifying *<path to a file>* is still available in USMT. -  + The space requirements report provides two elements, <**storeSize**> and <**temporarySpace**>. The <**temporarySpace**> value shows the disk space, in bytes, that USMT uses to operate during the migration—this does not include the minimum 250 MB needed to support USMT. The <**storeSize**> value shows the disk space, in bytes, required to host the migration store contents on both the source and destination computers. The following example shows a report generated using **/p:***<path to a file>*. @@ -114,7 +114,7 @@ The amount of space that is required in the store will vary, depending on the lo **Note**   You can create a space-estimate file (Usmtsize.txt), by using the legacy **/p** command-line option to estimate the size of the store. -  + When trying to determine how much disk space you will need, consider the following issues: @@ -129,9 +129,9 @@ When trying to determine how much disk space you will need, consider the followi [Common Migration Scenarios](usmt-common-migration-scenarios.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-exclude-files-and-settings.md b/windows/deployment/usmt/usmt-exclude-files-and-settings.md index 591d2ec1d5..0cdacd74e9 100644 
--- a/windows/deployment/usmt/usmt-exclude-files-and-settings.md +++ b/windows/deployment/usmt/usmt-exclude-files-and-settings.md @@ -269,9 +269,9 @@ To exclude a component from the Config.xml file, set the **migrate** value to ** - [Customize USMT XML Files](usmt-customize-xml-files.md) - [USMT XML Reference](usmt-xml-reference.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index 9e42f9708d..6b9330d5ec 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md +++ b/windows/deployment/usmt/usmt-general-conventions.md 
@@ -61,44 +61,44 @@ Before you modify the .xml files, become familiar with the following guidelines: You can use the XML helper functions in the [XML Elements Library](usmt-xml-elements-library.md) to change migration behavior. Before you use these functions in an .xml file, note the following: -- **All of the parameters are strings** +- **All of the parameters are strings** -- **You can leave NULL parameters blank** +- **You can leave NULL parameters blank** - As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: + As with parameters with a default value convention, if you have a NULL parameter at the end of a list, you can leave it out. For example, the following function: - ``` syntax - SomeFunction("My String argument",NULL,NULL) - ``` + ``` syntax + SomeFunction("My String argument",NULL,NULL) + ``` - is equivalent to: + is equivalent to: - ``` syntax - SomeFunction("My String argument") - ``` + ``` syntax + SomeFunction("My String argument") + ``` -- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object** +- **The encoded location used in all the helper functions is an unambiguous string representation for the name of an object** - It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. + It is composed of the node part, optionally followed by the leaf enclosed in square brackets. This makes a clear distinction between nodes and leaves. - For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters. + For example, specify the file C:\\Windows\\Notepad.exe: **c:\\Windows\[Notepad.exe\]**. 
Similarly, specify the directory C:\\Windows\\System32 like this: **c:\\Windows\\System32**; note the absence of the \[\] characters. - The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. + The registry is represented in a similar way. The default value of a registry key is represented as an empty \[\] construct. For example, the default value for the HKLM\\SOFTWARE\\MyKey registry key is **HKLM\\SOFTWARE\\MyKey\[\]**. -- **You specify a location pattern in a way that is similar to how you specify an actual location** +- **You specify a location pattern in a way that is similar to how you specify an actual location** - The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. + The exception is that both the node and leaf part accept patterns. However, a pattern from the node does not extend to the leaf. - For example, the pattern **c:\\Windows\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. + For example, the pattern **c:\\Windows\\\\*** will match the \\Windows directory and all subdirectories, but it will not match any of the files in those directories. To match the files as well, you must specify **c:\\Windows\\\*\[\*\]**. ## Related topics [USMT XML Reference](usmt-xml-reference.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index 44451775bc..100e1e1f04 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md 
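Review bot: in the usmt-determine-what-to-migrate.md hunk the four table rows that were links (`[Identify Users](usmt-identify-users.md)`, `[Identify Applications Settings](usmt-identify-application-settings.md)` and the two that follow) are replaced by bare text such as `Identify Users`, so the table no longer links to the topics it summarizes; restore the links unless the rendered table already carries them in another form. While that row is being touched, `Identify Applications Settings` does not match the target file name `usmt-identify-application-settings.md`; `Identify Application Settings` would be consistent with it.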
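Review bot: the last bullet of the usmt-general-conventions.md hunk rewrites the pattern `**c:\\Windows\\\***` as `**c:\\Windows\\\\***`, adding a backslash and leaving `***` to close the bold, so it no longer renders as `c:\Windows\*` and disagrees with the unchanged `**c:\\Windows\\\*\[\*\]**` in the next sentence; keep the original `\\\*` escaping so both patterns use the same form.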
@@ -70,7 +70,7 @@ When you create a hard link, you give an existing file an additional path. For i **Note**   A hard link can only be created for a file on the same volume. If you copy a hard-link migration store to another drive or external device, the files, and not the links, are copied, as in a non-compressed migration-store scenario. -  + For more information about hard links, please see [Hard Links and Junctions](https://go.microsoft.com/fwlink/p/?LinkId=132934) @@ -81,7 +81,7 @@ As a best practice, we recommend that you delete the hard-link migration store a **Important**   Using the **/c** option will force the Loadstate tool to continue applying files when non-fatal errors occur. If you use the **/c** option, you should verify that no errors are reported in the logs before deleting the hard-link migration store in order to avoid data loss. -  + Keeping the hard-link migration store can result in additional disk space being consumed or problems with some applications for the following reasons: @@ -94,7 +94,7 @@ Keeping the hard-link migration store can result in additional disk space being **Important**   The read-only file attribute on migrated files is lost when the hard-link migration store is deleted. This is due to a limitation in NTFS file system hard links. -  + ## Hard-Link Migration Scenario @@ -106,7 +106,7 @@ For example, a company has decided to deploy Windows 10 on all of their compute **Note**   As a best practice, we recommend that you do not create your hard-link migration store until just before you perform the migration in order to migrate the latest versions of your files. You should not use your software applications on the computer after creating the migration store until you have finished migrating your files with Loadstate. -   + 2. On each computer, an administrator installs the company's standard operating environment (SOE), which includes Windows 7 and other applications the company currently uses. 
@@ -162,7 +162,7 @@ Files that are locked by an application are treated the same in hard-link migrat **Important**   There are some scenarios in which modifying the **<HardLinkStoreControl>** section in the Config.xml file makes it more difficult to delete a hard-link migration store. In these scenarios, you must use USMTutils.exe to schedule the migration store for deletion on the next restart. -  + ## XML Elements in the Config.xml File @@ -200,12 +200,12 @@ A new section in the Config.xml file allows optional configuration of some of th -  + **Important**   You must use the **/nocompress** option with the **/HardLink** option. -  + The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use<createhardlink>** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete. @@ -225,9 +225,9 @@ The following XML sample specifies that files locked by an application under the [Plan Your Migration](usmt-plan-your-migration.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-how-it-works.md b/windows/deployment/usmt/usmt-how-it-works.md index 4f8fed6d46..84bf06500d 100644 --- a/windows/deployment/usmt/usmt-how-it-works.md +++ b/windows/deployment/usmt/usmt-how-it-works.md @@ -25,7 +25,7 @@ USMT includes two tools that migrate settings and data: ScanState and LoadState. **Note**   For more information about how USMT processes the rules and the XML files, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). -   + ## The ScanState Process 
@@ -57,7 +57,7 @@ When you run the ScanState tool on the source computer, it goes through the foll **Note**   From this point on, ScanState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. ScanState processes all components in the same way. -   + 2. Each component that is selected in the previous step is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile that is being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents, assuming that the user profiles are stored in the C:\\Users directory. @@ -72,7 +72,7 @@ When you run the ScanState tool on the source computer, it goes through the foll **Note**   ScanState ignores some subsections such as <destinationCleanup> and <locationModify>. These sections are evaluated only on the destination computer. -   + 5. In the "Collecting" phase, ScanState creates a master list of the migration units by combining the lists that were created for each selected user profile. 
@@ -81,68 +81,68 @@ When you run the ScanState tool on the source computer, it goes through the foll **Note**   ScanState does not modify the source computer in any way. -   + ## The LoadState Process The LoadState process is very similar to the ScanState process. The ScanState tool collects migration units such as file, registry key, or registry values from the source computer and saves them to the store. Similarly, the LoadState tool collects migration units from the store and applies them to the destination computer. -1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. +1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging. -2. LoadState collects information about the migration components that need to be migrated. +2. LoadState collects information about the migration components that need to be migrated. - LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command. + LoadState obtains information for the application-settings components and user-data components from the migration .xml files that are specified by the LoadState command. - In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. + In Windows 7, and Windows 8, the manifest files control how the operating-system settings are migrated. You cannot modify these files. If you want to exclude certain operating-system settings, you must create and modify a Config.xml file. -3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. 
The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration. +3. LoadState determines which user profiles should be migrated. By default, all user profiles present on the source computer are migrated. However, you can include and exclude users using the User Options. The system profile, the "All users" profile in a source computer running Windows XP, or the Public profile in a source computer running Windows Vista, Windows 7, and Windows 8, is always migrated and you cannot exclude these profiles from the migration. - - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the**/lac** command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated. + - If you are migrating local user accounts and if the accounts do not already exist on the destination computer, you must use the/lac command-line option. If you do not specify the **/lac** option, any local user accounts that are not already present on the destination computer, are not migrated. - - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified. + - The **/md** and **/mu** options are processed to rename the user profile on the destination computer, if they have been included when the LoadState command was specified. - - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. 
For more information, see [Identify Users](usmt-identify-users.md). + - For each user profile selected from the store, LoadState creates a corresponding user profile on the destination computer. The destination computer does not need to be connected to the domain for domain user profiles to be created. If USMT cannot determine a domain, it attempts to apply the settings to a local account. For more information, see [Identify Users](usmt-identify-users.md). -4. In the "Scanning" phase, LoadState does the following for each user profile: +4. In the "Scanning" phase, LoadState does the following for each user profile: - 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. + 1. For each component, LoadState checks the type of the component. If the current user profile is the system profile and the component type is “System” or “UserAndSystem”, the component is selected for this user. Otherwise, the component is ignored. Alternatively, if the current user profile is not the system profile and the component type is “User” or “UserAndSystem”, the component is selected for this user. Otherwise, this component is ignored. - **Note**   - From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. LoadState evaluates all components in the same way. + **Note** + From this point on, LoadState does not distinguish between components that migrate operating-system settings, those that migrate application settings, and those that migrate users’ files. 
LoadState evaluates all components in the same way. -   + - 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory). + 2. Each component that is selected is processed further. Any profile-specific variables (such as CSIDL\_PERSONAL) are evaluated in the context of the current profile. For example, if the profile being processed belongs to “User1”, then CSIDL\_PERSONAL would expand to C:\\Users\\User1\\Documents (assuming that the user profiles are stored in the C:\\Users directory). - **Note**   - LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. + **Note** + LoadState ignores the <detects> section specified in a component. At this point, all specified components are considered to be detected and are selected for migration. -   + - 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. + 3. For each selected component, LoadState evaluates the <rules> sections. For each <rules> section, if the current user profile is the system profile and the context of the <rules> section is “System” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. 
Alternatively, if the current user profile is not the system profile and the context of the <rules> section is “User” or “UserAndSystem”, the rule is processed further. Otherwise, this rule is ignored. - 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). + 4. LoadState creates a master list of migration units by processing the various subsections under the <rules> section. Each migration unit that is in an <include> subsection is migrated as long, as there is not a more specific rule for it in an <exclude> subsection in the same <rules> section. For more information about precedence, see [Conflicts and Precedence](usmt-conflicts-and-precedence.md). - 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections. + 5. LoadState evaluates the destination computer-specific subsections; for example, the <destinationCleanup> and <locationModify> subsections. - 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState. + 6. If the destination computer is running Windows 7 or Windows 8 then the migunits that were collected by ScanState using downlevel manifest files are processed by LoadState using the corresponding Component Manifest for Windows 7. The downlevel manifest files are not used during LoadState. 
- **Important**   - It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran. + **Important** + It is important to specify the .xml files with the LoadState command if you want LoadState to use them. Otherwise, any destination-specific rules, such as <locationModify>, in these .xml files are ignored, even if the same .xml files were provided when the ScanState command ran. -   + -5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed. +5. In the "Apply" phase, LoadState writes the migration units that were collected to the various locations on the destination computer. If there are conflicts and there is not a <merge> rule for the object, the default behavior for the registry is for the source to overwrite the destination. The default behavior for files is for the source to be renamed incrementally, for example, OriginalFileName(1).OriginalExtension. Some settings, such as fonts, wallpaper, and screen-saver settings, do not take effect until the next time the user logs on. For this reason, you should log off when the LoadState command actions have completed. ## Related topics [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md) -  + -  + 
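Review bot: step 1 of the LoadState process still reads `1. ScanState parses and validates the command-line parameters, creates the ScanState.log file, and then begins logging.` although every other step in this list names LoadState; since the hunk already rewrites that line, it should say LoadState and LoadState.log. In the same hunk, the first sub-bullet of step 3 changes `the**/lac** command-line option` to `the/lac command-line option`, which drops the bold and still lacks the space; `the **/lac** command-line option` matches the `**/lac**` later in the same sentence. Finally, trimming `**Note**   ` to `**Note**` and `**Important**   ` to `**Important**` removes the trailing spaces that acted as the markdown hard line break before the note text; check that the label still renders on its own line rather than running into the sentence that follows.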
diff --git a/windows/deployment/usmt/usmt-identify-operating-system-settings.md b/windows/deployment/usmt/usmt-identify-operating-system-settings.md index a739d384de..cce810e31f 100644 --- a/windows/deployment/usmt/usmt-identify-operating-system-settings.md +++ b/windows/deployment/usmt/usmt-identify-operating-system-settings.md @@ -43,16 +43,16 @@ For more information about how to change the operating-system settings that are For information about the operating-system settings that USMT migrates, see [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) -  + ## Related topics [Determine What to Migrate](usmt-determine-what-to-migrate.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md index f5a445a670..4f0534cf76 100644 --- a/windows/deployment/usmt/usmt-identify-users.md +++ b/windows/deployment/usmt/usmt-identify-users.md 
@@ -32,16 +32,16 @@ It is important to carefully consider how you plan to migrate users. By default, Before migrating local accounts, note the following: -- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the**/lac** option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. +- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the/lac option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated. -- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. +- [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer. -- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. 
+- [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools. - **Note**   - If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password. + **Note** + If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password. -   + ## Migrating Domain Accounts @@ -58,7 +58,7 @@ USMT provides several options to migrate multiple users on a single computer. Th **Important**   The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations. -   + - [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool. @@ -69,7 +69,7 @@ USMT provides several options to migrate multiple users on a single computer. Th **Note**   By default, if a user name is not specified in any of the command-line options, the user will be migrated. -   + ## Related topics @@ -80,9 +80,9 @@ USMT provides several options to migrate multiple users on a single computer. Th [LoadState Syntax](usmt-loadstate-syntax.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index bf5eb3dad4..63c3b443b8 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md 
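Review bot: the first bullet's rewrite changes `the**/lac** option` to `the/lac option`, losing the bold and still missing the space; use `the **/lac** option`, consistent with `**/lac**` in the bullets that follow. These three bullets and the note after them carry the security guidance for migrating local accounts (a blank password lets anyone log on, a supplied password is visible to anyone with access to the USMT command-line tools, and all migrated users share the password given with `/lac`), so the option name should stay visually distinct. As elsewhere in this patch, `**Note**   ` becoming `**Note**` drops the trailing spaces that produced the line break before the note text; verify the rendered output.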
@@ -61,7 +61,7 @@ The **LoadState** command's syntax is: loadstate *StorePath* \[/i:\[*Path*\\\]*FileName*\] \[/v:*VerbosityLevel*\] \[/nocompress\] \[/decrypt /key:*KeyString*|/keyfile:\[Path\\\]*FileName*\] \[/l:\[*Path*\\\]*FileName*\] \[/progress:\[*Path*\\\]*FileName*\] \[/r:*TimesToRetry*\] \[/w:*SecondsToWait*\] \[/c\] \[/all\] \[/ui:\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/ue:\[\[*DomainName*|*ComputerName*\\\]*UserName*\] \[/uel:*NumberOfDays*|*YYYY/MM/DD*|0\] \[/md:*OldDomain*:*NewDomain*\] \[/mu:*OldDomain*\\*OldUserName*:\[*NewDomain*\\\]*NewUserName*\] \[/lac:\[*Password*\]\] \[/lae\] \[/config:\[*Path*\\\]*FileName*\] \[/?|help\] -For example, to decrypt the store and migrate the files and settings to a computer running Windows 7 type the following on the command line: +For example, to decrypt the store and migrate the files and settings to a computer running Windows 7 type the following on the command line: `loadstate \\server\share\migration\mystore /i:migapp.xml /i:migdocs.xml /v:13 /decrypt /key:"mykey"` @@ -91,28 +91,27 @@ USMT provides the following options that you can use to specify how and where th

                                                                                                    or

                                                                                                    /decrypt /key:"Key String"

                                                                                                    or

                                                                                                    -

                                                                                                    /decrypt /keyfile:[Path\]FileName

                                                                                                    +

                                                                                                    /decrypt /keyfile:[Path</em>]FileName

                                                                                                    Decrypts the store with the specified key. With this option, you will need to specify the encryption key in one of the following ways:

                                                                                                    • /key:KeyString specifies the encryption key. If there is a space in KeyString, you must surround the argument with quotation marks.

                                                                                                    • /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key

                                                                                                    -

                                                                                                    KeyString cannot exceed 256 characters.

                                                                                                    +

                                                                                                    KeyString cannot exceed 256 characters.

                                                                                                    The /key and /keyfile options cannot be used on the same command line.

                                                                                                    The /decrypt and /nocompress options cannot be used on the same command line.

                                                                                                    -Important   -

                                                                                                    Use caution with this option, because anyone who has access to the LoadState command-line script will also have access to the encryption key.

                                                                                                    +Important

                                                                                                    Use caution with this option, because anyone who has access to the LoadState command-line script will also have access to the encryption key.

                                                                                                    -  +

                                                                                                    For example:

                                                                                                    -

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /decrypt /key:mykey

                                                                                                    +

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /decrypt /key:mykey

                                                                                                    /decrypt:"encryption strength"

                                                                                                    -

                                                                                                    The /decrypt option accepts a command-line parameter to define the encryption strength specified for the migration store encryption. For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md).

                                                                                                    +

                                                                                                    The /decrypt option accepts a command-line parameter to define the encryption strength specified for the migration store encryption. For more information about supported encryption algorithms, see Migration Store Encryption.

                                                                                                    /hardlink
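Review bot: the `+` lines in this hunk regress the syntax and the example, not just the whitespace. `/decrypt /keyfile:[Path\]FileName` becomes `/decrypt /keyfile:[Path</em>]FileName` (the backslash is gone and a stray emphasis tag appears in its place), the example store path `\\server\share\migration\mystore` becomes `\server\share\migration\mystore`, which is no longer a UNC path, and the cross-reference `[Migration Store Encryption](usmt-migration-store-encryption.md)` is flattened to unlinked text. Keep the original backslashes (or put the syntax and the command line in code spans so no markdown escaping is needed) and restore the link. Separately, since the **Important** callout in the same hunk warns that anyone with access to the command-line script also has the key, the example would be stronger if it showed the `/keyfile:` form instead of `/key:mykey`.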

                                                                                                    @@ -122,12 +121,12 @@ USMT provides the following options that you can use to specify how and where th

                                                                                                    /nocompress

                                                                                                    Specifies that the store is not compressed. You should only use this option in testing environments. We recommend that you use a compressed store during your actual migration. This option cannot be used with the /decrypt option.

                                                                                                    For example:

                                                                                                    -

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /nocompress

                                                                                                    +

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /nocompress
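Review bot: same path regression here: `loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /nocompress` is rewritten with `\server\share\migration\mystore`, dropping one of the two leading backslashes that make it a UNC path. Restore `\\server\share` or wrap the command in a code span.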

                                                                                                    -  + ## Migration Rule Options @@ -147,16 +146,16 @@ USMT provides the following options to specify what files you want to migrate. -

                                                                                                    /i:[Path\]FileName

                                                                                                    +

                                                                                                    /i:[Path]FileName

                                                                                                    (include)

                                                                                                    Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigSys.xml, MigDocs.xml and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

                                                                                                    -

                                                                                                    For more information about which files to specify, see the "XML files" section of the [Frequently Asked Questions](usmt-faq.md) topic.

                                                                                                    +

                                                                                                    For more information about which files to specify, see the "XML files" section of the Frequently Asked Questions topic.

                                                                                                    -

                                                                                                    /config:[Path\]FileName

                                                                                                    +

                                                                                                    /config:[Path]FileName

                                                                                                    Specifies the Config.xml file that the LoadState command should use. You cannot specify this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then the FileName must be located in the current directory.

                                                                                                    This example migrates the files and settings based on the rules in the Config.xml, MigDocs.xml, and MigApp.xml files:

                                                                                                    -

                                                                                                    loadstate \\server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:loadstate.log

                                                                                                    +

                                                                                                    loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:5 /l:loadstate.log

                                                                                                    /auto:"path to script files"
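Review bot: the `+` lines drop the backslash from both syntax forms (`/i:[Path\]FileName` becomes `/i:[Path]FileName`, `/config:[Path\]FileName` becomes `/config:[Path]FileName`), so readers lose the path separator the option actually expects; the `/config` example also loses a leading backslash in `\\server\share\migration\mystore`; and the `[Frequently Asked Questions](usmt-faq.md)` link becomes plain text. Restore the backslashes (or move the syntax into code spans) and restore the link.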

                                                                                                    @@ -165,7 +164,7 @@ USMT provides the following options to specify what files you want to migrate. -  + ## Monitoring Options @@ -185,7 +184,7 @@ USMT provides several command-line options that you can use to analyze problems -

                                                                                                    /l:[Path\]FileName

                                                                                                    +

                                                                                                    /l:[Path]FileName

                                                                                                    Specifies the location and name of the LoadState log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can specify the /v option to adjust the amount of output.

                                                                                                    If you run the LoadState command from a shared network resource, you must specify this option or USMT will fail with the error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:load.log option.
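Review bot: `/l:[Path\]FileName` becomes `/l:[Path]FileName`, dropping the path separator; the rest of the hunk is unchanged context. Restore the backslash or put the syntax in a code span.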

                                                                                                    @@ -240,15 +239,15 @@ USMT provides several command-line options that you can use to analyze problems -

                                                                                                     

                                                                                                    +

                                                                                                    For example:

                                                                                                    -

                                                                                                    loadstate \\server\share\migration\mystore /v:5 /i:migdocs.xml /i:migapp.xml

                                                                                                    +

                                                                                                    loadstate \server\share\migration\mystore /v:5 /i:migdocs.xml /i:migapp.xml

                                                                                                    -

                                                                                                    /progress:[Path\]FileName

                                                                                                    +

                                                                                                    /progress:[Path</em>]FileName

                                                                                                    Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

                                                                                                    For example:

                                                                                                    -

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /progress:prog.log /l:scanlog.log

                                                                                                    +

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

                                                                                                    /c
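Review bot: three regressions in this hunk: the `/v` example and the `/progress` example both lose a leading backslash (`\\server\share\migration\mystore` becomes `\server\share\migration\mystore`), and `/progress:[Path\]FileName` becomes `/progress:[Path</em>]FileName`, with a stray emphasis tag where the backslash was. The `/progress` example also names its LoadState log `scanlog.log`; that is not introduced by this change, but renaming it to `loadstate.log` while the line is being touched would avoid confusion with the ScanState log.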

                                                                                                    @@ -257,13 +256,13 @@ USMT provides several command-line options that you can use to analyze problems

                                                                                                    /r:<TimesToRetry>

                                                                                                    (Retry)

                                                                                                    -

                                                                                                    Specifies the number of times to retry when an error occurs while migrating the user state from a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

                                                                                                    +

                                                                                                    Specifies the number of times to retry when an error occurs while migrating the user state from a server. The default is three times. This option is useful in environments where network connectivity is not reliable.

                                                                                                    While restoring the user state, the /r option will not recover data that is lost due to a network-hardware failure, such as a faulty or disconnected network cable, or when a virtual private network (VPN) connection fails. The retry option is intended for large, busy networks where connectivity is satisfactory, but communication latency is a problem.

                                                                                                    /w:<SecondsBeforeRetry>

                                                                                                    (Wait)

                                                                                                    -

                                                                                                    Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

                                                                                                    +

                                                                                                    Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

                                                                                                    /? or /help

                                                                                                    @@ -272,7 +271,7 @@ USMT provides several command-line options that you can use to analyze problems -  + ## User Options @@ -297,24 +296,23 @@ By default, all users are migrated. The only way to specify which users to inclu

                                                                                                    USMT migrates all user accounts on the computer, unless you specifically exclude an account with the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to use the /all option, you cannot also use the /ui, /ue or /uel options.

                                                                                                    -

                                                                                                    /ui:DomainName\UserName

                                                                                                    +

                                                                                                    /ui:DomainName<em>UserName

                                                                                                    or

                                                                                                    -

                                                                                                    /ui:"DomainName\User Name"

                                                                                                    +

                                                                                                    /ui:"DomainName<em>User Name"

                                                                                                    or

                                                                                                    -

                                                                                                    /ui:ComputerName\LocalUserName

                                                                                                    +

                                                                                                    /ui:ComputerName<em>LocalUserName

                                                                                                    (User include)

                                                                                                    -

                                                                                                    Migrates the specified user. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue option. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotations marks.

                                                                                                    +

                                                                                                    Migrates the specified user. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue option. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotations marks.

                                                                                                    For example:

                                                                                                    • To include only User2 from the Corporate domain, type:

                                                                                                      -

                                                                                                      /ue:*\* /ui:corporate\user2

                                                                                                    • +

                                                                                                      /ue:* /ui:corporate\user2

                                                                                                    -Note   -

                                                                                                    If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

                                                                                                    +Note

                                                                                                    If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

                                                                                                    -  +

                                                                                                    For more examples, see the descriptions of the /uel, /ue, and /ui options in this table.
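Review bot: the `+` lines change the meaning of the `/ui` entry, not just its formatting. All three syntax forms lose their backslash and pick up a stray `<em>` tag (`/ui:DomainName\UserName` becomes `/ui:DomainName<em>UserName`), the wildcard sentence now reads "the asterisk () wildcard character" with the character itself missing, and the include-only example `/ue:*\* /ui:corporate\user2` becomes `/ue:* /ui:corporate\user2`, which is a different exclusion pattern from the documented `DomainName\UserName` form. Restore the escaped `\` and `*` (or move the patterns into code spans) so the rendered page shows the literal characters.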

                                                                                                    @@ -325,34 +323,33 @@ By default, all users are migrated. The only way to specify which users to inclu

                                                                                                    or

                                                                                                    /uel:0

                                                                                                    (User exclude based on last logon)

                                                                                                    -

                                                                                                    Migrates only the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose user account was modified, within the last 30 days from the date when the ScanState command is run. You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

                                                                                                    +

                                                                                                    Migrates only the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose user account was modified, within the last 30 days from the date when the ScanState command is run. You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

                                                                                                    -Note   -

                                                                                                    The /uel option is not valid in offline migrations.

                                                                                                    +Note

                                                                                                    The /uel option is not valid in offline migrations.

                                                                                                    -  +

                                                                                                    Examples:

                                                                                                    • /uel:0 migrates accounts that were logged on to the source computer when the ScanState command was run.

                                                                                                    • -
                                                                                                    • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

                                                                                                    • -
                                                                                                    • /uel:1 migrates users whose accounts have been modified within the last 24 hours.

                                                                                                    • +
                                                                                                    • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

                                                                                                    • +
                                                                                                    • /uel:1 migrates users whose accounts have been modified within the last 24 hours.

                                                                                                    • /uel:2002/1/15 migrates users who have logged on or whose accounts have been modified since January 15, 2002.

                                                                                                    For example:

                                                                                                    -

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0

                                                                                                    +

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /uel:0

                                                                                                    -

                                                                                                    /ue:DomainName\UserName

                                                                                                    +

                                                                                                    /ue:DomainName<em>UserName

                                                                                                    or

                                                                                                    -

                                                                                                    /ue:"DomainName\User Name"

                                                                                                    +

                                                                                                    /ue:"DomainName<em>User Name"

                                                                                                    or

                                                                                                    -

                                                                                                    /ue:ComputerName\LocalUserName

                                                                                                    +

                                                                                                    /ue:ComputerName<em>LocalUserName

                                                                                                    (User exclude)

                                                                                                    -

                                                                                                    Excludes the specified users from the migration. You can specify multiple /ue options but you cannot use the /ue option with the /all option. DomainName and UserName can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

                                                                                                    +

                                                                                                    Excludes the specified users from the migration. You can specify multiple /ue options but you cannot use the /ue option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

                                                                                                    For example:

                                                                                                    -

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /ue:contoso\user1

                                                                                                    +

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /ue:contoso\user1

                                                                                                    For more examples, see the descriptions of the /uel, /ue, and /ui options in this table.
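Review bot: same regressions as in the `/ui` block: `/ue:DomainName\UserName`, `/ue:"DomainName\User Name"` and `/ue:ComputerName\LocalUserName` all become `<em>`-tagged forms without the backslash, "asterisk (*)" becomes "asterisk ()", and both `loadstate` examples (`/uel:0` and `/ue:contoso\user1`) lose a leading backslash from `\\server\share\migration\mystore`. The `/uel` description, callout and example-list lines are whitespace-only and fine. Restore the backslashes and the asterisk or switch these patterns to code spans.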

                                                                                                    @@ -360,27 +357,26 @@ By default, all users are migrated. The only way to specify which users to inclu

                                                                                                    or

                                                                                                    /md:LocalComputerName:NewDomain

                                                                                                    (move domain)

                                                                                                    -

                                                                                                    Specifies a new domain for the user. Use this option to change the domain for users on a computer or to migrate a local user to a domain account. OldDomain may contain the asterisk (*) wildcard character.

                                                                                                    +

                                                                                                    Specifies a new domain for the user. Use this option to change the domain for users on a computer or to migrate a local user to a domain account. OldDomain may contain the asterisk () wildcard character.

                                                                                                    You can specify this option more than once. You may want to specify multiple /md options if you are consolidating users across multiple domains to a single domain. For example, you could specify the following to consolidate the users from the Corporate and FarNorth domains into the Fabrikam domain: /md:corporate:fabrikam and /md:farnorth:fabrikam.

                                                                                                    If there are conflicts between two /md commands, the first rule that you specify is applied. For example, if you specify the /md:corporate:fabrikam and /md:corporate:farnorth commands, then Corporate users would be mapped to the Fabrikam domain.

                                                                                                    -Note   -

                                                                                                    If you specify an OldDomain that did not exist on the source computer, the LoadState command will appear to complete successfully, without an error or warning. However, in this case, users will not be moved to NewDomain but will remain in their original domain. For example, if you misspell "contoso" and you specify "/md:contso:fabrikam", the users will remain in contoso on the destination computer.

                                                                                                    +Note

                                                                                                    If you specify an OldDomain that did not exist on the source computer, the LoadState command will appear to complete successfully, without an error or warning. However, in this case, users will not be moved to NewDomain but will remain in their original domain. For example, if you misspell "contoso" and you specify "/md:contso:fabrikam", the users will remain in contoso on the destination computer.

                                                                                                    -  +

                                                                                                    For example:

                                                                                                    -

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore

                                                                                                    +

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

                                                                                                    /progress:prog.log /l:load.log /md:contoso:fabrikam

                                                                                                    -

                                                                                                    /mu:OldDomain\OldUserName:[NewDomain\]NewUserName

                                                                                                    +

                                                                                                    /mu:OldDomain<em>OldUserName:[NewDomain]NewUserName

                                                                                                    or

                                                                                                    -

                                                                                                    /mu:OldLocalUserName:NewDomain\NewUserName

                                                                                                    +

                                                                                                    /mu:OldLocalUserName:NewDomain<em>NewUserName

                                                                                                    Specifies a new user name for the specified user. If the store contains more than one user, you can specify multiple /mu options. You cannot use wildcard characters with this option.

                                                                                                    For example:

                                                                                                    -

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore

                                                                                                    +

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

                                                                                                    /progress:prog.log /l:load.log /mu:contoso\user1:fabrikam\user1
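Review bot: the new /mu syntax lines are corrupted: `/mu:OldDomain\OldUserName:[NewDomain\]NewUserName` becomes `/mu:OldDomain<em>OldUserName:[NewDomain]NewUserName`, which drops both backslash separators and injects a literal `<em>` tag, and `/mu:OldLocalUserName:NewDomain\NewUserName` is mangled the same way. In the same hunk the /md description loses its asterisk ("asterisk () wildcard character") and the example store path loses a backslash. Restore the escaped backslashes and asterisks in these cells; only the non-breaking space after "Note" needs to go.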

                                                                                                    @@ -390,30 +386,29 @@ By default, all users are migrated. The only way to specify which users to inclu

                                                                                                    If the /lac option is not specified, any local user accounts that do not already exist on the destination computer will not be migrated.

                                                                                                    Password is the password for the newly created account. An empty password is used by default.

                                                                                                    -Caution   -

                                                                                                    Use the Password variable with caution because it is provided in plain text and can be obtained by anyone with access to the computer that is running the LoadState command.

                                                                                                    +Caution

                                                                                                    Use the Password variable with caution because it is provided in plain text and can be obtained by anyone with access to the computer that is running the LoadState command.

                                                                                                    Also, if the computer has multiple users, all migrated users will have the same password.

                                                                                                    -  +

                                                                                                    For example:

                                                                                                    -

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore

                                                                                                    -

                                                                                                    For instructions, see [Migrate User Accounts](usmt-migrate-user-accounts.md).

                                                                                                    +

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

                                                                                                    +

                                                                                                    For instructions, see Migrate User Accounts.

                                                                                                    /lae

                                                                                                    (local account enable)

                                                                                                    Enables the account that was created with the /lac option. You must specify the /lac option with this option.

                                                                                                    For example:

                                                                                                    -

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore

                                                                                                    +

                                                                                                    loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore

                                                                                                    /progress:prog.log /l:load.log /lac:password /lae

                                                                                                    -

                                                                                                    For instructions, see [Migrate User Accounts](usmt-migrate-user-accounts.md).

                                                                                                    +

                                                                                                    For instructions, see Migrate User Accounts.

                                                                                                    -  + ### Examples for the /ui and /ue options @@ -445,20 +440,20 @@ The following examples apply to both the **/ui** and **/ue** options. You can re

                                                                                                    Exclude all domain users.

                                                                                                    -

                                                                                                    /ue:Domain\*

                                                                                                    +

                                                                                                    /ue:Domain

                                                                                                    Exclude all local users.

                                                                                                    -

                                                                                                    /ue:%computername%\*

                                                                                                    +

                                                                                                    /ue:%computername%

                                                                                                    Exclude users in all domains named User1, User2, and so on.

                                                                                                    -

                                                                                                    /ue:*\user*

                                                                                                    +

                                                                                                    /ue:\user

                                                                                                    -  + ### Using the Options Together @@ -466,7 +461,7 @@ You can use the **/uel**, **/ue** and **/ui** options together to migrate only t **The /ui option has precedence over the /ue and /uel options.** If a user is specified to be included using the **/ui** option, and also specified to be excluded using either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the **/ui** option takes precedence over the **/ue** option. -**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user’s profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. +**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user’s profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. @@ -482,28 +477,28 @@ You can use the **/uel**, **/ue** and **/ui** options together to migrate only t - + - + - +

                                                                                                    Include only User2 from the Fabrikam domain and exclude all other users.

                                                                                                    /ue:*\* /ui:fabrikam\user2

                                                                                                    /ue:* /ui:fabrikam\user2

                                                                                                    Include only the local user named User1 and exclude all other users.

                                                                                                    /ue:*\* /ui:user1

                                                                                                    /ue:* /ui:user1

                                                                                                    Include only the domain users from Contoso, except Contoso\User1.

                                                                                                    This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:

                                                                                                      -
                                                                                                    • Using the ScanState command-line tool, type: /ue:*\* /ui:contoso\*

                                                                                                    • +
                                                                                                    • Using the ScanState command-line tool, type: /ue:* /ui:contoso

                                                                                                    • Using the LoadState command-line tool, type: /ue:contoso\user1

                                                                                                    Include only local (non-domain) users.

                                                                                                    /ue:*\* /ui:%computername%\*

                                                                                                    /ue: /ui:%computername%*

                                                                                                    -  + ## Incompatible Command-Line Options @@ -692,21 +687,21 @@ The following table indicates which command-line options are not compatible with -  -**Note**   + +**Note** You must specify either the **/key** or **/keyfile** option with the **/encrypt** option. -  + ## Related topics [XML Elements Library](usmt-xml-elements-library.md) -  - -  + + + diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index adafc9516d..34f4626318 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -48,22 +48,22 @@ The following table describes each command-line option related to logs, and it p -

                                                                                                    /l[Path\]FileName

                                                                                                    +

                                                                                                    /l[Path]FileName

                                                                                                    Scanstate.log or LoadState.log

                                                                                                    Specifies the path and file name of the ScanState.log or LoadState log.

                                                                                                    -

                                                                                                    /progress[Path\]FileName

                                                                                                    +

                                                                                                    /progress[Path]FileName

                                                                                                    Specifies the path and file name of the Progress log.

                                                                                                    Provides information about the status of the migration, by percentage complete.

                                                                                                    /v[VerbosityLevel]

                                                                                                    Not applicable

                                                                                                    -

                                                                                                    See the "Monitoring Options" section in [ScanState Syntax](usmt-scanstate-syntax.md).

                                                                                                    +

                                                                                                    See the "Monitoring Options" section in ScanState Syntax.

                                                                                                    -

                                                                                                    /listfiles[Path\]FileName

                                                                                                    +

                                                                                                    /listfiles[Path]FileName

                                                                                                    Specifies the path and file name of the Listfiles log.

                                                                                                    Provides a list of the files that were migrated.

                                                                                                    @@ -75,12 +75,12 @@ The following table describes each command-line option related to logs, and it p -  + **Note**   You cannot store any of the log files in *StorePath*. If you do, the log will be overwritten when USMT is run. -  + ## ScanState and LoadState Logs @@ -221,7 +221,7 @@ The remaining fields are key/value pairs as indicated in the following table. -  + ## List Files Log @@ -483,9 +483,9 @@ Your revised migration XML script excludes the files from migrating, as confirme [LoadState Syntax](usmt-loadstate-syntax.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md index a6939d130e..0e3db8dd0c 100644 --- a/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md +++ b/windows/deployment/usmt/usmt-migrate-efs-files-and-certificates.md @@ -26,7 +26,7 @@ Encrypting File System (EFS) certificates will be migrated automatically. Howeve **Note**   The **/efs** options are not used with the LoadState command. -  + Before using the ScanState tool for a migration that includes encrypted files and EFS certificates, you must ensure that all files in an encrypted folder are encrypted as well or remove the encryption attribute from folders that contain unencrypted files. If the encryption attribute has been removed from a file but not from the parent folder, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. @@ -45,9 +45,9 @@ Where *<Path>* is the full path of the topmost parent directory where the [Identify File Types, Files, and Folders](usmt-identify-file-types-files-and-folders.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-migrate-user-accounts.md b/windows/deployment/usmt/usmt-migrate-user-accounts.md index 5436006345..0842197047 100644 
--- a/windows/deployment/usmt/usmt-migrate-user-accounts.md +++ b/windows/deployment/usmt/usmt-migrate-user-accounts.md @@ -49,7 +49,7 @@ Links to detailed explanations of commands are available in the Related Topics s **Note**   You do not have to specify the **/lae** option, which enables the account that was created with the **/lac** option. Instead, you can create a disabled local account by specifying only the **/lac** option, and then a local administrator needs to enable the account on the destination computer. -   + ## To migrate two domain accounts (User1 and User2) Links to detailed explanations of commands are available in the Related Topics section. @@ -86,9 +86,9 @@ Links to detailed explanations of commands are available in the Related Topics s [LoadState Syntax](usmt-loadstate-syntax.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-migration-store-encryption.md b/windows/deployment/usmt/usmt-migration-store-encryption.md index e22130b8cc..007c4b258a 100644 --- a/windows/deployment/usmt/usmt-migration-store-encryption.md +++ b/windows/deployment/usmt/usmt-migration-store-encryption.md @@ -54,21 +54,21 @@ The following table describes the command-line encryption options in USMT. -  + **Important**   Some encryption algorithms may not be available on your systems. You can verify which algorithms are available by running the UsmtUtils command with the **/ec** option. For more information see [UsmtUtils Syntax](usmt-utilities.md) -  + ## Related topics [Plan Your Migration](usmt-plan-your-migration.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-plan-your-migration.md b/windows/deployment/usmt/usmt-plan-your-migration.md index a885351240..6b8319c12a 100644 --- a/windows/deployment/usmt/usmt-plan-your-migration.md +++ b/windows/deployment/usmt/usmt-plan-your-migration.md @@ -32,38 +32,38 @@ One of the most important requirements for migrating settings and data is restor -

                                                                                                    [Common Migration Scenarios](usmt-common-migration-scenarios.md)

                                                                                                    +

                                                                                                    Common Migration Scenarios

                                                                                                    Determine whether you will perform a refresh migration or a replace migration.

                                                                                                    -

                                                                                                    [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)

                                                                                                    +

                                                                                                    What Does USMT Migrate?

                                                                                                    Learn which applications, user data, and operating system components USMT migrates.

                                                                                                    -

                                                                                                    [Choose a Migration Store Type](usmt-choose-migration-store-type.md)

                                                                                                    +

                                                                                                    Choose a Migration Store Type

                                                                                                    Choose an uncompressed, compressed, or hard-link migration store.

                                                                                                    -

                                                                                                    [Determine What to Migrate](usmt-determine-what-to-migrate.md)

                                                                                                    +

                                                                                                    Determine What to Migrate

                                                                                                    Identify user accounts, application settings, operating system settings, and files that you want to migrate inside your organization.

                                                                                                    -

                                                                                                    [Test Your Migration](usmt-test-your-migration.md)

                                                                                                    +

                                                                                                    Test Your Migration

                                                                                                    Test your migration before you deploy Windows to all users.

                                                                                                    -  + ## Related topics [USMT XML Reference](usmt-xml-reference.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-reference.md b/windows/deployment/usmt/usmt-reference.md index 7f9e2a6566..2ab5b4c6c7 100644 --- a/windows/deployment/usmt/usmt-reference.md +++ b/windows/deployment/usmt/usmt-reference.md @@ -26,37 +26,37 @@ ms.topic: article -

                                                                                                    [USMT Requirements](usmt-requirements.md)

                                                                                                    +

                                                                                                    USMT Requirements

                                                                                                    Describes operating system, hardware, and software requirements, and user prerequisites.

                                                                                                    -

                                                                                                    [USMT Best Practices](usmt-best-practices.md)

                                                                                                    +

                                                                                                    USMT Best Practices

                                                                                                    Discusses general and security-related best practices when using USMT.

                                                                                                    -

                                                                                                    [How USMT Works](usmt-how-it-works.md)

                                                                                                    +

                                                                                                    How USMT Works

                                                                                                    Learn about the processes behind the ScanState and LoadState tools.

                                                                                                    -

                                                                                                    [Plan Your Migration](usmt-plan-your-migration.md)

                                                                                                    +

                                                                                                    Plan Your Migration

                                                                                                    Choose what to migrate and the best migration scenario for your enterprise.

                                                                                                    -

                                                                                                    [User State Migration Tool (USMT) Command-line Syntax](usmt-command-line-syntax.md)

                                                                                                    +

                                                                                                    User State Migration Tool (USMT) Command-line Syntax

                                                                                                    Explore command-line options for the ScanState, LoadState, and UsmtUtils tools.

                                                                                                    -

                                                                                                    [USMT XML Reference](usmt-xml-reference.md)

                                                                                                    +

                                                                                                    USMT XML Reference

                                                                                                    Learn about customizing a migration with XML files.

                                                                                                    -

                                                                                                    [Offline Migration Reference](offline-migration-reference.md)

                                                                                                    +

                                                                                                    Offline Migration Reference

                                                                                                    Find requirements, best practices, and other considerations for performing a migration offline.

                                                                                                    -  + ## Related topics @@ -67,9 +67,9 @@ ms.topic: article [User State Migration Tool (USMT) Troubleshooting](usmt-troubleshooting.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md index 2fb541d8c7..20590672c3 100644 --- a/windows/deployment/usmt/usmt-requirements.md +++ b/windows/deployment/usmt/usmt-requirements.md @@ -82,7 +82,7 @@ The following table lists the operating systems supported in USMT. -  + **Note**   You can migrate a 32-bit operating system to a 64-bit operating system. However, you cannot migrate a 64-bit operating system to a 32-bit operating system. @@ -151,9 +151,9 @@ This documentation assumes that IT professionals using USMT understand command-l [Estimate Migration Store Size](usmt-estimate-migration-store-size.md)
                                                                                                    [User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
                                                                                                    -  + -  + diff --git a/windows/deployment/usmt/usmt-return-codes.md b/windows/deployment/usmt/usmt-return-codes.md index 12e9e3cd2e..18d223385b 100644 --- a/windows/deployment/usmt/usmt-return-codes.md +++ b/windows/deployment/usmt/usmt-return-codes.md @@ -46,7 +46,7 @@ Non-fatal Errors Fatal Errors -As a best practice, we recommend that you set verbosity level to 5, **/v***:5*, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger. +As a best practice, we recommend that you set verbosity level to 5, **/v**:5, on the **ScanState**, **LoadState**, and **USMTUtils** command lines so that the most detailed reporting is available in the respective USMT logs. You can use a higher verbosity level if you want the log files output to go to a debugger. ## USMT Error Messages @@ -130,7 +130,7 @@ The following table lists each return code by numeric value, along with the asso

                                                                                                    -

                                                                                                    /encrypt can't be used with /nocompress

                                                                                                    +

                                                                                                    /encrypt can't be used with /nocompress

                                                                                                    Review ScanState log or LoadState log for details about command-line errors.

                                                                                                    @@ -144,14 +144,14 @@ The following table lists each return code by numeric value, along with the asso

                                                                                                    -

                                                                                                    /genconfig can't be used with most other options

                                                                                                    +

                                                                                                    /genconfig can't be used with most other options

                                                                                                    Review ScanState log or LoadState log for details about command-line errors.

                                                                                                    -

                                                                                                    /genmigxml can't be used with most other options

                                                                                                    +

                                                                                                    /genmigxml can't be used with most other options

                                                                                                    Review ScanState log or LoadState log for details about command-line errors.

                                                                                                    @@ -438,7 +438,7 @@ The following table lists each return code by numeric value, along with the asso

                                                                                                    27

                                                                                                    USMT_INVALID_STORE_LOCATION

                                                                                                    -

                                                                                                    A store path can't be used because an existing store exists; specify /o to overwrite

                                                                                                    +

                                                                                                    A store path can't be used because an existing store exists; specify /o to overwrite

                                                                                                    Specify /o to overwrite an existing intermediate or migration store.

                                                                                                    Setup and Initialization

                                                                                                    @@ -599,7 +599,7 @@ The following table lists each return code by numeric value, along with the asso

                                                                                                    -

                                                                                                    A store path can't be used because it contains data that could not be overwritten

                                                                                                    +

                                                                                                    A store path can't be used because it contains data that could not be overwritten

                                                                                                    A migration store could not be deleted. If you are using a hardlink migration store you might have a locked file in it. You should manually delete the store, or use USMTUtils /rd command to delete the store.

                                                                                                    @@ -676,7 +676,7 @@ The following table lists each return code by numeric value, along with the asso

                                                                                                    41

                                                                                                    USMT_PREFLIGHT_FILE_CREATION_FAILED

                                                                                                    -

                                                                                                    Can't overwrite existing file

                                                                                                    +

                                                                                                    Can't overwrite existing file

                                                                                                    The Progress log could not be created. Verify that the location is valid and that you have write access.

                                                                                                    Setup and Initialization

                                                                                                    @@ -691,7 +691,7 @@ The following table lists each return code by numeric value, along with the asso

                                                                                                    42

                                                                                                    USMT_ERROR_CORRUPTED_STORE

                                                                                                    The store contains one or more corrupted files

                                                                                                    -

                                                                                                    Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see [Extract Files from a Compressed USMT Migration Store](usmt-extract-files-from-a-compressed-migration-store.md).

                                                                                                    +

                                                                                                    Review UsmtUtils log for details about the corrupted files. For information on how to extract the files that are not corrupted, see Extract Files from a Compressed USMT Migration Store.
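Review bot: the remediation text for return code 42 (USMT_ERROR_CORRUPTED_STORE) loses its link on the `+` line: `see Extract Files from a Compressed USMT Migration Store` no longer points at `usmt-extract-files-from-a-compressed-migration-store.md`, which is the topic that tells an administrator how to recover the files that are not corrupted from a bad store. Keep the `-` line's link form.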

                                                                                                    @@ -767,7 +767,7 @@ The following table lists each return code by numeric value, along with the asso -  + ## Related topics @@ -776,9 +776,9 @@ The following table lists each return code by numeric value, along with the asso [Log Files](usmt-log-files.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index d3a057931f..77c1c1b5d6 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -16,7 +16,7 @@ ms.topic: article # ScanState Syntax -The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. +The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store. ## In This Topic @@ -122,32 +122,31 @@ To create an encrypted store using the Config.xml file and the default migration
                                                                                                  1. /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to surround KeyString with quotation marks.

                                                                                                  2. /keyfile:FilePathAndName specifies a text (.txt) file that contains the encryption key.

                                                                                            -

                                                                                            We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.

                                                                                            +

                                                                                            We recommend that KeyString be at least eight characters long, but it cannot exceed 256 characters. The /key and /keyfile options cannot be used on the same command line. The /encrypt and /nocompress options cannot be used on the same command line.

                                                                                            -Important   -

                                                                                            You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.

                                                                                            +Important

                                                                                            You should use caution with this option, because anyone who has access to the ScanState command-line script will also have access to the encryption key.

                                                                                            -  +

                                                                                            The following example shows the ScanState command and the /key option:

                                                                                            -

                                                                                            scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /encrypt /key:mykey

                                                                                            +

                                                                                            scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /encrypt /key:mykey

                                                                                            /encrypt:<EncryptionStrength>

                                                                                            -

                                                                                            The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md).

                                                                                            +

                                                                                            The /encrypt option accepts a command-line parameter to define the encryption strength to be used for encryption of the migration store. For more information about supported encryption algorithms, see Migration Store Encryption.

                                                                                            /nocompress

                                                                                            Disables compression of data and saves the files to a hidden folder named "File" at StorePath\USMT. Compression is enabled by default. Combining the /nocompress option with the /hardlink option generates a hard-link migration store. You can use the uncompressed store to view what USMT stored, troubleshoot a problem, or run an antivirus utility against the files. You should use this option only in testing environments, because we recommend that you use a compressed store during your actual migration, unless you are combining the /nocompress option with the /hardlink option.

                                                                                            The /nocompress and /encrypt options cannot be used together in one statement on the command line. However, if you do choose to migrate an uncompressed store, the LoadState command will migrate each file directly from the store to the correct location on the destination computer without a temporary location.

                                                                                            For example:

                                                                                            -

                                                                                            scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /nocompress

                                                                                            +

                                                                                            scanstate /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /nocompress
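Review bot: both examples in this hunk now show the store as `\server\share\migration\mystore` where the `-` side had `\\server\share\migration\mystore`. A single leading backslash is not a UNC path; Windows resolves it against the root of the current drive, so a reader copying the `/encrypt /key:mykey` example would write the migration store to the local disk instead of the intended share. Whether a backslash or a markdown escape was lost in the source, the rendered text must keep `\\server\share\...`. The same hunk also turns `[Migration Store Encryption](usmt-migration-store-encryption.md)` into plain text; `/encrypt:<EncryptionStrength>` is only usable with that list of supported algorithms, so the link should stay.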

                                                                                            -  + ## Run the ScanState Command on an Offline Windows System @@ -202,7 +201,7 @@ There are several benefits to running the **ScanState** command on an offline Wi -  + ## Migration Rule Options @@ -222,12 +221,12 @@ USMT provides the following options to specify what files you want to migrate. -

                                                                                            /i:[Path\]FileName

                                                                                            +

                                                                                            /i:[Path]FileName

                                                                                            (include)

                                                                                            -

                                                                                            Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the [Frequently Asked Questions](usmt-faq.md) topic.

                                                                                            +

                                                                                            Specifies an .xml file that contains rules that define what user, application or system state to migrate. You can specify this option multiple times to include all of your .xml files (MigApp.xml, MigDocs.xml, and any custom .xml files that you create). Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory. For more information about which files to specify, see the "XML Files" section of the Frequently Asked Questions topic.

                                                                                            -

                                                                                            /genconfig:[Path\]FileName

                                                                                            +

                                                                                            /genconfig:[Path]FileName

                                                                                            (Generate Config.xml)

                                                                                            Generates the optional Config.xml file, but does not create a migration store. To ensure that this file contains every component, application and setting that can be migrated, you should create this file on a source computer that contains all the components, applications and settings that will be present on the destination computers. In addition, you should specify the other migration .xml files, using the /i option, when you specify this option.

                                                                                            After you create this file, you will need to make use of it with the ScanState command using the /config option.
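Review bot: `/i:[Path]FileName` and `/genconfig:[Path]FileName` on the `+` lines drop the backslash that the `-` lines (`/i:[Path\]FileName`) use as the separator between the optional directory and the file name; as written, the syntax implies the two are concatenated, which contradicts the sentence under it that Path may be a relative or full path. Restore the separator with whatever escaping the renderer needs. The reference to the "XML Files" section of the FAQ also loses its `usmt-faq.md` target on the `+` line.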

                                                                                            @@ -239,12 +238,12 @@ USMT provides the following options to specify what files you want to migrate.
                                                                                          -

                                                                                          /config:[Path\]FileName

                                                                                          +

                                                                                          /config:[Path</em>]FileName

                                                                                          Specifies the Config.xml file that the ScanState command should use to create the store. You cannot use this option more than once on the command line. Path can be either a relative or full path. If you do not specify the Path variable, then FileName must be located in the current directory.

                                                                                          The following example creates a store using the Config.xml file, MigDocs.xml, and MigApp.xml files:

                                                                                          -

                                                                                          scanstate \\server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

                                                                                          +

                                                                                          scanstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scan.log

                                                                                          The following example migrates the files and settings to the destination computer using the Config.xml, MigDocs.xml, and MigApp.xml files:

                                                                                          -

                                                                                          loadstate \\server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log

                                                                                          +

                                                                                          loadstate \server\share\migration\mystore /config:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:load.log

                                                                                          /auto:path to script files
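Review bot: `/config:[Path</em>]FileName` on the `+` line contains a literal `</em>` with no opening tag on the line, so the emphasis or escape around `Path\` in the source is mismatched and leaks raw HTML into the rendered page; the `-` line's `[Path\]FileName` is what the reader should see. The two examples below it also lose a backslash (`scanstate \server\share\migration\mystore ...` and `loadstate \server\share\migration\mystore ...`); a single leading backslash resolves against the root of the current drive rather than the `server` share, so the `/config` walkthrough no longer demonstrates a network store. Restore `\\server\share\...` in both.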

                                                                                          @@ -256,24 +255,24 @@ USMT provides the following options to specify what files you want to migrate.

                                                                                          /targetwindows8

                                                                                          -

                                                                                          Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:

                                                                                          +

                                                                                          Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 8 or Windows 8.1 instead of Windows 10. You should use this command line option in the following scenarios:

                                                                                            -
                                                                                          • To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.

                                                                                          • +
                                                                                          • To create a Config.xml file by using the /genconfig option. Using the /targetwindows8 option optimizes the Config.xml file so that it only contains components that relate to Windows 8 or Windows 8.1.

                                                                                          • To create a migration store. Using the /targetwindows8 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows8 command-line option, some settings can be lost during the migration.

                                                                                          /targetwindows7

                                                                                          -

                                                                                          Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:

                                                                                          +

                                                                                          Optimizes Scanstate.exe when using USMT 10.0 to migrate a user state to Windows 7 instead of Windows 10. You should use this command line option in the following scenarios:

                                                                                            -
                                                                                          • To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.

                                                                                          • +
                                                                                          • To create a Config.xml file by using the /genconfig option. Using the /targetwindows7 option optimizes the Config.xml file so that it only contains components that relate to Windows 7.

                                                                                          • To create a migration store. Using the /targetwindows7 option ensures that the ScanState tool gathers the correct set of operating system settings. Without the /targetwindows7 command-line option, some settings can be lost during the migration.

                                                                                          /localonly

                                                                                          Migrates only files that are stored on the local computer, regardless of the rules in the .xml files that you specify on the command line. You should use this option when you want to exclude the data from removable drives on the source computer, such as USB flash drives (UFDs), some external hard drives, and so on, and when there are network drives mapped on the source computer. If the /localonly option is not specified, then the ScanState command will copy files from these removable or network drives into the store.

                                                                                          -

                                                                                          Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see [Exclude Files and Settings](usmt-exclude-files-and-settings.md).

                                                                                          +

                                                                                          Anything that is not considered a fixed drive by the OS will be excluded by /localonly. In some cases large external hard drives are considered fixed drives. These drives can be explicitly excluded from migration by using a custom.xml file. For more information about how to exclude all files on a specific drive, see Exclude Files and Settings.

                                                                                          The /localonly command-line option includes or excludes data in the migration as identified in the following table:
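Review bot: the /localonly description on the `+` line turns `[Exclude Files and Settings](usmt-exclude-files-and-settings.md)` into plain text. That sentence is the caveat that large external drives may count as fixed drives and can only be excluded through a custom .xml file, so the link to the exclusion procedure is the actionable part; keep it. The `/targetwindows8` and `/targetwindows7` pairs are textually identical on both sides and are whitespace-only, which is fine.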

                                                                                          @@ -301,22 +300,22 @@ USMT provides the following options to specify what files you want to migrate.
                                                                                          -

                                                                                           

                                                                                          +

                                                                                          -  + ## Monitoring Options USMT provides several options that you can use to analyze problems that occur during migration. -**Note**   +**Note** The ScanState log is created by default, but you can specify the name and location of the log with the **/l** option. -  + @@ -335,7 +334,7 @@ The ScanState log is created by default, but you can specify the name and locati - + @@ -391,16 +390,16 @@ The ScanState log is created by default, but you can specify the name and locati

                                                                                          You can use the /listfiles command-line option with the ScanState command to generate a text file that lists all of the files included in the migration.

                                                                                          /l:[Path\]FileName

                                                                                          /l:[Path]FileName

                                                                                          Specifies the location and name of the ScanState log.

                                                                                          You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then the log will be created in the current directory. You can use the /v option to adjust the amount of output.

                                                                                          If you run the ScanState or LoadState commands from a shared network resource, you must specify this option or USMT will fail with the following error: "USMT was unable to create the log file(s)". To fix this issue, use the /l:scan.log command.

                                                                                          -

                                                                                           

                                                                                          +

                                                                                          For example:

                                                                                          -

                                                                                          scanstate \\server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml

                                                                                          +

                                                                                          scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml

                                                                                          -

                                                                                          /progress:[Path\]FileName

                                                                                          +

                                                                                          /progress:[Path</em>]FileName

                                                                                          Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

                                                                                          For example:

                                                                                          -

                                                                                          scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /progress:prog.log /l:scanlog.log

                                                                                          +

                                                                                          scanstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

                                                                                          /c
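Review bot: the two example commands in this hunk lose the leading double backslash of the UNC store path (`scanstate \\server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml` becomes `scanstate \server\share\migration\mystore /v:13 /i:migdocs.xml /i:migapp.xml`), so the rendered example is no longer a valid network path; keep the escaped form or put the command in a code span so the backslashes survive. The `/progress` syntax line also picks up a literal `</em>` tag (`/progress:[Path</em>]FileName` replacing `/progress:[Path\]FileName`), which reads like a markdown-to-HTML round-trip artefact rather than an intended edit; restore `[Path\]FileName`.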

                                                                                          @@ -416,14 +415,14 @@ The ScanState log is created by default, but you can specify the name and locati

                                                                                          /w:<SecondsBeforeRetry>

                                                                                          (Wait)

                                                                                          -

                                                                                          Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

                                                                                          +

                                                                                          Specifies the time to wait, in seconds, before retrying a network file operation. The default is 1 second.

                                                                                          /p:<pathToFile>

                                                                                          When the ScanState command runs, it will create an .xml file in the path specified. This .xml file includes improved space estimations for the migration store. The following example shows how to create this .xml file:

                                                                                          Scanstate.exe C:\MigrationLocation [additional parameters]

                                                                                          /p:"C:\MigrationStoreSize.xml"

                                                                                          -

                                                                                          For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md).

                                                                                          +

                                                                                          For more information, see Estimate Migration Store Size.

                                                                                          To preserve the functionality of existing applications or scripts that require the previous behavior of USMT, you can use the /p option, without specifying "pathtoafile", in USMT. If you specify only the /p option, the storage space estimations are created in the same manner as with USMT3.x releases.
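Review bot: the cross-reference is dropped rather than fixed: `For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md).` becomes plain text `For more information, see Estimate Migration Store Size.`, leaving the reader with a topic title and no way to reach it. Unless usmt-estimate-migration-store-size.md is removed in this change, keep the link. The two `/w:<SecondsBeforeRetry>` paragraphs in this hunk are otherwise identical, so that part is whitespace-only churn.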

                                                                                          @@ -433,7 +432,7 @@ The ScanState log is created by default, but you can specify the name and locati -  + ## User Options @@ -462,21 +461,20 @@ By default, all users are migrated. The only way to specify which users to inclu

                                                                                          or

                                                                                          /ui:<ComputerName>\<LocalUserName>

                                                                                          (User include)

                                                                                          -

                                                                                          Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

                                                                                          +

                                                                                          Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.

                                                                                          -Note   -

                                                                                          If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

                                                                                          +Note

                                                                                          If a user is specified for inclusion with the /ui option, and also is specified to be excluded with either the /ue or /uel options, the user will be included in the migration.

                                                                                          -  +

                                                                                          For example:

                                                                                            To include only User2 from the Fabrikam domain, type:

                                                                                            /ue:*\* /ui:fabrikam\user2

                                                                                            -

                                                                                            To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

                                                                                            +

                                                                                            To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30 days, type:

                                                                                            /uel:30 /ui:fabrikam\*

                                                                                            -

                                                                                            In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

                                                                                            +

                                                                                            In this example, a user account from the Contoso domain that was last modified 2 months ago will not be migrated.

                                                                                          For more examples, see the descriptions of the /ue and /ui options in this table.
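Review bot: the wildcard description loses its character: `DomainName and UserName can contain the asterisk (*) wildcard character.` becomes `... the asterisk () wildcard character.`, which is exactly what a Markdown processor does when it treats `*` as an emphasis marker. Escape it as `(\*)`, the form the usmt-what-does-usmt-migrate.md hunk later in this patch already uses, or put it in a code span. The other changes in this hunk (the `Note` label and the `/ue:*\* /ui:fabrikam\user2` example block) differ only in trailing whitespace.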

                                                                                          @@ -487,19 +485,18 @@ By default, all users are migrated. The only way to specify which users to inclu

                                                                                          or

                                                                                          /uel:0

                                                                                          (User exclude based on last logon)

                                                                                          -

                                                                                          Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

                                                                                          +

                                                                                          Migrates the users that logged onto the source computer within the specified time period, based on the Last Modified date of the Ntuser.dat file on the source computer. The /uel option acts as an include rule. For example, the /uel:30 option migrates users who logged on, or whose account was modified, within the last 30 days from the date when the ScanState command is run.

                                                                                          You can specify a number of days or you can specify a date. You cannot use this option with the /all option. USMT retrieves the last logon information from the local computer, so the computer does not need to be connected to the network when you run this option. In addition, if a domain user has logged onto another computer, that logon instance is not considered by USMT.

                                                                                          -Note   -

                                                                                          The /uel option is not valid in offline migrations.

                                                                                          +Note

                                                                                          The /uel option is not valid in offline migrations.

                                                                                          -  +
                                                                                          • /uel:0 migrates any users who are currently logged on.

                                                                                          • -
                                                                                          • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

                                                                                          • -
                                                                                          • /uel:1 migrates users whose account has been modified within the last 24 hours.

                                                                                          • +
                                                                                          • /uel:90 migrates users who have logged on, or whose accounts have been otherwise modified, within the last 90 days.

                                                                                          • +
                                                                                          • /uel:1 migrates users whose account has been modified within the last 24 hours.

                                                                                          • /uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.

                                                                                          For example:

                                                                                          @@ -511,14 +508,14 @@ By default, all users are migrated. The only way to specify which users to inclu

                                                                                          /ue:<ComputerName>\<LocalUserName>

                                                                                          (User exclude)

                                                                                          -

                                                                                          Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

                                                                                          +

                                                                                          Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk () wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.

                                                                                          For example:

                                                                                          scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1
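Review bot: same dropped asterisk as in the /ui hunk: `<DomainName> and <UserName> can contain the asterisk (*) wildcard character.` becomes `... the asterisk () wildcard character.`; escape it as `(\*)`. Note also that the unchanged context line `scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1` keeps its double backslash while the /l, /progress and /efs:copyraw hunks strip theirs, so the path edits in this patch are inconsistent and look tool-generated; all of the UNC examples should keep `\\server\share`.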

                                                                                          -  + ## How to Use /ui and /ue @@ -564,7 +561,7 @@ The following examples apply to both the /**ui** and /**ue** options. You can re -  + ## Using the Options Together @@ -573,7 +570,7 @@ You can use the /**uel**, /**ue** and /**ui** options together to migrate only t The /**ui** option has precedence over the /**ue** and /**uel** options. If a user is specified to be included using the /**ui** option, and also specified to be excluded using either the /**ue** or /**uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the /**ui** option takes precedence over the /**ue** option. -The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. +The /**uel** option takes precedence over the /**ue** option. If a user has logged on within the specified time period set by the /**uel** option, that user’s profile will be migrated even if they are excluded by using the /**ue** option. For example, if you specify `/ue:fixed\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days. @@ -610,7 +607,7 @@ The /**uel** option takes precedence over the /**ue** option. If a user has logg
                                                                                          -  + ## Encrypted File Options @@ -619,15 +616,15 @@ You can use the following options to migrate encrypted files. In all cases, by d For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md). -**Note**   -EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files +**Note** +EFS certificates will be migrated automatically when migrating to Windows 7, Windows 8 or Windows 10. Therefore, you should specify the /**efs:copyraw** option with the **ScanState** command to migrate the encrypted files -  -**Caution**   + +**Caution** Take caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. -  + @@ -661,19 +658,18 @@ Take caution when migrating encrypted files. If you migrate an encrypted file wi

                                                                                          /efs:copyraw

                                                                                          Causes the ScanState command to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated. EFS certificates will be automatically migrated; however, by default USMT fails if an encrypted file is found, unless you specify an /efs option. Therefore you should specify the /efs:copyraw option with the ScanState command to migrate the encrypted file. Then, when you run the LoadState command, the encrypted file and the EFS certificate will be automatically migrated.

                                                                                          For example:

                                                                                          -

                                                                                          ScanState /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /efs:copyraw

                                                                                          +

                                                                                          ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw

                                                                                          -Important   -

                                                                                          All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs-files-and-certificates.md).

                                                                                          +Important

                                                                                          All files must be encrypted if the parent folder is encrypted. If the encryption attribute on a file inside an encrypted folder has been removed, the file will be encrypted during the migration using the credentials of the account used to run the LoadState tool. For more information, see Migrate EFS Files and Certificates.

                                                                                          -  +
                                                                                          -  + ## Incompatible Command-Line Options @@ -855,21 +851,21 @@ The following table indicates which command-line options are not compatible with -  -**Note**   + +**Note** You must specify either the /**key** or /**keyfile** option with the /**encrypt** option. -  + ## Related topics [XML Elements Library](usmt-xml-elements-library.md) -  - -  + + + diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md index 32ee1b0962..bbe67d5535 100644 --- a/windows/deployment/usmt/usmt-test-your-migration.md +++ b/windows/deployment/usmt/usmt-test-your-migration.md 
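Review bot: in the `/efs:copyraw` hunk the UNC path again loses its leading backslashes (`ScanState /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /efs:copyraw` becomes `ScanState /i:migdocs.xml /i:migapp.xml \server\share\migration\mystore /efs:copyraw`), and the `Important` callout loses its link to usmt-migrate-efs-files-and-certificates.md, the topic a reader needs when encrypted files come across without their certificate and are inaccessible after migration; keep both. In the Encrypted File Options and Incompatible Command-Line Options hunks, `-**Note**   ` and `-**Caution**   ` become `+**Note**` and `+**Caution**` with the trailing whitespace removed: those trailing spaces were the Markdown hard line break, so the bold label and the sentence on the following line will now render as a single paragraph. If the goal is to get rid of the nbsp characters, convert these callouts to the `> [!NOTE]` / `> [!CAUTION]` alert syntax instead of only stripping the spaces.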
@@ -22,19 +22,19 @@ After you have thoroughly tested the entire migration process on a single comput If your test migration encounters any errors, examine the ScanState and LoadState logs to obtain the exact User State Migration Tool (USMT) 10.0 return code and associated error messages or Windows application programming interface (API) error message. For more information about USMT return codes and error messages, see [Return Codes](usmt-return-codes.md). You can also obtain more information about a Windows API error message by typing **net helpmsg** and the error message number on the command line. -In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v***:5* option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger. +In most cases, the ScanState and LoadState logs indicate why a USMT migration is failing. We recommend that you use the **/v**:5 option when testing your migration. This verbosity level can be adjusted in a production migration. Reducing the verbosity level might make it more difficult to diagnose failures that are encountered during production migrations. You can use a higher verbosity level if you want the log files output to go to a debugger. **Note**   -Running the ScanState and LoadState tools with the **/v***:5* option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred. +Running the ScanState and LoadState tools with the **/v**:5 option creates a detailed log file. Although this option makes the log file large, it is helpful in determining where migration errors occurred. 
-  + After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft® System Center Configuration Manager (SCCM), or a non-Microsoft management technology. For more information, see [Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=140246). **Note**   For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration. -  + ## Related topics @@ -43,9 +43,9 @@ For testing purposes, you can create an uncompressed store using the **/hardlink [Log Files](usmt-log-files.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-troubleshooting.md b/windows/deployment/usmt/usmt-troubleshooting.md index 4bcd80d4b7..29613f1c1c 100644 --- a/windows/deployment/usmt/usmt-troubleshooting.md +++ b/windows/deployment/usmt/usmt-troubleshooting.md @@ -28,29 +28,29 @@ The following table describes topics that address common User State Migration To -

                                                                                          [Common Issues](usmt-common-issues.md)

                                                                                          +

                                                                                          Common Issues

                                                                                          Find troubleshooting solutions for common problems in USMT.

                                                                                          -

                                                                                          [Frequently Asked Questions](usmt-faq.md)

                                                                                          +

                                                                                          Frequently Asked Questions

                                                                                          Find answers to questions about how to use USMT.

                                                                                          -

                                                                                          [Log Files](usmt-log-files.md)

                                                                                          +

                                                                                          Log Files

                                                                                          Learn how to enable logging to help you troubleshoot issues in USMT.

                                                                                          -

                                                                                          [Return Codes](usmt-return-codes.md)

                                                                                          +

                                                                                          Return Codes

                                                                                          Learn how to use return codes to identify problems in USMT.

                                                                                          -

                                                                                          [USMT Resources](usmt-resources.md)

                                                                                          +

                                                                                          USMT Resources

                                                                                          Find more information and support for using USMT.
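Review bot: every entry in the troubleshooting table is unlinked (`[Common Issues](usmt-common-issues.md)` becomes `Common Issues`, and likewise for Frequently Asked Questions, Log Files, Return Codes and USMT Resources), so a table whose only purpose is to route readers to those topics no longer navigates anywhere. Unless those five files are deleted in this change, the links must stay; if the intent was only to drop the trailing nbsp lines, limit the hunk to those.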

                                                                                          -  + ## Related topics @@ -63,9 +63,9 @@ The following table describes topics that address common User State Migration To [User State Migration Toolkit (USMT) Reference](usmt-reference.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-utilities.md b/windows/deployment/usmt/usmt-utilities.md index aa8adf97bf..aad70a5dee 100644 --- a/windows/deployment/usmt/usmt-utilities.md +++ b/windows/deployment/usmt/usmt-utilities.md @@ -73,17 +73,17 @@ usmtutils \[/ec | /rd *<storeDir>* | /verify *<filepath>* \[options\

                                                                                          /verify

                                                                                          Returns information on whether the compressed migration store is intact or whether it contains corrupted files or a corrupted catalog.

                                                                                          -

                                                                                          See [Verify Options](#bkmk-verifyoptions) for syntax and options to use with /verify.

                                                                                          +

                                                                                          See Verify Options for syntax and options to use with /verify.

                                                                                          /extract

                                                                                          Recovers files from a compressed USMT migration store.

                                                                                          -

                                                                                          See [Extract Options](#bkmk-extractoptions) for syntax and options to use with /extract.

                                                                                          +

                                                                                          See Extract Options for syntax and options to use with /extract.
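Review bot: the in-page anchors are removed: `See [Verify Options](#bkmk-verifyoptions) for syntax and options to use with /verify.` and `See [Extract Options](#bkmk-extractoptions) for syntax and options to use with /extract.` become plain `See Verify Options ...` / `See Extract Options ...`, so the option table no longer jumps to the sections it summarises. Keep the `#bkmk-...` anchors; they point at headings in this same file and cannot have been broken by a moved topic.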

                                                                                          -  + ## Verify Options @@ -187,12 +187,12 @@ usmtutils /verify\[:*<reportType>*\] *<filePath>* \[/l:*<logfile&
                                                                                        • /key:<KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

                                                                                        • /keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.

                                                                                        -

                                                                                        For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md)

                                                                                        +

                                                                                        For more information about supported encryption algorithms, see Migration Store Encryption
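Review bot: the link to usmt-migration-store-encryption.md is dropped from the /verify key options (`see [Migration Store Encryption](usmt-migration-store-encryption.md)` becomes `see Migration Store Encryption`); keep it, since that topic is where the algorithms accepted by `/key` and `/keyfile` are documented. While in this hunk, the unchanged context line `/keyfile: <FileName> specifies the location and name of a text (.txt) file that contains the encryption key.` has a space after the colon that `/key:<KeyString>` on the line above does not; typed literally, the space separates `<FileName>` into its own argument, so it should be removed.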

                                                                                        -  + Some examples of **/verify** commands: @@ -313,7 +313,7 @@ The syntax for **/extract** is:
                                                                                      • /key: <KeyString> specifies the encryption key. If there is a space in <KeyString>, you must surround the argument with quotation marks.

                                                                                      • /keyfile:<FileName> specifies a text (.txt) file that contains the encryption key

                                                                                      -

                                                                                      For more information about supported encryption algorithms, see [Migration Store Encryption](usmt-migration-store-encryption.md).

                                                                                      +

                                                                                      For more information about supported encryption algorithms, see Migration Store Encryption.

                                                                                      /o
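Review bot: same dropped cross-reference as in the /verify options (`see [Migration Store Encryption](usmt-migration-store-encryption.md).` becomes `see Migration Store Encryption.`); restore the link. The context line `/key: <KeyString> specifies the encryption key.` also carries a stray space after the colon, while `/keyfile:<FileName>` directly below it does not; worth fixing in the same pass so the two option lists agree.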

                                                                                      @@ -322,7 +322,7 @@ The syntax for **/extract** is: -  + Some examples of **/extract** commands: @@ -341,9 +341,9 @@ Some examples of **/extract** commands: [Return Codes](usmt-return-codes.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md index 79302dc568..16fd8bd5bc 100644 --- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md +++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md @@ -83,14 +83,14 @@ This section describes the user data that USMT migrates by default, using the Mi **Note**   The asterisk (\*) stands for zero or more characters. -   + - **Access control lists.** USMT migrates ACLs for specified files and folders from computers running both Windows® XP and Windows Vista. For example, if you migrate a file named File1.txt that is read-only for User1 and read/write for User2, these settings will still apply on the destination computer after the migration. **Important**   To migrate ACLs, you must specify the directory to migrate in the MigUser.xml file. Using file patterns like \*.doc will not migrate a directory. The source ACL information is migrated only when you explicitly specify the directory. For example, `c:\test docs`. -  + ## Operating-system components @@ -152,12 +152,12 @@ The following components are migrated by default using the manifest files: **Important**   This list may not be complete. There may be additional components that are migrated. -  + **Note**   Some settings, such as fonts, are not applied by the LoadState tool until after the destination computer has been restarted. For this reason, restart the destination computer after you run the LoadState tool. -  + ## Supported applications 
@@ -167,12 +167,12 @@ Although it is not required for all applications, it is good practice to install **Note**   The versions of installed applications must match on the source and destination computers. USMT does not support migrating the settings of an earlier version of an application to a later version, except for Microsoft Office. -  + **Note**   USMT migrates only the settings that have been used or modified by the user. If there is an application setting on the source computer that was not touched by the user, the setting may not migrate. -  + When you specify the MigApp.xml file, USMT migrates the settings for the following applications: @@ -367,7 +367,7 @@ When you specify the MigApp.xml file, USMT migrates the settings for the followi -  + ## What USMT does not migrate @@ -419,9 +419,9 @@ Starting in Windows 10, version 1607 the USMT does not migrate the Start menu la [Plan your migration](usmt-plan-your-migration.md) -  + -  + diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index 293a23d2fe..84d7c89277 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -56,66 +56,66 @@ The following table describes the XML elements and helper functions you can use -

                                                                                      [<addObjects>](#addobjects)

                                                                                      -

                                                                                      [<attributes>](#attribute)

                                                                                      -

                                                                                      [<bytes>](#bytes)

                                                                                      -

                                                                                      [<commandLine>](#commandline)

                                                                                      -

                                                                                      [<component>](#component)

                                                                                      -

                                                                                      [<condition>](#condition)

                                                                                      -

                                                                                      [<conditions>](#conditions)

                                                                                      -

                                                                                      [<content>](#content)

                                                                                      -

                                                                                      [<contentModify>](#contentmodify)

                                                                                      -

                                                                                      [<description>](#description)

                                                                                      -

                                                                                      [<destinationCleanup>](#destinationcleanup)

                                                                                      -

                                                                                      [<detect>](#detect)

                                                                                      -

                                                                                      [<detects>](#detects)

                                                                                      -

                                                                                      [<detection>](#detection)

                                                                                      -

                                                                                      [<displayName>](#displayname)

                                                                                      -

                                                                                      [<environment>](#bkmk-environment)

                                                                                      -

                                                                                      [<exclude>](#exclude)

                                                                                      -

                                                                                      [<excludeAttributes>](#excludeattributes)

                                                                                      -

                                                                                      [<extensions>](#extensions)

                                                                                      -

                                                                                      [<extension>](#extension)

                                                                                      -

                                                                                      [<externalProcess>](#externalprocess)

                                                                                      -

                                                                                      [<icon>](#icon)

                                                                                      -

                                                                                      [<include>](#include)

                                                                                      -

                                                                                      [<includeAttribute>](#includeattributes)

                                                                                      -

                                                                                      [<library>](#library)

                                                                                      -

                                                                                      [<location>](#location)

                                                                                      -

                                                                                      [<locationModify>](#locationmodify)

                                                                                      -

                                                                                      [<_locDefinition>](#locdefinition)

                                                                                      -

                                                                                      [<manufacturer>](#manufacturer)

                                                                                      -

                                                                                      [<merge>](#merge)

                                                                                      -

                                                                                      [<migration>](#migration)

                                                                                      -

                                                                                      [<namedElements>](#namedelements)

                                                                                      -

                                                                                      [<object>](#object)

                                                                                      -

                                                                                      [<objectSet>](#objectset)

                                                                                      -

                                                                                      [<path>](#path)

                                                                                      -

                                                                                      [<paths>](#paths)

                                                                                      -

                                                                                      [<pattern>](#pattern)

                                                                                      -

                                                                                      [<processing>](#processing)

                                                                                      -

                                                                                      [<plugin>](#plugin)

                                                                                      -

                                                                                      [<role>](#role)

                                                                                      -

                                                                                      [<rules>](#rules)

                                                                                      -

                                                                                      [<script>](#script)

                                                                                      -

                                                                                      [<text>](#text)

                                                                                      -

                                                                                      [<unconditionalExclude>](#unconditionalexclude)

                                                                                      -

                                                                                      [<variable>](#variable)

                                                                                      -

                                                                                      [<version>](#version)

                                                                                      -

                                                                                      [<windowsObjects>](#windowsobjects)

                                                                                      -

                                                                                      [<condition> functions](#conditionfunctions)

                                                                                      -

                                                                                      [<content> functions](#contentfunctions)

                                                                                      -

                                                                                      [<contentModify> functions](#contentmodifyfunctions)

                                                                                      -

                                                                                      [<include> and <exclude> filter functions](#persistfilterfunctions)

                                                                                      -

                                                                                      [<locationModify> functions](#locationmodifyfunctions)

                                                                                      -

                                                                                      [<merge> functions](#mergefunctions)

                                                                                      -

                                                                                      [<script> functions](#scriptfunctions)

                                                                                      -

                                                                                      [Internal USMT functions](#internalusmtfunctions)

                                                                                      +

                                                                                      <addObjects>

                                                                                      +

                                                                                      <attributes>

                                                                                      +

                                                                                      <bytes>

                                                                                      +

                                                                                      <commandLine>

                                                                                      +

                                                                                      <component>

                                                                                      +

                                                                                      <condition>

                                                                                      +

                                                                                      <conditions>

                                                                                      +

                                                                                      <content>

                                                                                      +

                                                                                      <contentModify>

                                                                                      +

                                                                                      <description>

                                                                                      +

                                                                                      <destinationCleanup>

                                                                                      +

                                                                                      <detect>

                                                                                      +

                                                                                      <detects>

                                                                                      +

                                                                                      <detection>

                                                                                      +

                                                                                      <displayName>

                                                                                      +

                                                                                      <environment>

                                                                                      +

                                                                                      <exclude>

                                                                                      +

                                                                                      <excludeAttributes>

                                                                                      +

                                                                                      <extensions>

                                                                                      +

                                                                                      <extension>

                                                                                      +

                                                                                      <externalProcess>

                                                                                      +

                                                                                      <icon>

                                                                                      +

                                                                                      <include>

                                                                                      +

                                                                                      <includeAttribute>

                                                                                      +

                                                                                      <library>

                                                                                      +

                                                                                      <location>

                                                                                      +

                                                                                      <locationModify>

                                                                                      +

                                                                                      <_locDefinition>

                                                                                      +

                                                                                      <manufacturer>

                                                                                      +

                                                                                      <merge>

                                                                                      +

                                                                                      <migration>

                                                                                      +

                                                                                      <namedElements>

                                                                                      +

                                                                                      <object>

                                                                                      +

                                                                                      <objectSet>

                                                                                      +

                                                                                      <path>

                                                                                      +

                                                                                      <paths>

                                                                                      +

                                                                                      <pattern>

                                                                                      +

                                                                                      <processing>

                                                                                      +

                                                                                      <plugin>

                                                                                      +

                                                                                      <role>

                                                                                      +

                                                                                      <rules>

                                                                                      +

                                                                                      <script>

                                                                                      +

                                                                                      <text>

                                                                                      +

                                                                                      <unconditionalExclude>

                                                                                      +

                                                                                      <variable>

                                                                                      +

                                                                                      <version>

                                                                                      +

                                                                                      <windowsObjects>

                                                                                      +

                                                                                      <condition> functions

                                                                                      +

                                                                                      <content> functions

                                                                                      +

                                                                                      <contentModify> functions

                                                                                      +

                                                                                      <include> and <exclude> filter functions

                                                                                      +

                                                                                      <locationModify> functions

                                                                                      +

                                                                                      <merge> functions

                                                                                      +

                                                                                      <script> functions

                                                                                      +

                                                                                      Internal USMT functions

                                                                                      -  + ## <addObjects> @@ -208,7 +208,7 @@ Syntax: -  + The following example is from the MigApp.xml file: @@ -271,7 +271,7 @@ Syntax: -  + The following example is from the MigApp.xml file: @@ -320,12 +320,12 @@ Syntax: -  + ## <component> -The <component> element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the MigApp.xml file, "Microsoft® Office 2003" is a component that contains another component, "Microsoft Office Access® 2003". You can use the child elements to define the component. +The <component> element is required in a custom .xml file. This element defines the most basic construct of a migration .xml file. For example, in the MigApp.xml file, "Microsoft® Office 2003" is a component that contains another component, "Microsoft Office Access® 2003". You can use the child elements to define the component. A component can be nested inside another component; that is, the <component> element can be a child of the <role> element within the <component> element in two cases: 1) when the parent <component> element is a container or 2) if the child <component> element has the same role as the parent <component> element. @@ -365,7 +365,7 @@ hidden="Yes|No">

                                                                                      You can use the following to group settings, and define the type of the component.

                                                                                      • System: Operating system settings. All Windows® components are defined by this type.

                                                                                        -

                                                                                        When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that is specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name. Otherwise, the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.

                                                                                      • +

                                                                                        When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that is specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name. Otherwise, the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.

                                                                                      • Application: Settings for an application.

                                                                                      • Device: Settings for a device.

                                                                                      • Documents: Specifies files.

                                                                                      • @@ -388,17 +388,17 @@ hidden="Yes|No">

                                                                                        No

                                                                                        (default = TRUE)

                                                                                        Can be any of TRUE, FALSE, YES or NO. If this parameter is FALSE (or NO), the component will not be migrated unless there is an equivalent component on the destination computer.

                                                                                        -

                                                                                        When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that are specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name or the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.

                                                                                        +

                                                                                        When type="System" and defaultSupported="FALSE" the settings will not migrate unless there is an equivalent component in the .xml files that are specified on the LoadState command line. For example, the default MigSys.xml file contains components with type="System" and defaultSupported="FALSE". If you specify this file on the ScanState command line, you must also specify the file on the LoadState command line for the settings to migrate. This is because the LoadState tool must detect an equivalent component. That is, the component must have the same migration urlid of the .xml file and an identical display name or the LoadState tool will not migrate those settings from the store. This is helpful when the source computer is running Windows XP, and you are migrating to both Windows Vista and Windows XP because you can use the same store for both destination computers.

                                                                                        hidden

                                                                                        -

                                                                                         

                                                                                        +

                                                                                        This parameter is for internal USMT use only.

                                                                                        -  + For an example, see any of the default migration .xml files. @@ -449,7 +449,7 @@ Syntax: -  + For example, @@ -515,16 +515,18 @@ The <condition> functions return a Boolean value. You can use these elemen

                                                                                        OSVersion

                                                                                        Yes

                                                                                        -

                                                                                        The major version, minor version, build number and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version with a pattern. For example, 5.0.*.

                                                                                        +

                                                                                        The major version, minor version, build number and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version with a pattern. For example, 5.0.*.

                                                                                        -   - For example: - <condition>MigXmlHelper.DoesOSMatch("NT","\*")</condition> +~~~ +For example: + +<condition>MigXmlHelper.DoesOSMatch("NT","\*")</condition> +~~~ - **IsNative64Bit** @@ -553,22 +555,24 @@ The <condition> functions return a Boolean value. You can use these elemen

                                                                                        OSType

                                                                                        Yes

                                                                                        -

                                                                                        Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x”, the result will be FALSE.

                                                                                        +

                                                                                        Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x”, the result will be FALSE.

                                                                                        OSVersion

                                                                                        Yes

                                                                                        -

                                                                                        The major version, minor version, build number, and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.

                                                                                        +

                                                                                        The major version, minor version, build number, and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.

                                                                                        The IsOSLaterThan function returns TRUE if the current operating system is later than or equal to OSVersion.

                                                                                        -   - For example: - <condition negation="Yes">MigXmlHelper.IsOSLaterThan("NT","6.0")</condition> +~~~ +For example: + +<condition negation="Yes">MigXmlHelper.IsOSLaterThan("NT","6.0")</condition> +~~~ - **IsOSEarlierThan** @@ -593,412 +597,420 @@ The <condition> functions return a Boolean value. You can use these elemen
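Review bot: same problem as in the DoesOSMatch hunk: wrapping both `For example:` and `<condition negation="Yes">MigXmlHelper.IsOSLaterThan("NT","6.0")</condition>` in one `~~~` fence turns the explanatory sentence into code. Move `For example:` outside the fence and fence only the `<condition>` element, otherwise the rendered page shows a code block whose first line is prose.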

                                                                                        OSType

                                                                                        Yes

                                                                                        -

                                                                                        Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x” the result will be FALSE.

                                                                                        +

                                                                                        Can be 9x or NT. If OSType does not match the type of the current operating system, then it returns FALSE. For example, if the current operating system is Windows NT-based and OSType is “9x” the result will be FALSE.

                                                                                        OSVersion

                                                                                        Yes

                                                                                        -

                                                                                        The major version, minor version, build number, and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.

                                                                                        +

                                                                                        The major version, minor version, build number, and corrected service diskette version separated by periods. For example, 5.0.2600.Service Pack 1. You can also specify partial specification of the version but no pattern is allowed. For example, 5.0.

                                                                                        The IsOSEarlierThan function returns TRUE if the current operating system is earlier than OSVersion.

                                                                                        -   + ### Object content functions -- **DoesObjectExist** +- **DoesObjectExist** - The DoesObjectExist function returns TRUE if any object exists that matches the location pattern. Otherwise, it returns FALSE. The location pattern is expanded before attempting the enumeration. + The DoesObjectExist function returns TRUE if any object exists that matches the location pattern. Otherwise, it returns FALSE. The location pattern is expanded before attempting the enumeration. - Syntax: DoesObjectExist("*ObjectType*","*EncodedLocationPattern*") + Syntax: DoesObjectExist("*ObjectType*","*EncodedLocationPattern*") - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                        SettingRequired?Value

                                                                                        ObjectType

                                                                                        Yes

                                                                                        Defines the object type. Can be File or Registry.

                                                                                        EncodedLocationPattern

                                                                                        Yes

                                                                                        The [location pattern](#locations). Environment variables are allowed.

                                                                                        + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                        SettingRequired?Value

                                                                                        ObjectType

                                                                                        Yes

                                                                                        Defines the object type. Can be File or Registry.

                                                                                        EncodedLocationPattern

                                                                                        Yes

                                                                                        The location pattern. Environment variables are allowed.

                                                                                        -   - For an example of this element, see the MigApp.xml file. -- **DoesFileVersionMatch** +~~~ +For an example of this element, see the MigApp.xml file. +~~~ - The pattern check is case insensitive. +- **DoesFileVersionMatch** - Syntax: DoesFileVersionMatch("*EncodedFileLocation*","*VersionTag*","*VersionValue*") + The pattern check is case insensitive. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                        SettingRequired?Value

                                                                                        EncodedFileLocation

                                                                                        Yes

                                                                                        The [location pattern](#locations) for the file that will be checked. Environment variables are allowed.

                                                                                        VersionTag

                                                                                        Yes

                                                                                        The [version tag](#allowed) value that will be checked.

                                                                                        VersionValue

                                                                                        Yes

                                                                                        A string pattern. For example, "Microsoft*".

                                                                                        + Syntax: DoesFileVersionMatch("*EncodedFileLocation*","*VersionTag*","*VersionValue*") -   + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                        SettingRequired?Value

                                                                                        EncodedFileLocation

                                                                                        Yes

                                                                                        The location pattern for the file that will be checked. Environment variables are allowed.

                                                                                        VersionTag

                                                                                        Yes

                                                                                        The version tag value that will be checked.

                                                                                        VersionValue

                                                                                        Yes

                                                                                        A string pattern. For example, "Microsoft*".

                                                                                        - For example: - <condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","6.\*")</condition> - <condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","7.\*")</condition> +~~~ +For example: -- **IsFileVersionAbove** +<condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","6.\*")</condition> - The IsFileVersionAbove function returns TRUE if the version of the file is higher than *VersionValue*. +<condition>MigXmlHelper.DoesFileVersionMatch("%MSNMessengerInstPath%\\msnmsgr.exe","ProductVersion","7.\*")</condition> +~~~ - Syntax: IsFileVersionAbove("*EncodedFileLocation*","*VersionTag*","*VersionValue*") +- **IsFileVersionAbove** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                        SettingRequired?Value

                                                                                        EncodedFileLocation

                                                                                        Yes

                                                                                        The [location pattern](#locations) for the file that will be checked. Environment variables are allowed.

                                                                                        VersionTag

                                                                                        Yes

                                                                                        The [version tag](#allowed) value that will be checked.

                                                                                        VersionValue

                                                                                        Yes

                                                                                        The value to compare to. You cannot specify a pattern.

                                                                                        + The IsFileVersionAbove function returns TRUE if the version of the file is higher than *VersionValue*. -   + Syntax: IsFileVersionAbove("*EncodedFileLocation*","*VersionTag*","*VersionValue*") -- **IsFileVersionBelow** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                        SettingRequired?Value

                                                                                        EncodedFileLocation

                                                                                        Yes

                                                                                        The location pattern for the file that will be checked. Environment variables are allowed.

                                                                                        VersionTag

                                                                                        Yes

                                                                                        The version tag value that will be checked.

                                                                                        VersionValue

                                                                                        Yes

                                                                                        The value to compare to. You cannot specify a pattern.

                                                                                        - Syntax: IsFileVersionBelow("*EncodedFileLocation*","*VersionTag*","*VersionValue*") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                        SettingRequired?Value

                                                                                        EncodedFileLocation

                                                                                        Yes

                                                                                        The [location pattern](#locations) for the file that will be checked. Environment variables are allowed.

                                                                                        VersionTag

                                                                                        Yes

                                                                                        The [version tag](#allowed) value that will be checked.

                                                                                        VersionValue

                                                                                        Yes

                                                                                        The value to compare to. You cannot specify a pattern.

                                                                                        -   +- **IsFileVersionBelow** -- **IsSystemContext** + Syntax: IsFileVersionBelow("*EncodedFileLocation*","*VersionTag*","*VersionValue*") - The IsSystemContext function returns TRUE if the current context is "System". Otherwise, it returns FALSE. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                        SettingRequired?Value

                                                                                        EncodedFileLocation

                                                                                        Yes

                                                                                        The location pattern for the file that will be checked. Environment variables are allowed.

                                                                                        VersionTag

                                                                                        Yes

                                                                                        The version tag value that will be checked.

                                                                                        VersionValue

                                                                                        Yes

                                                                                        The value to compare to. You cannot specify a pattern.

                                                                                        - Syntax: IsSystemContext() -- **DoesStringContentEqual** - The DoesStringContentEqual function returns TRUE if the string representation of the given object is identical to `StringContent`. +- **IsSystemContext** - Syntax: DoesStringContentEqual("*ObjectType*","*EncodedLocation*","*StringContent*") + The IsSystemContext function returns TRUE if the current context is "System". Otherwise, it returns FALSE. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                        SettingRequired?Value

                                                                                        ObjectType

                                                                                        Yes

                                                                                        Defines the type of object. Can be File or Registry.

                                                                                        EncodedLocationPattern

                                                                                        Yes

                                                                                        The [encoded location](#locations) for the object that will be examined. You can specify environment variables.

                                                                                        StringContent

                                                                                        Yes

                                                                                        The string that will be checked against.

                                                                                        + Syntax: IsSystemContext() -   +- **DoesStringContentEqual** - For example: + The DoesStringContentEqual function returns TRUE if the string representation of the given object is identical to `StringContent`. - ``` syntax - MigXmlHelper.DoesStringContentEqual("File","%USERNAME%","") - ``` + Syntax: DoesStringContentEqual("*ObjectType*","*EncodedLocation*","*StringContent*") -- **DoesStringContentContain** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                        SettingRequired?Value

                                                                                        ObjectType

                                                                                        Yes

                                                                                        Defines the type of object. Can be File or Registry.

                                                                                        EncodedLocationPattern

                                                                                        Yes

                                                                                        The encoded location for the object that will be examined. You can specify environment variables.

                                                                                        StringContent

                                                                                        Yes

                                                                                        The string that will be checked against.

                                                                                        - The DoesStringContentContain function returns TRUE if there is at least one occurrence of *StrToFind* in the string representation of the object. - Syntax: DoesStringContentContain("*ObjectType*","*EncodedLocation*","*StrToFind*") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                        SettingRequired?Value

                                                                                        ObjectType

                                                                                        Yes

                                                                                        Defines the type of object. Can be File or Registry.

                                                                                        EncodedLocationPattern

                                                                                        Yes

                                                                                        The [encoded location](#locations) for the object that will be examined. You can specify environment variables.

                                                                                        StrToFind

                                                                                        Yes

                                                                                        A string that will be searched inside the content of the given object.

                                                                                        +~~~ +For example: -   +``` syntax +MigXmlHelper.DoesStringContentEqual("File","%USERNAME%","") +``` +~~~ -- **IsSameObject** +- **DoesStringContentContain** - The IsSameObject function returns TRUE if the given encoded locations resolve to the same physical object. Otherwise, it returns FALSE. + The DoesStringContentContain function returns TRUE if there is at least one occurrence of *StrToFind* in the string representation of the object. - Syntax: IsSameObject("*ObjectType*","*EncodedLocation1*","*EncodedLocation2*") + Syntax: DoesStringContentContain("*ObjectType*","*EncodedLocation*","*StrToFind*") - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                        SettingRequired?Value

                                                                                        ObjectType

                                                                                        Yes

                                                                                        Defines the type of object. Can be File or Registry.

                                                                                        EncodedLocation1

                                                                                        Yes

                                                                                        The [encoded location](#locations) for the first object. You can specify environment variables.

                                                                                        EncodedLocation2

                                                                                        Yes

                                                                                        The [encoded location](#locations) for the second object. You can specify environment variables.

                                                                                        + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                        SettingRequired?Value

                                                                                        ObjectType

                                                                                        Yes

                                                                                        Defines the type of object. Can be File or Registry.

                                                                                        EncodedLocationPattern

                                                                                        Yes

                                                                                        The encoded location for the object that will be examined. You can specify environment variables.

                                                                                        StrToFind

                                                                                        Yes

                                                                                        A string that will be searched inside the content of the given object.

                                                                                        -   - For example: - ``` syntax - - MigXmlHelper.IsSameObject("File","%CSIDL_FAVORITES%","%CSIDL_COMMON_FAVORITES%") - %CSIDL_FAVORITES%\* [*] - - ``` +- **IsSameObject** -- **IsSameContent** + The IsSameObject function returns TRUE if the given encoded locations resolve to the same physical object. Otherwise, it returns FALSE. - The IsSameContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be compared byte by byte. + Syntax: IsSameObject("*ObjectType*","*EncodedLocation1*","*EncodedLocation2*") - Syntax: IsSameContent("*ObjectType1*","*EncodedLocation1*","*ObjectType2*","*EncodedLocation2*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                        SettingRequired?Value

                                                                                        ObjectType

                                                                                        Yes

                                                                                        Defines the type of object. Can be File or Registry.

                                                                                        EncodedLocation1

                                                                                        Yes

                                                                                        The encoded location for the first object. You can specify environment variables.

                                                                                        EncodedLocation2

                                                                                        Yes

                                                                                        The encoded location for the second object. You can specify environment variables.

                                                                                        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                        SettingRequired?Value

                                                                                        ObjectType1

                                                                                        Yes

                                                                                        Defines the type of the first object. Can be File or Registry.

                                                                                        EncodedLocation1

                                                                                        Yes

                                                                                        The [encoded location](#locations) for the first object. You can specify environment variables.

                                                                                        ObjectType2

                                                                                        Yes

                                                                                        Defines the type of the second object. Can be File or Registry.

                                                                                        EncodedLocation2

                                                                                        Yes

                                                                                        The [encoded location](#locations) for the second object. You can specify environment variables.

                                                                                        -   -- **IsSameStringContent** +~~~ +For example: - The IsSameStringContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be interpreted as a string. +``` syntax + + MigXmlHelper.IsSameObject("File","%CSIDL_FAVORITES%","%CSIDL_COMMON_FAVORITES%") + %CSIDL_FAVORITES%\* [*] + +``` +~~~ - Syntax: IsSameStringContent("*ObjectType1*","*EncodedLocation1*","*ObjectType2*","*EncodedLocation2*") +- **IsSameContent** + + The IsSameContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be compared byte by byte. + + Syntax: IsSameContent("*ObjectType1*","*EncodedLocation1*","*ObjectType2*","*EncodedLocation2*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                        SettingRequired?Value

                                                                                        ObjectType1

                                                                                        Yes

                                                                                        Defines the type of the first object. Can be File or Registry.

                                                                                        EncodedLocation1

                                                                                        Yes

                                                                                        The encoded location for the first object. You can specify environment variables.

                                                                                        ObjectType2

                                                                                        Yes

                                                                                        Defines the type of the second object. Can be File or Registry.

                                                                                        EncodedLocation2

                                                                                        Yes

                                                                                        The encoded location for the second object. You can specify environment variables.

                                                                                        + + + +- **IsSameStringContent** + + The IsSameStringContent function returns TRUE if the given objects have the same content. Otherwise, it returns FALSE. The content will be interpreted as a string. + + Syntax: IsSameStringContent("*ObjectType1*","*EncodedLocation1*","*ObjectType2*","*EncodedLocation2*") + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                        SettingRequired?Value

                                                                                        ObjectType1

                                                                                        Yes

                                                                                        Defines the type of the first object. Can be File or Registry.

                                                                                        EncodedLocation1

                                                                                        Yes

                                                                                        The encoded location for the first object. You can specify environment variables.

                                                                                        ObjectType2

                                                                                        Yes

                                                                                        Defines the type of the second object. Can be File or Registry.

                                                                                        EncodedLocation2

                                                                                        Yes

                                                                                        The encoded location for the second object. You can specify environment variables.

                                                                                        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                        SettingRequired?Value

                                                                                        ObjectType1

                                                                                        Yes

                                                                                        Defines the type of the first object. Can be File or Registry.

                                                                                        EncodedLocation1

                                                                                        Yes

                                                                                        The [encoded location](#locations) for the first object. You can specify environment variables.

                                                                                        ObjectType2

                                                                                        Yes

                                                                                        Defines the type of the second object. Can be File or Registry.

                                                                                        EncodedLocation2

                                                                                        Yes

                                                                                        The [encoded location](#locations) for the second object. You can specify environment variables.

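Review bot: the replacement (`+`) IsSameStringContent parameter table drops the `[encoded location](#locations)` link in the EncodedLocation1 and EncodedLocation2 rows ("The encoded location for the first object" / "... second object"), while the removed (`-`) rows still carry it; keep the link so the table continues to point at the encoded-location syntax section the rest of the page relies on.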
                                                                                        -   ## <conditions> @@ -1039,7 +1051,7 @@ Syntax: -  + The following example is from the MigApp.xml file: @@ -1096,7 +1108,7 @@ Syntax: -  + ### <content> functions @@ -1135,19 +1147,21 @@ The following functions generate patterns out of the content of an object. These -   - For example: - ``` syntax - - ``` +~~~ +For example: - and +``` syntax + +``` - ``` syntax - - ``` +and + +``` syntax + +``` +~~~ - **ExtractMultipleFiles** @@ -1184,7 +1198,7 @@ The following functions generate patterns out of the content of an object. These -   + - **ExtractDirectory** @@ -1224,19 +1238,21 @@ The following functions generate patterns out of the content of an object. These -   - For example: - ``` syntax - - - - %HklmWowSoftware%\Classes\Software\RealNetworks\Preferences\DT_Common [] - - - - ``` +~~~ +For example: + +``` syntax + + + + %HklmWowSoftware%\Classes\Software\RealNetworks\Preferences\DT_Common [] + + + +``` +~~~ ## <contentModify> @@ -1280,7 +1296,7 @@ Syntax: -  + ### <contentModify> functions @@ -1314,7 +1330,7 @@ The following functions change the content of objects as they are migrated. Thes -   + - **ConvertToString** @@ -1344,17 +1360,19 @@ The following functions change the content of objects as they are migrated. Thes -   - For example: - ``` syntax - - - HKCU\Control Panel\Desktop [ScreenSaveUsePassword] - - - ``` +~~~ +For example: + +``` syntax + + + HKCU\Control Panel\Desktop [ScreenSaveUsePassword] + + +``` +~~~ - **ConvertToBinary** @@ -1390,7 +1408,7 @@ The following functions change the content of objects as they are migrated. Thes -   + - **SetValueByTable** @@ -1431,7 +1449,7 @@ The following functions change the content of objects as they are migrated. Thes -   + - **KeepExisting** @@ -1477,7 +1495,7 @@ The following functions change the content of objects as they are migrated. Thes -   + - **MergeMultiSzContent** 
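Review bot: in the `<content>` functions hunk (@@ -1135,19 +1147,21 @@), wrapping `For example:` and the ``` syntax fences in a `~~~` fence turns the lead-in prose into literal code and prevents the inner ``` syntax block from rendering as a code block; the same `+~~~ ... +~~~` pattern is repeated in the ExtractDirectory (@@ -1224) and ConvertToDWORD (@@ -1344) hunks. Indenting the example under its list item (as the removed lines did) keeps the prose as prose and the example as a single code block.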
@@ -1516,7 +1534,7 @@ The following functions change the content of objects as they are migrated. Thes -   + - **MergeDelimitedContent** @@ -1561,7 +1579,7 @@ The following functions change the content of objects as they are migrated. Thes -   + ## <description> @@ -1600,7 +1618,7 @@ Syntax: -  + The following code sample shows how the <description> element defines the "My custom component" description.: @@ -1613,10 +1631,10 @@ The following code sample shows how the <description> element defines the The <destinationCleanup> element deletes objects, such as files and registry keys, from the destination computer before applying the objects from the source computer. This element is evaluated only when the LoadState tool is run on the destination computer. That is, this element is ignored by the ScanState tool. -**Important**   +**Important** Use this option with extreme caution because it will delete objects from the destination computer. -  + For each <destinationCleanup> element there can be multiple <objectSet> elements. A common use for this element is if there is a missing registry key on the source computer and you want to ensure that a component is migrated. In this case, you can delete all of the component's registry keys before migrating the source registry keys. This will ensure that if there is a missing key on the source computer, it will also be missing on the destination computer. @@ -1655,7 +1673,7 @@ Syntax: -  + For example: @@ -1726,7 +1744,7 @@ Syntax: -  + For examples, see the examples for [<detection>](#detection). @@ -1785,7 +1803,7 @@ Syntax: -  + The following example is from the MigApp.xml file. @@ -1856,7 +1874,7 @@ Syntax: -  + For example: @@ -1923,7 +1941,7 @@ Syntax: -  + For example: @@ -1985,7 +2003,7 @@ Syntax: -  + ## @@ -2111,7 +2129,7 @@ Syntax: -  + For example, from the MigUser.xml file: @@ -2168,7 +2186,7 @@ Syntax: -  + Example: 
@@ -2275,7 +2293,7 @@ Syntax: -  + For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the <component> element: @@ -2344,7 +2362,7 @@ Syntax: -  + For an example of how to use the <externalProcess> element, see the example for [<excludeAttributes>](#excludeattributes). @@ -2396,7 +2414,7 @@ Syntax: -  + The following example is from the MigUser.xml file: @@ -2473,7 +2491,7 @@ The following functions return a Boolean value. You can use them to migrate cert -   + - **IgnoreIrrelevantLinks** @@ -2548,7 +2566,7 @@ Syntax:
                                                                                      • Owner. The owner of the object (SID).

                                                                                      • Group. The primary group for the object (SID).

                                                                                      • DACL (discretionary access control list). An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.

                                                                                      • -
                                                                                      • SACL (system access control list). An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.

                                                                                      • +
                                                                                      • SACL (system access control list). An ACL that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.

                                                                                    • TimeFields can be one of the following:

                                                                                        @@ -2561,7 +2579,7 @@ Syntax: -  + For an example of how to use the <includeAttributes> element, see the example for [<excludeAttributes>](#excludeattributes). @@ -2612,7 +2630,7 @@ Syntax: -  + The following example is from the MigApp.xml file: @@ -2673,7 +2691,7 @@ Syntax: -  + The following example is from the MigApp.xml file: 
@@ -2689,45 +2707,47 @@ The following example is from the MigApp.xml file: The following functions change the location of objects as they are migrated when using the <locationModify> element. These functions are called for every object that the parent <ObjectSet> element is enumerating. The <locationModify> element will create the appropriate folder on the destination computer if it does not already exist. -- **ExactMove** +- **ExactMove** - The ExactMove function moves all of the objects that are matched by the parent <ObjectSet> element into the given *ObjectEncodedLocation*. You can use this function when you want to move a single file to a different location on the destination computer. If the destination location is a node, all of the matching source objects will be written to the node without any subdirectories. If the destination location is a leaf, the migration engine will migrate all of the matching source objects to the same location. If a collision occurs, the normal collision algorithms will apply. + The ExactMove function moves all of the objects that are matched by the parent <ObjectSet> element into the given *ObjectEncodedLocation*. You can use this function when you want to move a single file to a different location on the destination computer. If the destination location is a node, all of the matching source objects will be written to the node without any subdirectories. If the destination location is a leaf, the migration engine will migrate all of the matching source objects to the same location. If a collision occurs, the normal collision algorithms will apply. - Syntax: ExactMove(*ObjectEncodedLocation*) + Syntax: ExactMove(*ObjectEncodedLocation*) - - - - - - - - - - - - - - - - - - - - -
                                                                                        SettingRequired?Value

                                                                                        ObjectEncodedLocation

                                                                                        Yes

                                                                                        The destination [location](#locations) for all of the source objects.

                                                                                        + + + + + + + + + + + + + + + + + + + + +
                                                                                        SettingRequired?Value

                                                                                        ObjectEncodedLocation

                                                                                        Yes

                                                                                        The destination location for all of the source objects.

                                                                                        -   - For example: - ``` syntax - - - HKCU\Keyboard Layout\Toggle [] - - - ``` +~~~ +For example: + +``` syntax + + + HKCU\Keyboard Layout\Toggle [] + + +``` +~~~ - **Move** @@ -2757,7 +2777,7 @@ The following functions change the location of objects as they are migrated when -   + - **RelativeMove** @@ -2792,22 +2812,24 @@ The following functions change the location of objects as they are migrated when -   - For example: - ``` syntax - - +~~~ +For example: + +``` syntax + + + %CSIDL_COMMON_FAVORITES%\* [*] + + + + %CSIDL_COMMON_FAVORITES%\* [*] - - - - - %CSIDL_COMMON_FAVORITES%\* [*] - - - ``` + + +``` +~~~ ## <\_locDefinition> @@ -2851,7 +2873,7 @@ Syntax: -  + ## <merge> @@ -2897,7 +2919,7 @@ Syntax: -  + The following example is from the MigUser.xml file: @@ -2969,7 +2991,7 @@ These functions control how collisions are resolved. -   + - **NewestVersion** @@ -2999,7 +3021,7 @@ These functions control how collisions are resolved. -   + - **HigherValue()** @@ -3040,7 +3062,7 @@ The <migration> element is the single root element of a migration .xml fil Syntax: -<migration urlid="*UrlID/*Name"> +<migration urlid="UrlID/Name"> </migration> @@ -3061,7 +3083,7 @@ Syntax:

                                                                                        urlid

                                                                                        Yes

                                                                                        -

                                                                                        UrlID is a string identifier that uniquely identifies this .xml file. This parameter must be a no-colon-name as defined by the XML Namespaces specification. Each migration .xml file must have a unique urlid. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. For more information about XML Namespaces, see [Use XML Namespaces](https://go.microsoft.com/fwlink/p/?LinkId=220938).

                                                                                        +

                                                                                        UrlID is a string identifier that uniquely identifies this .xml file. This parameter must be a no-colon-name as defined by the XML Namespaces specification. Each migration .xml file must have a unique urlid. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. For more information about XML Namespaces, see Use XML Namespaces.

                                                                                        Name

                                                                                        @@ -3071,7 +3093,7 @@ Syntax: -  + The following example is from the MigApp.xml file: @@ -3114,10 +3136,10 @@ This filter helper function can be used to filter the migration of files based o -  + ``` syntax - + File_size @@ -3291,25 +3313,24 @@ Syntax:
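Review bot: in the `<migration>` urlid table (@@ -3061,7 +3083,7 @@), the added (`+`) row replaces `[Use XML Namespaces](https://go.microsoft.com/fwlink/p/?LinkId=220938)` with the plain text "Use XML Namespaces", so the reference to the XML Namespaces documentation no longer links anywhere; keep the markdown link.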

                                                                                        Yes

                                                                                        A valid registry or file path pattern, followed by at least one space, followed by brackets [] that contain the object to be migrated.

                                                                                          -
                                                                                        • Path can contain the asterisk (*) wildcard character or can be an [Recognized Environment Variables](usmt-recognized-environment-variables.md). You cannot use the question mark as a wildcard character.You can use HKCU and HKLM to refer to HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE respectively.

                                                                                        • -
                                                                                        • Object can contain the asterisk (*) wildcard character. However, you cannot use the question mark as a wildcard character. For example:

                                                                                          -

                                                                                          C:\Folder\ [*] enumerates all files in C:\Path but no subfolders of C:\Folder.

                                                                                          -

                                                                                          C:\Folder\* [*] enumerates all files and subfolders of C:\Folder.

                                                                                          +
                                                                                        • Path can contain the asterisk () wildcard character or can be an Recognized Environment Variables. You cannot use the question mark as a wildcard character.You can use HKCU and HKLM to refer to HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE respectively.

                                                                                        • +
                                                                                        • Object can contain the asterisk () wildcard character. However, you cannot use the question mark as a wildcard character. For example:

                                                                                          +

                                                                                          C:\Folder\ [] enumerates all files in C:<em>Path but no subfolders of C:\Folder.

                                                                                          +

                                                                                          C:\Folder* [] enumerates all files and subfolders of C:\Folder.

                                                                                          C:\Folder\ [*.mp3] enumerates all .mp3 files in C:\Folder.

                                                                                          C:\Folder\ [Sample.doc] enumerates only the Sample.doc file located in C:\Folder.

                                                                                          -Note   -

                                                                                          If you are migrating a file that has a square bracket character ([ or ]) in the file name, you must insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", you must specify <pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.

                                                                                          +Note

                                                                                          If you are migrating a file that has a square bracket character ([ or ]) in the file name, you must insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", you must specify <pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.

                                                                                          -  +
                                                                                        -  + For example: @@ -3390,7 +3411,7 @@ Syntax: -  + ## <plugin> @@ -3446,20 +3467,20 @@ Syntax:
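Review bot: the added (`+`) rows of the `<pattern>` table (@@ -3291,25 +3313,24 @@) are corrupted relative to the removed (`-`) rows: "asterisk (*)" became "asterisk ()", the link to `usmt-recognized-environment-variables.md` became plain text, `C:\Folder\ [*]` became `C:\Folder\ []`, `C:\Path` became `C:<em>Path`, and `C:\Folder\* [*]` became `C:\Folder* []`. It looks like the cell text was passed through a markdown renderer that consumed the `*` as emphasis and the `\` as an escape; re-insert the original `*` and `\` characters (escaped as `\*` and `\\` where the table is markdown) and restore the link, otherwise the wildcard examples no longer say what they are meant to say.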
                                                                                      • Specify one “Container” <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:

                                                                                      • <component context="UserAndSystem" type="Application">
                                                                                        -  <displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName> 
                                                                                        +  <displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName> 
                                                                                           <environment name="GlobalEnv" /> 
                                                                                           <role role="Container">
                                                                                             <detection name="AnyOffice2003Version" /> 
                                                                                             <detection name="FrontPage2003" /> 
                                                                                             <!-- 
                                                                                        - Office 2003 Common Settings 
                                                                                        -  --> 
                                                                                        + Office 2003 Common Settings 
                                                                                        +  --> 
                                                                                             <component context="UserAndSystem" type="Application">
                                                                                        -  + The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file: @@ -3546,7 +3567,7 @@ Syntax: -  + The following example is from the MigUser.xml file: @@ -3642,18 +3663,17 @@ The return value that is required by <script> depends on the parent elemen
                                                                                      • When used within <objectSet>, the return value must be a two-dimensional array of strings.

                                                                                      • When used within <location>, the return value must be a valid location that aligns with the type attribute of <location>. For example, if <location type="File">, the child script element, if specified, must be a valid file location.

                                                                                        -Note   -

                                                                                        If you are migrating a file that has a bracket character ([ or ]) in the file name, insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", specify <pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.

                                                                                        +Note

                                                                                        If you are migrating a file that has a bracket character ([ or ]) in the file name, insert the carrot (^) character directly before the bracket for it to be valid. For example, if there is a file named "file].txt", specify <pattern type="File">c:\documents\mydocs [file^].txt]</pattern> instead of <pattern type="File">c:\documents\mydocs [file].txt]</pattern>.

                                                                                        -  +
                                                                                      -  + Examples: @@ -3719,137 +3739,143 @@ These functions return either a string or a pattern. -   - For example: - ``` syntax - - - - ``` +~~~ +For example: -- **GenerateDrivePatterns** +``` syntax + + + +``` +~~~ - The GenerateDrivePatterns function will iterate all of the available drives and select the ones that match the requested drive type. It will then concatenate the selected drives with the end part of *PatternSegment* to form a full encoded file pattern. For example, if *PatternSegment* is `Path [file.txt]` and DriveType is `Fixed`, then the function will generate `C:\Path [file.txt]`, and other patterns if there are fixed drives other than C:. You cannot specify environment variables with this function. You can use GenerateDrivePatterns with <script> elements that are within [<objectSet>](#objectset) that are within <include>/<exclude>. +- **GenerateDrivePatterns** - Syntax: GenerateDrivePatterns("*PatternSegment*","*DriveType*") + The GenerateDrivePatterns function will iterate all of the available drives and select the ones that match the requested drive type. It will then concatenate the selected drives with the end part of *PatternSegment* to form a full encoded file pattern. For example, if *PatternSegment* is `Path [file.txt]` and DriveType is `Fixed`, then the function will generate `C:\Path [file.txt]`, and other patterns if there are fixed drives other than C:. You cannot specify environment variables with this function. You can use GenerateDrivePatterns with <script> elements that are within [<objectSet>](#objectset) that are within <include>/<exclude>. - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                      SettingRequired?Value

                                                                                      PatternSegment

                                                                                      Yes

                                                                                      The suffix of an encoded pattern. It will be concatenated with a drive specification, such as "c:\", to form a complete [encoded file pattern](#locations). For example, "* [*.doc]". PatternSegment cannot be an environment variable.

                                                                                      DriveType

                                                                                      Yes

                                                                                      The drive type for which the patterns are to be generated. You can specify one of:

                                                                                      -
                                                                                        -
                                                                                      • Fixed

                                                                                      • -
                                                                                      • CDROM

                                                                                      • -
                                                                                      • Removable

                                                                                      • -
                                                                                      • Remote

                                                                                      • -
                                                                                      + Syntax: GenerateDrivePatterns("*PatternSegment*","*DriveType*") -   + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                      SettingRequired?Value

                                                                                      PatternSegment

                                                                                      Yes

                                                                                      The suffix of an encoded pattern. It will be concatenated with a drive specification, such as "c:&quot;, to form a complete encoded file pattern. For example, "* [*.doc]". PatternSegment cannot be an environment variable.

                                                                                      DriveType

                                                                                      Yes

                                                                                      The drive type for which the patterns are to be generated. You can specify one of:

                                                                                      +
                                                                                        +
                                                                                      • Fixed

                                                                                      • +
                                                                                      • CDROM

                                                                                      • +
                                                                                      • Removable

                                                                                      • +
                                                                                      • Remote

                                                                                      • +
                                                                                      - See the last component in the MigUser.xml file for an example of this element. -- **GenerateUserPatterns** - The function will iterate through all users that are being migrated, excluding the currently processed user if <ProcessCurrentUser> is FALSE, and will expand the specified pattern in the context of each user. For example, if users A, B and C have profiles in C:\\Documents and Settings), by calling `GenerateUserPattens('File','%userprofile% [*.doc]','TRUE')`, the helper function will generate the following three patterns: +~~~ +See the last component in the MigUser.xml file for an example of this element. +~~~ - - "C:\\Documents and Settings\\A\\\* \[\*.doc\]" +- **GenerateUserPatterns** - - "C:\\Documents and Settings\\B\\\* \[\*.doc\]" + The function will iterate through all users that are being migrated, excluding the currently processed user if <ProcessCurrentUser> is FALSE, and will expand the specified pattern in the context of each user. For example, if users A, B and C have profiles in C:\\Documents and Settings), by calling `GenerateUserPattens('File','%userprofile% [*.doc]','TRUE')`, the helper function will generate the following three patterns: - - "C:\\Documents and Settings\\C\\\* \[\*.doc\]" + - "C:\\Documents and Settings\\A\\\* \[\*.doc\]" - Syntax:GenerateUserPatterns("*ObjectType*","*EncodedLocationPattern*","*ProcessCurrentUser*") + - "C:\\Documents and Settings\\B\\\* \[\*.doc\]" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                      SettingRequired?Value

                                                                                      ObjectType

                                                                                      Yes

                                                                                      Defines the object type. Can be File or Registry.

                                                                                      EncodedLocationPattern

                                                                                      Yes

                                                                                      The [location pattern](#locations). Environment variables are allowed.

                                                                                      ProcessCurrentUser

                                                                                      Yes

                                                                                      Can be TRUE or FALSE. Indicates if the patterns should be generated for the current user.

                                                                                      + - "C:\\Documents and Settings\\C\\\* \[\*.doc\]" -   + Syntax:GenerateUserPatterns("*ObjectType*","*EncodedLocationPattern*","*ProcessCurrentUser*") - **Example:** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                      SettingRequired?Value

                                                                                      ObjectType

                                                                                      Yes

                                                                                      Defines the object type. Can be File or Registry.

                                                                                      EncodedLocationPattern

                                                                                      Yes

                                                                                      The location pattern. Environment variables are allowed.

                                                                                      ProcessCurrentUser

                                                                                      Yes

                                                                                      Can be TRUE or FALSE. Indicates if the patterns should be generated for the current user.

                                                                                      - If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X’s profile. - The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected. - ``` syntax - - - - - - - - - %ProfilesFolder%\* [*.doc] - - - - - - - %ProfilesFolder%\* [*.doc] - - - - - - - - - ``` +~~~ +**Example:** + +If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X’s profile. + +The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. 
Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected. + +``` syntax + + + + + + + + + %ProfilesFolder%\* [*.doc] + + + + + + + %ProfilesFolder%\* [*.doc] + + + + + + + + +``` +~~~ ### MigXmlHelper.GenerateDocPatterns @@ -3887,27 +3913,27 @@ This helper function invokes the document finder to scan the system for all file -  + ``` syntax -  -    MigDocUser -    -      -        -          -            -          -        -        -          -            -          -        -      -    + + + MigDocUser + + + + + + + + + + + + + + + ``` ### Simple executing scripts @@ -3990,7 +4016,7 @@ Syntax: -  + For example: @@ -4086,7 +4112,7 @@ Syntax: -  + The following example is from the MigApp.xml file: @@ -4138,7 +4164,7 @@ Syntax: -  + For example: @@ -4227,9 +4253,9 @@ The following version tags contain values that can be compared: [USMT XML Reference](usmt-xml-reference.md) -  - -  + + + diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md index c4264bdc3e..8dda62c31d 100644 --- a/windows/deployment/usmt/usmt-xml-reference.md +++ b/windows/deployment/usmt/usmt-xml-reference.md @@ -28,49 +28,49 @@ This section contains topics that you can use to work with and to customize the -
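Review bot: in the usmt-xml-elements-library.md hunks for GenerateUserPatterns, wrapping prose in `~~~` fences (`+~~~ +See the last component in the MigUser.xml file for an example of this element. +~~~`, and the `+~~~ +**Example:** ...` block) turns those explanatory paragraphs into literal code blocks, and the ``` syntax fence nested inside the second `~~~` block will render as text rather than as a code sample, because a `~~~` fence is only closed by another `~~~`. Indent these paragraphs as continuations of the list item instead, and keep only the XML inside a fence. The touched prose also carries over the misspelling `GenerateUserPattens` (missing r) and the stray `)` in `C:\\Documents and Settings)`; fix both in the same pass since the lines are already being rewritten.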

                                                                                      [Understanding Migration XML Files](understanding-migration-xml-files.md)

                                                                                      +

                                                                                      Understanding Migration XML Files

                                                                                      Provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file.

                                                                                      -

                                                                                      [Config.xml File](usmt-configxml-file.md)

                                                                                      +

                                                                                      Config.xml File

                                                                                      Describes the Config.xml file and policies concerning its configuration.

                                                                                      -

                                                                                      [Customize USMT XML Files](usmt-customize-xml-files.md)

                                                                                      +

                                                                                      Customize USMT XML Files

                                                                                      Describes how to customize USMT XML files.

                                                                                      -

                                                                                      [Custom XML Examples](usmt-custom-xml-examples.md)

                                                                                      +

                                                                                      Custom XML Examples

                                                                                      Gives examples of XML files for various migration scenarios.

                                                                                      -

                                                                                      [Conflicts and Precedence](usmt-conflicts-and-precedence.md)

                                                                                      +

                                                                                      Conflicts and Precedence

                                                                                      Describes the precedence of migration rules and how conflicts are handled.

                                                                                      -

                                                                                      [General Conventions](usmt-general-conventions.md)

                                                                                      +

                                                                                      General Conventions

                                                                                      Describes the XML helper functions.

                                                                                      -

                                                                                      [XML File Requirements](xml-file-requirements.md)

                                                                                      +

                                                                                      XML File Requirements

                                                                                      Describes the requirements for custom XML files.

                                                                                      -

                                                                                      [Recognized Environment Variables](usmt-recognized-environment-variables.md)

                                                                                      +

                                                                                      Recognized Environment Variables

                                                                                      Describes environment variables recognized by USMT.

                                                                                      -

                                                                                      [XML Elements Library](usmt-xml-elements-library.md)

                                                                                      +

                                                                                      XML Elements Library

                                                                                      Describes the XML elements and helper functions for authoring migration XML files to use with USMT.

                                                                                      -  + -  + -  + diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 557541a962..07ff40a76b 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -85,7 +85,7 @@ For examples of activation issues, see [Troubleshoot the user experience](https: Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" ``` 3. Right-click the mounted image in file explorer and click **Eject**. -1. See instructions at [Upload and create VM from generalized VHD](https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image. +16. See instructions at [Upload and create VM from generalized VHD](https://docs.microsoft.com/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image. ## Azure Active Directory-joined VMs diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index d24cd75114..aff4f923e1 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md 
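Review bot: in the vda-subscription-activation.md hunk the list marker changes from `1.` to `16.`, but the item shown immediately above it is `3. Right-click the mounted image in file explorer and click **Eject**.`. If steps 1 through 3 are a nested sub-list under step 15, they need to be indented under that step so the renderer continues the outer list at 16; if they are top-level items, 16 is the wrong number. Confirm the intended sequence rather than hard-coding 16.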
@@ -69,45 +69,45 @@ If you receive error 0xC004F015 when trying to activate Windows 10 Enterprise, **Configure KMS in Windows Server 2012 R2** -1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials. -2. Launch Server Manager. -3. Add the Volume Activation Services role, as shown in Figure 4. +1. Sign in to a computer running Windows Server 2012 R2 with an account that has local administrative credentials. +2. Launch Server Manager. +3. Add the Volume Activation Services role, as shown in Figure 4. - ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg) + ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg) - **Figure 4**. Adding the Volume Activation Services role in Server Manager\ + **Figure 4**. Adding the Volume Activation Services role in Server Manager\ -4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). +4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5). - ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-05.jpg) + ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-05.jpg) - **Figure 5**. Launching the Volume Activation Tools + **Figure 5**. Launching the Volume Activation Tools - 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). - This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. + 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6). + This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10. 
- ![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg) + ![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg) - **Figure 6**. Configuring the computer as a KMS host + **Figure 6**. Configuring the computer as a KMS host -6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). +5. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7). - ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg) + ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg) - **Figure 7**. Installing your KMS host key + **Figure 7**. Installing your KMS host key -7. If asked to confirm replacement of an existing key, click **Yes**. -8. After the product key is installed, you must activate it. Click **Next** (Figure 8). +6. If asked to confirm replacement of an existing key, click **Yes**. +7. After the product key is installed, you must activate it. Click **Next** (Figure 8). - ![Activating the software](../images/volumeactivationforwindows81-08.jpg) + ![Activating the software](../images/volumeactivationforwindows81-08.jpg) - **Figure 8**. Activating the software + **Figure 8**. Activating the software - The KMS key can be activated online or by phone. See Figure 9. + The KMS key can be activated online or by phone. See Figure 9. - ![Choosing to activate online](../images/volumeactivationforwindows81-09.jpg) + ![Choosing to activate online](../images/volumeactivationforwindows81-09.jpg) - **Figure 9**. Choosing to activate online + **Figure 9**. Choosing to activate online Now that the KMS host is configured, it will begin to listen for activation requests. However, it will not activate clients successfully until the activation threshold is met. 
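Review bot: the renumbering in the activate-using-key-management-service-vamt.md hunk produces two steps labelled 5: the indented `5. Select the **Key Management Service (KMS)** option` item is kept as is, while `6. Install your KMS host key` becomes `5. Install your KMS host key` and the following steps shift to 6 and 7. Either remove the indentation on the "Select the KMS option" item so it is a proper list item and keep 6, 7, 8, or renumber consistently. The trailing backslash after `**Figure 4**. Adding the Volume Activation Services role in Server Manager\` is also carried over unchanged and will render as a literal backslash or a hard line break.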
diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md index f5f2054fd7..f913c13504 100644 --- a/windows/deployment/volume-activation/add-manage-products-vamt.md +++ b/windows/deployment/volume-activation/add-manage-products-vamt.md @@ -25,6 +25,6 @@ This section describes how to add client computers into the Volume Activation Ma |[Add and Remove Computers](add-remove-computers-vamt.md) |Describes how to add client computers to VAMT. | |[Update Product Status](update-product-status-vamt.md) |Describes how to update the status of product license. | |[Remove Products](remove-products-vamt.md) |Describes how to remove a product from the product list. | -  -  -  + + + diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index 95f2386079..0f68956571 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md @@ -59,5 +59,5 @@ You can delete a computer by clicking on it in the product list view, and then c ## Related topics - [Add and Manage Products](add-manage-products-vamt.md) -  -  + + diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index 8f40b4acca..c602675503 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -90,5 +90,5 @@ The above configurations will open an additional port through the Windows Firewa ## Related topics - [Install and Configure VAMT](install-configure-vamt.md) -  -  + + diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index f532570ba7..3ca3caf3c4 100644 
--- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -41,5 +41,5 @@ You can use the Volume Activation Management Tool (VAMT) to install retail, Mult ## Related topics - [Manage Product Keys](manage-product-keys-vamt.md) -  -  + + diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 989d017feb..87422aa8b3 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -70,5 +70,5 @@ To uninstall VAMT using the **Programs and Features** Control Panel: 2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT. -  -  + + diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 4635a9a3a8..57f8ef18af 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md @@ -62,5 +62,5 @@ VAMT provides a single, graphical user interface for managing activations, and f ## Related topics - [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) -  -  + + diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 6137176257..36a4814fd5 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md 
@@ -28,6 +28,6 @@ This section describes how to activate a client computer, by using a variety of |[Perform Local Reactivation](local-reactivation-vamt.md) |Describes how to reactivate an operating system or Office program that was reinstalled. | |[Activate an Active Directory Forest Online](activate-forest-vamt.md) |Describes how to use Active Directory-Based Activation to online activate an Active Directory forest. | |[Activate by Proxy an Active Directory Forest](activate-forest-by-proxy-vamt.md) |Describes how to use Active Directory-Based Activation to proxy activate an Active Directory forest that is not connected to the Internet. | -  -  -  + + + diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md index 5453c5ceb5..80fd4d4ff0 100644 --- a/windows/deployment/volume-activation/manage-product-keys-vamt.md +++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md @@ -24,6 +24,6 @@ This section describes how to add and remove a product key from the Volume Activ |[Add and Remove a Product Key](add-remove-product-key-vamt.md) |Describes how to add a product key to the VAMT database. | |[Install a Product Key](install-product-key-vamt.md) |Describes how to install a product key for specific product. | |[Install a KMS Client Key](install-kms-client-key-vamt.md) |Describes how to install a GVLK (KMS client) key. | -  -  -  + + + diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index e9ae247dc1..cc415fc1ac 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md 
@@ -228,5 +228,5 @@ The flow of KMS activation is shown in Figure 3, and it follows this sequence: ## See also - [Volume Activation for Windows 10](volume-activation-windows-10.md) -  -  + + diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md index 9976115cda..805b3dfd6c 100644 --- a/windows/deployment/volume-activation/proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/proxy-activation-vamt.md @@ -53,6 +53,6 @@ The product keys that are installed on the client products must have a sufficien **Note**   You can use proxy activation to select products that have different key types and activate the products at the same time. -  -  -  + + + diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index 153e272b33..2e35cec348 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md 
@@ -82,14 +82,14 @@ You can sort the list of products so that it is easier to find the computers tha ## Step 6: Collect status information from the computers in the list To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: -- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. -- To select computers which are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. -**To collect status information from the selected computers** -1. In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then click **OK**. -2. VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. +- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. +- To select computers which are not listed consecutively, hold down the **Ctrl** key and select each computer for which you want to collect the status information. 
+ **To collect status information from the selected computers** +- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box, type the appropriate user name and password and then click **OK**. +- VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. - **Note**   - If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. + **Note** + If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. ## Step 7: Add product keys and determine the remaining activation count @@ -132,5 +132,5 @@ To collect the status from select computers in the database, you can select comp ## Related topics - [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) -  -  + + diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index 26ea722372..c06bae6554 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md 
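Review bot: in the scenario-online-activation-vamt.md hunk the two procedure steps change from `1.`/`2.` to `-` bullets, but the first bullet still says `continue to step 2.If you are supplying alternate credentials`, which now points at a step number that no longer exists (and is missing a space after the period). Keep the ordered list for a two-step procedure, or reword the cross-reference.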
@@ -68,14 +68,14 @@ You can sort the list of products so that it is easier to find the computers tha ## Step 6: Collect Status Information from the Computers in the Isolated Lab To collect the status from select computers in the database, you can select computers in the product list view by using one of the following methods: -- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. -- To select computers which are not listed consecutively, hold down the **Ctrl** ley and select each computer for which you want to collect the status information. -**To collect status information from the selected computers** -1. In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**. -2. VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. +- To select a block of consecutively listed computers, click the first computer that you want to select, and then click the last computer while pressing the **Shift** key. +- To select computers which are not listed consecutively, hold down the **Ctrl** ley and select each computer for which you want to collect the status information. 
+ **To collect status information from the selected computers** +- In the right-side **Actions** pane, click **Update license status** in the **Selected Items** menu and then click a credential option. Choose **Alternate Credentials** only if you are updating products that require administrator credentials that are different from the ones that you used to log on to the computer. Otherwise, click **Current Credentials** and continue to step 2.If you are supplying alternate credentials, in the **Windows Security** dialog box type the appropriate user name and password and then click **OK**. +- VAMT displays the **Collecting product information** dialog box while it collects the license status of all supported products on the selected computers. When the process is finished, the updated license status of each product will appear in the product list view in the center pane. - **Note**   - If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. + **Note** + If a computer has more than one supported product installed, VAMT adds an entry for each product. The entry appears under the appropriate product heading. ## Step 7: Add Product Keys @@ -166,5 +166,5 @@ If you have captured new images of the computers in the isolated lab, but the un ## Related topics - [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) -  -  + + diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md index aa307e4a0e..35c36497d3 100644 --- a/windows/deployment/volume-activation/update-product-status-vamt.md +++ b/windows/deployment/volume-activation/update-product-status-vamt.md 
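Review bot: same issue as on the online-activation page: the scenario-proxy-activation-vamt.md hunk converts steps `1.`/`2.` to bullets while the text still says `continue to step 2.If you are supplying alternate credentials`. The touched line `hold down the **Ctrl** ley` also keeps the typo (should be `key`); fix it in this pass since the line is already being rewritten.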
@@ -33,6 +33,6 @@ The license-status query requires a valid computer name for each system queried. **Note**   If a previously discovered Microsoft Office 2010 product has been uninstalled from the remote computer, updating its licensing status will cause the entry to be deleted from the **Office** product list view, and, consequently, the total number of discovered products will be smaller. However, the Windows installation of the same computer will not be deleted and will always be shown in the **Windows** products list view. -  + ## Related topics - [Add and Manage Products](add-manage-products-vamt.md) diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index bb8257075d..034bbfc2c8 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md 
@@ -18,28 +18,28 @@ ms.topic: article The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to perform the same functions as the Vamt.exe command-line tool. **To install PowerShell 3.0** -- VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=218356). -**To install the Windows Assessment and Deployment Kit** -- In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK). -**To prepare the VAMT PowerShell environment** -1. To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**. +- VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=218356). + **To install the Windows Assessment and Deployment Kit** +- In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK). + **To prepare the VAMT PowerShell environment** +- To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. 
To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**. - **Important**   - If you are using a computer that has an 64-bit processor, select **Windows PowerShell (x86)**. VAMT PowerShell cmdlets are supported for the x86 architecture only. You must use an x86 version of Windows PowerShell to import the VAMT module, which are available in these directories: - - The x86 version of PowerShell is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe - - The x86 version of the PowerShell ISE is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell\_ise.exe -2. For all supported operating systems you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located. + **Important** + If you are using a computer that has an 64-bit processor, select **Windows PowerShell (x86)**. VAMT PowerShell cmdlets are supported for the x86 architecture only. You must use an x86 version of Windows PowerShell to import the VAMT module, which are available in these directories: + - The x86 version of PowerShell is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe + - The x86 version of the PowerShell ISE is available in C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell\_ise.exe +- For all supported operating systems you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located. 
- For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, type: + For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, type: - ``` ps1 - cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0” - ``` -3. Import the VAMT PowerShell module. To import the module, type the following at a command prompt: - ``` syntax - Import-Module .\VAMT.psd1 - ``` - Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`. + ``` ps1 + cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0” + ``` +- Import the VAMT PowerShell module. To import the module, type the following at a command prompt: + ``` syntax + Import-Module .\VAMT.psd1 + ``` + Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`. ## To Get Help for VAMT PowerShell cmdlets 
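Review bot: converting the three numbered steps under **To prepare the VAMT PowerShell environment** (and the two single-item lists above it) to `-` bullets loses the ordering this procedure depends on: `Import-Module .\VAMT.psd1` resolves the module relative to the directory set by the `cd` step, which itself must run in the x86 PowerShell opened in the first step, so keep `1.`, `2.`, `3.` for that block. While these lines are being touched: the prose default path `C:\Program Files(x86)\Windows Kits\10` is missing the space that the command's `C:\Program Files (x86)\...` has; the `cd` line uses curly quotes, which should be straight quotes so the command pastes cleanly; the ` ``` syntax` fence tag is not a language and should match the ` ``` ps1` fences; and two carried-over slips, "has an 64-bit processor" and "which are available in these directories" (one version, so "which is available"), could be fixed in the same `+` lines.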
@@ -57,19 +57,19 @@ The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view onl **To view VAMT PowerShell Help sections** -1. To get the syntax to use with a cmdlet, type the following at a command prompt: - ``` ps1 - get-help - ``` - For example, type: - ``` ps1 - get-help get-VamtProduct - ``` -2. To see examples using a cmdlet, type: - ``` ps1 - get-help -examples - ``` - For example, type: - ``` ps1 - get-help get-VamtProduct -examples - ``` +1. To get the syntax to use with a cmdlet, type the following at a command prompt: + ``` ps1 + get-help + ``` + For example, type: + ``` ps1 + get-help get-VamtProduct + ``` +2. To see examples using a cmdlet, type: + ``` ps1 + get-help -examples + ``` + For example, type: + ``` ps1 + get-help get-VamtProduct -examples + ``` diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md index 5d0bcbfeca..d8bb56ec77 100644 --- a/windows/deployment/volume-activation/volume-activation-management-tool.md +++ b/windows/deployment/volume-activation/volume-activation-management-tool.md @@ -40,4 +40,4 @@ VAMT is only available in an EN-US (x86) package. |[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. | |[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. | |[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. | -  + diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 5920a0ded1..0837197376 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -78,17 +78,17 @@ Windows 10 Enterprise edition has a number of features that are unavailable in -

                                                                                      Credential Guard\*

                                                                                      +

                                                                                      Credential Guard

                                                                                      This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.

                                                                                      Credential Guard has the following features:

                                                                                        -
                                                                                      • **Hardware-level security**.  Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.

                                                                                      • -
                                                                                      • **Virtualization-based security**.  Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.

                                                                                      • -
                                                                                      • **Improved protection against persistent threats**.  Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.

                                                                                      • -
                                                                                      • **Improved manageability**.  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

                                                                                      • +
                                                                                      • Hardware-level security.  Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.

                                                                                      • +
                                                                                      • Virtualization-based security.  Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.

                                                                                      • +
                                                                                      • Improved protection against persistent threats.  Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.

                                                                                      • +
                                                                                      • Improved manageability.  Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.

                                                                                      -

                                                                                      For more information, see [Protect derived domain credentials with Credential Guard](https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard).

                                                                                      -

                                                                                      \* Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)

                                                                                      +

                                                                                      For more information, see Protect derived domain credentials with Credential Guard.

                                                                                      +

                                                                                      Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)

                                                                                      Device Guard

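Review bot: the `+` side of this hunk drops the hyperlink behind "Protect derived domain credentials with Credential Guard" (the `-` line carried https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard) and the bold on the four feature names, so the "For more information" sentence no longer points anywhere. If markdown is not rendered inside this table cell, restore the reference as an HTML anchor and the names with `<b>`; the requirements paragraph (UEFI 2.3.1 with Trusted Boot, VT-x/AMD-V with SLAT, IOMMU, x64 Windows, BIOS lockdown, TPM 2.0 recommended) survives the change, so only the link and emphasis need attention.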
                                                                                      @@ -99,17 +99,17 @@ Windows 10 Enterprise edition has a number of features that are unavailable in
                                                                                    • Helps protect the Windows system core from vulnerability and zero-day exploits

                                                                                    • Allows only trusted apps to run

                                                                                    -

                                                                                    For more information, see [Introduction to Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies).

                                                                                    +

                                                                                    For more information, see Introduction to Device Guard.

                                                                                    AppLocker management

                                                                                    This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

                                                                                    -

                                                                                    For more information, see [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview).

                                                                                    +

                                                                                    For more information, see AppLocker.

                                                                                    Application Virtualization (App-V)

                                                                                    -

                                                                                    This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

                                                                                    -

                                                                                    For more information, see [Getting Started with App-V for Windows 10](https://technet.microsoft.com/itpro/windows/manage/appv-getting-started).

                                                                                    +

                                                                                    This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.

                                                                                    +

                                                                                    For more information, see Getting Started with App-V for Windows 10.

                                                                                    User Experience Virtualization (UE-V)

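Review bot: same pattern as the Credential Guard cell: the `+` lines replace the three linked references ([Introduction to Device Guard], [AppLocker], [Getting Started with App-V for Windows 10]) with bare titles, so readers lose the URLs to the Device Guard, AppLocker and App-V articles. If the table no longer accepts markdown links, keep the targets as HTML anchors; the URLs are all present in the `-` lines of this hunk. The App-V description text itself is re-added unchanged.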
                                                                                    @@ -121,7 +121,7 @@ Windows 10 Enterprise edition has a number of features that are unavailable in
                                                                                  • Create custom templates for your third-party or line-of-business applications

                                                                                  • Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state

                                                                                  -

                                                                                  For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](https://technet.microsoft.com/itpro/windows/manage/uev-for-windows).

                                                                                  +

                                                                                  For more information, see User Experience Virtualization (UE-V) for Windows 10 overview.

                                                                                  Managed User Experience

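Review bot: the UE-V cell loses its link in the same way: "User Experience Virtualization (UE-V) for Windows 10 overview" is added as plain text while the `-` line carried https://technet.microsoft.com/itpro/windows/manage/uev-for-windows; restore the anchor so the "For more information" sentence still resolves.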
                                                                                  diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index 68d88904f4..f6f85fd75d 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -48,13 +48,13 @@ Topics and procedures in this guide are summarized in the following table. An es
                                                                                  TopicDescriptionTime -
                                                                                  [About MDT](#about-mdt)A high-level overview of the Microsoft Deployment Toolkit (MDT).Informational -
                                                                                  [Install MDT](#install-mdt)Download and install MDT.40 minutes -
                                                                                  [Create a deployment share and reference image](#create-a-deployment-share-and-reference-image)A reference image is created to serve as the template for deploying new images.90 minutes -
                                                                                  [Deploy a Windows 10 image using MDT](#deploy-a-windows-10-image-using-mdt)The reference image is deployed in the PoC environment.60 minutes -
                                                                                  [Refresh a computer with Windows 10](#refresh-a-computer-with-windows-10)Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.60 minutes -
                                                                                  [Replace a computer with Windows 10](#replace-a-computer-with-windows-10)Back up an existing client computer, then restore this backup to a new computer.60 minutes -
                                                                                  [Troubleshooting logs, events, and utilities](#troubleshooting-logs-events-and-utilities)Log locations and troubleshooting hints.Informational +
                                                                                  About MDTA high-level overview of the Microsoft Deployment Toolkit (MDT).Informational +
                                                                                  Install MDTDownload and install MDT.40 minutes +
                                                                                  Create a deployment share and reference imageA reference image is created to serve as the template for deploying new images.90 minutes +
                                                                                  Deploy a Windows 10 image using MDTThe reference image is deployed in the PoC environment.60 minutes +
                                                                                  Refresh a computer with Windows 10Export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings.60 minutes +
                                                                                  Replace a computer with Windows 10Back up an existing client computer, then restore this backup to a new computer.60 minutes +
                                                                                  Troubleshooting logs, events, and utilitiesLog locations and troubleshooting hints.Informational
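Review bot: the `+` rows of this summary table drop the in-page anchors (#about-mdt, #install-mdt, #create-a-deployment-share-and-reference-image, #deploy-a-windows-10-image-using-mdt, #refresh-a-computer-with-windows-10, #replace-a-computer-with-windows-10, #troubleshooting-logs-events-and-utilities) from the Topic column, so the table no longer navigates to its sections. If the cells are HTML and markdown links are the problem, use `<a href="#install-mdt">Install MDT</a>` style anchors rather than bare text; the Description and Time columns are unchanged.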
                                                                                  @@ -497,12 +497,12 @@ This section will demonstrate how to export user data from an existing client co **Note**: The USMT will still back up the computer. 7. Lite Touch Installation will perform the following actions: - - Back up user settings and data using USMT. - - Install the Windows 10 Enterprise X64 operating system. - - Update the operating system via Windows Update. - - Restore user settings and data using USMT. + - Back up user settings and data using USMT. + - Install the Windows 10 Enterprise X64 operating system. + - Update the operating system via Windows Update. + - Restore user settings and data using USMT. - You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. + You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. 8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). @@ -563,18 +563,18 @@ At a high level, the computer replace process consists of:
                                                                                  Remove-Item c:\_SMSTaskSequence -recurse Restart-Computer ``` -2. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: +3. Sign in to PC1 using the contoso\administrator account, and then type the following at an elevated command prompt: ``` cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs ``` -3. Complete the deployment wizard using the following: +4. Complete the deployment wizard using the following: - **Task Sequence**: Backup Only Task Sequence - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** - **Computer Backup**: Do not back up the existing computer. -4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. -5. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. -6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: +5. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. +6. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. +7. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: ``` PS C:\> dir C:\MigData\PC1\USMT @@ -585,15 +585,15 @@ At a high level, the computer replace process consists of:
                                                                                  ---- ------------- ------ ---- -a--- 9/6/2016 11:34 AM 14248685 USMT.MIG ``` -### Deploy PC3 + ### Deploy PC3 -1. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: +8. On the Hyper-V host, type the following commands at an elevated Windows PowerShell prompt: ``` New-VM –Name "PC3" –NewVHDPath "c:\vhd\pc3.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 Set-VMMemory -VMName "PC3" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2048MB -Buffer 20 ``` -2. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: +9. Temporarily disable the external network adapter on SRV1 again, so that we can successfully boot PC3 from WDS. To disable the adapter, type the following command at an elevated Windows PowerShell prompt on SRV1: ``` Disable-NetAdapter "Ethernet 2" -Confirm:$false @@ -602,32 +602,32 @@ At a high level, the computer replace process consists of:
                                                                                  >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. -3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: +10. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: - ``` - Start-VM PC3 - vmconnect localhost PC3 - ``` + ``` + Start-VM PC3 + vmconnect localhost PC3 + ``` -4. When prompted, press ENTER for network boot. +11. When prompted, press ENTER for network boot. -6. On PC3, use the following settings for the Windows Deployment Wizard: - - **Task Sequence**: Windows 10 Enterprise x64 Custom Image - - **Move Data and Settings**: Do not move user data and settings - - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** +12. On PC3, use the following settings for the Windows Deployment Wizard: + - **Task Sequence**: Windows 10 Enterprise x64 Custom Image + - **Move Data and Settings**: Do not move user data and settings + - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** -5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: +13. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: - ``` - Enable-NetAdapter "Ethernet 2" - ``` -7. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. + ``` + Enable-NetAdapter "Ethernet 2" + ``` +14. Setup will install the Windows 10 Enterprise operating system, update via Windows Update, and restore the user settings and data from PC1. -8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. 
When the PC completes updating, click **Finish**. +15. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. -9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. +16. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. -10. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. +17. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. ## Troubleshooting logs, events, and utilities @@ -647,7 +647,7 @@ Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade- [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
                                                                                  [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -  + diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index e650744f25..9c5989a965 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -47,17 +47,17 @@ Topics and procedures in this guide are summarized in the following table. An es
                                                                                  TopicDescriptionTime -
                                                                                  [Install prerequisites](#install-prerequisites)Install prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.60 minutes -
                                                                                  [Install System Center Configuration Manager](#install-system-center-configuration-manager)Download System Center Configuration Manager, configure prerequisites, and install the package.45 minutes -
                                                                                  [Download MDOP and install DaRT](#download-mdop-and-install-dart)Download the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.15 minutes -
                                                                                  [Prepare for Zero Touch installation](#prepare-for-zero-touch-installation)Prerequisite procedures to support Zero Touch installation.60 minutes -
                                                                                  [Create a boot image for Configuration Manager](#create-a-boot-image-for-configuration-manager)Use the MDT wizard to create the boot image in Configuration Manager.20 minutes -
                                                                                  [Create a Windows 10 reference image](#create-a-windows-10-reference-image)This procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.0-60 minutes -
                                                                                  [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image)Add a Windows 10 operating system image and distribute it.10 minutes
                                                                                  [Create a task sequence](#create-a-task-sequence)Create a Configuration Manager task sequence with MDT integration using the MDT wizard15 minutes -
                                                                                  [Finalize the operating system configuration](#finalize-the-operating-system-configuration)Enable monitoring, configure rules, and distribute content.30 minutes -
                                                                                  [Deploy Windows 10 using PXE and Configuration Manager](#deploy-windows-10-using-pxe-and-configuration-manager)Deploy Windows 10 using Configuration Manager deployment packages and task sequences.60 minutes -
                                                                                  [Replace a client with Windows 10 using Configuration Manager](#replace-a-client-with-windows-10-using-configuration-manager)Replace a client computer with Windows 10 using Configuration Manager.90 minutes -
                                                                                  [Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager)Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT90 minutes +
                                                                                  Install prerequisitesInstall prerequisite Windows Server roles and features, download, install and configure SQL Server, configure firewall rules, and install the Windows ADK.60 minutes +
                                                                                  Install System Center Configuration ManagerDownload System Center Configuration Manager, configure prerequisites, and install the package.45 minutes +
                                                                                  Download MDOP and install DaRTDownload the Microsoft Desktop Optimization Pack 2015 and install DaRT 10.15 minutes +
                                                                                  Prepare for Zero Touch installationPrerequisite procedures to support Zero Touch installation.60 minutes +
                                                                                  Create a boot image for Configuration ManagerUse the MDT wizard to create the boot image in Configuration Manager.20 minutes +
                                                                                  Create a Windows 10 reference imageThis procedure can be skipped if it was done previously, otherwise instructions are provided to create a reference image.0-60 minutes +
                                                                                  Add a Windows 10 operating system imageAdd a Windows 10 operating system image and distribute it.10 minutes
                                                                                  Create a task sequenceCreate a Configuration Manager task sequence with MDT integration using the MDT wizard15 minutes +
                                                                                  Finalize the operating system configurationEnable monitoring, configure rules, and distribute content.30 minutes +
                                                                                  Deploy Windows 10 using PXE and Configuration ManagerDeploy Windows 10 using Configuration Manager deployment packages and task sequences.60 minutes +
                                                                                  Replace a client with Windows 10 using Configuration ManagerReplace a client computer with Windows 10 using Configuration Manager.90 minutes +
                                                                                  Refresh a client with Windows 10 using Configuration ManagerUse a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT90 minutes
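Review bot: the rewritten table rows no longer show the anchor targets that the `-` rows carried (for example `[Refresh a client with Windows 10 using Configuration Manager](#refresh-a-client-with-windows-10-using-configuration-manager)` becomes plain `Refresh a client with Windows 10 using Configuration Manager`); confirm that each row's link was carried into an HTML anchor rather than dropped, since these summary rows are the reader's navigation into the guide. While the rows are being touched, two descriptions still lack a terminating period on both sides (`Create a Configuration Manager task sequence with MDT integration using the MDT wizard` and `Use a task sequence to refresh a client with Windows 10 using Configuration Manager and MDT`).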
                                                                                  @@ -277,7 +277,7 @@ This section contains several procedures to support Zero Touch installation with 3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. 4. Click the yellow starburst and then click **New Account**. 5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**. -6. Next to **Password** and **Confirm Password**, type **pass@word1**, and then click **OK** twice. +6. Next to **Password** and **Confirm Password**, type pass@word1, and then click **OK** twice. ### Configure a boundary group 
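Review bot: unbolding the typed value in step 6 (`type pass@word1, and then click **OK** twice`) matches how the PXE settings list elsewhere in this file presents the same value, but the sentence still keeps the field names `**Password**` and `**Confirm Password**` bold; make sure the convention (bold for UI labels, plain for values the reader types) is applied the same way in every step of this guide so the mixed styling in one sentence does not read as accidental.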
@@ -316,16 +316,16 @@ WDSUTIL /Set-Server /AnswerClients:None 2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. 3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. 4. On the PXE tab, select the following settings: - - **Enable PXE support for clients**. Click **Yes** in the popup that appears. - - **Allow this distribution point to respond to incoming PXE requests** - - **Enable unknown computer support**. Click **OK** in the popup that appears. - - **Require a password when computers use PXE** - - **Password** and **Confirm password**: pass@word1 - - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. + - **Enable PXE support for clients**. Click **Yes** in the popup that appears. + - **Allow this distribution point to respond to incoming PXE requests** + - **Enable unknown computer support**. Click **OK** in the popup that appears. + - **Require a password when computers use PXE** + - **Password** and **Confirm password**: pass@word1 + - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. - See the following example: + See the following example: - Config Mgr PXE + Config Mgr PXE 5. Click **OK**. 6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: 
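Review bot: this hunk is an indentation-only change to the nested list under step 4 (every `+` line matches its `-` line apart from leading whitespace), so check the rendered page to confirm the sub-bullets, the `See the following example:` line and the `Config Mgr PXE` image still nest under step 4 and that the numbered list does not restart at `5. Click **OK**.`, which is the usual failure when list indentation is adjusted.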
@@ -595,20 +595,20 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. 4. On the Details page, enter the following settings: - - Join a domain: **contoso.com** - - Account: click **Set** - - User name: **contoso\CM_JD** - - Password: **pass@word1** - - Confirm password: **pass@word1** - - Click **OK** - - Windows Settings - - User name: **Contoso** - - Organization name: **Contoso** - - Product key: \ - - Administrator Account: **Enable the account and specify the local administrator password** - - Password: **pass@word1** - - Confirm password: **pass@word1** - - Click **Next** + - Join a domain: **contoso.com** + - Account: click **Set** + - User name: **contoso\CM_JD** + - Password: pass@word1 + - Confirm password: pass@word1 + - Click **OK** + - Windows Settings + - User name: **Contoso** + - Organization name: **Contoso** + - Product key: \ + - Administrator Account: **Enable the account and specify the local administrator password** + - Password: pass@word1 + - Confirm password: pass@word1 + - Click **Next** 5. On the Capture Settings page, accept the default settings and click **Next**. 
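Review bot: `Product key: \` appears on both the `-` and the `+` side with a lone trailing backslash; this reads like an escaped placeholder whose text was lost, and since every line of this block is rewritten here it should be repaired in the `+` lines rather than carried forward. Apart from that the hunk only changes indentation and unbolds the `pass@word1` values, consistent with the `@@ -277` change above.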
@@ -753,20 +753,20 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce 2. Press ENTER when prompted to start the network boot service. -3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**. +3. In the Task Sequence Wizard, provide the password: pass@word1, and then click **Next**. 4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. 5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. 6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations: - - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted. - - x:\smstslog\smsts.log after disks are formatted. - - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the System Center Configuration Manager client is installed. - - c:\windows\ccm\logs\Smstslog\smsts.log after the System Center Configuration Manager client is installed. - - c:\windows\ccm\logs\smsts.log when the task sequence is complete. + - X:\windows\temp\SMSTSLog\smsts.log before disks are formatted. + - x:\smstslog\smsts.log after disks are formatted. + - c:\_SMSTaskSequence\Logs\Smstslog\smsts.log before the System Center Configuration Manager client is installed. + - c:\windows\ccm\logs\Smstslog\smsts.log after the System Center Configuration Manager client is installed. + - c:\windows\ccm\logs\smsts.log when the task sequence is complete. - Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. + Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open. 7. In the explorer window, click **Tools** and then click **Map Network Drive**. 
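Review bot: the smsts.log paths mix drive-letter and directory casing across consecutive items (`X:\windows\temp\SMSTSLog\smsts.log`, then `x:\smstslog\smsts.log`, then `c:\windows\ccm\logs\Smstslog\smsts.log`); as the `+` lines rewrite all five items anyway, normalise the casing so readers do not take the variants for different locations. The re-indented `Note:` line about the pending reboot being blocked while the command window is open is correct and worth keeping next to the list.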
@@ -1032,7 +1032,7 @@ In the Configuration Manager console, in the Software Library workspace under Op Start-VM PC4 vmconnect localhost PC4 ``` -2. In the **Welcome to the Task Sequence Wizard**, enter **pass@word1** and click **Next**. +2. In the **Welcome to the Task Sequence Wizard**, enter pass@word1 and click **Next**. 3. Choose the **Windows 10 Enterprise X64** image. 4. Setup will install the operating system using the Windows 10 Enterprise x64 reference image, install the configuration manager client, join PC4 to the domain, and restore users and settings from PC1. 5. Save checkpoints for all VMs if you wish to review their status at a later date. This is not required (checkpoints do take up space on the Hyper-V host). Note: the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory as a Windows 10 device, so you cannot return to a previous checkpoint only on the PC1 VM without a conflict. Therefore, if you do create a checkpoint, you should do this for all VMs. @@ -1073,7 +1073,7 @@ In the Configuration Manager console, in the Software Library workspace under Op [System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides) -  + diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index eb417fe1b5..a8e9c7409f 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md 
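Review bot: in the `@@ -1032` hunk the context sentence `the next procedure will install a new OS on PC1 update its status in Configuration Manager and in Active Directory` is missing a comma or `and` between `PC1` and `update`; it is unchanged here but sits directly under the edited step, so it is cheap to fix in the same commit. In the `@@ -1073` hunk the final `-`/`+` pair replaces a whitespace-only trailing line with an empty one, which is fine as end-of-file cleanup.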
@@ -31,9 +31,9 @@ Approximately 3 hours are required to configure the PoC environment. You will ne Windows PowerShell commands are provided to set up the PoC environment quickly. You do not need to be an expert in Windows PowerShell to complete the steps in the guide, however you are required to customize some commands to your environment. ->Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. - ->A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. +> Instructions to "type" Windows PowerShell commands provided in this guide can be followed literally by typing the commands, but the preferred method is to copy and paste these commands. +> +> A Windows PowerShell window can be used to run all commands in this guide. However, when commands are specified for a command prompt, you must either type CMD at the Windows PowerShell prompt to enter the command prompt, or preface the command with "cmd /c", or if desired you can escape special characters in the command using the back-tick character (`). In most cases, the simplest thing is to type cmd and enter a command prompt, type the necessary commands, then type "exit" to return to Windows PowerShell. Hyper-V is installed, configured and used extensively in this guide. If you are not familiar with Hyper-V, review the [terminology](#appendix-b-terminology-used-in-this-guide) used in this guide before starting. 
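Review bot: merging the two `>` paragraphs into one blockquote with an empty `>` separator changes the rendering from two separate note boxes to a single one, which reads as intended since both paragraphs are about how to enter the PowerShell commands. Inside the quote, the single back-tick in `the back-tick character (`)` has no closing back-tick, so some markdown renderers will open an inline code span there; a double-backtick span such as `` (`) `` is the safe way to show a literal back-tick.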
@@ -51,18 +51,18 @@ Topics and procedures in this guide are summarized in the following table. An es -
                                                                                  TopicDescriptionTime
                                                                                  [Hardware and software requirements](#hardware-and-software-requirements)Prerequisites to complete this guide.Informational -
                                                                                  [Lab setup](#lab-setup)A description and diagram of the PoC environment.Informational -
                                                                                  [Configure the PoC environment](#configure-the-poc-environment)Parent topic for procedures.Informational -
                                                                                  [Verify support and install Hyper-V](#verify-support-and-install-hyper-v)Verify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes -
                                                                                  [Download VHD and ISO files](#download-vhd-and-iso-files)Download evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes -
                                                                                  [Convert PC to VM](#convert-pc-to-vm)Convert a physical computer on your network to a VM hosted in Hyper-V.30 minutes -
                                                                                  [Resize VHD](#resize-vhd)Increase the storage capacity for one of the Windows Server VMs.5 minutes -
                                                                                  [Configure Hyper-V](#configure-hyper-v)Create virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes -
                                                                                  [Configure service and user accounts](#configure-vms)Start virtual machines and configure all services and settings.60 minutes -
                                                                                  [Configure VMs](#configure-vms)Start virtual machines and configure all services and settings.60 minutes -
                                                                                  [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration)Verify and troubleshoot network connectivity and services in the PoC environment.30 minutes -
                                                                                  [Appendix B: Terminology in this guide](#appendix-b-terminology-used-in-this-guide)Terms used in this guide.Informational +
                                                                                  Hardware and software requirementsPrerequisites to complete this guide.Informational +
                                                                                  Lab setupA description and diagram of the PoC environment.Informational +
                                                                                  Configure the PoC environmentParent topic for procedures.Informational +
                                                                                  Verify support and install Hyper-VVerify that installation of Hyper-V is supported, and install the Hyper-V server role.10 minutes +
                                                                                  Download VHD and ISO filesDownload evaluation versions of Windows Server 2012 R2 and Windows 10 and prepare these files to be used on the Hyper-V host.30 minutes +
                                                                                  Convert PC to VMConvert a physical computer on your network to a VM hosted in Hyper-V.30 minutes +
                                                                                  Resize VHDIncrease the storage capacity for one of the Windows Server VMs.5 minutes +
                                                                                  Configure Hyper-VCreate virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes +
                                                                                  Configure service and user accountsStart virtual machines and configure all services and settings.60 minutes +
                                                                                  Configure VMsStart virtual machines and configure all services and settings.60 minutes +
                                                                                  Appendix A: Verify the configurationVerify and troubleshoot network connectivity and services in the PoC environment.30 minutes +
                                                                                  Appendix B: Terminology in this guideTerms used in this guide.Informational
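Review bot: the rows `Configure service and user accounts` and `Configure VMs` both point at `#configure-vms` on the `-` side with the identical description `Start virtual machines and configure all services and settings.` and the identical `60 minutes`, and the `+` side reproduces the duplicate; one of the two rows should be removed or given its own target and description. As with the other converted tables, the `+` rows no longer show their anchor targets, so check that the links survived the conversion.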
                                                                                  @@ -80,52 +80,52 @@ Harware requirements are displayed below: - - + + - + - + - - + + - + - + - + - + - + - + @@ -220,7 +220,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon ![hyper-v](images/svr_mgr2.png) -

                                                                                  If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**. +

                                                                                  If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. ### Download VHD and ISO files @@ -233,7 +233,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below.

                                                                                  **Computer 1** (required)**Computer 2** (recommended)Computer 1 (required)Computer 2 (recommended)
                                                                                  **Role**Role Hyper-V host Client computer
                                                                                  **Description**Description This computer will run Hyper-V, the Hyper-V management tools, and the Hyper-V Windows PowerShell module. This computer is a Windows 7 or Windows 8/8.1 client on your corporate network that will be converted to a VM to demonstrate the upgrade process.
                                                                                  **OS**Windows 8.1/10 or Windows Server 2012/2012 R2/2016\*OSWindows 8.1/10 or Windows Server 2012/2012 R2/2016* Windows 7 or a later
                                                                                  **Edition**Edition Enterprise, Professional, or Education Any
                                                                                  **Architecture**Architecture 64-bit Any
                                                                                  Note: Retaining applications and settings requires that architecture (32 or 64-bit) is the same before and after the upgrade.
                                                                                  **RAM**RAM 8 GB RAM (16 GB recommended) to test Windows 10 deployment with MDT.
                                                                                  16 GB RAM to test Windows 10 deployment with System Center Configuration Manager.
                                                                                  Any
                                                                                  **Disk**Disk 200 GB available hard disk space, any format. Any size, MBR formatted.
                                                                                  **CPU**CPU SLAT-Capable CPU Any
                                                                                  **Network**Network Internet connection Any
                                                                                  - +
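Review bot: the `@@ -80,52` hunk header context reads `Harware requirements are displayed below:` (typo for `Hardware`), and the OS cell for Computer 2 reads `Windows 7 or a later` where `Windows 7 or later` is meant; both are carried unchanged, and since every row of this table is rewritten in the hunk they are easy to pick up here. The `+` cell `Windows 8.1/10 or Windows Server 2012/2012 R2/2016*` drops the markdown escape from `2016\*`, which is correct if the cell is now HTML, but then no `\*` should remain elsewhere in the same table.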
                                                                                  ![VHD](images/download_vhd.png)
                                                                                  VHD
                                                                                  2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type. @@ -249,13 +249,13 @@ After completing these steps, you will have three files in the **C:\VHD** direct The following displays the procedures described in this section, both before and after downloading files:
                                                                                  -C:\>mkdir VHD
                                                                                  -C:\>cd VHD
                                                                                  -C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
                                                                                  -C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
                                                                                  +C:>mkdir VHD
                                                                                  +C:>cd VHD
                                                                                  +C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
                                                                                  +C:\VHD>copy 2012R2-poc-1.vhd 2012R2-poc-2.vhd
                                                                                      1 file(s) copied.
                                                                                   C:\VHD ren *.iso w10-enterprise.iso
                                                                                  -C:\VHD>dir /B
                                                                                  +C:\VHD>dir /B
                                                                                   2012R2-poc-1.vhd
                                                                                   2012R2-poc-2.vhd
                                                                                   w10-enterprise.iso
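Review bot: the `+` lines `C:>mkdir VHD` and `C:>cd VHD` lose the backslash from the `-` lines `C:\>mkdir VHD` and `C:\>cd VHD`, so the prompt no longer shows the root directory and no longer matches the `C:\VHD>` prompts later in the same block; restore `C:\>` and escape only the `>` (as `&gt;`) if that is what the `<pre>` conversion requires. The unchanged line `C:\VHD ren *.iso w10-enterprise.iso` is also missing the `>` of its prompt on both sides.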
                                                                                  @@ -269,14 +269,14 @@ w10-enterprise.iso
                                                                                   If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
                                                                                   
                                                                                    -
                                                                                  1. Open the [Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) page. -
                                                                                  2. Under **Virtual machine**, choose **IE11 on Win7**. -
                                                                                  3. Under **Select platform** choose **HyperV (Windows)**. -
                                                                                  4. Click **Download .zip**. The download is 3.31 GB. +
                                                                                  5. Open the Download virtual machines page. +
                                                                                  6. Under Virtual machine, choose IE11 on Win7. +
                                                                                  7. Under Select platform choose HyperV (Windows). +
                                                                                  8. Click Download .zip. The download is 3.31 GB.
                                                                                  9. Extract the zip file. Three directories are created. -
                                                                                  10. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory. -
                                                                                  11. Rename **IE11 - Win7.vhd** to **w7.vhd** (do not rename the file to w7.vhdx). -
                                                                                  12. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**. +
                                                                                  13. Open the Virtual Hard Disks directory and then copy IE11 - Win7.vhd to the C:\VHD directory. +
                                                                                  14. Rename IE11 - Win7.vhd to w7.vhd (do not rename the file to w7.vhdx). +
                                                                                  15. In step 5 of the Configure Hyper-V section, replace the VHD file name w7.vhdx with w7.vhd.
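Review bot: the `+` list items appear as `5.` through `8.` and `13.` through `15.` while the unchanged item between them is `9.`, so the list as shown runs 5, 6, 7, 8, 9, 13, 14, 15 instead of 1 to 8; if these are literal markdown numbers they should be `1.` to `4.` and `6.` to `8.` (or all `1.`, letting the renderer count). The removed `[Download virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/)` link must reappear as an anchor in the first item, and the `[Configure Hyper-V](#configure-hyper-v)` cross-reference in the last item likewise.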
                                                                                  @@ -330,7 +330,7 @@ Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Ca If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
                                                                                  -PS C:\> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
                                                                                  +PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
                                                                                   
                                                                                   SystemName                           Caption                                 Type
                                                                                   ----------                           -------                                 ----
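Review bot: `+PS C:> Get-WmiObject -Class Win32_DiskPartition ...` drops the backslash from the `-` line `PS C:\> Get-WmiObject ...`; a PowerShell prompt at the drive root is `PS C:\>`, so keep the backslash and escape only the `>` if the `<pre>` block needs it, otherwise readers will copy a prompt that never appears on a real system.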
                                                                                  @@ -341,7 +341,7 @@ USER-PC1                             Disk #0, Partition #1                   GPT
                                                                                   On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
                                                                                   
                                                                                   
                                                                                  -PS C:\> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
                                                                                  +PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
                                                                                   
                                                                                   SystemName                            Caption                               Type
                                                                                   ----------                            -------                               ----
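Review bot: the same prompt regression as in the previous example block: `+PS C:> Get-WmiObject -Class Win32_DiskPartition ...` should read `PS C:\> ...`, since the `-` line had the backslash and the text above introduces this as the output of the command on a Windows 8.1 client.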
                                                                                  @@ -351,7 +351,7 @@ PC-X1                                 Disk #0, Partition #2                 GPT:
                                                                                   PC-X1                                 Disk #0, Partition #3                 GPT: Basic Data
                                                                                   PC-X1                                 Disk #0, Partition #4                 GPT: Basic Data
                                                                                   
                                                                                  -PS C:\> Get-Disk
                                                                                  +PS C:> Get-Disk
                                                                                   
                                                                                   Number Friendly Name                  OperationalStatus                     Total Size Partition Style
                                                                                   ------ -------------                  -----------------                     ---------- ---------------
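Review bot: `+PS C:> Get-Disk` again loses the backslash of `-PS C:\> Get-Disk`; restore `PS C:\>` here so the two example prompts in this section match each other and the `Get-Disk` output stays attributable to a prompt that exists.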
                                                                                  @@ -379,12 +379,12 @@ The following table displays the Hyper-V VM generation to choose based on the OS
                                                                                           MBR
                                                                                           32
                                                                                           1
                                                                                  -        [Prepare a generation 1 VM](#prepare-a-generation-1-vm)
                                                                                  +        Prepare a generation 1 VM
                                                                                       
                                                                                       
                                                                                           64
                                                                                           1
                                                                                  -        [Prepare a generation 1 VM](#prepare-a-generation-1-vm)
                                                                                  +        Prepare a generation 1 VM
                                                                                       
                                                                                       
                                                                                           GPT
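Review bot: the `+` cells `Prepare a generation 1 VM` no longer show the `#prepare-a-generation-1-vm` target that the `-` cells carried; each cell must still link to the procedure, because this table is the reader's only route from a given OS, partition style and architecture to the correct preparation steps.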
                                                                                  @@ -395,30 +395,30 @@ The following table displays the Hyper-V VM generation to choose based on the OS
                                                                                       
                                                                                           64
                                                                                           1
                                                                                  -        [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)
                                                                                  +        Prepare a generation 1 VM from a GPT disk
                                                                                       
                                                                                       
                                                                                           Windows 8 or later
                                                                                           MBR
                                                                                           32
                                                                                           1
                                                                                  -        [Prepare a generation 1 VM](#prepare-a-generation-1-vm)
                                                                                  +        Prepare a generation 1 VM
                                                                                       
                                                                                       
                                                                                           64
                                                                                           1, 2
                                                                                  -        [Prepare a generation 1 VM](#prepare-a-generation-1-vm)
                                                                                  +        Prepare a generation 1 VM
                                                                                       
                                                                                       
                                                                                           GPT
                                                                                           32
                                                                                           1
                                                                                  -        [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)
                                                                                  +        Prepare a generation 1 VM from a GPT disk
                                                                                       
                                                                                       
                                                                                           64
                                                                                           2
                                                                                  -        [Prepare a generation 2 VM](#prepare-a-generation-2-vm)
                                                                                  +        Prepare a generation 2 VM
                                                                                       
                                                                                   
                                                                                   
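Review bot: the cell edits in this hunk (`-        [Prepare a generation 1 VM](#prepare-a-generation-1-vm)` → `+        Prepare a generation 1 VM`, and likewise for the GPT and generation 2 rows) turn working in-page cross-references into plain text, so a reader of the table can no longer jump to the procedure the cell names. If the Markdown link syntax was not rendering inside these table cells, the fix is an HTML anchor in the cell (`<a href="#prepare-a-generation-1-vm">Prepare a generation 1 VM</a>`) rather than removing the link; the target headings (`#### Prepare a generation 1 VM` and the others) are untouched by this patch, so the anchors still resolve.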
                                                                                  @@ -426,9 +426,9 @@ The following table displays the Hyper-V VM generation to choose based on the OS
                                                                                   
                                                                                   Notes:
                                                                                    -
                                                                                  • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk). -
                                                                                  • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the **mountvol** command. In this case, see [Prepare a generation 2 VM](#prepare-a-generation-2-vm). -
                                                                                  • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see [Prepare a generation 1 VM](#prepare-a-generation-1-vm). +
                                                                                  • If the PC is running Windows 7, it can only be converted and hosted in Hyper-V as a generation 1 VM. This Hyper-V requirement means that if the Windows 7 PC is also using a GPT partition style, the OS disk can be shadow copied, but a new system partition must be created. In this case, see Prepare a generation 1 VM from a GPT disk. +
                                                                                  • If the PC is running Windows 8 or later and uses the GPT partition style, you can capture the disk image and create a generation 2 VM. To do this, you must temporarily mount the EFI system partition which is accomplished using the mountvol command. In this case, see Prepare a generation 2 VM. +
                                                                                  • If the PC is using an MBR partition style, you can convert the disk to VHD and use it to create a generation 1 VM. If you use the Disk2VHD tool described in this guide, it is not necessary to mount the MBR system partition, but it is still necessary to capture it. In this case, see Prepare a generation 1 VM.
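Review bot: the three `+` bullets drop the `[...](#...)` cross-references ("In this case, see Prepare a generation 2 VM.") and the bold on `**mountvol**`, yet the `-438` hunk just below keeps `[Determine VM generation](#determine-vm-generation)` on the same page, so link treatment is now inconsistent, and these bullets are ordinary list items where Markdown links render without any of the table-cell problems. Suggest restoring the links in the `+` bullets (`see [Prepare a generation 2 VM](#prepare-a-generation-2-vm)`) and keeping `**mountvol**` so the command name is distinguishable from the surrounding prose.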
                                                                                  #### Prepare a generation 1 VM @@ -438,7 +438,7 @@ Notes:
                                                                                  >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkboxes next to the **C:\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). +3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation). 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example: ![disk2vhd](images/disk2vhd.png) @@ -468,7 +468,7 @@ Notes:
                                                                                  This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s). 3. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -4. Select the checkboxes next to the **C:\** and the **S:\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. +4. Select the checkboxes next to the **C:\\** and the **S:\\** volumes, and clear the **Use Volume Shadow Copy checkbox**. Volume shadow copy will not work if the EFI system partition is selected. **Important**: You must include the EFI system partition in order to create a bootable VHD. The Windows RE tools partition (shown below) is not required, but it can also be converted if desired. @@ -495,7 +495,7 @@ Notes:
                                                                                  >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive. 2. On the computer you wish to convert, double-click the disk2vhd utility to start the graphical user interface. -3. Select the checkbox next to the **C:\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. +3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later. 4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example: ![disk2vhd](images/disk2vhd4.png) @@ -517,7 +517,7 @@ Notes:
                                                                                  ### Resize VHD
                                                                                  -**Enhanced session mode** +Enhanced session mode **Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. @@ -645,48 +645,48 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to The VM will automatically boot into Windows Setup. In the PC1 window: - 1. Click **Next**. - 2. Click **Repair your computer**. - 3. Click **Troubleshoot**. - 4. Click **Command Prompt**. - 5. Type the following command to save an image of the OS drive: + 1. Click **Next**. + 2. Click **Repair your computer**. + 3. Click **Troubleshoot**. + 4. Click **Command Prompt**. + 5. Type the following command to save an image of the OS drive: -
                                                                                  -    dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
                                                                                  -    
                                                                                  +
                                                                                  +      dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
                                                                                  +      
                                                                                  - 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: + 6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR: -
                                                                                  -    diskpart
                                                                                  -    select disk 0
                                                                                  -    clean
                                                                                  -    convert MBR
                                                                                  -    create partition primary size=100
                                                                                  -    format fs=ntfs quick
                                                                                  -    active
                                                                                  -    create partition primary
                                                                                  -    format fs=ntfs quick label=OS
                                                                                  -    assign letter=c
                                                                                  -    exit
                                                                                  -    
                                                                                  +
                                                                                  +      diskpart
                                                                                  +      select disk 0
                                                                                  +      clean
                                                                                  +      convert MBR
                                                                                  +      create partition primary size=100
                                                                                  +      format fs=ntfs quick
                                                                                  +      active
                                                                                  +      create partition primary
                                                                                  +      format fs=ntfs quick label=OS
                                                                                  +      assign letter=c
                                                                                  +      exit
                                                                                  +      
                                                                                  - 7. Type the following commands to restore the OS image and boot files: + 7. Type the following commands to restore the OS image and boot files: -
                                                                                  -    dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
                                                                                  -    bcdboot c:\windows
                                                                                  -    exit
                                                                                  -    
                                                                                  +
                                                                                  +      dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
                                                                                  +      bcdboot c:\windows
                                                                                  +      exit
                                                                                  +      
                                                                                  - 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). - 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. - 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: + 8. Click **Continue** and verify the VM boots successfully (do not boot from DVD). + 9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**. + 10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1: -
                                                                                  -    Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
                                                                                  -    Set-VMDvdDrive -VMName PC1 -Path $null
                                                                                  -    
                                                                                  +
                                                                                  +       Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
                                                                                  +       Set-VMDvdDrive -VMName PC1 -Path $null
                                                                                  +       
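Review bot: the diskpart sequence re-indented here (`select disk 0`, `clean`, `convert MBR`) wipes every partition on disk 0 with no confirmation, and step 6 gives the reader no way to check that disk 0 is the converted OS VHD and not the temporary disk that holds `D:\c.wim`; suggest adding `list disk` and `list volume` before `select disk 0`, and stating plainly that `clean` destroys the existing GPT layout, which is only safe because step 5's `dism /Capture-Image` has already saved the OS volume to `D:\c.wim`. The re-indentation is also not uniform: the dism and diskpart lines gain six leading spaces while the two PowerShell lines (`Remove-VMHardDiskDrive ...`, `Set-VMDvdDrive ...`) gain seven. If these command lines sit inside `<pre>` blocks, leading whitespace is significant, is rendered, and is copied along with the commands, so the indentation inside the blocks should be reset to zero rather than increased.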
                                                                                  ### Configure VMs @@ -697,7 +697,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to vmconnect localhost DC1
                                                                                  -2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of **pass@word1**, and click **Finish**. +2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**. 3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account. 4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM. 5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway: @@ -708,9 +708,9 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
                                                                                  - >The default gateway at 192.168.0.2 will be configured later in this guide. - - >Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt. + > The default gateway at 192.168.0.2 will be configured later in this guide. + > + > Note: A list of available tasks for an app will be populated the first time you run it on the taskbar. Because these tasks aren't available until the App has been run, you will not see the **Run as Administrator** task until you have left-clicked Windows PowerShell for the first time. In this newly created VM, you will need to left-click Windows PowerShell one time, and then you can right-click and choose Run as Administrator to open an elevated Windows PowerShell prompt. 6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt: @@ -903,7 +903,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to vmconnect localhost SRV1
                                                                                  -25. Accept the default settings, read license terms and accept them, provide an administrator password of **pass@word1**, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. +25. Accept the default settings, read license terms and accept them, provide an administrator password of pass@word1, and click **Finish**. When you are prompted about finding PCs, devices, and content on the network, click **Yes**. 26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM. 27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands: 
@@ -1084,7 +1084,7 @@ Use the following procedures to verify that the PoC environment is configured pr Hyper-V ManagerThe user-interface console used to view and configure Hyper-V. MBRMaster Boot Record (MBR) is a legacy hard-disk formatting scheme that limits support for newer hardware. MBR is one of the partition formats that can be chosen when first initializing a hard drive, prior to creating and formatting partitions. MBR is in the process of being replaced by the GPT partition format. Proof of concept (PoC)Confirmation that a process or idea works as intended. A PoC is carried out in a test environment to learn about and verify a process. -Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. +Shadow copyA copy or "snapshot" of a computer at a point in time, created by the Volume Shadow Copy Service (VSS), typically for backup purposes. Virtual machine (VM)A VM is a virtual computer with its own operating system, running on the Hyper-V host. Virtual switchA virtual network connection used to connect VMs to each other and to physical network adapters on the Hyper-V host. VM snapshotA point in time image of a VM that includes its disk, memory and device state. It can be used to return a virtual machine to a former state corresponding to the time the snapshot was taken. @@ -1096,9 +1096,9 @@ Use the following procedures to verify that the PoC environment is configured pr [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) -  + -  + diff --git a/windows/deployment/windows-autopilot/administer.md b/windows/deployment/windows-autopilot/administer.md index 58cf59cf64..9c7d729b96 100644 --- a/windows/deployment/windows-autopilot/administer.md +++ b/windows/deployment/windows-autopilot/administer.md 
@@ -40,15 +40,15 @@ Several platforms are available to register devices with Windows Autopilot. A su Partner Center -YES - 1000 at a time max +YES - 1000 at a time max YES Tuple or PKID or 4K HH Intune -YES - 500 at a time max\* -YES\* +YES - 175 at a time max +YES 4K HH diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index 8134e5f95e..9df667a4bc 100644 --- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md @@ -18,7 +18,7 @@ ms.topic: article # Windows Autopilot FAQ -**Applies to: Windows 10** +**Applies to: Windows 10** This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot. 
@@ -93,16 +93,15 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e ## The end user experience -| Question | Answer | -| --- | --- | -| How do I know that I received Autopilot? | You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page. | -| Windows Autopilot didn’t work, what do I do now? | Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information – run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). | -| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? | No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE. | -| What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy? | If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. 
The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. The IT Admin would then have to manually enrol that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience. | -| What may be a reason why I did not receive a customized sign-in screen during Autopilot? | Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience. | -| What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned? | The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device. | -| How can I collect logs on Autopilot? | The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request. | - +| Question | Answer | +|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| How do I know that I received Autopilot? 
| You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page. | +| Windows Autopilot didn’t work, what do I do now? | Questions and actions to assist in troubleshooting: Did a screen not get skipped? Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin Collection information – run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts. For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). | +| If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed? | No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE. | +| What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy? | If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience. 
The IT Admin would then have to manually enrol that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience. | +| What may be a reason why I did not receive a customized sign-in screen during Autopilot? | Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience. | +| What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned? | The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device. | +| How can I collect logs on Autopilot? | The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request. | ## MDM @@ -128,21 +127,21 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e ## General -| Question | Answer | -| --- | --- | -| If I wipe the machine and restart, will I still receive Windows Autopilot? | Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience. | -| Can I harvest the device fingerprint on existing machines? | Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703. | -| What is Windows 10, version 1703 7B and why does it matter? | Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:

                                                                                  Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.

                                                                                  **Key Take-Aways**: When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. | -| What is the impact of not updating to 7B? | See the detailed scenario described directly above. | -| Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile. | No, Windows Autopilot isn’t supported on other SKUs. | -| Does Windows Autopilot work after MBR or image re-installation? | Yes. | -| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. | There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune. (These are somewhat configurable but not “infinite.”) You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots. | -| What happens if a device is registered to a malicious agent? | By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur. | -| Where is the Windows Autopilot data stored? 
| Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot. | -| Why is Windows Autopilot data stored in the US and not in a sovereign cloud? | It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft. | -| How many ways are there to register a device for Windows Autopilot | There are six ways to register a device, depending on who is doing the registering:

                                                                                  1. OEM Direct API (only available to TVOs)
                                                                                  2. MPC via the MPC API (must be a CSP)
                                                                                  3. MPC via manual upload of CSV file in the UI (must be a CSP)
                                                                                  4. MSfB via CSV file upload
                                                                                  5. Intune via CSV file upload
                                                                                  6. Microsoft 365 Business portal via CSV file upload | -| How many ways are there to create an Windows Autopilot profile? | There are four ways to create & assign an Windows Autopilot profile:

                                                                                  1. Through MPC (must be a CSP)
                                                                                  2. Through MSfB
                                                                                  3. Through Intune (or another MDM)
                                                                                  4. Microsoft 365 Business portal

                                                                                  Microsoft recommends creation and assignment of profiles through Intune.| -| What are some common causes of registration failures? |
                                                                                  1. Bad or missing Hardware hash entries can lead to faulty registration attempts
                                                                                  2. Hidden special characters in CSV files.

                                                                                  To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.| +| Question | Answer | +|------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
+| If I wipe the machine and restart, will I still receive Windows Autopilot? | Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience. | +| Can I harvest the device fingerprint on existing machines? | Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703. | +| What is Windows 10, version 1703 7B and why does it matter? | Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:

                                                                                  Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.

                                                                                  **Key Take-Aways**: When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B. | +| What is the impact of not updating to 7B? | See the detailed scenario described directly above. | +| Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile. | No, Windows Autopilot isn’t supported on other SKUs. | +| Does Windows Autopilot work after MBR or image re-installation? | Yes. | +| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003. | There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune. (These are somewhat configurable but not “infinite.”) You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots. | +| What happens if a device is registered to a malicious agent? | By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below. If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur. | +| Where is the Windows Autopilot data stored? 
| Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot. | +| Why is Windows Autopilot data stored in the US and not in a sovereign cloud? | It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft. | +| How many ways are there to register a device for Windows Autopilot | There are six ways to register a device, depending on who is doing the registering:

                                                                                  1. OEM Direct API (only available to TVOs)
                                                                                  2. MPC via the MPC API (must be a CSP)
                                                                                  3. MPC via manual upload of CSV file in the UI (must be a CSP)
                                                                                  4. MSfB via CSV file upload
                                                                                  5. Intune via CSV file upload
                                                                                  6. Microsoft 365 Business portal via CSV file upload | +| How many ways are there to create an Windows Autopilot profile? | There are four ways to create & assign an Windows Autopilot profile:

                                                                                  1. Through MPC (must be a CSP)
                                                                                  2. Through MSfB
                                                                                  3. Through Intune (or another MDM)
                                                                                  4. Microsoft 365 Business portal

                                                                                  Microsoft recommends creation and assignment of profiles through Intune. | +| What are some common causes of registration failures? |
                                                                                  1. Bad or missing Hardware hash entries can lead to faulty registration attempts
                                                                                  2. Hidden special characters in CSV files.

                                                                                  To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions. | ## Glossary diff --git a/windows/deployment/windows-autopilot/autopilot-support.md b/windows/deployment/windows-autopilot/autopilot-support.md index fa575cae44..d53325cfde 100644 --- a/windows/deployment/windows-autopilot/autopilot-support.md +++ b/windows/deployment/windows-autopilot/autopilot-support.md @@ -18,30 +18,26 @@ ms.topic: article # Windows Autopilot support information -**Applies to: Windows 10** +**Applies to: Windows 10** The following table displays support information for the Windows Autopilot program. Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md). -| Audience | Support contact | -| --- | --- | -OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. | -| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
                                                                                  Low – 120 hours
                                                                                  Normal – 72 hours
                                                                                  High – 24 hours
                                                                                  Immediate – 4 hours | -| OEM with a PFE | Reach out to your PFE for support. | -| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). | -| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues. | -| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. | -| End-user | Contact your IT administrator. | -| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. | -| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. | -| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). | -| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. | -| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. | -| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. | - - - - +| Audience | Support contact | +|---------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. 
Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. | +| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority:
                                                                                  Low – 120 hours
                                                                                  Normal – 72 hours
                                                                                  High – 24 hours
                                                                                  Immediate – 4 hours | +| OEM with a PFE | Reach out to your PFE for support. | +| Partners with a Partner Technology Strategist (PTS) | If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). | +| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues. | +| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative. | +| End-user | Contact your IT administrator. | +| Microsoft Partner Center (MPC) users | Use the [help resources](https://partner.microsoft.com/support) available in MPC. | +| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB. | +| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview). | +| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in: https://support.microsoft.com/en-us. | +| Queries relating to MDA testing | Contact MDAHelp@microsoft.com. | +| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. | diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index ebb9fb80e6..f160c51abb 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -35,8 +35,8 @@ The following video provides an overview of the process: ## Prerequisites These are the things you'll need to complete this lab: - - +
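Review bot: two of the reflowed rows still break across lines, which a Markdown table cannot tolerate. In autopilot-faq.md the question cell `| Where is the Windows Autopilot data stored?` ends on one line and the answer cell `| Windows Autopilot data is stored in the United States (US)...` starts on the next; in autopilot-support.md the row `| OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC.` continues with `Whether you are a named partner...` on a following line. Unless those breaks are `<br>` elements, each row has to be joined onto a single line or the table renders as plain text from that row on. Since these lines are being rewritten anyway, also fix the carried-over typos: `pre-Windows 10 Windows 10, version 1703 devices` (duplicated "Windows 10"), `create an Windows Autopilot profile` (should be "a"), the question `Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile.` that ends with a period instead of a question mark, and the `MSOEMOPS@microsoft.com` / `msoemops@microsoft.com` casing mismatch between the OEM Direct API row and the last row of the support table.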
                                                                                  Windows 10 installation mediaWindows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an [evaluation version of Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
                                                                                  Internet accessIf you are behind a firewall, see the detailed [networking requirements](windows-autopilot-requirements-network.md). Otherwise, just ensure that you have a connection to the Internet.
                                                                                  +
                                                                                  Windows 10 installation mediaWindows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
                                                                                  Internet accessIf you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
                                                                                  Hyper-V or a physical device running Windows 10The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
                                                                                  A Premium Intune accountThis guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
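Review bot: the rewritten prerequisites rows lose the two links the old rows carried: `[evaluation version of Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise)` and `[networking requirements](windows-autopilot-requirements-network.md)` appear as plain text in the new rows. The sentence "a link is provided to download an evaluation version" now points at nothing, and the firewall guidance is no longer reachable from this page. If the table was converted to HTML, Markdown link syntax does not render inside it; use `<a href="...">` anchors with the same two targets instead.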
                                                                                  @@ -107,7 +107,7 @@ When you are prompted to restart the computer, choose **Yes**. The computer migh ![hyper-v](../images/svr_mgr2.png) -

                                                                                  If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**. +

                                                                                  If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box. @@ -168,7 +168,7 @@ After entering these commands, connect to the VM that you just created and wait See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.

                                                                                  -PS C:\autopilot> dir c:\iso
                                                                                  +PS C:\autopilot> dir c:\iso
                                                                                   
                                                                                   
                                                                                       Directory: C:\iso
                                                                                  @@ -178,24 +178,24 @@ Mode                LastWriteTime         Length Name
                                                                                   ----                -------------         ------ ----
                                                                                   -a----        3/12/2019   2:46 PM     4627343360 win10-eval.iso
                                                                                   
                                                                                  -PS C:\autopilot> (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
                                                                                  +PS C:\autopilot> (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
                                                                                   Ethernet
                                                                                  -PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
                                                                                  +PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
                                                                                   
                                                                                   Name              SwitchType NetAdapterInterfaceDescription
                                                                                   ----              ---------- ------------------------------
                                                                                   AutopilotExternal External   Intel(R) Ethernet Connection (2) I218-LM
                                                                                   
                                                                                  -PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
                                                                                  +PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
                                                                                   
                                                                                   Name             State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
                                                                                   ----             ----- ----------- ----------------- ------   ------             -------
                                                                                   WindowsAutopilot Off   0           0                 00:00:00 Operating normally 8.0
                                                                                   
                                                                                  -PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
                                                                                  -PS C:\autopilot> Start-VM -VMName WindowsAutopilot
                                                                                  -PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
                                                                                  -PS C:\autopilot> dir
                                                                                  +PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
                                                                                  +PS C:\autopilot> Start-VM -VMName WindowsAutopilot
                                                                                  +PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
                                                                                  +PS C:\autopilot> dir
                                                                                   
                                                                                       Directory: C:\autopilot
                                                                                   
                                                                                  @@ -204,7 +204,7 @@ Mode                LastWriteTime         Length Name
                                                                                   d-----        3/12/2019   3:15 PM                VMData
                                                                                   d-----        3/12/2019   3:42 PM                VMs
                                                                                   
                                                                                  -PS C:\autopilot>
                                                                                  +PS C:\autopilot>
                                                                                   
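Review bot: the `$_` automatic variable has become `$.` in the two rewritten Get-NetAdapter lines (`?{$.Status -eq "Up" -and !$.Virtual}`), so the sample commands that pick the physical adapter and create the `AutopilotExternal` switch no longer run as shown; the removed lines had `$_.Status` and `!$_.Virtual`. Whether the underscores were dropped by hand or swallowed as emphasis markers once the sample left a fenced code block, the rendered text must read `$_`, so keep the sample in a fenced block or escape the underscores.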
                                                                                  ### Install Windows 10 @@ -603,7 +603,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
                                                                                  -C:\>systeminfo
                                                                                  +C:>systeminfo
                                                                                   
                                                                                   ...
                                                                                   Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
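Review bot: the prompt in the systeminfo sample changed from `C:\>systeminfo` to `C:>systeminfo`, dropping the backslash; `C:>` is not what a reader sees in an elevated command prompt and looks like a typo. If the backslash disappeared because `\>` is treated as an escape outside a fenced block, write it as `C:\\>` or keep the sample in a fenced code block.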
                                                                                  @@ -619,7 +619,7 @@ In this example, the computer supports SLAT and Hyper-V.
                                                                                   You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
                                                                                   
                                                                                   
                                                                                  -C:\>coreinfo -v
                                                                                  +C:>coreinfo -v
                                                                                   
                                                                                   Coreinfo v3.31 - Dump information on system CPU and memory topology
                                                                                   Copyright (C) 2008-2014 Mark Russinovich
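Review bot: same dropped backslash here, `C:\>coreinfo -v` became `C:>coreinfo -v`; restore the prompt with whichever escaping fix is applied to the systeminfo sample so the two examples on this page stay consistent.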
                                                                                  diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
                                                                                  index 228358a845..36282fb100 100644
                                                                                  --- a/windows/deployment/windows-autopilot/existing-devices.md
                                                                                  +++ b/windows/deployment/windows-autopilot/existing-devices.md
                                                                                  @@ -18,7 +18,7 @@ ms.topic: article
                                                                                   
                                                                                   # Windows Autopilot for existing devices
                                                                                   
                                                                                  -**Applies to: Windows 10**
                                                                                  +**Applies to: Windows 10**
                                                                                   
                                                                                   Modern desktop management with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away.
                                                                                   
                                                                                  @@ -67,19 +67,19 @@ See the following examples.
                                                                                       ```
                                                                                   
                                                                                   3. Enter the following lines and provide Intune administrative credentials
                                                                                  -    - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights.
                                                                                  +   - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights.
                                                                                   
                                                                                  -    ```
                                                                                  -    Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com
                                                                                  -    ```
                                                                                  -    The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**. 
                                                                                  -    
                                                                                  See the following example: + ``` + Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com + ``` + The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**. +
                                                                                  See the following example: - ![Azure AD authentication](images/pwd.png) + ![Azure AD authentication](images/pwd.png) - If this is the first time you’ve used the Intune Graph APIs, you’ll also be prompted to enable read and write permissions for Microsoft Intune PowerShell. To enable these permissions: - - Select **Consent on behalf or your organization** - - Click **Accept** + If this is the first time you’ve used the Intune Graph APIs, you’ll also be prompted to enable read and write permissions for Microsoft Intune PowerShell. To enable these permissions: + - Select **Consent on behalf or your organization** + - Click **Accept** 4. Next, retrieve and display all the Autopilot profiles available in the specified Intune tenant in JSON format: 
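Review bot: the re-indented bullet still carries the typo "Consent on behalf or your organization" (should be "on behalf of"), and the re-indented fence around `Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com` has no language tag; since these lines are being rewritten anyway, fix the typo and tag the fence as powershell so the command is highlighted. Also, "Consent on behalf of your organization" is a tenant-wide admin consent that grants the Microsoft Intune PowerShell application read and write permissions for every user, so "Be sure that the user account you specify has sufficient administrative rights" should say that the account must be able to grant that consent, not just run the cmdlet.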
@@ -108,17 +108,19 @@ See the following examples. See the following table for a description of properties used in the JSON file. - | Property | Description | - | --- | --- | - | Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. | - | CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. | - | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. | - | CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | - | CloudAssignedDomainJoinMethod (number, required) | This property should be set to 0 and specifies that the device should join Azure AD. | - | CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment.
                                                                                  0 = not required, 1 = required. | - | ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration.| - | CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled.
                                                                                  Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}"| - | CloudAssignedDeviceName (string, optional) | The name automatically assigned to the computer. This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use. | + + | Property | Description | + |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. | + | CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. | + | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. | + | CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | + | CloudAssignedDomainJoinMethod (number, required) | This property should be set to 0 and specifies that the device should join Azure AD. | + | CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment.
                                                                                  0 = not required, 1 = required. | + | ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration. | + | CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled.
                                                                                  Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}" | + | CloudAssignedDeviceName (string, optional) | The name automatically assigned to the computer. This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use. | + 5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below: 
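Review bot: "Version (number, optional)" contradicts "the version specified must be 2049" in the same row; state whether Version may be omitted and what the default is, or mark it required. The column-padded table is a whitespace-only change, but the CloudAssignedForcedEnrollment and CloudAssignedAadServerData cells contain a line break before "0 = not required, 1 = required." and "Example value:"; if those are raw newlines rather than `<br>` tags the table will break under markdig, which this PR enables for several docsets. The CloudAssignedOobeConfig row lists five flag values but never says they are combined by addition; one sentence such as "sum the values of the settings to apply" would help anyone writing the JSON by hand, and it is worth pointing out that OobeUserNotLocalAdmin = 2 is the flag that decides whether the first user is a local administrator.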
@@ -159,19 +161,19 @@ See the following examples. 1. Navigate to **\Assets and Compliance\Overview\Device Collections** 2. On the ribbon, click **Create** and then click **Create Device Collection** 3. In the **Create Device Collection Wizard** enter the following **General** details: - - Name: **Autopilot for existing devices collection** - - Comment: (optional) - - Limiting collection: Click **Browse** and select **All Systems** + - Name: **Autopilot for existing devices collection** + - Comment: (optional) + - Limiting collection: Click **Browse** and select **All Systems** - >[!NOTE] - >You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the ConfigMgr agent in the collection that you select. + >[!NOTE] + >You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the ConfigMgr agent in the collection that you select. 4. Click **Next**, then enter the following **Membership Rules** details: - - Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection. - - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples. + - Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection. + - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples. 
- ![Named resource1](images/pc-01a.png) - ![Named resource2](images/pc-01b.png) + ![Named resource1](images/pc-01a.png) + ![Named resource2](images/pc-01b.png) 5. Continue creating the device collection with the default settings: - Use incremental updates for this collection: not selected 
@@ -187,28 +189,28 @@ See the following examples. 2. On the Home ribbon, click **Create Task Sequence** 3. Select **Install an existing image package** and then click **Next** 4. In the Create Task Sequence Wizard enter the following details: - - Task sequence name: **Autopilot for existing devices** - - Boot Image: Click **Browse** and select a Windows 10 boot image (1803 or later) - - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later. - - Select the **Partition and format the target computer before installing the operating system** checkbox. - - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional. - - Product Key and Server licensing mode: Optionally enter a product key and server licencing mode. - - Randomly generate the local administrator password and disable the account on all support platforms (recommended): Optional. - - Enable the account and specify the local administrator password: Optional. - - Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**. + - Task sequence name: **Autopilot for existing devices** + - Boot Image: Click **Browse** and select a Windows 10 boot image (1803 or later) + - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later. + - Select the **Partition and format the target computer before installing the operating system** checkbox. + - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional. + - Product Key and Server licensing mode: Optionally enter a product key and server licencing mode. + - Randomly generate the local administrator password and disable the account on all support platforms (recommended): Optional. 
+ - Enable the account and specify the local administrator password: Optional. + - Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**. - >[!IMPORTANT] - >The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which calls the System Preparation Tool (syeprep). This action will fail if the target machine is joined to a domain. + >[!IMPORTANT] + >The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which calls the System Preparation Tool (syeprep). This action will fail if the target machine is joined to a domain. 5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page. 6. On the State Migration page, enter the following details: - - Clear the **Capture user settings and files** checkbox. - - Clear the **Capture network settings** checkbox. - - Clear the **Capture Microsoft Windows settings** checkbox. - - Click **Next**. + - Clear the **Capture user settings and files** checkbox. + - Clear the **Capture network settings** checkbox. + - Clear the **Capture Microsoft Windows settings** checkbox. + - Click **Next**. - >[!NOTE] - >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined devices. + >[!NOTE] + >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined devices. 7. On the Include Updates page, choose one of the three available options. This selection is optional. 8. On the Install applications page, add applications if desired. This is optional. 
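Review bot: "System Preparation Tool (syeprep)" in the rewritten IMPORTANT block is a typo for sysprep, "licencing" sits next to "licensing" in the same bullet, "Bitlocker" should be BitLocker and "all support platforms" should be "all supported platforms"; fix these while the lines are being touched. On the local administrator bullets, the text marks "Randomly generate the local administrator password and disable the account" as recommended and then lists "Enable the account and specify the local administrator password: Optional" directly after it without saying the two are alternatives; add that choosing the second option puts the same local administrator password on every device built from this task sequence, so it belongs on the test device only.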
diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index 5e871a2c28..9f6fa6b55a 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md @@ -70,7 +70,7 @@ Regardless of the scenario, the process to be performed by the technician is the - Boot the device (running Windows 10 Pro, Enterprise, or Education SKUs, version 1903 or later). - From the first OOBE screen (which could be a language selection or locale selection screen), do not click **Next**. Instead, press the Windows key five times to view an additional options dialog. From that screen, choose the **Windows Autopilot provisioning** option and then click **Continue**. - ![choice](images/choice.png) + ![choice](images/choice.png) - On the **Windows Autopilot Configuration** screen, information will be displayed about the device: - The Autopilot profile assigned to the device. @@ -79,7 +79,7 @@ Regardless of the scenario, the process to be performed by the technician is the - A QR code containing a unique identifier for the device, useful to look up the device in Intune to make any configuration changes needed (e.g. assigning a user, adding the device to any additional groups needed for app or policy targeting). - Validate the information displayed. If any changes are needed, make these and then click **Refresh** to re-download the updated Autopilot profile details. - ![landing](images/landing.png) + ![landing](images/landing.png) - Click **Provision** to begin the provisioning process. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 938b65188a..54153ca0f0 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md 
@@ -31,7 +31,7 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur - Windows 10 Education - Windows 10 Enterprise 2019 LTSC - - If you're using Autopilot for Surface devices, note that only the following Surface devices support Autopilot: + - If you're using Autopilot for Surface devices, note that only the following Surface devices support Autopilot: - Surface Go - Surface Go with LTE Advanced - Surface Pro (5th gen) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md index d5bfc2b1ab..aa2c84a967 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md @@ -60,10 +60,10 @@ Performing a local Windows Autopilot Reset is a two-step process: trigger it and ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) This will open up a custom login screen for the local Autopilot Reset. The screen serves two purposes: - 1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset - 2. Notify the user in case a provisioning package, created using Windows Configuration Designer, will be used as part of the process. + 1. Confirm/verify that the end user has the right to trigger Local Autopilot Reset + 2. Notify the user in case a provisioning package, created using Windows Configuration Designer, will be used as part of the process. - ![Custom login screen for local Autopilot Reset](images/autopilot-reset-customlogin.png) + ![Custom login screen for local Autopilot Reset](images/autopilot-reset-customlogin.png) 2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger the local Autopilot Reset. 
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index 1132c2b34b..c4e4de3c77 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -61,7 +61,7 @@ USMT is a backup and restore tool that allows you to migrate user state, data, a **Note**   Occasionally, we find that customers are wary of USMT because they believe it requires significant configuration, but, as you will learn below, using USMT is not difficult. If you use MDT and Lite Touch to deploy your machines, the USMT feature is automatically configured and extended so that it is easy to use. With MDT, you do nothing at all and USMT just works. -  + USMT includes several command-line tools, the most important of which are ScanState and LoadState: @@ -94,7 +94,7 @@ By default USMT migrates many settings, most of which are related to the user pr **Note**   The OpenDocument extensions (\*.odt, \*.odp, \*.ods, etc.) that Microsoft Office applications can use are not migrated by default. -   + - Operating system component settings @@ -198,7 +198,7 @@ MDT has two main parts: the first is Lite Touch, which is a stand-alone deployme **Note**   Lite Touch and Zero Touch are marketing names for the two solutions that MDT supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information. -  + ![figure 11](images/mdt-11-fig13.png) @@ -340,9 +340,9 @@ For more information on UEFI, see the [UEFI firmware](https://go.microsoft.com/f [Windows ADK for Windows 10 scenarios for IT pros](windows-adk-scenarios-for-it-pros.md) -  + -  + diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json index bac00186ea..7c76654379 100644 --- a/windows/device-security/docfx.json 
+++ b/windows/device-security/docfx.json @@ -20,7 +20,7 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif" + "**/*.gif" ], "exclude": [ "**/obj/**", @@ -31,21 +31,22 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "ms.author": "justinha", - "ms.date": "04/05/2017", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.win-device-security", - "folder_relative_path_in_docset": "./" - } - } - }, + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "justinha", + "ms.date": "04/05/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-device-security", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], - "dest": "win-device-security" + "dest": "win-device-security", + "markdownEngineName": "markdig" } } diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 292438cfe3..31963629cf 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -4,7 +4,7 @@ { "files": [ "**/*.md", - "**/*.yml" + "**/*.yml" ], "exclude": [ "**/obj/**", @@ -22,8 +22,8 @@ "**/*.png", "**/*.jpg", "**/*.svg", - "**/*.gif", - "**/*.pdf" + "**/*.gif", + "**/*.pdf" ], "exclude": [ "**/obj/**", 
@@ -34,24 +34,24 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "ms.author": "brianlic", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.windows-hub", - "folder_relative_path_in_docset": "./" - } - } - }, + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "brianlic", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.windows-hub", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], "dest": "windows-hub", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json index e7c4c32d2a..49eb6c151a 100644 --- a/windows/keep-secure/docfx.json +++ b/windows/keep-secure/docfx.json @@ -30,15 +30,16 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.keep-secure", - "folder_relative_path_in_docset": "./" - } - } - }, + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.keep-secure", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], - "dest": "keep-secure" + "dest": "keep-secure", + "markdownEngineName": "markdig" } } 
diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json index 36d3bfc69c..a65600c79b 100644 --- a/windows/manage/docfx.json +++ b/windows/manage/docfx.json @@ -30,15 +30,16 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.windows-manage", - "folder_relative_path_in_docset": "./" - } - } - }, + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.windows-manage", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], - "dest": "windows-manage" + "dest": "windows-manage", + "markdownEngineName": "markdig" } } diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json index 1a52d12cc9..a05d2009a6 100644 --- a/windows/plan/docfx.json +++ b/windows/plan/docfx.json @@ -30,15 +30,16 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.windows-plan", - "folder_relative_path_in_docset": "./" - } - } - }, + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.windows-plan", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], - "dest": "windows-plan" + "dest": "windows-plan", + "markdownEngineName": "markdig" } } diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 961279662e..d407ef1215 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -21,7 +21,7 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif" + "**/*.gif" ], "exclude": [ "**/obj/**", 
@@ -32,24 +32,24 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "ms.author": "justinha", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.security", - "folder_relative_path_in_docset": "./" - } - } + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows", + "ms.topic": "article", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "ms.author": "justinha", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.security", + "folder_relative_path_in_docset": "./" + } + } }, "fileMetadata": {}, "template": [], "dest": "security", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index 9988978dd6..36a6c863ed 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md 
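Review bot: adding "markdownEngineName": "markdig" to device-security, keep-secure, manage and plan (which previously set no engine) and switching hub and security from "dfm" changes how every page in those docsets renders, so this should be called out in the PR description and checked in a build preview rather than treated as a whitespace cleanup; the two engines differ on raw HTML inside tables, list-item indentation and the blank lines made of non-breaking spaces that this PR deletes elsewhere, which suggests the author has already hit one such difference. The re-indentation of globalMetadata is whitespace-only but leaves each file with a mix of two- and four-space indentation; pick one per file so the next diff to these files is readable.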
@@ -106,7 +106,7 @@ When you need to change the permissions on a file, you can run Windows Explorer, **Note**   Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](https://technet.microsoft.com/library/cc754178.aspx). -  + ### Ownership of objects @@ -137,9 +137,9 @@ For more information about auditing, see [Security Auditing Overview](/windows/d - For more information about access control and authorization, see [Access Control and Authorization Overview](https://technet.microsoft.com/library/jj134043(v=ws.11).aspx). -  + -  + diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md index fef9007690..9b684b3be6 100644 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ b/windows/security/identity-protection/access-control/active-directory-accounts.md 
@@ -61,7 +61,7 @@ This topic describes the following: Default local accounts are built-in accounts that are created automatically when a Windows Server domain controller is installed and the domain is created. These default local accounts have counterparts in Active Directory. These accounts also have domain-wide access and are completely separate from the default local user accounts for a member or standalone server. -You can assign rights and permissions to default local accounts on a particular domain controller, and only on that domain controller. These accounts are local to the domain. After the default local accounts are installed, they are stored in the Users container in Active Directory Users and Computers. It is a best practice to keep the default local accounts in the User container and not attempt to move these accounts, for example, to a different organizational unit (OU). +You can assign rights and permissions to default local accounts on a particular domain controller, and only on that domain controller. These accounts are local to the domain. After the default local accounts are installed, they are stored in the Users container in Active Directory Users and Computers. It is a best practice to keep the default local accounts in the User container and not attempt to move these accounts, for example, to a different organizational unit (OU). The default local accounts in the Users container include: Administrator, Guest, and KRBTGT. The HelpAssistant account is installed when a Remote Assistance session is established. The following sections describe the default local accounts and their use in Active Directory. 
@@ -73,7 +73,7 @@ Primarily, default local accounts do the following: - Audit the actions that are carried out on a user account. -In Active Directory, default local accounts are used by administrators to manage domain and member servers directly and from dedicated administrative workstations. Active Directory accounts provide access to network resources. Active Directory User accounts and Computer accounts can represent a physical entity, such as a computer or person, or act as dedicated service accounts for some applications. +In Active Directory, default local accounts are used by administrators to manage domain and member servers directly and from dedicated administrative workstations. Active Directory accounts provide access to network resources. Active Directory User accounts and Computer accounts can represent a physical entity, such as a computer or person, or act as dedicated service accounts for some applications. Each default local account is automatically assigned to a security group that is preconfigured with the appropriate rights and permissions to perform specific tasks. Active Directory security groups collect user accounts, computer accounts, and other groups into manageable units. For more information, see [Active Directory Security Groups](active-directory-security-groups.md). 
@@ -106,10 +106,10 @@ The Administrator account can also be disabled when it is not required. Renaming On a domain controller, the Administrator account becomes the Domain Admin account. The Domain Admin account is used to sign in to the domain controller and this account requires a strong password. The Domain Admin account gives you access to domain resources. -**Note**   +**Note** When the domain controller is initially installed, you can sign in and use Server Manager to set up a local Administrator account, with the rights and permissions you want to assign. For example, you can use a local Administrator account to manage the operating system when you first install it. By using this approach, you can set up the operating system without getting locked out. Generally, you do not need to use the account after installation. You can only create local user accounts on the domain controller, before Active Directory Domain Services is installed, and not afterwards. -  + When Active Directory is installed on the first domain controller in the domain, the Administrator account is created for Active Directory. The Administrator account is the most powerful account in the domain. It is given domain-wide access and administrative rights to administer the computer and the domain, and it has the most extensive rights and permissions over the domain. The person who installs Active Directory Domain Services on the computer creates the password for this account during the installation. @@ -164,7 +164,7 @@ When Active Directory is installed on the first domain controller in the domain, -  + ## Guest account @@ -246,7 +246,7 @@ For details about the Guest account attributes, see the following table. -  + ## HelpAssistant account (installed with a Remote Assistance session) @@ -317,7 +317,7 @@ For details about the HelpAssistant account attributes, see the following table. -  + ## KRBTGT account 
@@ -334,9 +334,9 @@ A strong password is assigned to the KRBTGT account automatically. Be sure that On occasion, the KRBTGT account password requires a reset, for example, when an attempt to change the password on the KRBTGT account fails. In order to resolve this issue, you reset the KRBTGT user account password twice by using Active Directory Users and Computers. You must reset the password twice because the KRBTGT account stores only two of the most recent passwords in the password history. By resetting the password twice, you effectively clear all passwords from the password history. -Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. +Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. -After you reset the KRBTGT password, ensure that event ID 6 in the (Kerberos) Key-Distribution-Center event source is written to the System event log. +After you reset the KRBTGT password, ensure that event ID 6 in the (Kerberos) Key-Distribution-Center event source is written to the System event log. ### Security considerations 
@@ -356,14 +356,14 @@ For all account types (users, computers, and services) Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected. -**Important**   +**Important** Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer. For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](https://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/). ### Read-only domain controllers and the KRBTGT account -Windows Server 2008 introduced the read-only domain controller (RODC). The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. After an account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy. +Windows Server 2008 introduced the read-only domain controller (RODC). The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. 
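Review bot: the rewrite of the RODC paragraph is a genuine fix, not whitespace: the `-` line ended with "After an account is successfully authenticated, the RODC determines ... by using the Password Replication Policy.", which duplicated the opening sentence of the paragraph that follows (visible unchanged at the start of the next line), and the `+` line drops that duplicate. Confirm that the now-shorter `+Windows Server 2008 introduced ...` line is followed by a blank line before "After an account is successfully authenticated", so the two paragraphs do not merge in the rendered page. The `-**Important**   ` / `+**Important**` edit in this hunk has the same hard-line-break rendering issue as the `**Note**` labels elsewhere in this patch.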
After an account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy. After the credentials are cached on the RODC, the RODC can accept that user's sign-in requests until the credentials change. When a TGT is signed with the KRBTGT account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller. @@ -418,7 +418,7 @@ For details about the KRBTGT account attributes, see the following table. -  + ## Settings for default local accounts in Active Directory @@ -454,7 +454,7 @@ Each default local account in Active Directory has a number of account settings

                                                                                  Store passwords using reversible encryption

                                                                                  Provides support for applications that use protocols requiring knowledge of the plaintext form of the user’s password for authentication purposes.

                                                                                  -

                                                                                  This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS).

                                                                                  +

                                                                                  This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS).

                                                                                  Account is disabled

                                                                                  @@ -472,7 +472,7 @@ Each default local account in Active Directory has a number of account settings

                                                                                  Account is trusted for delegation

                                                                                  -

                                                                                  Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.

                                                                                  +

                                                                                  Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.

                                                                                  Account is sensitive and cannot be delegated

                                                                                  @@ -482,26 +482,25 @@ Each default local account in Active Directory has a number of account settings

                                                                                  Use DES encryption types for this account

                                                                                  Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).

                                                                                  -Note   -

                                                                                  DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx).

                                                                                  +Note

                                                                                  DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.

                                                                                  -  +

                                                                                  Do not require Kerberos preauthentication

                                                                                  -

                                                                                  Provides support for alternate implementations of the Kerberos protocol. Because preauthentication provides additional security, use caution when enabling this option. Note that domain controllers running Windows 2000 or Windows Server 2003 can use other mechanisms to synchronize time.

                                                                                  +

                                                                                  Provides support for alternate implementations of the Kerberos protocol. Because preauthentication provides additional security, use caution when enabling this option. Note that domain controllers running Windows 2000 or Windows Server 2003 can use other mechanisms to synchronize time.

                                                                                  -  + ## Manage default local accounts in Active Directory -After the default local accounts are installed, these accounts reside in the Users container in Active Directory Users and Computers. Default local accounts can be created, disabled, reset, and deleted by using the Active Directory Users and Computers Microsoft Management Console (MMC) and by using command-line tools. +After the default local accounts are installed, these accounts reside in the Users container in Active Directory Users and Computers. Default local accounts can be created, disabled, reset, and deleted by using the Active Directory Users and Computers Microsoft Management Console (MMC) and by using command-line tools. You can use Active Directory Users and Computers to assign rights and permissions on a given local domain controller, and that domain controller only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. In contrast, an access permission is a rule that is associated with an object, usually a file, folder, or printer, that regulates which users can have access to the object and in what manner. 
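Review bot: the `+` line for the DES note drops a reference, not just whitespace. `-... see [Hunting down DES in order to securely deploy Kerberos](http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx).` becomes `+... see Hunting down DES in order to securely deploy Kerberos.`, so readers deciding whether "Use DES encryption types for this account" is safe to enable lose the pointer to the compatibility guidance. If markdown link syntax does not render inside this HTML table cell, use an `<a href="...">` element rather than deleting the target; if the URL is dead, say so in the PR description and point to its current location. The `-Note   -` / `+Note` edit in the same cell is fine.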
@@ -554,19 +553,19 @@ Restrict Domain Admins accounts and other sensitive accounts to prevent them fro - **Standard user account**. Grant standard user rights for standard user tasks, such as email, web browsing, and using line-of-business (LOB) applications. These accounts should not be granted administrator rights. -**Important**   +**Important** Ensure that sensitive administrator accounts cannot access email or browse the Internet as described in the following section. -  + ### Create dedicated workstation hosts without Internet and email access Administrators need to manage job responsibilities that require sensitive administrator rights from a dedicated workstation because they do not have easy physical access to the servers. A workstation that is connected to the Internet and has email and web browsing access is regularly exposed to compromise through phishing, downloading, and other types of Internet attacks. Because of these threats, it is a best practice to set these administrators up by using workstations that are dedicated to administrative duties only, and not provide access to the Internet, including email and web browsing. For more information, see [Separate administrator accounts from user accounts](#task1-separate-admin-accounts). -**Note**   +**Note** If the administrators in your environment can sign in locally to managed servers and perform all tasks without elevated rights or domain rights from their workstation, you can skip this task. -  + - **Minimum**. Build dedicated administrative workstations and block Internet access on those workstations including web browsing and email. Use the following ways to block Internet access: 
@@ -584,7 +583,7 @@ If the administrators in your environment can sign in locally to managed servers The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings. -**Note**   +**Note** In this procedure, the workstations are dedicated to domain administrators. By simply modifying the administrator accounts to grant permission to administrators to sign in locally, you can create additional OUs to manage administrators that have fewer administrative rights to use the instructions described in the following procedure. **To install administrative workstations in a domain and block Internet and email access (minimum)** @@ -621,10 +620,10 @@ In this procedure, the workstations are dedicated to domain administrators. By s 4. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - **Important**   + **Important** These instructions assume that the workstation is to be dedicated to domain administrators. -   + 5. Click **Add User or Group**, type **Administrators**, and > **OK**. @@ -715,10 +714,10 @@ In this procedure, the workstations are dedicated to domain administrators. By s It is a best practice to restrict administrators from using sensitive administrator accounts to sign in to lower-trust servers and workstations. This restriction prevents administrators from inadvertently increasing the risk of credential theft by signing in to a lower-trust computer. -**Important**   +**Important** Ensure that you either have local access to the domain controller or that you have built at least one dedicated administrative workstation. -  + Restrict logon access to lower-trust servers and workstations by using the following guidelines: 
@@ -728,10 +727,10 @@ Restrict logon access to lower-trust servers and workstations by using the follo - **Ideal**. Restrict server administrators from signing in to workstations, in addition to domain administrators. -**Note**   +**Note** For this procedure, do not link accounts to the OU that contain workstations for administrators that perform administration duties only, and do not provide Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations) -  + **To restrict domain administrators from workstations (minimum)** @@ -761,19 +760,19 @@ For this procedure, do not link accounts to the OU that contain workstations for ![Active Directory local accounts](images/adlocalaccounts-proc2-sample3.png) - **Note**   + **Note** You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. -   + 4. Click **OK** to complete the configuration. 8. Configure the user rights to deny batch and service logon rights for domain administrators as follows: - **Note**   + **Note** Completing this step might cause issues with administrator tasks that run as scheduled tasks or services with accounts in the Domain Admins group. The practice of using domain administrator accounts to run services and tasks on workstations creates a significant risk of credential theft attacks and therefore should be replaced with alternative means to run scheduled tasks or services. -   + 1. Double-click **Deny logon as a batch job**, and > **Define these policy settings**. 
@@ -783,10 +782,10 @@ For this procedure, do not link accounts to the OU that contain workstations for ![Active Directory local accounts](images/adlocalaccounts-proc2-sample4.png) - **Note**   + **Note** You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. -   + 4. Double-click **Deny logon as a service**, and > **Define these policy settings**. @@ -796,10 +795,10 @@ For this procedure, do not link accounts to the OU that contain workstations for ![Active Directory local accounts](images/adlocalaccounts-proc2-sample5.png) - **Note**   + **Note** You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. -   + 9. Link the GPO to the first Workstations OU. @@ -819,10 +818,10 @@ For this procedure, do not link accounts to the OU that contain workstations for However, do not create a link to the Administrative Workstation OU if it is created for administrative workstations that are dedicated to administration duties only, and that are without Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations). - **Important**   + **Important** If you later extend this solution, do not deny logon rights for the **Domain Users** group. The **Domain Users** group includes all user accounts in the domain, including Users, Domain Administrators, and Enterprise Administrators. -   + ### Disable the account delegation right for sensitive administrator accounts diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index 88277561b2..65e1e3a384 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md 
@@ -82,7 +82,7 @@ Groups are characterized by a scope that identifies the extent to which the grou **Note**   In addition to these three scopes, the default groups in the **Builtin** container have a group scope of Builtin Local. This group scope and group type cannot be changed. -  + The following table lists the three group scopes and more information about each scope for a security group. @@ -143,7 +143,7 @@ The following table lists the three group scopes and more information about each -  + ### Special identity groups @@ -189,357 +189,357 @@ The following tables provide descriptions of the default groups that are located -
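Review bot: inconsistency in the `@@ -82` hunk of active-directory-security-groups.md: the context line `**Note**   In addition to these three scopes, ...` keeps its trailing spaces, while every other `**Note**` label in this patch has them stripped. Either apply the same treatment here (preferably the `> [!NOTE]` alert form, which avoids depending on trailing whitespace for the line break) or leave the labels alone across the whole patch, so the two files do not end up rendering their notes differently.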

                                                                                  [Access Control Assistance Operators](#bkmk-acasstops)

                                                                                  +

                                                                                  Access Control Assistance Operators

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Account Operators](#bkmk-accountoperators)

                                                                                  +

                                                                                  Account Operators

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Administrators](#bkmk-admins)

                                                                                  +

                                                                                  Administrators

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl)

                                                                                  +

                                                                                  Allowed RODC Password Replication Group

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Backup Operators](#bkmk-backupoperators)

                                                                                  +

                                                                                  Backup Operators

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Certificate Service DCOM Access](#bkmk-certificateservicedcomaccess)

                                                                                  +

                                                                                  Certificate Service DCOM Access

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Cert Publishers](#bkmk-certpublishers)

                                                                                  +

                                                                                  Cert Publishers

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Cloneable Domain Controllers](#bkmk-cloneabledomaincontrollers)

                                                                                  +

                                                                                  Cloneable Domain Controllers

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Cryptographic Operators](#bkmk-cryptographicoperators)

                                                                                  +

                                                                                  Cryptographic Operators

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  Denied RODC Password Replication Group

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Device Owners](#bkmk-device-owners)

                                                                                  +

                                                                                  Device Owners

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Distributed COM Users](#bkmk-distributedcomusers)

                                                                                  +

                                                                                  Distributed COM Users

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [DnsUpdateProxy](#bkmk-dnsupdateproxy)

                                                                                  +

                                                                                  DnsUpdateProxy

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [DnsAdmins](#bkmk-dnsadmins)

                                                                                  +

                                                                                  DnsAdmins

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Domain Admins](#bkmk-domainadmins)

                                                                                  +

                                                                                  Domain Admins

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Domain Computers](#bkmk-domaincomputers)

                                                                                  +

                                                                                  Domain Computers

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Domain Controllers](#bkmk-domaincontrollers)

                                                                                  +

                                                                                  Domain Controllers

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Domain Guests](#bkmk-domainguests)

                                                                                  +

                                                                                  Domain Guests

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Domain Users](#bkmk-domainusers)

                                                                                  +

                                                                                  Domain Users

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Enterprise Admins](#bkmk-entadmins)

                                                                                  +

                                                                                  Enterprise Admins

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Enterprise Key Admins](#enterprise-key-admins)

                                                                                  +

                                                                                  Enterprise Key Admins

                                                                                  Yes

                                                                                  -

                                                                                  [Enterprise Read-only Domain Controllers](#bkmk-entrodc)

                                                                                  +

                                                                                  Enterprise Read-only Domain Controllers

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Event Log Readers](#bkmk-eventlogreaders)

                                                                                  +

                                                                                  Event Log Readers

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Group Policy Creator Owners](#bkmk-gpcreatorsowners)

                                                                                  +

                                                                                  Group Policy Creator Owners

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Guests](#bkmk-guests)

                                                                                  +

                                                                                  Guests

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Hyper-V Administrators](#bkmk-hypervadministrators)

                                                                                  +

                                                                                  Hyper-V Administrators

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [IIS_IUSRS](#bkmk-iis-iusrs)

                                                                                  +

                                                                                  IIS_IUSRS

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs)

                                                                                  +

                                                                                  Incoming Forest Trust Builders

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Key Admins](#key-admins)

                                                                                  +

                                                                                  Key Admins

                                                                                  Yes

                                                                                  -

                                                                                  [Network Configuration Operators](#bkmk-networkcfgoperators)

                                                                                  +

                                                                                  Network Configuration Operators

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Performance Log Users](#bkmk-perflogusers)

                                                                                  +

                                                                                  Performance Log Users

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Performance Monitor Users](#bkmk-perfmonitorusers)

                                                                                  +

                                                                                  Performance Monitor Users

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess)

                                                                                  +

                                                                                  Pre–Windows 2000 Compatible Access

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Print Operators](#bkmk-printoperators)

                                                                                  +

                                                                                  Print Operators

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Protected Users](#bkmk-protectedusers)

                                                                                  +

                                                                                  Protected Users

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [RAS and IAS Servers](#bkmk-rasandias)

                                                                                  +

                                                                                  RAS and IAS Servers

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [RDS Endpoint Servers](#bkmk-rdsendpointservers)

                                                                                  +

                                                                                  RDS Endpoint Servers

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [RDS Management Servers](#bkmk-rdsmanagementservers)

                                                                                  +

                                                                                  RDS Management Servers

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)

                                                                                  +

                                                                                  RDS Remote Access Servers

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Read-only Domain Controllers](#bkmk-rodc)

                                                                                  +

                                                                                  Read-only Domain Controllers

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Remote Desktop Users](#bkmk-remotedesktopusers)

                                                                                  +

                                                                                  Remote Desktop Users

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Remote Management Users](#bkmk-remotemanagementusers)

                                                                                  +

                                                                                  Remote Management Users

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Replicator](#bkmk-replicator)

                                                                                  +

                                                                                  Replicator

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Schema Admins](#bkmk-schemaadmins)

                                                                                  +

                                                                                  Schema Admins

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Server Operators](#bkmk-serveroperators)

                                                                                  +

                                                                                  Server Operators

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Storage Replica Administrators](#storage-replica-administrators)

                                                                                  +

                                                                                  Storage Replica Administrators

                                                                                  Yes

                                                                                  -

                                                                                  [System Managed Accounts Group](#system-managed-accounts-group)

                                                                                  +

                                                                                  System Managed Accounts Group

                                                                                  Yes

                                                                                  -

                                                                                  [Terminal Server License Servers](#bkmk-terminalserverlic)

                                                                                  +

                                                                                  Terminal Server License Servers

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Users](#bkmk-users)

                                                                                  +

                                                                                  Users

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [Windows Authorization Access Group](#bkmk-winauthaccess)

                                                                                  +

                                                                                  Windows Authorization Access Group

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  Yes

                                                                                  -

                                                                                  [WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)

                                                                                  +

                                                                                  WinRMRemoteWMIUsers_

                                                                                  Yes

                                                                                  Yes
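Review bot: every row of this summary table replaces an in-page anchor link (`[Domain Controllers](#bkmk-domaincontrollers)`, `[Enterprise Key Admins](#enterprise-key-admins)`, `[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)`) with plain text, so readers lose the jump from the table to each group's section even though the target headings (`### Account Operators`, `### Administrators`) are unchanged in the later hunks. If this patch is meant as the whitespace cleanup the rest of it performs, keep the links; if the intent is to fix broken anchors, the rows mix two id conventions (`#bkmk-...` for most groups versus `#enterprise-key-admins`, `#key-admins`, `#storage-replica-administrators`, `#system-managed-accounts-group` for the newer ones), so check each id against its heading and fix only the rows whose targets changed rather than stripping all of them. Separately, rows such as Enterprise Key Admins, Key Admins, Protected Users, Hyper-V Administrators, Storage Replica Administrators, System Managed Accounts Group and WinRMRemoteWMIUsers_ carry fewer `Yes` cells than the others; with no column header visible in this region it is worth confirming that these reflect operating-system applicability and are not cells dropped by the edit.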

                                                                                  @@ -548,7 +548,7 @@ The following tables provide descriptions of the default groups that are located -  + ### Access Control Assistance Operators @@ -610,7 +610,7 @@ This security group has not changed since Windows Server 2008. -  + ### Account Operators @@ -623,7 +623,7 @@ The Account Operators group applies to versions of the Windows Server operating **Note**   By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved. -  + This security group has not changed since Windows Server 2008. @@ -673,12 +673,12 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default User Rights

                                                                                  -

                                                                                  [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

                                                                                  +

                                                                                  Allow log on locally: SeInteractiveLogonRight

                                                                                  -  + ### Administrators @@ -691,7 +691,7 @@ The Administrators group has built-in capabilities that give its members full co Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain. -  + This security group includes the following changes since Windows Server 2008: @@ -745,38 +745,38 @@ This security group includes the following changes since Windows Server 2008:
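Review bot: the `-`/`+` pairs in the `@@ -548`, `@@ -610`, `@@ -623`, `@@ -673` and `@@ -691` hunks delete a line that holds only a whitespace character and add what looks like a line with a trailing space; if the goal is to drop the stray spacer line, the replacement should be an empty line, otherwise a later trailing-whitespace pass will rewrite these same lines again. In the `@@ -673` hunk (Account Operators, Default User Rights) the link `[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight` becomes plain `Allow log on locally: SeInteractiveLogonRight`; the note in the `@@ -623` hunk just above says this group can modify Server Operators and through them domain controller settings, so the policy page for the right is exactly what a reader hardening this group wants, and the link should be updated to the new path rather than removed.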

                                                                                  Default User Rights

                                                                                  -

                                                                                  [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege

                                                                                  -

                                                                                  [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

                                                                                  -

                                                                                  [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

                                                                                  -

                                                                                  [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services): SeRemoteInteractiveLogonRight

                                                                                  -

                                                                                  [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege

                                                                                  -

                                                                                  [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

                                                                                  -

                                                                                  [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege

                                                                                  -

                                                                                  [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege

                                                                                  -

                                                                                  [Create a pagefile](/windows/device-security/security-policy-settings/create-a-pagefile): SeCreatePagefilePrivilege

                                                                                  -

                                                                                  [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege

                                                                                  -

                                                                                  [Create symbolic links](/windows/device-security/security-policy-settings/create-symbolic-links): SeCreateSymbolicLinkPrivilege

                                                                                  -

                                                                                  [Debug programs](/windows/device-security/security-policy-settings/debug-programs): SeDebugPrivilege

                                                                                  -

                                                                                  [Enable computer and user accounts to be trusted for delegation](/windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation): SeEnableDelegationPrivilege

                                                                                  -

                                                                                  [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege

                                                                                  -

                                                                                  [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege

                                                                                  -

                                                                                  [Increase scheduling priority](/windows/device-security/security-policy-settings/increase-scheduling-priority): SeIncreaseBasePriorityPrivilege

                                                                                  -

                                                                                  [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege

                                                                                  -

                                                                                  [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight

                                                                                  -

                                                                                  [Manage auditing and security log](/windows/device-security/security-policy-settings/manage-auditing-and-security-log): SeSecurityPrivilege

                                                                                  -

                                                                                  [Modify firmware environment values](/windows/device-security/security-policy-settings/modify-firmware-environment-values): SeSystemEnvironmentPrivilege

                                                                                  -

                                                                                  [Perform volume maintenance tasks](/windows/device-security/security-policy-settings/perform-volume-maintenance-tasks): SeManageVolumePrivilege

                                                                                  -

                                                                                  [Profile system performance](/windows/device-security/security-policy-settings/profile-system-performance): SeSystemProfilePrivilege

                                                                                  -

                                                                                  [Profile single process](/windows/device-security/security-policy-settings/profile-single-process): SeProfileSingleProcessPrivilege

                                                                                  -

                                                                                  [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station): SeUndockPrivilege

                                                                                  -

                                                                                  [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege

                                                                                  -

                                                                                  [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege

                                                                                  -

                                                                                  [Take ownership of files or other objects](/windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects): SeTakeOwnershipPrivilege

                                                                                  +

                                                                                  Adjust memory quotas for a process: SeIncreaseQuotaPrivilege

                                                                                  +

                                                                                  Access this computer from the network: SeNetworkLogonRight

                                                                                  +

                                                                                  Allow log on locally: SeInteractiveLogonRight

                                                                                  +

                                                                                  Allow log on through Remote Desktop Services: SeRemoteInteractiveLogonRight

                                                                                  +

                                                                                  Back up files and directories: SeBackupPrivilege

                                                                                  +

                                                                                  Bypass traverse checking: SeChangeNotifyPrivilege

                                                                                  +

                                                                                  Change the system time: SeSystemTimePrivilege

                                                                                  +

                                                                                  Change the time zone: SeTimeZonePrivilege

                                                                                  +

                                                                                  Create a pagefile: SeCreatePagefilePrivilege

                                                                                  +

                                                                                  Create global objects: SeCreateGlobalPrivilege

                                                                                  +

                                                                                  Create symbolic links: SeCreateSymbolicLinkPrivilege

                                                                                  +

                                                                                  Debug programs: SeDebugPrivilege

                                                                                  +

                                                                                  Enable computer and user accounts to be trusted for delegation: SeEnableDelegationPrivilege

                                                                                  +

                                                                                  Force shutdown from a remote system: SeRemoteShutdownPrivilege

                                                                                  +

                                                                                  Impersonate a client after authentication: SeImpersonatePrivilege

                                                                                  +

                                                                                  Increase scheduling priority: SeIncreaseBasePriorityPrivilege

                                                                                  +

                                                                                  Load and unload device drivers: SeLoadDriverPrivilege

                                                                                  +

                                                                                  Log on as a batch job: SeBatchLogonRight

                                                                                  +

                                                                                  Manage auditing and security log: SeSecurityPrivilege

                                                                                  +

                                                                                  Modify firmware environment values: SeSystemEnvironmentPrivilege

                                                                                  +

                                                                                  Perform volume maintenance tasks: SeManageVolumePrivilege

                                                                                  +

                                                                                  Profile system performance: SeSystemProfilePrivilege

                                                                                  +

                                                                                  Profile single process: SeProfileSingleProcessPrivilege

                                                                                  +

                                                                                  Remove computer from docking station: SeUndockPrivilege

                                                                                  +

                                                                                  Restore files and directories: SeRestorePrivilege

                                                                                  +

                                                                                  Shut down the system: SeShutdownPrivilege

                                                                                  +

                                                                                  Take ownership of files or other objects: SeTakeOwnershipPrivilege

                                                                                  -  + ### Allowed RODC Password Replication Group @@ -837,7 +837,7 @@ This security group has not changed since Windows Server 2008. -  + ### Backup Operators @@ -893,16 +893,16 @@ This security group has not changed since Windows Server 2008.
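Review bot: In the Administrators "Default User Rights" hunk above, every `[policy name](/windows/device-security/security-policy-settings/...)` link is replaced by the bare policy name, so readers lose the cross-reference to the topic that explains what each privilege (SeDebugPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, and so on) actually grants. If the relative `/windows/device-security/...` paths are the problem, point them at their current location instead of stripping them; the privilege constants alone do not tell an administrator what a membership change exposes.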

                                                                                  Default User Rights

                                                                                  -

                                                                                  [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

                                                                                  -

                                                                                  [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege

                                                                                  -

                                                                                  [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight

                                                                                  -

                                                                                  [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege

                                                                                  -

                                                                                  [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege

                                                                                  +

                                                                                  Allow log on locally: SeInteractiveLogonRight

                                                                                  +

                                                                                  Back up files and directories: SeBackupPrivilege

                                                                                  +

                                                                                  Log on as a batch job: SeBatchLogonRight

                                                                                  +

                                                                                  Restore files and directories: SeRestorePrivilege

                                                                                  +

                                                                                  Shut down the system: SeShutdownPrivilege

                                                                                  -  + ### Certificate Service DCOM Access @@ -963,7 +963,7 @@ This security group has not changed since Windows Server 2008. -  + ### Cert Publishers @@ -1003,7 +1003,7 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default member of

                                                                                  -

                                                                                  [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  Denied RODC Password Replication Group

                                                                                  Protected by ADMINSDHOLDER?

                                                                                  @@ -1024,7 +1024,7 @@ This security group has not changed since Windows Server 2008. -  + ### Cloneable Domain Controllers @@ -1085,7 +1085,7 @@ This security group was introduced in Windows Server 2012, and it has not chang -  + ### Cryptographic Operators @@ -1146,7 +1146,7 @@ This security group was introduced in Windows Vista Service Pack 1, and it h -  + ### Denied RODC Password Replication Group @@ -1184,14 +1184,14 @@ This security group includes the following changes since Windows Server 2008:

                                                                                  Default members

                                                                                  -

                                                                                  [Cert Publishers](#bkmk-certpublishers)

                                                                                  -

                                                                                  [Domain Admins](#bkmk-domainadmins)

                                                                                  -

                                                                                  [Domain Controllers](#bkmk-domaincontrollers)

                                                                                  -

                                                                                  [Enterprise Admins](#bkmk-entadmins)

                                                                                  +

                                                                                  Cert Publishers

                                                                                  +

                                                                                  Domain Admins

                                                                                  +

                                                                                  Domain Controllers

                                                                                  +

                                                                                  Enterprise Admins

                                                                                  Group Policy Creator Owners

                                                                                  krbtgt

                                                                                  -

                                                                                  [Read-only Domain Controllers](#bkmk-rodc)

                                                                                  -

                                                                                  [Schema Admins](#bkmk-schemaadmins)

                                                                                  +

                                                                                  Read-only Domain Controllers

                                                                                  +

                                                                                  Schema Admins

                                                                                  Default member of

                                                                                  @@ -1269,16 +1269,16 @@ The Device Owners group applies to versions of the Windows Server operating syst

                                                                                  Default User Rights

                                                                                  -

                                                                                  [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

                                                                                  -

                                                                                  [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

                                                                                  -

                                                                                  [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

                                                                                  -

                                                                                  [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege

                                                                                  +

                                                                                  Allow log on locally: SeInteractiveLogonRight

                                                                                  +

                                                                                  Access this computer from the network: SeNetworkLogonRight

                                                                                  +

                                                                                  Bypass traverse checking: SeChangeNotifyPrivilege

                                                                                  +

                                                                                  Change the time zone: SeTimeZonePrivilege

                                                                                  -  + ### Distributed COM Users @@ -1339,7 +1339,7 @@ This security group has not changed since Windows Server 2008. -  + ### DnsUpdateProxy @@ -1402,7 +1402,7 @@ This security group has not changed since Windows Server 2008. -  + ### DnsAdmins @@ -1463,7 +1463,7 @@ This security group has not changed since Windows Server 2008. -  + ### Domain Admins @@ -1505,8 +1505,8 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default member of

                                                                                  -

                                                                                  [Administrators](#bkmk-admins)

                                                                                  -

                                                                                  [Denied RODC Password ReplicationGroup](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  Administrators

                                                                                  +

                                                                                  Denied RODC Password ReplicationGroup

                                                                                  Protected by ADMINSDHOLDER?

                                                                                  @@ -1522,13 +1522,13 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default User Rights

                                                                                  -

                                                                                  See [Administrators](#bkmk-admins)

                                                                                  -

                                                                                  See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  See Administrators

                                                                                  +

                                                                                  See Denied RODC Password Replication Group

                                                                                  -  + ### Domain Computers @@ -1589,7 +1589,7 @@ This security group has not changed since Windows Server 2008. -  + ### Domain Controllers @@ -1629,7 +1629,7 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default member of

                                                                                  -

                                                                                  [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  Denied RODC Password Replication Group

                                                                                  Protected by ADMINSDHOLDER?

                                                                                  @@ -1650,7 +1650,7 @@ This security group has not changed since Windows Server 2008. -  + ### Domain Guests @@ -1690,7 +1690,7 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default member of

                                                                                  -

                                                                                  [Guests](#bkmk-guests)

                                                                                  +

                                                                                  Guests

                                                                                  Protected by ADMINSDHOLDER?

                                                                                  @@ -1706,12 +1706,12 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default User Rights

                                                                                  -

                                                                                  See [Guests](#bkmk-guests)

                                                                                  +

                                                                                  See Guests

                                                                                  -  + ### Domain Users @@ -1754,7 +1754,7 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default member of

                                                                                  -

                                                                                  [Users](#bkmk-users)

                                                                                  +

                                                                                  Users

                                                                                  Protected by ADMINSDHOLDER?

                                                                                  @@ -1770,12 +1770,12 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default User Rights

                                                                                  -

                                                                                  See [Users](#bkmk-users)

                                                                                  +

                                                                                  See Users

                                                                                  -  + ### Enterprise Admins @@ -1817,8 +1817,8 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default member of

                                                                                  -

                                                                                  [Administrators](#bkmk-admins)

                                                                                  -

                                                                                  [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  Administrators

                                                                                  +

                                                                                  Denied RODC Password Replication Group

                                                                                  Protected by ADMINSDHOLDER?

                                                                                  @@ -1834,8 +1834,8 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default User Rights

                                                                                  -

                                                                                  See [Administrators](#bkmk-admins)

                                                                                  -

                                                                                  See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  See Administrators

                                                                                  +

                                                                                  See Denied RODC Password Replication Group

                                                                                  @@ -1858,7 +1858,7 @@ The Enterprise Key Admins group was introduced in Windows Server 2016. | Safe to delegate management of this group to non-Service admins? | No | | Default User Rights | None | -  + ### Enterprise Read-Only Domain Controllers Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller. @@ -1922,7 +1922,7 @@ This security group has not changed since Windows Server 2008. -  + ### Event Log Readers @@ -1983,7 +1983,7 @@ This security group has not changed since Windows Server 2008. -  + ### Group Policy Creators Owners @@ -2025,7 +2025,7 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default member of

                                                                                  -

                                                                                  [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  Denied RODC Password Replication Group

                                                                                  Protected by ADMINSDHOLDER?

                                                                                  @@ -2041,12 +2041,12 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default User Rights

                                                                                  -

                                                                                  See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  See Denied RODC Password Replication Group

                                                                                  -  + ### Guests @@ -2061,7 +2061,7 @@ A Guest account is a default member of the Guests security group. People who do The Guest account does not require a password. You can set rights and permissions for the Guest account as in any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to sign in to a domain. The Guest account is disabled by default, and we recommend that it stay disabled. -  + The Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). @@ -2097,7 +2097,7 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default member of

                                                                                  -

                                                                                  [Domain Guests](#bkmk-domainguests)

                                                                                  +

                                                                                  Domain Guests

                                                                                  Guest

                                                                                  @@ -2119,7 +2119,7 @@ This security group has not changed since Windows Server 2008. -  + ### Hyper-V Administrators @@ -2128,7 +2128,7 @@ Members of the Hyper-V Administrators group have complete and unrestricted acces **Note**   Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators group. -  + This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. @@ -2183,7 +2183,7 @@ This security group was introduced in Windows Server 2012, and it has not chang -  + ### IIS\_IUSRS @@ -2244,7 +2244,7 @@ This security group has not changed since Windows Server 2008. -  + ### Incoming Forest Trust Builders @@ -2255,7 +2255,7 @@ To make this determination, the Windows security system computes a trust path be **Note**   This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). -  + For more information, see [How Domain and Forest Trusts Work: Domain and Forest Trusts](https://technet.microsoft.com/library/f5c70774-25cd-4481-8b7a-3d65c86e69b1). @@ -2264,7 +2264,7 @@ The Incoming Forest Trust Builders group applies to versions of the Windows Serv **Note**   This group cannot be renamed, deleted, or moved. -  + This security group has not changed since Windows Server 2008. 
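Review bot: The run of `-  +` hunks above (Hyper-V Administrators, IIS\_IUSRS, Incoming Forest Trust Builders, and the others in this stretch) only swaps a whitespace-only line for an empty line. These whitespace-only hunks are interleaved with the link-removal change throughout the patch, which makes the substantive diff hard to review; split the whitespace cleanup into its own commit.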
@@ -2362,14 +2362,14 @@ Members of the Network Configuration Operators group can have the following admi **Note**   This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). -  + The Network Configuration Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). **Note**   This group cannot be renamed, deleted, or moved. -  + This security group has not changed since Windows Server 2008. @@ -2424,7 +2424,7 @@ This security group has not changed since Windows Server 2008. -  + ### Performance Log Users @@ -2437,7 +2437,7 @@ Members of the Performance Log Users group can manage performance counters, logs **Warning**   If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials. -   + - Cannot use the Windows Kernel Trace event provider in Data Collector Sets. @@ -2446,14 +2446,14 @@ For members of the Performance Log Users group to initiate data logging or modif **Note**   This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). -  + The Performance Log Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). **Note**   This account cannot be renamed, deleted, or moved. -  + This security group has not changed since Windows Server 2008. @@ -2503,12 +2503,12 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default User Rights

                                                                                  -

                                                                                  [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight

                                                                                  +

                                                                                  Log on as a batch job: SeBatchLogonRight

                                                                                  -  + ### Performance Monitor Users @@ -2527,12 +2527,12 @@ Specifically, members of this security group: **Warning**   You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group. -   + **Note**   This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved. -  + The Performance Monitor Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). @@ -2589,7 +2589,7 @@ This security group has not changed since Windows Server 2008. -  + ### Pre–Windows 2000 Compatible Access @@ -2598,7 +2598,7 @@ Members of the Pre–Windows 2000 Compatible Access group have Read access for **Warning**   This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). -  + The Pre–Windows 2000 Compatible Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). @@ -2650,13 +2650,13 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default User Rights

                                                                                  -

                                                                                  [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

                                                                                  -

                                                                                  [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

                                                                                  +

                                                                                  Access this computer from the network: SeNetworkLogonRight

                                                                                  +

                                                                                  Bypass traverse checking: SeChangeNotifyPrivilege

                                                                                  -  + ### Print Operators @@ -2714,14 +2714,14 @@ This security group has not changed since Windows Server 2008. However, in Windo

                                                                                  Default User Rights

                                                                                  -

                                                                                  [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

                                                                                  -

                                                                                  [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege

                                                                                  -

                                                                                  [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege

                                                                                  +

                                                                                  Allow log on locally: SeInteractiveLogonRight

                                                                                  +

                                                                                  Load and unload device drivers: SeLoadDriverPrivilege

                                                                                  +

                                                                                  Shut down the system: SeShutdownPrivilege

                                                                                  -  + ### Protected Users @@ -2798,7 +2798,7 @@ The following table specifies the properties of the Protected Users group. -  + ### RAS and IAS Servers @@ -2859,7 +2859,7 @@ This security group has not changed since Windows Server 2008. -  + ### RDS Endpoint Servers @@ -2920,7 +2920,7 @@ This security group was introduced in Windows Server 2012, and it has not chang -  + ### RDS Management Servers @@ -2979,7 +2979,7 @@ This security group was introduced in Windows Server 2012, and it has not chang -  + ### RDS Remote Access Servers @@ -3040,7 +3040,7 @@ This security group was introduced in Windows Server 2012, and it has not chang -  + ### Remote Desktop Users @@ -3101,7 +3101,7 @@ This security group has not changed since Windows Server 2008. -  + ### Read-Only Domain Controllers @@ -3153,7 +3153,7 @@ This security group was introduced in Windows Server 2008, and it has not chang

                                                                                  Default member of

                                                                                  -

                                                                                  [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  Denied RODC Password Replication Group

                                                                                  Protected by ADMINSDHOLDER?
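Review bot: the `+` line turns the in-page cross-reference `[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)` into plain text, so the reader loses the jump to that group's own entry in this topic. If the link is being removed because markdown is not rendered inside this HTML table cell, replace it with an HTML anchor (`<a href="#bkmk-deniedrodcpwdrepl">Denied RODC Password Replication Group</a>`) rather than dropping it; the same applies to the "See Denied RODC Password Replication Group" rows in the following hunks.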

                                                                                  @@ -3169,12 +3169,12 @@ This security group was introduced in Windows Server 2008, and it has not chang

                                                                                  Default User Rights

                                                                                  -

                                                                                  See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  See Denied RODC Password Replication Group

                                                                                  -  + ### Remote Management Users @@ -3237,7 +3237,7 @@ This security group was introduced in Windows Server 2012, and it has not chang -  + ### Replicator @@ -3304,7 +3304,7 @@ This security group has not changed since Windows Server 2008. -  + ### Schema Admins @@ -3350,7 +3350,7 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default member of

                                                                                  -

                                                                                  [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  Denied RODC Password Replication Group

                                                                                  Protected by ADMINSDHOLDER?

                                                                                  @@ -3366,12 +3366,12 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default User Rights

                                                                                  -

                                                                                  See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)

                                                                                  +

                                                                                  See Denied RODC Password Replication Group

                                                                                  -  + ### Server Operators @@ -3429,13 +3429,13 @@ This security group has not changed since Windows Server 2008.

                                                                                  Default User Rights

                                                                                  -

                                                                                  [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

                                                                                  -

                                                                                  [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege

                                                                                  -

                                                                                  [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege

                                                                                  -

                                                                                  [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege

                                                                                  -

                                                                                  [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege

                                                                                  -

                                                                                  [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): Restore files and directories SeRestorePrivilege

                                                                                  -

                                                                                  [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege

                                                                                  +

                                                                                  Allow log on locally: SeInteractiveLogonRight

                                                                                  +

                                                                                  Back up files and directories: SeBackupPrivilege

                                                                                  +

                                                                                  Change the system time: SeSystemTimePrivilege

                                                                                  +

                                                                                  Change the time zone: SeTimeZonePrivilege

                                                                                  +

                                                                                  Force shutdown from a remote system: SeRemoteShutdownPrivilege

                                                                                  +

                                                                                  Restore files and directories: Restore files and directories SeRestorePrivilege

                                                                                  +

                                                                                  Shut down the system: SeShutdownPrivilege
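Review bot: the `+` line `Restore files and directories: Restore files and directories SeRestorePrivilege` keeps the duplicated phrase that was already in the `-` line; since the row is being rewritten anyway, make it `Restore files and directories: SeRestorePrivilege` to match the other entries in this cell. The other rows now list only the privilege names without the links to their security-policy-setting topics (for example `/windows/device-security/security-policy-settings/back-up-files-and-directories`), which is where each right is documented, so keep those references as HTML anchors if markdown links do not render inside this table.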

                                                                                  @@ -3492,7 +3492,7 @@ The Terminal Server License Servers group applies to versions of the Windows Ser **Note**   This group cannot be renamed, deleted, or moved. -  + This security group only applies to Windows Server 2003 and Windows Server 2008 because Terminal Services was replaced by Remote Desktop Services in Windows Server 2008 R2. @@ -3547,7 +3547,7 @@ This security group only applies to Windows Server 2003 and Windows Server 200 -  + ### Users @@ -3590,7 +3590,7 @@ This security group includes the following changes since Windows Server 2008:

                                                                                  Default members

                                                                                  Authenticated Users

                                                                                  -

                                                                                  [Domain Users](#bkmk-domainusers)

                                                                                  +

                                                                                  Domain Users

                                                                                  INTERACTIVE

                                                                                  @@ -3616,7 +3616,7 @@ This security group includes the following changes since Windows Server 2008: -  + ### Windows Authorization Access Group @@ -3627,7 +3627,7 @@ The Windows Authorization Access group applies to versions of the Windows Server **Note**   This group cannot be renamed, deleted, or moved. -  + This security group has not changed since Windows Server 2008. @@ -3682,7 +3682,7 @@ This security group has not changed since Windows Server 2008. -  + ### WinRMRemoteWMIUsers\_ @@ -3707,7 +3707,7 @@ In Windows Server 2012, the Access Denied Assistance functionality adds the Aut **Note**   The WinRMRemoteWMIUsers\_ group allows running Windows PowerShell commands remotely whereas the [Remote Management Users](#bkmk-remotemanagementusers) group is generally used to allow users to manage servers by using the Server Manager console. -  + This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 4bf7fbed65..4d8f5e6d6e 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -96,12 +96,12 @@ In this case, Group Policy can be used to enable secure settings that can contro **Note**   Blank passwords are not allowed in the versions designated in the **Applies To** list at the beginning of this topic. -  + **Important**   Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled. -  + ### Guest account 
@@ -205,7 +205,7 @@ Each of these approaches is described in the following sections. **Note**   These approaches do not apply if all administrative local accounts are disabled. -  + ### Enforce local account restrictions for remote access @@ -241,7 +241,7 @@ The following table shows the Group Policy and registry settings that are used t

                                                                                  1

                                                                                  Policy name

                                                                                  -

                                                                                  [User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)

                                                                                  +

                                                                                  User Account Control: Run all administrators in Admin Approval Mode
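Review bot: the `+` line drops the link to the policy-setting topic (`/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode`) and leaves only the policy name. This table is where a reader looks up the Group Policy and registry settings used to enforce local account restrictions, so keep a reference to the topic (as an HTML anchor if markdown links do not render in this table); the identical row appears again in the next hunk and should be handled the same way.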

                                                                                  @@ -256,7 +256,7 @@ The following table shows the Group Policy and registry settings that are used t

                                                                                  Policy name

                                                                                  -

                                                                                  [User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)

                                                                                  +

                                                                                  User Account Control: Run all administrators in Admin Approval Mode

                                                                                  @@ -289,7 +289,7 @@ The following table shows the Group Policy and registry settings that are used t >[!NOTE] >You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates. -  + **To enforce local account restrictions for remote access** @@ -364,7 +364,7 @@ Denying local accounts the ability to perform network logons can help prevent a **Note**   In order to perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group. -  + The following table shows the Group Policy settings that are used to deny network logon for all local Administrator accounts. @@ -388,7 +388,7 @@ The following table shows the Group Policy settings that are used to deny networ

                                                                                  1

                                                                                  Policy name

                                                                                  -

                                                                                  [Deny access to this computer from the network](/windows/device-security/security-policy-settings/deny-access-to-this-computer-from-the-network)

                                                                                  +

                                                                                  Deny access to this computer from the network

                                                                                  @@ -404,7 +404,7 @@ The following table shows the Group Policy settings that are used to deny networ

                                                                                  Policy name

                                                                                  -

                                                                                  [Deny log on through Remote Desktop Services](/windows/device-security/security-policy-settings/deny-log-on-through-remote-desktop-services)

                                                                                  +

                                                                                  Deny log on through Remote Desktop Services

                                                                                  @@ -415,7 +415,7 @@ The following table shows the Group Policy settings that are used to deny networ -  + **To deny network logon to all local administrator accounts** diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md index f9966fd28a..cd289738ae 100644 --- a/windows/security/identity-protection/access-control/service-accounts.md +++ b/windows/security/identity-protection/access-control/service-accounts.md @@ -84,7 +84,7 @@ A managed service account is dependent on encryption types supported by Kerberos **Note**   Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For more information about supported encryption types, see [Changes in Kerberos Authentication](https://technet.microsoft.com/library/dd560670(WS.10).aspx). -  + Group managed service accounts are not applicable in Windows operating systems prior to Windows Server 2012. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 2e08324717..1a19c1ea01 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md 
@@ -90,21 +90,21 @@ See the following article on Citrix support for Secure Boot: Windows Defender Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions: -- For Windows Defender Credential Guard on Windows 10 with McAfee Encryption products, see: -[Support for Windows Defender Device Guard and Windows Defender Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009) +- For Windows Defender Credential Guard on Windows 10 with McAfee Encryption products, see: + [Support for Windows Defender Device Guard and Windows Defender Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009) -- For Windows Defender Credential Guard on Windows 10 with Check Point Endpoint Security Client, see: -[Check Point Endpoint Security Client support for Microsoft Windows 10 Windows Defender Credential Guard and Windows Defender Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) +- For Windows Defender Credential Guard on Windows 10 with Check Point Endpoint Security Client, see: + [Check Point Endpoint Security Client support for Microsoft Windows 10 Windows Defender Credential Guard and Windows Defender Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) -- For Windows Defender Credential Guard on Windows 10 with VMWare Workstation -[Windows 10 host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361) +- For Windows Defender Credential Guard on Windows 10 with VMWare Workstation + [Windows 10 host fails when running VMWare Workstation when Windows Defender Credential Guard is 
enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361) -- For Windows Defender Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad -[ThinkPad support for Windows Defender Device Guard and Windows Defender Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039) +- For Windows Defender Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad + [ThinkPad support for Windows Defender Device Guard and Windows Defender Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039) -- For Windows Defender Credential Guard on Windows 10 with Symantec Endpoint Protection -[Windows 10 with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) +- For Windows Defender Credential Guard on Windows 10 with Symantec Endpoint Protection + [Windows 10 with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121) - This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Windows Defender Credential Guard. + This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Windows Defender Credential Guard. 
- Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. + Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 1fe70db10d..9c9ac33d77 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -64,9 +64,9 @@ Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). > [!NOTE] -If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you. +> If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you. -  + **Add the virtualization-based security features by using Programs and Features** 1. Open the Programs and Features control panel. 
@@ -155,32 +155,32 @@ DG_Readiness_Tool_v3.5.ps1 -Ready To disable Windows Defender Credential Guard, you can use the following set of procedures or [the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy. -1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). -2. Delete the following registry settings: - - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags -3. If you also wish to disable virtualization-based security delete the following registry settings: - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures - > [!IMPORTANT] - > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. +1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). +2. 
Delete the following registry settings: + - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags +3. If you also wish to disable virtualization-based security delete the following registry settings: + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity + - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures + > [!IMPORTANT] + > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. -4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: +4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: - ``` syntax - mountvol X: /s - copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y - bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" - bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: - mountvol X: /d - ``` + ``` syntax + mountvol X: /s + copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y + bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" + bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions 
DISABLE-LSA-ISO + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: + mountvol X: /d + ``` -5. Restart the PC. -6. Accept the prompt to disable Windows Defender Credential Guard. -7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. +5. Restart the PC. +6. Accept the prompt to disable Windows Defender Credential Guard. +7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. > [!NOTE] > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings: diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 87ca2f495c..8c3d26bfae 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md 
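Review bot: in step 2 of the re-indented list, the registry path `HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags` escapes its last backslash differently (`\L` instead of `\\L`) from the other four paths, in both the `-` and `+` versions; since the block is being reflowed, make the escaping consistent so the rendered path is unambiguous for someone deleting the value. Also, step 7 (`Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.`) is an alternative to the whole procedure rather than a step that follows "Accept the prompt", so it reads better as a sentence after the list, beside the [!NOTE] about one-time domain controller access.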
@@ -108,11 +108,11 @@ The following tables describe baseline protections, plus protections for improve ### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 -| Protections for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
                                                                                  • BIOS password or stronger authentication must be supported.
                                                                                  • In the BIOS configuration, BIOS authentication must be set.
                                                                                  • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
                                                                                  • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | **Security benefits**:
                                                                                  • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
                                                                                  • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | -| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation | **Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). | +| Protections for Improved Security | Description | +|-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
                                                                                  • BIOS password or stronger authentication must be supported.
                                                                                  • In the BIOS configuration, BIOS authentication must be set.
                                                                                  • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
                                                                                  • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | +| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation |
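Review bot: the rewritten rows for "Firmware: **Securing Boot Configuration and Management**" and "Firmware: **Secure MOR, revision 2 implementation**" drop the **Security benefits** cell that the removed lines carry ("BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings...", "Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media.", and "A secure MOR bit prevents advanced memory attacks." together with its link to the Secure MOR implementation page). The header row has only two columns, so the old three-cell rows were malformed, but the fix is to fold the benefits text into the Description cell the way the IOMMU row in this same hunk does ("**Requirement**: VT-D or AMD Vi IOMMU **Security benefits**: ..."), not to delete it. Please restore that text before merging; the benefits column is the part a reader uses to decide whether a requirement matters for their threat model.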
                                                                                  diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md index be88becc57..c6f6c2f100 100644 --- a/windows/security/identity-protection/enterprise-certificate-pinning.md +++ b/windows/security/identity-protection/enterprise-certificate-pinning.md @@ -21,7 +21,7 @@ ms.reviewer: # Enterprise Certificate Pinning **Applies to** -- Windows 10 +- Windows 10 Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name. Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. @@ -69,7 +69,6 @@ Each PinRule element contains a sequence of one or more Site elements and a sequ - ``` #### PinRules Element @@ -112,7 +111,7 @@ The **Site** element can have the following attributes. |-----------|-------------|----------| | **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
                                                                                  - If the DNS name has a leading "*" it is removed.
                                                                                  - Non-ASCII DNS name are converted to ASCII Puny Code.
                                                                                  - Upper case ASCII characters are converted to lower case.
                                                                                  If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.| | **AllSubdomains** | By default, wildcard left hand label matching is restricted to a single left hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.
                                                                                  For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.| - + ### Create a Pin Rules Certificate Trust List The command line utility, **Certutil.exe**, includes the **generatePinRulesCTL** argument to parse the XML file and generate the encoded certificate trust list (CTL) that you add to your reference Windows 10 version 1703 computer and subsequently deploy. 
@@ -185,27 +184,27 @@ Now you need to configure a Group Policy object to include the applied certifica Sign-in to the reference computer using domain administrator equivalent credentials. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the forest node and then expand the domain node. -3. Expand the node that has contains your Active Directory’s domain name -4. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and click **New**. -5. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and click **OK**. -6. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and click **Edit**. -7. In the **Group Policy Management Editor**, in the navigation pane, expand the **Preferences** node under **Computer Configuration**. Expand **Windows Settings**. -8. Right-click the **Registry** node and click **New**. -9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list. -10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name: +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the forest node and then expand the domain node. +3. Expand the node that has contains your Active Directory’s domain name +4. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and click **New**. +5. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and click **OK**. +6. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and click **Edit**. +7. 
In the **Group Policy Management Editor**, in the navigation pane, expand the **Preferences** node under **Computer Configuration**. Expand **Windows Settings**. +8. Right-click the **Registry** node and click **New**. +9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list. +10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name: HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config Click **Select** to close the **Registry Item Browser**. - -11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box. + +11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box. ![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png) - + 12. Close the **Group Policy Management Editor** to save your settings. -13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer. +13. 
Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer. ## Additional Pin Rules Logging diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index a9b7d9c199..c33567fa7c 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -340,15 +340,15 @@ The Group Policy object contains the policy settings needed to trigger Windows H 5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**. 6. In the navigation pane, expand **Policies** under **Computer Configuration**. 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
                                                                                  -![Group Policy Editor](images/multifactorUnlock/gpme.png) + ![Group Policy Editor](images/multifactorUnlock/gpme.png) 8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
                                                                                  -![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png) + ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png) 9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section. 10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section. 11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. - ## Troubleshooting -Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. + ## Troubleshooting + Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. ### Events diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index b7eea4f6e3..8e27516437 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md 
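Review bot: the `## Troubleshooting` heading and the sentence after it gain a leading space in the new lines (`+ ## Troubleshooting`, `+ Multi-factor unlock writes events...`). One space still parses as an ATX heading, but it is inconsistent with the flush-left `### Events` heading that follows in the same hunk and reads as an attempt to nest the section under step 11; keep the heading and its paragraph at column 0. The image lines re-indented under steps 7 and 8 are fine, that is the right way to keep them inside their list items.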
@@ -30,7 +30,7 @@ Windows Hello is the biometric authentication feature that helps strengthen auth Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. -##How does Windows Hello work? +## How does Windows Hello work? Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. @@ -88,9 +88,9 @@ To allow facial recognition, you must have devices with integrated special infra - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -  + -  + diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 1553c99149..fc0ae7661b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
@@ -347,14 +347,14 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi Sign-in the AD FS server with domain administrator equivalent credentials. -1. Open a **Windows PowerShell** prompt. -2. Type the following command +1. Open a **Windows PowerShell** prompt. +2. Type the following command - ```PowerShell - Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication - ``` ->[!NOTE] -> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. + ```PowerShell + Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication + ``` + >[!NOTE] + > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). 
Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. ### Enrollment Agent Certificate Enrollment diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md index 347624389a..ec2e495b92 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md 
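Review bot: in the re-indented NOTE under step 2 the two template names are formatted inconsistently (`**WHFBEnrollmentAgent** and WHFBAuthentication`); bold both or neither, since the sentence tells the reader to replace both strings in the command. Indenting the PowerShell fence and the `>[!NOTE]` block so they render inside the list item is correct.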
@@ -412,11 +412,11 @@ Sign in the User Portal server with _local administrator_ equivalent credentials ### Edit MFA User Portal config file Sign in the User Portal server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. -2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. -3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. -4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. +1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. +2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. 
Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. ### Create a DNS entry for the User Portal web site 
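Review bot: step 5 of the new lines loses both URLs: `change the value from **“** to the URL of the Web Service SDK ... (e.g. )`, where the removed line reads `from **“http://localhost:4898/PfWsSdk.asmx”** ... (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx)`. Without the default value and the example an administrator cannot tell which setting to replace or what a correctly formed HTTPS endpoint looks like, which matters here because the rest of the step insists on an SSL-matched server name rather than an IP address. Restore both strings, preferably in backticks rather than bold curly quotes.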
@@ -497,11 +497,11 @@ Follow [Install a standalone instance of the AD FS adapter by using the Web Serv ### Edit the MFA AD FS Adapter config file on all ADFS Servers Sign in the primary AD FS server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. -2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. -3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. -4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. +1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. +2. 
Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “ to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. ### Edit the AD FS Adapter Windows PowerShell cmdlet diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 67f81eda4a..fa0224fc1d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
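Review bot: the same URL loss appears in step 5 of the MultiFactorAuthenticationAdfsAdapter.config procedure: `change the value from “ to the URL of the Web Service SDK ... (e.g. )` replaces `from “http://localhost:4898/PfWsSdk.asmx” ... (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx)`. Restore the default value and the example endpoint here as well, in backticks, so both procedures stay usable.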
@@ -85,12 +85,12 @@ If the error occurs again, check the error code against the following table to s 0x80090029 TPM is not set up. -Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. +Sign on with an administrator account. Click Start, type "tpm.msc", and select tpm.msc Microsoft Common Console Document. In the Actions pane, select Prepare the TPM. 0x80090031 NTE_AUTHENTICATION_IGNORED -Reboot the device. If the error occurs again after rebooting, [reset the TPM]( https://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650) +Reboot the device. If the error occurs again after rebooting, reset the TPM or run Clear-TPM 0x80090035 @@ -105,7 +105,7 @@ If the error occurs again, check the error code against the following table to s 0x801C000E Registration quota reached -

                                                                                  Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933).

                                                                                  +

                                                                                  Unjoin some other device that is currently joined using the same account or increase the maximum number of devices per user.

                                                                                  0x801C000F @@ -135,17 +135,17 @@ If the error occurs again, check the error code against the following table to s 0x801C0016 The federation provider configuration is empty -Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the file is not empty. +Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. 0x801C0017 ​The federation provider domain is empty -Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the FPDOMAINNAME element is not empty. +Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. 0x801C0018 The federation provider client configuration URL is empty -Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the CLIENTCONFIG element contains a valid URL. +Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. 0x801C03E9 @@ -169,13 +169,13 @@ If the error occurs again, check the error code against the following table to s 0x801C03ED -

                                                                                  Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed

                                                                                  +

                                                                                  Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed

                                                                                  -or-

                                                                                  Token was not found in the Authorization header

                                                                                  -or-

                                                                                  Failed to read one or more objects

                                                                                  -or-

                                                                                  The request sent to the server was invalid.

                                                                                  -Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin. +Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin. 0x801C03EE @@ -199,7 +199,7 @@ If the error occurs again, check the error code against the following table to s -  + ## Errors with unknown mitigation For errors listed in this table, contact Microsoft Support for assistance. @@ -224,7 +224,7 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x801C03F0 | ​There is no key registered for the user | | 0x801C03F1 | ​There is no UPN in the token | | ​0x801C044C | There is no core window for the current thread | -  + ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index df8fd348cb..d0a4a28eb0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md 
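Review bot: in the -85 hunk the 0x80090031 row drops its link targets: `[reset the TPM](https://go.microsoft.com/fwlink/p/?LinkId=619969)` and `[Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650)` become plain "reset the TPM" and "Clear-TPM", so the reader is told to reset the TPM with no pointer to the procedure or to the cmdlet reference. Removing the bold from the tpm.msc UI names in the 0x80090029 row is fine, but the two links should stay.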
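Review bot: in the -105 hunk the 0x801C000E (Registration quota reached) row turns `[increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933)` into plain text, losing the only reference to where that limit is configured. Please keep the link.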
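Review bot: in the -135 hunk the three federation-provider rows (0x801C0016, 0x801C0017, 0x801C0018) replace `[http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml)` with the bare URL, so whether it renders as a link now depends on the renderer's autolink extension. Wrap it as `<http://clientconfig.microsoftonline-p.net/FPURL.xml>` or keep the link form so it stays clickable everywhere the page is published.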
@@ -28,13 +28,13 @@ This event is created when Windows Hello for Business is successfully created an ## Event details -| **Product:** | Windows 10 operating system | -| --- | --- | -| **ID:** | 300 | -| **Source:** | Microsoft Azure Device Registration Service | -| **Version:** | 10 | +| **Product:** | Windows 10 operating system | +|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **ID:** | 300 | +| **Source:** | Microsoft Azure Device Registration Service | +| **Version:** | 10 | | **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.
                                                                                  Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | -  + ## Resolve This is a normal condition. No further action is required. diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index 0796d9d0cd..cc796078e6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -129,15 +129,15 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. 2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.
                                                                                  -``` -dsregcmd /status | findstr -snip "tenantid" -``` + ``` + dsregcmd /status | findstr -snip "tenantid" + ``` 3. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**. 4. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list. 5. In the **Custom OMA-URI Settings** blade, Click **Add**. 6. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2. 7. Select **Boolean** from the **Data type** list and select **True** from the **Value** list. -8. Click **OK** to save the row configuration. Click **OK** to close the **Custom OMA-URI Settings blade. Click **Create** to save the profile. +8. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile. ##### Assign the PIN Reset Device configuration profile using Microsoft Intune 1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 80d21a2948..0492d0e9fc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md 
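Review bot: step 8 of this hunk introduces unbalanced bold markup: the new line reads `Click **Create to save the profile.` with no closing `**`, and `the **Custom OMA-URI Settings blade` lost its bold instead of being closed. Suggest `Click **OK** to close the **Custom OMA-URI Settings** blade. Click **Create** to save the profile.` While touching this step list, the unchanged context line above still says "You can discovery your tenant ID"; "discover" is the fix.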
@@ -17,7 +17,7 @@ ms.reviewer: --- # Windows Hello for Business Provisioning -**Applies to:** +Applies to: - Windows 10 Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on: @@ -61,12 +61,14 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, ## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment ![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed ennvironment](images/howitworks/prov-haadj-keytrust-managed.png) -| Phase | Description | -| :----: | :----------- | -| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
                                                                                  Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
                                                                                  Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | -|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| -|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.| -|D | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. 
AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.| + +| Phase | Description | +|:-----:|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
                                                                                  Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
                                                                                  Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | +| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). | +| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. | +| D | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory. | + > [!IMPORTANT] > The newly provisioned user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. 
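Review bot: the reflowed Key Trust rows keep two wording errors from the old table: row B "After receiving a ADRS access token" should be "an ADRS access token", and row C "writes the key information to a multi-values attribute" should be "multi-valued attribute". Since the hunk rewrites every row anyway, it is the right place to fix them. Merging the two-line row D into one line is fine, and the IMPORTANT note below it still matches row D.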
@@ -77,16 +79,18 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, ## Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment ![Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-certtrust-managed.png) -| Phase | Description | -| :----: | :----------- | -| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
                                                                                  Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
                                                                                  Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | -|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| -|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application, which represents the end of user key registration.| -|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
                                                                                  The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
                                                                                  After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.| -|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
                                                                                  If the public key in the certificate is not found in the list of registered public keys, certificate enrollment is deferred until Phase F completes. The application is informed of the deferment and exits to the user's desktop. The automatic certificate enrollment client triggers the Azure AD Web Account Manager plug-in to retry the certificate enrollment at 24, 85, 145, 205, 265, and 480 minutes after phase C successfully completes. The user must remain signed in for automatic certificate enrollment to trigger certificate enrollment. If the user signs out, automatic certificate enrollment is triggered approximately 30 minutes after the user's next sign in.
                                                                                  After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate.| -|G |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| -|H | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.| -|F | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.| + +| Phase | Description | +|:-----:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| A | The provisioning 
application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
                                                                                  Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
                                                                                  Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | +| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). | +| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application, which represents the end of user key registration. | +| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
                                                                                  The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
                                                                                  After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. | +| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
                                                                                  If the public key in the certificate is not found in the list of registered public keys, certificate enrollment is deferred until Phase F completes. The application is informed of the deferment and exits to the user's desktop. The automatic certificate enrollment client triggers the Azure AD Web Account Manager plug-in to retry the certificate enrollment at 24, 85, 145, 205, 265, and 480 minutes after phase C successfully completes. The user must remain signed in for automatic certificate enrollment to trigger certificate enrollment. If the user signs out, automatic certificate enrollment is triggered approximately 30 minutes after the user's next sign in.
                                                                                  After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate. | +| G | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. | +| H | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. | +| F | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory. | + > [!IMPORTANT] > The newly provisioned user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. @@ -95,15 +99,17 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-instant-certtrust-managed.png) -| Phase | Description | -| :----: | :----------- | -| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
                                                                                  Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
                                                                                  Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | -|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| -|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration.| -|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
                                                                                  The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
                                                                                  After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.| -|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
                                                                                  If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
                                                                                  After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate.| -|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| -|G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.| + +| Phase | Description | +|:-----:|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
                                                                                  Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
                                                                                  Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | +| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). | +| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration. | +| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
                                                                                  The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
                                                                                  After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. | +| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
                                                                                  If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
                                                                                  After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate. | +| F | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. | +| G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. | + > [!IMPORTANT] > Synchronous certificate enrollment does not depend on Azure AD Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not shown in this flow. @@ -112,15 +118,17 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png) -| Phase | Description | -| :----: | :----------- | -| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
                                                                                  In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
                                                                                  Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services (or a third party MFA service) provides the second factor of authentication.
                                                                                  The on-premises STS server issues a enterprise token on successful MFA. The application sends the token to Azure Active Directory.
                                                                                  Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | -|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| -|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration.| -|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
                                                                                  The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
                                                                                  After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.| -|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
                                                                                  If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
                                                                                  After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate.| -|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| -|G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.| + +| Phase | Description | +|:-----:|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure 
Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
                                                                                  In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
                                                                                  Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services (or a third party MFA service) provides the second factor of authentication.
                                                                                  The on-premises STS server issues a enterprise token on successful MFA. The application sends the token to Azure Active Directory.
                                                                                  Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | +| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). | +| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration. | +| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
                                                                                  The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
                                                                                  After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. | +| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
                                                                                  If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
                                                                                  After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate. | +| F | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. | +| G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. | + > [!IMPORTANT] > Synchronous certificate enrollment does not depend on Azure AD Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not shown in this flow. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index c5463018d8..fe8e1659ff 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -18,7 +18,7 @@ ms.reviewer: # Technology and Terms **Applies to:** -- Windows 10 +- Windows 10 - [Attestation Identity Keys](#attestation-identity-keys) - [Azure AD Joined](#azure-ad-joined) @@ -41,7 +41,7 @@ ms.reviewer: - [Storage Root Key](#storage-root-key) - [Trust Type](#trust-type) - [Trusted Platform Module](#trusted-platform-module) -
                                                                                  +
                                                                                  ## Attestation Identity Keys Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 644901962f..fbb7791800 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
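Review bot: the rewritten table in the hello-how-it-works-provisioning.md hunk reproduces every wording error of the rows it replaces, so this is the place to fix them: `msDS-KeyCredentailsLink` in row D should be `msDS-KeyCredentialLink` (the real attribute name, which readers will search for when debugging key-trust provisioning), `a ADRS access token` in row B and `a enterprise token` in row A need `an`, `multi-values attribute` in row C should be `multi-valued attribute`, row E's `If the public key in the certificate is not found` should say `in the certificate request`, and row G's `installs the it into the Personal store` should drop `the`. The two hunks in hello-how-it-works-technology.md that follow are trailing-whitespace removal only and need no change.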
@@ -114,16 +114,16 @@ You need to host your new certificate revocation list of a web server so Azure A 1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**. 2. Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and click **Add Virtual Directory...**. 3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you will host the certificate revocation list. For this example, the path **c:\cdp** is used. Click **OK**. -![Add Virtual Directory](images/aadj/iis-add-virtual-directory.png) -> [!NOTE] -> Make note of this path as you will use it later to configure share and file permissions. + ![Add Virtual Directory](images/aadj/iis-add-virtual-directory.png) + > [!NOTE] + > Make note of this path as you will use it later to configure share and file permissions. 4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Click **Enable** in the details pane. 5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**. 6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**. -![IIS Configuration Editor requestFiltering](images/aadj/iis-config-editor-requestFiltering.png) -In the list of named value-pairs in the content pane, configure **allowDoubleEscapting** to **True**. Click **Apply** in the actions pane. -![IIS Configuration Editor double escaping](images/aadj/iis-config-editor-allowDoubleEscaping.png) + ![IIS Configuration Editor requestFiltering](images/aadj/iis-config-editor-requestFiltering.png) + In the list of named value-pairs in the content pane, configure **allowDoubleEscapting** to **True**. Click **Apply** in the actions pane. + ![IIS Configuration Editor double escaping](images/aadj/iis-config-editor-allowDoubleEscaping.png) 7. 
Close **Internet Information Services (IIS) Manager**. #### Create a DNS resource record for the CRL distribution point URL @@ -180,12 +180,12 @@ The web server is ready to host the CRL distribution point. Now, configure the 1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. 2. In the navigation pane, right-click the name of the certificate authority and click **Properties** 3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. -4. On the **Extensions** tab, click **Add**. Type **http://crl.[domainname]/cdp/** in **location**. For example, *http://crl.corp.contoso.com/cdp/* or *http://crl.contoso.com/cdp/* (do not forget the trailing forward slash). -![CDP New Location dialog box](images/aadj/cdp-extension-new-location.png) +4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash). + ![CDP New Location dialog box](images/aadj/cdp-extension-new-location.png) 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. 7. Select the CDP you just created. -![CDP complete http](images/aadj/cdp-extension-complete-http.png) + ![CDP complete http](images/aadj/cdp-extension-complete-http.png) 8. Select **Include in CRLs. Clients use this to find Delta CRL locations**. 9. Select **Include in the CDP extension of issued certificates**. 10. Click **Apply** save your selections. Click **No** when ask to restart the service. 
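Review bot: two problems in the rewritten lines of these hello-hybrid-aadj-sso-base.md hunks. In the @@ -114 hunk, step 6 still says `configure **allowDoubleEscapting** to **True**`; the IIS requestFiltering attribute is `allowDoubleEscaping`, and since the line is being re-emitted anyway the spelling should be corrected so a reader can find it in Configuration Editor. In the @@ -180 hunk, step 4 lost its examples: the removed line read `For example, *http://crl.corp.contoso.com/cdp/* or *http://crl.contoso.com/cdp/*`, while the added line ends in `For example, ** or **`. Restore the two example URLs, and keep them as plain http rather than https, so that fetching the CRL never depends on first validating a TLS certificate. The step 5 context lines (`Select **\** from the **Variable** list`) have also lost their variable names, which predates this change but is worth fixing in the same pass.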
@@ -198,11 +198,11 @@ The web server is ready to host the CRL distribution point. Now, configure the 1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. 2. In the navigation pane, right-click the name of the certificate authority and click **Properties** 3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. -4. On the **Extensions** tab, click **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\** (do not forget the trailing backwards slash). +4. On the **Extensions** tab, click **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (do not forget the trailing backwards slash). 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. 7. Select the CDP you just created. -![CDP publishing location](images/aadj/cdp-extension-complete-unc.png) + ![CDP publishing location](images/aadj/cdp-extension-complete-unc.png) 8. Select **Publish CRLs to this location**. 9. Select **Publish Delta CRLs to this location**. 10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box. 
@@ -218,8 +218,8 @@ The web server is ready to host the CRL distribution point. Now, configure the Validate your new CRL distribution point is working. -1. Open a web browser. Navigate to **http://crl.[yourdomain].com/cdp**. You should see two files created from publishing your new CRL. -![Validate the new CRL](images/aadj/validate-cdp-using-browser.png) +1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL. + ![Validate the new CRL](images/aadj/validate-cdp-using-browser.png) ### Reissue domain controller certificates 
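Review bot: the validation step in the @@ -218 hunk only confirms that Directory Browsing is enabled and that two files are listed; it does not show that a client can retrieve and parse the CRL through the CDP extension. Suggest adding a client-side check such as `certutil -verify -urlfetch` against a certificate issued after the CDP change, which exercises the same URL the relying party will use. Also note the placeholder is `http://crl.[yourdomain].com/cdp` here but `http://crl.[domainname]/cdp/` in the @@ -180 hunk; pick one form, and include the trailing slash in both since the earlier step insists on it.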
@@ -297,25 +297,25 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Click **device enrollment**. 4. Click **Windows enrollment** 5. Under **Windows enrollment**, click **Windows Hello for Business**. -![Create Intune Windows Hello for Business Policy](images/aadj/IntuneWHFBPolicy-00.png) + ![Create Intune Windows Hello for Business Policy](images/aadj/IntuneWHFBPolicy-00.png) 6. Under **Priority**, click **Default**. 7. Under **All users and all devices**, click **Settings**. 8. Select **Enabled** from the **Configure Windows Hello for Business** list. 9. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software based keys. 10. Type the desired **Minimum PIN length** and **Maximum PIN length**. -> [!IMPORTANT] -> The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. + > [!IMPORTANT] + > The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. ![Intune Windows Hello for Business policy settings](images/aadj/IntuneWHFBPolicy-01.png) 11. Select the appropriate configuration for the following settings. - * **Lowercase letters in PIN** - * **Uppercase letters in PIN** - * **Special characters in PIN** - * **PIN expiration (days)** - * **Remember PIN history** -> [!NOTE] -> The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. 
Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. + * **Lowercase letters in PIN** + * **Uppercase letters in PIN** + * **Special characters in PIN** + * **PIN expiration (days)** + * **Remember PIN history** + > [!NOTE] + > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. 12. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. 13. Select **No** to **Allow phone sign-in**. This feature has been deprecated. 
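Review bot: the re-indented NOTE in the @@ -297 hunk keeps several wording errors that should be fixed while the lines are being rewritten: `shoulder surfacing` should be `shoulder surfing`, and `rather that forcing complex PIN that change frequently` should read `rather than forcing complex PINs that change frequently`. Step 9's context line `falls backs to software` should be `falls back to software`. The IMPORTANT note about Intune defaulting the minimum PIN length to 4 is the most security-relevant sentence in the hunk and is correct; consider moving the recommendation (`set the minimum PIN length to 6`) into the step text itself rather than a note below it, so it is not missed by readers who skim the numbered steps.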
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index d41ec2141b..4baae2e5a4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -79,9 +79,9 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ 2. Click **Login** and provide Azure credentials -3. In the Azure AD Graph Explorer URL, type **https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** +3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid] is the user principal name of user in Azure Active Directory. Click **Go** 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. -![Azure AD Connect On-Prem DN Attribute](images/aadjcert/aadconnectonpremdn.png) + ![Azure AD Connect On-Prem DN Attribute](images/aadjcert/aadconnectonpremdn.png) ## Prepare the Network Device Enrollment Services (NDES) Service Account @@ -178,9 +178,9 @@ When deploying certificates using Microsoft Intune, you have the option of provi Sign-in to the issuing certificate authority with access equivalent to _local administrator_. 1. Open and elevated command prompt. Type the command -``` -certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE -``` + ``` + certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE + ``` 2. Restart the **Active Directory Certificate Services** service. ### Create an NDES-Intune authentication certificate template 
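Review bot: in the @@ -79 hunk the rewritten step 3 has unbalanced bold: `where **[userid] is the user principal name of user in Azure Active Directory` opens `**` and never closes it, so the rest of the line renders bold; either close it after `[userid]` or drop the markers as was done for the URL earlier in the same line. In the @@ -178 hunk the indented fence is fine, but the step should say what the flag does before telling the reader to restart AD CS: `EDITF_ATTRIBUTEENDDATE` makes the CA honor an expiration-date attribute supplied in the request, which is how Intune controls certificate validity, and because `Policy\EditFlags` is CA-wide it affects every template this CA issues. Also `Open and elevated command prompt` should be `Open an elevated command prompt`.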
@@ -252,27 +252,27 @@ Sign-in to the certificate authority or management workstations with an _Enterpr 1. Open **Server Manager** on the NDES server. 2. Click **Manage**. Click **Add Roles and Features**. 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**. -![Server Manager destination server](images/aadjCert/servermanager-destination-server-ndes.png) + ![Server Manager destination server](images/aadjCert/servermanager-destination-server-ndes.png) 4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. -![Server Manager AD CS Role](images/aadjCert/servermanager-adcs-role.png) -Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. -![Server Manager Add Features](images/aadjcert/serverManager-adcs-add-features.png) + ![Server Manager AD CS Role](images/aadjCert/servermanager-adcs-role.png) + Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. + ![Server Manager Add Features](images/aadjcert/serverManager-adcs-add-features.png) 5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**. -![Server Manager Feature HTTP Activation](images/aadjcert/servermanager-adcs-http-activation.png) + ![Server Manager Feature HTTP Activation](images/aadjcert/servermanager-adcs-http-activation.png) 6. On the **Select role services** page, clear the **Certificate Authority** check box. 
Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**. -![Server Manager ADCS NDES Role](images/aadjcert/servermanager-adcs-ndes-role-checked.png) + ![Server Manager ADCS NDES Role](images/aadjcert/servermanager-adcs-ndes-role-checked.png) 7. Click **Next** on the **Web Server Role (IIS)** page. 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**. - * **Web Server > Security > Request Filtering** - * **Web Server > Application Development > ASP.NET 3.5**. - * **Web Server > Application Development > ASP.NET 4.5**. . - * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** - * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** -![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png) + * **Web Server > Security > Request Filtering** + * **Web Server > Application Development > ASP.NET 3.5**. + * **Web Server > Application Development > ASP.NET 4.5**. . + * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility** + * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility** + ![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png) 9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. -> [!Important] -> The .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ -![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png) + > [!Important] + > The .NET Framework 3.5 is not included in the typical installation. 
If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\ + ![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png) ### Configure the NDES service account This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation 
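Review bot: the @@ -252 hunk re-indents the role list but leaves defects in the rewritten lines: `**ASP.NET 4.5**. .` has a stray second period, step 8's `Web Serve role` should be `Web Server role`, and the IMPORTANT note's alternate source path `\:\\Sources\SxS\` is missing the drive-letter placeholder that should precede the colon (for example `D:\Sources\SxS\`, with the letter clearly marked as an example). The `IIS 6 Metabase Compatibility` and `IIS 6 WMI Compatibility` items are required for NDES setup, so it is worth keeping them, but the list should say these are prerequisites of the NDES role rather than generic web server features.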
@@ -392,18 +392,18 @@ Sign-in a workstation with access equivalent to a _domain user_. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 3. Under **MANAGE**, click **Application proxy**. 4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain. -![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) + ![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. -> [!IMPORTANT] -> Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategtically locate Azure AD application proxy connectors throughout your organization to ensure maximum availablity. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. + > [!IMPORTANT] + > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategtically locate Azure AD application proxy connectors throughout your organization to ensure maximum availablity. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. 6. Start **AADApplicationProxyConnectorInstaller.exe**. 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. -![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-01.png) + ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-01.png) 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**. 
-![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-02.png) + ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-02.png) 9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**. -![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-03.png) + ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-03.png) 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. #### Create a Connector Group 
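Review bot: step 10 in the @@ -392 hunk says `Repeat steps 5 - 10 for each device`, which includes itself; it should read `Repeat steps 5 - 9`. The IMPORTANT note being rewritten still has `Strategtically` and `availablity` (strategically, availability). The note's substantive guidance, at least two connectors per NDES Application Proxy and connectors placed where they can reach both Azure and the on-premises NDES servers, is correct and should stay.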
@@ -428,14 +428,14 @@ Sign-in a workstation with access equivalent to a _domain user_. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. 6. Next to **Internal Url**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. 7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). -![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) + ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) 8. Select **Passthrough** from the **Pre Authentication** list. 9. Select **NDES WHFB Connectors** from the **Connector Group** list. 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. 11. Click **Add**. 12. Sign-out of the Azure Portal. -> [!IMPORTANT] -> Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate. 
+ > [!IMPORTANT] + > Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate. ### Enroll the NDES-Intune Authentication certificate 
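Review bot: step 8 in the @@ -428 hunk, `Select **Passthrough** from the **Pre Authentication** list`, is the security-relevant setting and deserves a one-line explanation: with Passthrough the published NDES endpoint is reachable without Azure AD pre-authentication, so certificate issuance relies on the SCEP challenge that the Intune NDES policy module validates, which is why the internal URL must be https and why the NDES server must not be left with a default, unprotected SCEP configuration. Two wording issues in the surrounding lines: step 7 begins `Under **Internal Url**` while describing the external hostname field, and `Translate URLLs In` in step 10 should be `Translate URLs In`.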
@@ -548,39 +548,39 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. 3. On the **Microsoft Intune** page, click **Next**. -![Intune Connector Install 01](images/aadjcert/intunecertconnectorinstall-01.png) + ![Intune Connector Install 01](images/aadjcert/intunecertconnectorinstall-01.png) 4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. 5. On the **Destination Folder** page, click **Next**. 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. -![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png) + ![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png) 7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. -![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png) -> [!NOTE] -> The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. + ![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png) + > [!NOTE] + > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. 8. 
On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. -![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png) -> [!NOTE] -> You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder + ![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png) + > [!NOTE] + > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. -![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png) + ![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png) ### Configure the Intune Certificate Connector Sign-in the NDES server with access equivalent to _domain administrator_. 1. The **NDES Connector** user interface should be open from the last task. -> [!NOTE] -> If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. + > [!NOTE] + > If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. 2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply** -![Intune Certificate Connector Configuration 01](images/aadjcert/intunecertconnectorconfig-01.png) + ![Intune Certificate Connector Configuration 01](images/aadjcert/intunecertconnectorconfig-01.png) 3. Click **Sign-in**. 
Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. -![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png) -> [!IMPORTANT] -> The user account must have a valid Intune licenese asssigned. If the user account does not have a valid Intune license, the sign-in fails. + ![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png) + > [!IMPORTANT] + > The user account must have a valid Intune licenese asssigned. If the user account does not have a valid Intune license, the sign-in fails. 4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task. 
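Review bot: The re-indented NOTE and IMPORTANT callouts in this hunk carry over the typos on the very lines being touched: "rembers" should be "remembers", "licenese asssigned" should be "license assigned", and step 9 reads "ON the" for "On the"; since these lines are already rewritten for indentation, fix the spelling in the same pass. Separately, the hunk context says to sign in with access equivalent to domain administrator, while step 2 only requires running NDESConnectorSetup.exe from an elevated prompt; if domain administrator rights are genuinely needed for the connector install, say why, otherwise scope the requirement down to local administrator on the NDES server.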
@@ -643,14 +643,14 @@ Sign-in a workstation with access equivalent to a _domain user_. 2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. 3. Select **Device Configuration**, and then click **Profiles**. 4. Select **Create Profile**. -![Intune Device Configuration Create Profile](images/aadjcert/intunedeviceconfigurationcreateprofile.png) + ![Intune Device Configuration Create Profile](images/aadjcert/intunedeviceconfigurationcreateprofile.png) 5. Next to **Name**, type **WHFB Certificate Enrollment**. 6. Next to **Description**, provide a description meaningful for your environment. 7. Select **Windows 10 and later** from the **Platform** list. 8. Select **SCEP certificate** from the **Profile** list. -![WHFB Scep Profile Blade](images/aadjcert/intunewhfbscepprofile-00.png) + ![WHFB Scep Profile Blade](images/aadjcert/intunewhfbscepprofile-00.png) 9. The **SCEP Certificate** blade should open. Configure **Certificate validity period** to match your organization. -> [!IMPORTANT] + > [!IMPORTANT] > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. 10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. 
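Review bot: The IMPORTANT callout under step 9 is only half re-indented: the hunk changes `-> [!IMPORTANT]` to `+ > [!IMPORTANT]` but leaves the next line, `> Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.`, at column 0, so the marker sits inside the list item while its body does not and the alert will not render as one block. Indent the body line to match (` > Remember that ...`), as the other callouts in this file now do.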
@@ -658,10 +658,10 @@ Sign-in a workstation with access equivalent to a _domain user_. 12. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority. -![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png) -15. Under **Extended key usage**, type **Smart Card Logon** under **Name. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. + ![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png) +15. Under **Extended key usage**, type **Smart Card Logon** under Name. Type **1.3.6.1.4.1.311.20.2.2 under **Object identifier**. Click **Add**. 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. -![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) + ![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. 
Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile. 18. Click **OK**. 19. Click **Create**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 3bc4f61f6f..0a8ef8fa68 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -104,11 +104,11 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co ### Azure Multi-Factor Authentication (MFA) Cloud ### > [!IMPORTANT] -As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: +> As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: > * Azure Multi-Factor Authentication > * Azure Active Directory Premium > * Enterprise Mobility + Security -> +> > If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. #### Azure MFA Provider #### diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 6dd0d1630d..4dc8b49caf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
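Review bot: Step 15 in the -658 hunk still has unbalanced bold markers: the new line reads `type **Smart Card Logon** under Name. Type **1.3.6.1.4.1.311.20.2.2 under **Object identifier**`, which drops the closing `**` after the OID, so the bold runs from the OID into "under" and leaves a stray marker on "Object identifier". Change it to `Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**.`; the OID itself is the correct Smart Card Logon EKU, so only the formatting needs to change.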
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -23,9 +23,9 @@ ms.reviewer: - Hybrid deployment - Certificate trust - + Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. - + > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. @@ -76,11 +76,11 @@ Manually updating Active Directory uses the command-line utility **adprep.exe** Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. -1. Open an elevated command prompt. -2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. -5. Close the Command Prompt and sign-out. +1. Open an elevated command prompt. +2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +3. To update the schema, type ```adprep /forestprep```. +4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. +5. Close the Command Prompt and sign-out. > [!NOTE] > If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured. 
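Review bot: Step 4 of the adprep list in the -76 hunk keeps `Type the letter **C***`, a stray third asterisk that renders as a literal `*` after the bold C; the hunk already rewrites this line for trailing whitespace, so change it to `**C**`. The lead-in to this hunk asks for enterprise administrator equivalent credentials, but `adprep /forestprep` also requires membership in Schema Admins and in Domain Admins of the domain hosting the schema master; listing all three avoids a failed run that the reader only discovers at step 3.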
@@ -116,12 +116,12 @@ If your AD FS farm is not already configured for Device Authentication (you can 1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. ![Device Registration](images/hybridct/device2.png) - -2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: - - `Import-module activedirectory` - `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` -3. On the pop-up window click **Yes**. + +2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: + + `Import-module activedirectory` + `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` +3. On the pop-up window click **Yes**. > [!NOTE] > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" 
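Review bot: The line `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` in this hunk has an empty string where the service account placeholder belongs, and the two commands are presented inconsistently (one bare `Import-module activedirectory`, one with a `PS C:\>` prompt). Give the parameter an explicit placeholder in the format the NOTE below already uses for gMSA accounts, for example `-ServiceAccountName "domain\accountname"` (or `"domain\accountname$"` for a gMSA), and either drop the prompt prefix or apply it to both lines. It is also worth saying that this is the AD FS service account, since that is the account that later receives read access to the RegisteredDevices container in the "Check your configuration" list.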
@@ -137,15 +137,15 @@ The above PSH creates the following objects: ![Device Registration](images/hybridct/device4.png) -4. Once this is done, you will see a successful completion message. +4. Once this is done, you will see a successful completion message. ![Device Registration](images/hybridct/device5.png) ### Create Service Connection Point (SCP) in Active Directory If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS 1. Open Windows PowerShell and execute the following: - - `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` + + `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` > [!NOTE] > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep @@ -154,16 +154,16 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure 2. Provide your Azure AD global administrator credentials - `PS C:>$aadAdminCred = Get-Credential` + `PS C:>$aadAdminCred = Get-Credential` ![Device Registration](images/hybridct/device7.png) -3. Run the following PowerShell command +3. Run the following PowerShell command - `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` + `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. - + The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS. ### Prepare AD for Device Write Back 
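Review bot: The -154 hunk describes `[AD connector account name]` only as "the name of the account you configured in Azure AD Connect", while the next hunk (-171) specifies the same placeholder for `Initialize-ADSyncDeviceWriteBack` "in domain\accountname format"; state the format here as well, since `Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount` takes the same account. The prompt prefix `PS C:>` (no backslash, no space) also differs from the `PS C:\>` used in the -116 hunk; pick one form. Since `$aadAdminCred` holds a Global Administrator credential that is only needed for step 3, consider adding `Remove-Variable aadAdminCred` after the SCP is created so the credential does not linger in the session.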
@@ -171,7 +171,7 @@ To ensure AD DS objects and containers are in the correct state for write back o 1. Open Windows PowerShell and execute the following: - `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` + `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format @@ -211,7 +211,7 @@ If you are already issuing an ImmutableID claim (e.g., alternate login ID) you n * `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID` In the following sections, you find information about: - + - The values each claim should have - How a definition would look like in AD FS 
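Review bot: In the -171 hunk the command `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` passes `-DomainName` with no value, so copied as written it fails parameter binding before anything runs; give it a placeholder in the same bracketed style, e.g. `-DomainName [domain name] -AdConnectorAccount [AD connector account name]`. The explanatory sentence below it, which already gives the domain\accountname format for the connector account, is the right model for the rest of the file.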
@@ -224,100 +224,100 @@ The definition helps you to verify whether the values are present or if you need **`http://schemas.microsoft.com/ws/2012/01/accounttype`** - This claim must contain a value of **DJ**, which identifies the device as a domain-joined computer. In AD FS, you can add an issuance transform rule that looks like this: - @RuleName = "Issue account type for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "DJ" - ); + @RuleName = "Issue account type for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "DJ" + ); #### Issue objectGUID of the computer account on-premises **`http://schemas.microsoft.com/identity/claims/onpremobjectguid`** - This claim must contain the **objectGUID** value of the on-premises computer account. 
In AD FS, you can add an issuance transform rule that looks like this: - @RuleName = "Issue object GUID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), - query = ";objectguid;{0}", - param = c2.Value - ); - + @RuleName = "Issue object GUID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", + param = c2.Value + ); + #### Issue objectSID of the computer account on-premises **`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. 
In AD FS, you can add an issuance transform rule that looks like this: - @RuleName = "Issue objectSID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue(claim = c2); + @RuleName = "Issue objectSID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue(claim = c2); #### Issue issuerID for computer when multiple verified domain names in Azure AD **`http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid`** - This claim must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or 3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the rules below, a first rule identifying user vs. computer authentication is added. 
- @RuleName = "Issue account type with the value User when its not a computer" - NOT EXISTS( - [ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "DJ" - ] - ) - => add( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "User" - ); - - @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" - c1:[ - Type == "http://schemas.xmlsoap.org/claims/UPN" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "User" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = regexreplace( - c1.Value, - ".+@(?.+)", - "http://${domain}/adfs/services/trust/" - ) - ); - - @RuleName = "Issue issuerID for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = "http:///adfs/services/trust/" - ); + @RuleName = "Issue account type with the value User when its not a computer" + NOT EXISTS( + [ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "DJ" + ] + ) + => add( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "User" + ); + + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" + c1:[ + Type == "http://schemas.xmlsoap.org/claims/UPN" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "User" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = regexreplace( + c1.Value, + ".+@(?.+)", + "http://${domain}/adfs/services/trust/" + ) + ); + + @RuleName = "Issue issuerID for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL 
AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = "http:///adfs/services/trust/" + ); In the claim above, 
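Review bot: The issuerID rules in the -224 hunk contain a malformed regular expression: `".+@(?.+)"` opens a named capture group with no name, while the replacement `"http://${domain}/adfs/services/trust/"` references `${domain}`; it must read `".+@(?<domain>.+)"` or the rule set will not load. The final rule's `Value = "http:///adfs/services/trust/"` likewise has an empty host and needs one of the verified domain names, as the helper script later does with `$oneOfVerifiedDomainNames`. The `-515$` (Domain Computers) match paired with `Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"` is the right guard, because it keeps a groupsid claim received from a claims-provider trust from satisfying the computer condition; it should stay on every rule.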
@@ -332,146 +332,146 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain] **`http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID`** - This claim must contain a valid value for computers. In AD FS, you can create an issuance transform rule as follows: - @RuleName = "Issue ImmutableID for computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), - query = ";objectguid;{0}", - param = c2.Value - ); + @RuleName = "Issue ImmutableID for computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", + param = c2.Value + ); #### Helper script to create the AD FS issuance transform rules The following script helps you with the creation of the issuance transform rules described above. 
- $multipleVerifiedDomainNames = $false - $immutableIDAlreadyIssuedforUsers = $false - $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains - - $rule1 = '@RuleName = "Issue account type for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "DJ" - );' + $multipleVerifiedDomainNames = $false + $immutableIDAlreadyIssuedforUsers = $false + $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains - $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), - query = ";objectguid;{0}", - param = c2.Value - );' + $rule1 = '@RuleName = "Issue account type for domain-joined computers" + c:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "DJ" + );' - $rule3 = '@RuleName = "Issue objectSID for domain-joined computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", - Issuer =~ "^(AD AUTHORITY|SELF 
AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue(claim = c2);' + $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", + param = c2.Value + );' - $rule4 = '' - if ($multipleVerifiedDomainNames -eq $true) { - $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" - NOT EXISTS( - [ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "DJ" - ] - ) - => add( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value = "User" - ); - - @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" - c1:[ - Type == "http://schemas.xmlsoap.org/claims/UPN" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", - Value == "User" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = regexreplace( - c1.Value, - ".+@(?.+)", - "http://${domain}/adfs/services/trust/" - ) - ); - - @RuleName = "Issue issuerID for domain-joined computers" - c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", - Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" - );' - } + $rule3 = '@RuleName = "Issue objectSID for domain-joined computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ 
"-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue(claim = c2);' - $rule5 = '' - if ($immutableIDAlreadyIssuedforUsers -eq $true) { - $rule5 = '@RuleName = "Issue ImmutableID for computers" - c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && - c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", - Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), - query = ";objectguid;{0}", - param = c2.Value - );' - } + $rule4 = '' + if ($multipleVerifiedDomainNames -eq $true) { + $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" + NOT EXISTS( + [ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "DJ" + ] + ) + => add( + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value = "User" + ); - $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" + c1:[ + Type == "http://schemas.xmlsoap.org/claims/UPN" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Value == "User" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = regexreplace( + c1.Value, + ".+@(?.+)", + "http://${domain}/adfs/services/trust/" + ) + ); - $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 + @RuleName = "Issue issuerID for domain-joined computers" + c:[ + Type == 
"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" + );' + } - $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules + $rule5 = '' + if ($immutableIDAlreadyIssuedforUsers -eq $true) { + $rule5 = '@RuleName = "Issue ImmutableID for computers" + c1:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + && + c2:[ + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" + ] + => issue( + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", + param = c2.Value + );' + } - Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString + $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules + + $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 + + $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules + + Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString #### Remarks 
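Review bot: The helper script in this hunk appends `$rule1` through `$rule5` to the existing IssuanceTransformRules unconditionally, so running it twice, or on a trust where Azure AD Connect already created equivalent rules, produces duplicate rules with the same @RuleName; inspect `$existingRules` for those names (and for an existing issuerid rule, which the Remarks below say must be removed) before building `$updatedRules`, and save the current rule string to a file before calling `Set-AdfsRelyingPartyTrust` so the change can be reverted. `$rule4` carries the same regex defect as the prose rules: `".+@(?.+)"` needs the group name, `(?<domain>.+)`. The rules are single-quoted PowerShell strings, which is what prevents PowerShell from expanding `${domain}` itself; anyone editing them should keep the single quotes.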
@@ -480,8 +480,10 @@ The following script helps you with the creation of the issuance transform rules - If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains cmdlet), set the value of **$multipleVerifiedDomainNames** in the script to **$true**. Also make sure that you remove any existing issuerid claim that might have been created by Azure AD Connect or via other means. Here is an example for this rule: - c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] - => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); +~~~ + c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] + => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); +~~~ - If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. 
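Review bot: This hunk introduces a `~~~` fence for the example issuerid rule while every other rule and script in the file is a four-space indented block; use the file's existing convention here, or convert all of the blocks in one change, rather than mixing the two. The example rule also carries the same malformed regex, `".+@(?.+)"`, which should be `".+@(?<domain>.+)"`. In the unchanged context line, "the Get-MsolDomains cmdlet" should be `Get-MsolDomain`, the name the section above this one uses.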
@@ -493,21 +495,21 @@ Using an elevated PowerShell command window, configure AD FS policy by executing #### Check your configuration For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work -- object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> - - read access to the AD FS service account - - read/write access to the Azure AD Connect sync AD connector account +- object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> + - read access to the AD FS service account + - read/write access to the Azure AD Connect sync AD connector account - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - Container Device Registration Service DKM under the above container ![Device Registration](images/hybridct/device8.png) - + - object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - read/write access to the specified AD connector account name on the new object - object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - object of type msDS-DeviceRegistrationService in the above container ->[!div class="nextstepaction"] -[Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +> [!div class="nextstepaction"] +> [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
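Review bot: The permission list in this hunk uses raw angle brackets in `CN=RegisteredDevices,DC=<domain>` and `CN=<guid>`, which Markdown treats as HTML tags and drops on render (likely the same reason the `-ServiceAccountName` and `-DomainName` placeholders earlier in this file show up empty); since these lines are already being rewritten for whitespace, escape them (`\<domain\>`) or put each distinguished name in backticks. On substance the list is the right least-privilege split: read access for the AD FS service account and read/write only for the Azure AD Connect connector account on RegisteredDevices.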
                                                                                  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 9e12ad84ed..4e0e71aa57 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -54,11 +54,11 @@ The remainder of the provisioning includes Windows Hello for Business requesting > [!IMPORTANT] > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). - +> > The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. > **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. - +> > [!NOTE] > Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers. 
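Review bot: Replacing the second blank separator line with a `>` continuation line merges the `[!IMPORTANT]` alert and the `[!NOTE]` alert into a single blockquote, so the `> [!NOTE]` marker no longer opens its own alert box and may render as literal text inside the IMPORTANT block. Keep the first `>` (it correctly makes the KB4088889 sentence and the 30-minute synchronization paragraph one quote) but leave an unprefixed blank line immediately before `> [!NOTE]` so the two alerts stay separate.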
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md index 1bf688e4bc..e47893d235 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md @@ -64,10 +64,10 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva > [!div class="checklist"] > * Create the KeyCredential Admins Security group (optional) > * Create the Windows Hello for Business Users group - ->[!div class="step-by-step"] -[< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) -[Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md) +> +> [!div class="step-by-step"] +> [< Configure Windows Hello for Business](hello-hybrid-cert-whfb-settings.md) +> [Configure Azure AD Connect >](hello-hybrid-cert-whfb-settings-dir-sync.md)
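Review bot: The `>` added on the separator line joins the `[!div class="checklist"]` blockquote with the `[!div class="step-by-step"]` blockquote that follows it, so both div markers now sit in one quote and the renderer may apply only the first class, putting the navigation links inside the checklist. Confirm the rendered page still shows the checklist and the `< Configure Windows Hello for Business` / `Configure Azure AD Connect >` links as separate blocks; if not, leave that line blank and keep only the `>` prefixes on the two link lines, which is the part that fixes the originally unquoted links. The same applies to the hunks below that make the identical change in the adfs, dir-sync, pki, policy and key-trust settings pages.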

                                                                                  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 4c8e26fb09..d3ab610a58 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -62,11 +62,11 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva > [!div class="checklist"] > * Configure the registration authority > * Update group memberships for the AD FS service account - - ->[!div class="step-by-step"] -[< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) -[Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md) +> +> +> [!div class="step-by-step"] +> [< Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) +> [Configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md)

                                                                                  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index e3d371c736..cc29823ac9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -56,8 +56,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. ->[!IMPORTANT] -> If you already have a Windows Server 2016 domain controller in your domain, use the Keyadmins group in the next step, otherwise use the KeyCredential admins group you previously created. + >[!IMPORTANT] + > If you already have a Windows Server 2016 domain controller in your domain, use the Keyadmins group in the next step, otherwise use the KeyCredential admins group you previously created. 3. Right-click either the **KeyAdmins** or **KeyCredential Admins** in the details pane and click **Properties**. 4. Click the **Members** tab and click **Add** @@ -69,10 +69,10 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva > [!div class="checklist"] > * Configure Permissions for Key Synchronization > * Configure group membership for Azure AD Connect - ->[!div class="step-by-step"] -[< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) -[Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md) +> +> [!div class="step-by-step"] +> [< Configure Active Directory](hello-hybrid-cert-whfb-settings-ad.md) +> [Configure PKI >](hello-hybrid-cert-whfb-settings-pki.md)
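Review bot: In the first hunk (@@ -56), indenting the alert under step 2 so it attaches to the list item is the right fix, but the two quoted lines are inconsistent (`>[!IMPORTANT]` with no space after `>`, `> If you already ...` with one); use `> [!IMPORTANT]` to match the other files in this patch. The unchanged step 3 that follows names the group **KeyAdmins** while the alert says `Keyadmins`; align the spelling while these lines are being touched, since the reader is choosing between two similarly named groups here.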

                                                                                  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index e8856e1a93..6e3126b3c7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -192,11 +192,11 @@ Sign-in to the certificate authority or management workstation with _Enterprise > * Mark the certificate template as Windows Hello for Business sign-in template > * Publish Certificate templates to certificate authorities > * Unpublish superseded certificate templates - - +> +> > [!div class="step-by-step"] -[< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) -[Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md) +> [< Configure Azure AD Connect](hello-hybrid-cert-whfb-settings-dir-sync.md) +> [Configure AD FS >](hello-hybrid-cert-whfb-settings-adfs.md)

                                                                                  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 9889e04553..bb1beb3d0b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -187,10 +187,10 @@ Users must receive the Windows Hello for Business group policy settings and have > * Enable the Use certificate for on-premises authentication policy setting. > * Enable user automatic certificate enrollment. > * Add users or groups to the Windows Hello for Business group - - +> +> > [!div class="nextstepaction"] -[Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) +> [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)

                                                                                  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index 87defa48f5..7d1b384963 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md @@ -37,7 +37,7 @@ The configuration for Windows Hello for Business is grouped in four categories. For the most efficient deployment, configure these technologies in order beginning with the Active Directory configuration > [!div class="step-by-step"] -[Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) +> [Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md)

                                                                                  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 84651dfe0c..b826287e64 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -111,11 +111,11 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co ### Azure Multi-Factor Authentication (MFA) Cloud ### > [!IMPORTANT] -As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: +> As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: > * Azure Multi-Factor Authentication > * Azure Active Directory Premium > * Enterprise Mobility + Security -> +> > If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. #### Azure MFA Provider #### diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index a9a2e9d7c6..4ecd43dee9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md 
@@ -48,10 +48,10 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva > [!div class="checklist"] > * Create the Windows Hello for Business Users group - ->[!div class="step-by-step"] -[< Configure Windows Hello for Business](hello-hybrid-key-whfb-settings.md) -[Configure Azure AD Connect >](hello-hybrid-key-whfb-settings-dir-sync.md) +> +> [!div class="step-by-step"] +> [< Configure Windows Hello for Business](hello-hybrid-key-whfb-settings.md) +> [Configure Azure AD Connect >](hello-hybrid-key-whfb-settings-dir-sync.md)

                                                                                  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 6bbcf1dbb1..6f91c36125 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -45,10 +45,10 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva > [!div class="checklist"] > * Configure group membership for Azure AD Connect - ->[!div class="step-by-step"] -[< Configure Active Directory](hello-hybrid-key-whfb-settings-ad.md) -[Configure PKI >](hello-hybrid-key-whfb-settings-pki.md) +> +> [!div class="step-by-step"] +> [< Configure Active Directory](hello-hybrid-key-whfb-settings-ad.md) +> [Configure PKI >](hello-hybrid-key-whfb-settings-pki.md)

                                                                                  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 760f9b52ff..0c6d6de655 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -113,11 +113,11 @@ Sign-in to the certificate authority or management workstation with _Enterprise > * Configure superseded domain controller certificate templates > * Publish Certificate templates to certificate authorities > * Unpublish superseded certificate templates - - +> +> > [!div class="step-by-step"] -[< Configure Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md) -[Configure policy settings >](hello-hybrid-key-whfb-settings-policy.md) +> [< Configure Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md) +> [Configure policy settings >](hello-hybrid-key-whfb-settings-policy.md)

                                                                                  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index f374cb1432..969530cb43 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -158,10 +158,10 @@ Users must receive the Windows Hello for Business group policy settings and have > * Create Windows Hello for Business Group Policy object. > * Enable the Use Windows Hello for Business policy setting. > * Add users or groups to the Windows Hello for Business group - - +> +> > [!div class="nextstepaction"] -[Sign-in and Provision](hello-hybrid-key-whfb-provision.md) +> [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)

                                                                                  diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md index ea6b3908dd..db581c1ffb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md @@ -38,7 +38,7 @@ The configuration for Windows Hello for Business is grouped in four categories. For the most efficient deployment, configure these technologies in order beginning with the Active Directory configuration > [!div class="step-by-step"] -[Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md) +> [Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md)

                                                                                  diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md index 62bb63adb9..fd1a237822 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md 
@@ -412,11 +412,11 @@ Sign in the User Portal server with _local administrator_ equivalent credentials ### Edit MFA User Portal config file Sign in the User Portal server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. -2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. -3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. -4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. +1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. +2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. 
Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. ### Create a DNS entry for the User Portal web site 
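Review bot: In the @@ -412 hunk the added step 5 reads `change the value from **“** to the URL ... (e.g. )`: the original value `http://localhost:4898/PfWsSdk.asmx` and the example `https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx` are both absent from the `+` line, leaving an empty bold quotation mark and an empty parenthesis. If the URLs were converted to angle-bracket autolinks, verify they survive rendering; otherwise restore them, because the step is unusable without the localhost value the admin is told to look for. The surrounding guidance (refer to the Web Service SDK by server name, never by IP, because the SSL certificate is issued for the name) is the security-relevant part of this step and must stay intact.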
@@ -497,11 +497,11 @@ Follow [Install a standalone instance of the AD FS adapter by using the Web Serv ### Edit the MFA AD FS Adapter config file on all ADFS Servers Sign in the primary AD FS server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. -2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. -3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. -4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. +1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. +2. 
Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. +3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. +4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “ to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. ### Edit the AD FS Adapter Windows PowerShell cmdlet diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 4ccfa6f212..c154697610 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md 
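Review bot: The @@ -497 hunk for `MultiFactorAuthenticationAdfsAdapter.config` has the same regression as the web.config hunk above: the added step 5 reads `change the value from “ to the URL ... (e.g. )`, with the `http://localhost:4898/PfWsSdk.asmx` value and the example server URL both missing from the `+` line and an unmatched opening quote left behind. Restore both URLs (or confirm they are autolinks that render correctly), and close the quotation mark; the rest of the step, including the instruction to use the server name rather than an IP address so the SSL certificate validates, is unchanged and correct.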
@@ -31,7 +31,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will >Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. > >Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business. -  + ## Group Policy settings for Windows Hello for Business The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. @@ -114,7 +114,7 @@ The following table lists the Group Policy settings that you can configure for W History

                                                                                  Not configured: Previous PINs are not stored.

                                                                                  -

                                                                                  Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.

                                                                                  +

                                                                                  Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.

                                                                                  Disabled: Previous PINs are not stored.

                                                                                  Note  Current PIN is included in PIN history.
                                                                                   
                                                                                  @@ -137,7 +137,7 @@ The following table lists the Group Policy settings that you can configure for W ->Phone Sign-in +>Phone Sign-in

                                                                                  Use Phone Sign-in

                                                                                  @@ -296,7 +296,7 @@ The following table lists the MDM policy settings that you can configure for Win >[!NOTE]   > If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN. -  + ## How to use Windows Hello for Business with Azure Active Directory diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index d24fbbf8e1..cca50b7fcd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -153,13 +153,13 @@ If your organization does not have on-premises resources, write **Cloud Only** i If your organization is federated with Azure or uses any online service, such as Office365 or OneDrive, or your users' access cloud and on-premises resources, write **Hybrid** in box **1a** on your planning worksheet. If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet. ->[!NOTE] ->If you’re unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results. ->```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords``` ->* If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then your environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. ->* If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement -> * If the value begins with **azureADName:** – write **Hybrid** in box **1a**on your planning worksheet. - > * If the value begins with **enterpriseDrsName:** – write **On-Premises** in box **1a** on your planning worksheet. +> [!NOTE] +> If you’re unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results. 
+> ```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords``` +> * If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then your environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. +> * If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement +> * If the value begins with **azureADName:** – write **Hybrid** in box **1a**on your planning worksheet. +> * If the value begins with **enterpriseDrsName:** – write **On-Premises** in box **1a** on your planning worksheet. ### Trust type @@ -254,7 +254,7 @@ Write **1511 or later** in box **3a** on your planning worksheet if any of the f * Box **2a** on your planning worksheet read **modern management**. * Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices. * Box **1a** on your planning worksheet reads **hybrid**, box **1b** reads **key trust**, and box **2a** reads **GP**. - *Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices. + Optionally, you may write **1511 or later* in box **3b** on your planning worksheet if you plan to manage non-domain joined devices. Write **1703 or later** in box **3a** on your planning worksheet if any of the following are true. * Box **1a** on your planning worksheet reads **on-premises**. 
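Review bot: In the @@ -153 hunk the rewritten lines keep two defects worth fixing while they are being touched: `you have yet to configured AAD Connect` should read `you have yet to configure AAD Connect`, and `box **1a**on your planning worksheet` is missing the space after the bold. The `Get-AdObject` command is wrapped in triple backticks on a single quoted line, which renders as one long inline code span; a fenced block inside a quote needs the fence markers on their own lines (`> ```powershell` / `> ```). The command also opens the distinguished name with a curly quote `“CN=62a0ff2e-...` and closes it with a straight `"`, which breaks when pasted into PowerShell; use straight quotes on both ends.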
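Review bot: In the @@ -254 hunk the added line `Optionally, you may write **1511 or later* in box **3b**` drops one asterisk from the closing bold marker, leaving `**1511 or later*` unbalanced so the bold runs on into the rest of the line; restore `**1511 or later**`. Removing the leading `*` also turns the line from a bullet into a loose paragraph hanging under the previous bullet; if it is meant as a sub-point of the `Box **1a** ... reads **hybrid**` item, keep it as an indented `* ` bullet, matching the identical sentence that appears two lines earlier in the same list.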
diff --git a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md index 3730c57c8b..c4d3f73cb4 100644 --- a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md @@ -47,7 +47,7 @@ The Windows 10 Mobile certificate installer supports .cer, .p7b, .pem, and .pfx Windows 10 Mobile supports root, CA, and client certificate to be configured via MDM. Using MDM, an administrator can directly add, delete, or query root and CA certificates, and configure the device to enroll a client certificate with a certificate enrollment server that supports Simple Certificate Enrollment Protocol (SCEP). SCEP enrolled client certificates are used by Wi-Fi, VPN, email, and browser for certificate-based client authentication. An MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired. >[!WARNING] >Do not use SCEP for encryption certificates for S/MIME. You must use a PFX certificate profile to support S/MIME on Windows 10 Mobile. For instructions on creating a PFX certificate profile in Microsoft Intune, see [Enable access to company resources using certificate profiles with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=718216). -  + **Process of installing certificates using MDM** 1. The MDM server generates the initial cert enroll request including challenge password, SCEP server URL, and other enrollment related parameters. 
@@ -64,13 +64,13 @@ Windows 10 Mobile supports root, CA, and client certificate to be configured vi >- A certificate is successfully received from the server >- The server returns an error >- The number of retries reaches the preconfigured limit -   + 8. The cert is installed in the device. Browser, Wi-Fi, VPN, email, and other first party applications have access to this certificate. >[!NOTE] >If MDM requested private key stored in Trusted Process Module (TPM) (configured during enrollment request), the private key will be saved in TPM. Note that SCEP enrolled cert protected by TPM isn’t guarded by a PIN. However, if the certificate is imported to the Windows Hello for Business Key Storage Provider (KSP), it is guarded by the Hello PIN. -   + ## Related topics [Configure S/MIME](configure-s-mime.md) -  + diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 8bdec1c9de..df25b0e70c 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -52,16 +52,18 @@ Use the following table to compare different Remote Desktop connection security

                                                                                  -|**Feature** | **Remote Desktop** | **Windows Defender Remote Credential Guard** | **Restricted Admin mode** | -|---|---|---|---| -| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. |User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server| -| **Version support** | The remote computer can run any Windows operating system|Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**.|The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

                                                                                  For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). -|**Helps prevent**                    |      N/A         |
                                                                                  • Pass-the-Hash
                                                                                  • Use of a credential after disconnection
                                                                                  |
                                                                                  • Pass-the-Hash
                                                                                  • Use of domain identity during connection
                                                                                  | -|**Credentials supported from the remote desktop client device**|
                                                                                  • **Signed on** credentials
                                                                                  • **Supplied** credentials
                                                                                  • **Saved** credentials
                                                                                  |
                                                                                  • **Signed on** credentials only |
                                                                                    • **Signed on** credentials
                                                                                    • **Supplied** credentials
                                                                                    • **Saved** credentials
                                                                                    -|**Access**|**Users allowed**, that is, members of Remote Desktop Users group of remote host.|**Users allowed**, that is, members of Remote Desktop Users of remote host.|**Administrators only**, that is, only members of Administrators group of remote host. -|**Network identity**|Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. |Remote Desktop session **connects to other resources as remote host’s identity**.| -|**Multi-hop**|From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**.|Not allowed for user as the session is running as a local host account| -|**Supported authentication** |Any negotiable protocol.| Kerberos only.|Any negotiable protocol| + +| **Feature** | **Remote Desktop** | **Windows Defender Remote Credential Guard** | **Restricted Admin mode** | +|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. 
An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server | +| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

                                                                                    For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). | +| **Helps prevent**                    |      N/A          |
                                                                                    • Pass-the-Hash
                                                                                    • Use of a credential after disconnection
                                                                                    |
                                                                                    • Pass-the-Hash
                                                                                    • Use of domain identity during connection
                                                                                    | +| **Credentials supported from the remote desktop client device** |
                                                                                    • Signed on credentials
                                                                                    • Supplied credentials
                                                                                    • Saved credentials
                                                                                    |
                                                                                    • Signed on credentials only |
                                                                                      • Signed on credentials
                                                                                      • Supplied credentials
                                                                                      • Saved credentials
                                                                                      | +| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. | +| **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host’s identity**. | +| **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account | +| **Supported authentication** | Any negotiable protocol. | Kerberos only. | Any negotiable protocol | +
                                                                                      For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx) diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index ba0a4cede3..cd06dda9a5 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -34,7 +34,7 @@ When a smart card is inserted, the following steps are performed. 4. The name of the container is retrieved by using the PP\_CONTAINER parameter with CryptGetProvParam. -5. Using the context acquired in Step 3, the CSP is queried for the PP\_USER\_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8. +5. Using the context acquired in Step 3, the CSP is queried for the PP\_USER\_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8. 6. If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT\_KEYEXCHANGE key. 
@@ -54,7 +54,7 @@ When a smart card is inserted, the following steps are performed. Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions). - > **Note**  These requirements are the same as those in Windows Server 2003, but they are performed before the user enters the PIN. You can override many of them by using Group Policy settings. + > **Note**  These requirements are the same as those in Windows Server 2003, but they are performed before the user enters the PIN. You can override many of them by using Group Policy settings. 9. The process then chooses a certificate, and the PIN is entered. @@ -64,7 +64,7 @@ When a smart card is inserted, the following steps are performed. ## About Certificate support for compatibility -Although versions of Windows earlier than Windows Vista include support for smart cards, the types of certificates that smart cards can contain are limited. The limitations are: +Although versions of Windows earlier than Windows Vista include support for smart cards, the types of certificates that smart cards can contain are limited. The limitations are: - Each certificate must have a user principal name (UPN) and the smart card sign-in object identifier (also known as OID) in the enhanced key usage (EKU) attribute field. There is a Group Policy setting, Allow ECC certificates to be used for logon and authentication, to make the EKU optional. 
@@ -95,45 +95,45 @@ The following diagram illustrates how smart card sign-in works in the supported Following are the steps that are performed during a smart card sign-in: -1. Winlogon requests the sign-in UI credential information. +1. Winlogon requests the sign-in UI credential information. -2. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following: +2. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following: - 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected). + 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected). - 2. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them. + 2. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them. - 3. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal. + 3. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal. - > **Note**  Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. 
A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created. + > **Note**  Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created. - 4. Notifies the sign-in UI that it has new credentials. + 4. Notifies the sign-in UI that it has new credentials. -3. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box. +3. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. 
The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box. -4. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN. +4. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN. -5. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB\_CERTIFICATE\_LOGON structure. The main contents of the KERB\_CERTIFICATE\_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts. +5. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB\_CERTIFICATE\_LOGON structure. The main contents of the KERB\_CERTIFICATE\_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts. -6. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI. +6. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI. -7. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser. +7. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser. -8. 
LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB\_AS\_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)). +8. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB\_AS\_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)). - If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.
                                                                                      If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key. + If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.
                                                                                      If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key. -9. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP). +9. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP). -10. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller. +10. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller. -11. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature. +11. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature. -12. 
The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store. +12. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store. -13. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT’s authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member. +13. 
The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT’s authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member. -14. The domain controller returns the TGT to the client as part of the KRB\_AS\_REP response. +14. The domain controller returns the TGT to the client as part of the KRB\_AS\_REP response. > **Note**  The KRB\_AS\_REP packet consists of: >- Privilege attribute certificate (PAC) 
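Review bot: two grammar slips sit on lines this hunk already rewrites, so they should be fixed here rather than left for a later pass. In the new step 8, "a Kerberos authentication service request (KRB\_AS\_REQ), which containing a preauthenticator" should read "which contains a preauthenticator", and in the new smart card cache note "If another certificate has the same the subject key identifier and certificate issuer" has a doubled "the". Since every `+` line in this hunk differs from its `-` line only by trailing whitespace, folding these two wording fixes in costs nothing and avoids touching the same lines twice.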
@@ -144,21 +144,21 @@ Following are the steps that are performed during a smart card sign-in: TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As part of the decryption process, if the private key is on a smart card, a call is made to the smart card subsystem by using the specified CSP to extract the certificate corresponding to the user's public key. (Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam.) After the temporary key is obtained, the Kerberos SSP decrypts the session key. -15. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and then it uses the KDC's public key to verify the reply signature. +15. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and then it uses the KDC's public key to verify the reply signature. -16. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local computer. +16. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local computer. -17. With success, LSA stores the tickets and returns a success message to LSALogonUser. After this success message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and other actions are performed. +17. With success, LSA stores the tickets and returns a success message to LSALogonUser. 
After this success message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and other actions are performed. -18. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event, reads the certificates from the smart card (including the root certificates), and then populates them into the user's certificate store (MYSTORE). +18. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event, reads the certificates from the smart card (including the root certificates), and then populates them into the user's certificate store (MYSTORE). -19. CSP to smart card resource manager communication happens on the LRPC Channel. +19. CSP to smart card resource manager communication happens on the LRPC Channel. -20. On successful authentication, certificates are propagated to the user's store asynchronously by the Certificate Propagation Service (CertPropSvc). +20. On successful authentication, certificates are propagated to the user's store asynchronously by the Certificate Propagation Service (CertPropSvc). -21. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for sign-in, but they remain in the user's certificate store. +21. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for sign-in, but they remain in the user's certificate store. -> **Note**  A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. The SID never changes, even if the user or group account is renamed. +> **Note**  A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. 
The SID never changes, even if the user or group account is renamed. For more information about the Kerberos protocol, see [Microsoft Kerberos](https://msdn.microsoft.com/library/windows/desktop/aa378747(v=vs.85).aspx). @@ -184,18 +184,19 @@ Certificate requirements are listed by versions of the Windows operating system. The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider. -| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, and Windows Vista** | **Requirements for Windows XP** | -|--------------------------------------|--------------------------------|------| -| CRL distribution point location | Not required | The location must be specified, online, and available, for example:
                                                                                      \[1\]CRL Distribution Point
                                                                                      Distribution Point Name:
                                                                                      Full Name:
                                                                                      URL=http://server1.contoso.com/CertEnroll/caname.crl | -| Key usage | Digital signature | Digital signature | -| Basic constraints | Not required | \[Subject Type=End Entity, Path Length Constraint=None\] (Optional) | -| Enhanced key usage (EKU) | The smart card sign-in object identifier is not required.

                                                                                      **Note**  If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | - Client Authentication (1.3.6.1.5.5.7.3.2)
                                                                                      The client authentication object identifier is required only if a certificate is used for SSL authentication.

                                                                                      - Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) | -| Subject alternative name | E-mail ID is not required for smart card sign-in. | Other Name: Principal Name=(UPN), for example:
                                                                                      UPN=user1@contoso.com
                                                                                      The UPN OtherName object identifier is 1.3.6.1.4.1.311.20.2.3.
                                                                                      The UPN OtherName value must be an ASN1-encoded UTF8 string. | -| Subject | Not required | Distinguished name of user. This field is a mandatory extension, but the population of this field is optional. | -| Key exchange (AT\_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) | Not required | -| CRL | Not required | Not required | -| UPN | Not required | Not required | -| Notes | You can enable any certificate to be visible for the smart card credential provider. | There are two predefined types of private keys. These keys are Signature Only (AT\_SIGNATURE) and Key Exchange (AT\_KEYEXCHANGE). Smart card sign-in certificates must have a Key Exchange (AT\_KEYEXCHANGE) private key type. | + +| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, and Windows Vista** | **Requirements for Windows XP** | +|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| CRL distribution point location | Not required | The location must be specified, online, and available, for example:
                                                                                      \[1\]CRL Distribution Point
                                                                                      Distribution Point Name:
                                                                                      Full Name:
                                                                                      URL= | +| Key usage | Digital signature | Digital signature | +| Basic constraints | Not required | \[Subject Type=End Entity, Path Length Constraint=None\] (Optional) | +| Enhanced key usage (EKU) | The smart card sign-in object identifier is not required.

                                                                                      **Note**  If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | - Client Authentication (1.3.6.1.5.5.7.3.2)
                                                                                      The client authentication object identifier is required only if a certificate is used for SSL authentication.

                                                                                      - Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) | +| Subject alternative name | E-mail ID is not required for smart card sign-in. | Other Name: Principal Name=(UPN), for example:
                                                                                      UPN=user1@contoso.com
                                                                                      The UPN OtherName object identifier is 1.3.6.1.4.1.311.20.2.3.
                                                                                      The UPN OtherName value must be an ASN1-encoded UTF8 string. | +| Subject | Not required | Distinguished name of user. This field is a mandatory extension, but the population of this field is optional. | +| Key exchange (AT\_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) | Not required | +| CRL | Not required | Not required | +| UPN | Not required | Not required | +| Notes | You can enable any certificate to be visible for the smart card credential provider. | There are two predefined types of private keys. These keys are Signature Only (AT\_SIGNATURE) and Key Exchange (AT\_KEYEXCHANGE). Smart card sign-in certificates must have a Key Exchange (AT\_KEYEXCHANGE) private key type. | ### Client certificate mappings @@ -269,7 +270,7 @@ For example, if Certificate1 has CN=CNName1, Certificate2 has CN=User1, and Cert ## Smart card sign-in across forests -For account mapping to work across forests, particularly in cases where there is not enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\\user*, or a fully qualified UPN such as *user@contoso.com*. +For account mapping to work across forests, particularly in cases where there is not enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\\user*, or a fully qualified UPN such as user@contoso.com. > **Note**  For the hint field to appear during smart card sign-in, the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) must be enabled on the client. 
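Review bot: the Windows XP EKU cell in the rebuilt certificate requirements table uses list markers (`- Client Authentication (1.3.6.1.5.5.7.3.2)` and `- Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2)`) inside a Markdown table cell, where they render as literal hyphens rather than bullets; drop the dashes and separate the two entries with a line break, as the other multi-line cells in this table already do. In the same row, the first column leads with "The smart card sign-in object identifier is not required" and only afterwards states the actual constraint ("If an EKU is present, it must contain the smart card sign-in EKU"); putting the constraint first avoids readers stopping at the "not required" sentence. Minor, Subject alternative name row: "ASN1-encoded UTF8 string" names the ASN.1 type, so "ASN.1-encoded UTF8String" is the precise form.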
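Review bot: the hint-format hunk drops the italics from user@contoso.com but leaves *domain\\user* italic in the same sentence; if the intent is to stop the address rendering as emphasis, give both examples the same treatment (plain text or backticks for both) so the two accepted hint formats are styled consistently.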
@@ -285,19 +286,19 @@ Windows client computers attempt to request the OCSP responses and use them in t For sign-in to work in a smart card-based domain, the smart card certificate must meet the following conditions: -- The KDC root certificate on the smart card must have an HTTP CRL distribution point listed in its certificate. +- The KDC root certificate on the smart card must have an HTTP CRL distribution point listed in its certificate. -- The smart card sign-in certificate must have the HTTP CRL distribution point listed in its certificate. +- The smart card sign-in certificate must have the HTTP CRL distribution point listed in its certificate. -- The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty. +- The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty. -- The smart card certificate must contain one of the following: +- The smart card certificate must contain one of the following: - - A subject field that contains the DNS domain name in the distinguished name. If it does not, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail. + - A subject field that contains the DNS domain name in the distinguished name. If it does not, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail. - - A UPN where the domain name resolves to the actual domain. For example, if the domain name is Engineering.Corp.Contoso, the UPN is username@engineering.corp.contoso.com. If any part of the domain name is omitted, the Kerberos client cannot find the appropriate domain. + - A UPN where the domain name resolves to the actual domain. For example, if the domain name is Engineering.Corp.Contoso, the UPN is username@engineering.corp.contoso.com. 
If any part of the domain name is omitted, the Kerberos client cannot find the appropriate domain. -Although the HTTP CRL distribution points are on by default in Windows Server 2008, subsequent versions of the Windows Server operating system do not include HTTP CRL distribution points. To allow smart card sign-in to a domain in these versions, do the following: +Although the HTTP CRL distribution points are on by default in Windows Server 2008, subsequent versions of the Windows Server operating system do not include HTTP CRL distribution points. To allow smart card sign-in to a domain in these versions, do the following: 1. Enable HTTP CRL distribution points on the CA. diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index c2fe95b6f9..9013c10df6 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -62,9 +62,9 @@ Windows software trace preprocessor (WPP) simplifies tracing the operation of th Using WPP, use one of the following commands to enable tracing: -- **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1** +- **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1** -- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>***.etl -mode 0x00080000** +- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000* You can use the parameters in the following table. 
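Review bot: the unchanged bullet "The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty" is ambiguous: a distribution point is a URL and cannot be "empty", so this presumably means that a CRL containing no revoked entries still has to be published and reachable. Since this hunk already rewrites the whole list, "even if the CRL contains no entries" would state the requirement plainly.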
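Review bot: the edited logman line now has unbalanced emphasis markers: `**.etl -mode 0x00080000*` opens bold with `**` and closes with a single `*`, so the remainder of the list item renders with stray asterisks. Match the tracelog line above it and close with `**`, i.e. `**-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000**`.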
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index f6d7204bd3..dd70a1c7c6 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -95,7 +95,7 @@ This policy setting allows certificates without an enhanced key usage (EKU) set > **Note**  Enhanced key usage certificate attribute is also known as extended key usage. -In versions of Windows prior to Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. +In versions of Windows prior to Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. When this policy setting is enabled, certificates with the following attributes can also be used to sign in with a smart card: 
@@ -127,7 +127,7 @@ This policy setting allows you to control whether elliptic curve cryptography (E ### Allow Integrated Unblock screen to be displayed at the time of logon -This policy setting lets you determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista. +This policy setting lets you determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista. When this setting is enabled, the integrated unblock feature is available. When this setting is disabled or not configured, the feature is not available. @@ -153,7 +153,7 @@ This policy setting lets you allow signature key-based certificates to be enumer This policy setting permits those certificates that are expired or not yet valid to be displayed for sign-in. -Prior to Windows Vista, certificates were required to contain a valid time and to not expire. To be used, the certificate must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer. +Prior to Windows Vista, certificates were required to contain a valid time and to not expire. To be used, the certificate must be accepted by the domain controller. This policy setting only controls which certificates are displayed on the client computer. When this setting is enabled, certificates are listed on the sign-in screen whether they have an invalid time or their time validity has expired. When this setting is disabled or not configured, certificates that are expired or not yet valid are not listed on the sign-in screen. 
@@ -218,7 +218,7 @@ This policy setting is applied to the computer after the [Allow time invalid cer | Registry key | FilterDuplicateCerts | | Default values | No changes per operating system versions
                                                                                      Disabled and not configured are equivalent | | Policy management | Restart requirement: None
                                                                                      Sign off requirement: None
                                                                                      Policy conflicts: None | -| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. | +| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. | ### Force the reading of all certificates from the smart card @@ -355,8 +355,8 @@ The following smart card-related Group Policy settings are located in Computer C | Group Policy Setting and Registry Key | Default | Description | |------------------------------------------|------------|---------------| -| Interactive logon: Require smart card

                                                                                      scforceoption | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.

                                                                                      **Enabled**  Users can only sign in to the computer by using a smart card.
                                                                                      **Disabled**  Users can sign in to the computer by using any method. | -| Interactive logon: Smart card removal behavior

                                                                                      scremoveoption | This policy setting is not defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
                                                                                      **No Action**
                                                                                      **Lock Workstation**: The workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
                                                                                      **Force Logoff**: The user is automatically signed out when the smart card is removed.
                                                                                      **Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. This allows the user to reinsert the smart card and resume the session later, or at another computer that is equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.

                                                                                      **Note**  Remote Desktop Services was called Terminal Services in previous versions of Windows Server. | +| Interactive logon: Require smart card

                                                                                      scforceoption | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.

                                                                                      **Enabled** Users can only sign in to the computer by using a smart card.
                                                                                      **Disabled** Users can sign in to the computer by using any method. | +| Interactive logon: Smart card removal behavior

                                                                                      scremoveoption | This policy setting is not defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are:
                                                                                      **No Action**
                                                                                      **Lock Workstation**: The workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
                                                                                      **Force Logoff**: The user is automatically signed out when the smart card is removed.
                                                                                      **Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. This allows the user to reinsert the smart card and resume the session later, or at another computer that is equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.

                                                                                      **Note**  Remote Desktop Services was called Terminal Services in previous versions of Windows Server. | From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers. @@ -368,11 +368,12 @@ Registry keys are located in HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Contro **Credential delegation policy settings** -| Group Policy Setting and Registry Key | Default | Description | -|----------------------------------------|-----------|-------------| -| **Allow Delegating Fresh Credentials**

                                                                                      AllowFreshCredentials | Not Configured | This policy setting applies:
                                                                                      When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.
                                                                                      To applications that use the CredSSP component (for example, Remote Desktop Services).

                                                                                      **Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
                                                                                      **Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.
                                                                                      **Disabled**: Delegation of fresh credentials to any computer is not permitted.

                                                                                      **Note**  This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:
                                                                                      Use *TERMSRV/\** for Remote Desktop Session Host (RD Session Host) running on any computer.
                                                                                      Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.
                                                                                      Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com | -| **Allow Delegating Fresh Credentials with NTLM-only Server Authentication**

                                                                                      AllowFreshCredentialsWhenNTLMOnly | Not Configured | This policy setting applies:
                                                                                      When server authentication was achieved by using NTLM.
                                                                                      To applications that use the CredSSP component (for example, Remote Desktop).

                                                                                      **Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
                                                                                      **Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).
                                                                                      **Disabled**: Delegation of fresh credentials is not permitted to any computer.

                                                                                      **Note**  This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
                                                                                      See the **Allow Delegating Fresh Credentials** policy setting description for examples. | -| **Deny Delegating Fresh Credentials**

                                                                                      DenyFreshCredentials | Not Configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).

                                                                                      **Enabled**: You can specify the servers where the user's fresh credentials cannot be delegated.
                                                                                      **Disabled** or **Not Configured**: A server is not specified.

                                                                                      **Note**  This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials cannot be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
                                                                                      See the **Allow Delegating Fresh Credentials** policy setting description for examples. | + +| Group Policy Setting and Registry Key | Default | Description | +|----------------------------------------------------------------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Allow Delegating Fresh Credentials**

                                                                                      AllowFreshCredentials | Not Configured | This policy setting applies:
                                                                                      When server authentication was achieved through a trusted X509 certificate or Kerberos protocol.
                                                                                      To applications that use the CredSSP component (for example, Remote Desktop Services).

                                                                                      **Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
                                                                                      **Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer.
                                                                                      **Disabled**: Delegation of fresh credentials to any computer is not permitted.

                                                                                      **Note**  This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example:
                                                                                      Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer.
                                                                                      Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer.
                                                                                      Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com | +| **Allow Delegating Fresh Credentials with NTLM-only Server Authentication**

                                                                                      AllowFreshCredentialsWhenNTLMOnly | Not Configured | This policy setting applies:
                                                                                      When server authentication was achieved by using NTLM.
                                                                                      To applications that use the CredSSP component (for example, Remote Desktop).

                                                                                      **Enabled**: You can specify the servers where the user's fresh credentials can be delegated.
                                                                                      **Not Configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*).
                                                                                      **Disabled**: Delegation of fresh credentials is not permitted to any computer.

                                                                                      **Note**  This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
                                                                                      See the **Allow Delegating Fresh Credentials** policy setting description for examples. | +| **Deny Delegating Fresh Credentials**

                                                                                      DenyFreshCredentials | Not Configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).

                                                                                      **Enabled**: You can specify the servers where the user's fresh credentials cannot be delegated.
                                                                                      **Disabled** or **Not Configured**: A server is not specified.

                                                                                      **Note**  This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials cannot be delegated. A single wildcard character (\*) is permitted when specifying the SPN.
                                                                                      See the **Allow Delegating Fresh Credentials** policy setting description for examples. | If you are using Remote Desktop Services with smart card logon, you cannot delegate default and saved credentials. The registry keys in the following table, which are located at HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults, and the corresponding Group Policy settings are ignored. diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 0a51f10bb6..32d9213cda 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -147,7 +147,7 @@ To better understand each component, review the table below:
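Review bot: in the rebuilt credential delegation table, the first SPN example regressed from `Use *TERMSRV/\** for` (italic text reading TERMSRV/*) to `Use \*TERMSRV/\*\* for`, which escapes every asterisk and renders as the literal string *TERMSRV/** with no emphasis; the two sibling examples in the same cell (`*TERMSRV/host.humanresources.fabrikam.com*` and `*TERMSRV/\*.humanresources.fabrikam.com*`) keep the original form, so restore `*TERMSRV/\**` here. Getting this example right matters more than the other cells, because it is the pattern administrators copy when scoping where fresh credentials may be delegated, and the **Not Configured** row documents that the unscoped default already permits delegation to RD Session Host on any computer.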

                                                                                      Application Information service

                                                                                      -

                                                                                      A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so.

                                                                                      +

                                                                                      A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so.

                                                                                      @@ -210,7 +210,7 @@ To better understand each component, review the table below:

                                                                                      If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.

                                                                                    • -

                                                                                      If the secure desktop is not enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.

                                                                                      +

                                                                                      If the secure desktop is not enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.

                                                                                    @@ -244,7 +244,7 @@ To better understand each component, review the table below:

                                                                                    Installer detection

                                                                                    -

                                                                                    Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.

                                                                                    +

                                                                                    Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.

                                                                                    @@ -269,17 +269,17 @@ To better understand each component, review the table below: -  -The slider will never turn UAC completely off. If you set it to **Never notify**, it will: + +The slider will never turn UAC completely off. If you set it to Never notify, it will: - Keep the UAC service running. - Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt. - Automatically deny all elevation requests for standard users. ->**Important:**  In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**. -  ->**Warning:**  Universal Windows apps will not work when UAC is disabled. -  +> **Important:** In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**. +> +> **Warning:** Universal Windows apps will not work when UAC is disabled. + ### Virtualization Because system administrators in enterprise environments attempt to secure systems, many line-of-business (LOB) applications are designed to use only a standard user access token. As a result, you do not need to replace the majority of apps when UAC is turned on. 
@@ -319,6 +319,6 @@ Before a 32-bit process is created, the following attributes are checked to dete - Key attributes in the resource script data are linked in the executable file. - There are targeted sequences of bytes within the executable file. ->**Note:**  The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies. -  ->**Note:**  The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). +> **Note:** The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies. +> +> **Note:** The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md). diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index 1664015fc0..ad92df7445 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md 
@@ -21,7 +21,7 @@ ms.date: 07/27/2017 # User Account Control **Applies to** -- Windows 10 +- Windows 10 - Windows Server 2016 User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. @@ -38,11 +38,12 @@ Admin Approval Mode in UAC helps prevent malware from silently installing withou ## In this section + | Topic | Description | | - | - | | [How User Account Control works](how-user-account-control-works.md) | User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. | | [User Account Control security policy settings](user-account-control-security-policy-settings.md) | You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. | | [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. | -  -  -  + + + diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index 7bbdc0d2c3..fd93a5fd19 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md 
@@ -58,65 +58,65 @@ On your domain server, you need to create a template for the certificate that yo ### To create the certificate template -1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator**. +1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator**. -2. Click **File**, and then click **Add/Remove Snap-in**. +2. Click **File**, and then click **Add/Remove Snap-in**. - ![Add or remove snap-in](images/vsc-02-mmc-add-snap-in.png) + ![Add or remove snap-in](images/vsc-02-mmc-add-snap-in.png) -3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**. +3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**. - ![Add Certificate Templates snap-in](images/vsc-03-add-certificate-templates-snap-in.png) + ![Add Certificate Templates snap-in](images/vsc-03-add-certificate-templates-snap-in.png) -4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates. +4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates. -5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**. +5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**. - ![Duplicating the Smartcard Logon template](images/vsc-04-right-click-smartcard-logon-template.png) + ![Duplicating the Smartcard Logon template](images/vsc-04-right-click-smartcard-logon-template.png) -6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed. +6. 
On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed. - ![Compatibility tab, certification authority setting](images/vsc-05-certificate-template-compatibility.png) + ![Compatibility tab, certification authority setting](images/vsc-05-certificate-template-compatibility.png) -7. On the **General** tab: +7. On the **General** tab: - 1. Specify a name, such as **TPM Virtual Smart Card Logon**. + 1. Specify a name, such as **TPM Virtual Smart Card Logon**. - 2. Set the validity period to the desired value. + 2. Set the validity period to the desired value. -8. On the **Request Handling** tab: +8. On the **Request Handling** tab: - 1. Set the **Purpose** to **Signature and smartcard logon**. + 1. Set the **Purpose** to **Signature and smartcard logon**. - 2. Click **Prompt the user during enrollment**. + 2. Click **Prompt the user during enrollment**. -9. On the **Cryptography** tab: +9. On the **Cryptography** tab: - 1. Set the minimum key size to 2048. + 1. Set the minimum key size to 2048. - 2. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**. + 2. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**. -10. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them. +10. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them. -11. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. +11. 
Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. -12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**. +12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**. ![Add Certification Authority snap-in](images/vsc-06-add-certification-authority-snap-in.png) -13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. +13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. -14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. +14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. ![Right-click menu for Certificate Templates](images/vsc-07-right-click-certificate-templates.png) -15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**. +15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**. > **Note**  It can take some time for your template to replicate to all servers and become available in this list. ![Selecting a certificate template](images/vsc-08-enable-certificate-template.png) -16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. 
Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. +16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. ![Stopping and starting the service](images/vsc-09-stop-service-start-service.png) diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md index 6e562918c4..26fd5e8431 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md @@ -41,7 +41,7 @@ The BitLocker Windows Management Instrumentation (WMI) interface does allow admi > [!IMPORTANT]   > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). -  + ## Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed. diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index fab2b48fd4..8029b9b1b9 100644 
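Review bot: In the virtual-smart-card-get-started.md hunk (@@ -58), every numbered step is touched to strip trailing non-breaking spaces, but the unchanged callout under step 15, `> **Note**  It can take some time for your template to replicate to all servers and become available in this list.`, still carries the double (non-breaking) space after **Note** and lacks the colon used by the other callouts normalized in this PR (`> **Note:** ...`). Normalize that line as well; otherwise this file keeps the one residual nbsp the cleanup is meant to remove.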
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -31,7 +31,7 @@ BitLocker provides full volume encryption (FVE) for operating system volumes, as In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. > **Note:**  For more info about using this tool, see [Bdehdcfg](https://technet.microsoft.com/library/ee732026.aspx) in the Command-Line Reference. -  + BitLocker encryption can be done using the following methods: - BitLocker control panel @@ -92,7 +92,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t -  + Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive. 
@@ -106,7 +106,7 @@ When the recovery key has been properly stored, the BitLocker Drive Encryption W It is recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option. > **Note:**  Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. -  + Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. 
@@ -371,13 +371,13 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us -  + Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. -A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. -Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. +A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLocker volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. +Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. > **Note:**  In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID. -  + `Get-BitLockerVolume C: | fl` If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. 
Accomplishing this requires the GUID associated with the protector to be removed. @@ -392,7 +392,7 @@ Using this information, we can then remove the key protector for a specific volu Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` > **Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. -  + ### Operating system volume Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. @@ -420,7 +420,7 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster. >**Warning:**  The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes. -  + To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. ``` syntax 
@@ -432,16 +432,16 @@ For users who wish to use the SID for the account or group, the first step is to get-aduser -filter {samaccountname -eq "administrator"} ``` > **Note:**  Use of this command requires the RSAT-AD-PowerShell feature. -  +> > **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. -  + In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: ``` syntax Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" ``` > **Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. -  + ## Checking BitLocker status To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section. 
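Review bot: In the @@ -371 hunk of bitlocker-basic-deployment.md, the two rewritten `+` lines strip the code formatting from `` `Get-BitLocker` `` and **Get-BitLockerVolume**, leaving cmdlet names as plain prose while the same hunk keeps `` `Get-BitLockerVolume C: | fl` `` and `` `Remove-BitLockerKeyProtector` `` in backticks. Keep backticks on cmdlet names, and since the sentence is being rewritten anyway, fix the split name: `You can do this using the \`Get-BitLockerVolume\` cmdlet.` rather than `the Get-BitLocker volume cmdlet`, which names a cmdlet that the next sentence spells correctly.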
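Review bot: In the @@ -432 hunk the `+>` line correctly joins the Note and Tip into one blockquote, but the unchanged example below it, `Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup ""`, passes an empty string where the sentence above says the user supplies the SID of the account or group, so the command as rendered cannot be followed. Put a visible placeholder inside the quotes (for example `"<SID>"`, written so that it survives Markdown rendering inside the `syntax` fence) so the example matches the prose.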
@@ -456,7 +456,7 @@ Checking BitLocker status with the control panel is the most common method used | **Off**| BitLocker is not enabled for the volume | | **Suspended** | BitLocker is suspended and not actively protecting the volume | | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| -  + If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on volume E. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process. @@ -473,7 +473,7 @@ To check the status of a volume using manage-bde, use the following command: manage-bde -status ``` > **Note:**  If no volume letter is associated with the -status command, all volumes on the computer display their status. -  + ### Checking BitLocker status with Windows PowerShell Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer. 
@@ -534,5 +534,5 @@ Disable-BitLocker -MountPoint E:,F:,G: - [BitLocker recovery guide](bitlocker-recovery-guide-plan.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) - [BitLocker overview](bitlocker-overview.md) -  -  + + diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 47d33507af..2af7ccc7a9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
@@ -31,7 +31,7 @@ BitLocker helps mitigate unauthorized data access on lost or stolen computers be - **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed. - **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability. -  + The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 10, Windows 8.1, and Windows 8. For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure). diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index cc0dbe2b84..2a808c73fa 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md 
@@ -20,14 +20,14 @@ ms.date: 04/17/2019 # BitLocker Group Policy settings **Applies to** -- Windows 10 +- Windows 10 This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. To control what drive encryption tasks the user can perform from the Windows Control Panel or to modify other configuration options, you can use Group Policy administrative templates or local computer policy settings. How you configure these policy settings depends on how you implement BitLocker and what level of user interaction will be allowed. ->**Note:**  A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings). -  +>**Note:** A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings). + BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer is not compliant with existing Group Policy settings, BitLocker may not be turned on or modified until the computer is in a compliant state. 
When a drive is out of compliance with Group Policy settings (for example, if a Group Policy setting was changed after the initial BitLocker deployment in your organization, and then the setting was applied to previously encrypted drives), no change can be made to the BitLocker configuration of that drive except a change that will bring it into compliance. @@ -48,7 +48,7 @@ The following policy settings can be used to determine how a BitLocker-protected - [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked) - [Disallow standard users from changing the PIN or password](#bkmk-dpinchange) - [Configure use of passwords for operating system drives](#bkmk-ospw) -- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4) +- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4) - [Configure use of smart cards on fixed data drives](#bkmk-unlockpol5) - [Configure use of passwords on fixed data drives](#bkmk-unlockpol6) - [Configure use of smart cards on removable data drives](#bkmk-unlockpol7) 
@@ -75,8 +75,8 @@ The following policy settings determine the encryption methods and encryption ty The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. - [Choose how BitLocker-protected operating system drives can be recovered](#bkmk-rec1) -- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#bkmk-rec2) -- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#bkmk-rec3) +- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#bkmk-rec2) +- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#bkmk-rec3) - [Choose default folder for recovery password](#bkmk-rec4) - [Choose how BitLocker-protected fixed drives can be recovered](#bkmk-rec6) - [Choose how BitLocker-protected removable drives can be recovered](#bkmk-rec7) @@ -88,7 +88,7 @@ The following policies are used to support customized deployment scenarios in yo - [Provide the unique identifiers for your organization](#bkmk-depopt1) - [Prevent memory overwrite on restart](#bkmk-depopt2) - [Configure TPM platform validation profile for BIOS-based firmware configurations](#bkmk-tpmbios) -- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#bkmk-depopt3) +- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#bkmk-depopt3) - [Configure TPM platform validation profile for native UEFI firmware configurations](#bkmk-tpmvaluefi) - [Reset platform validation data after BitLocker recovery](#bkmk-resetrec) - [Use enhanced Boot Configuration Data validation profile](#bkmk-enbcd) 
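Review bot: In the @@ -20 hunk of bitlocker-group-policy-settings.md, the rewritten callout uses `>**Note:** A separate set of Group Policy settings ...` with no space after the `>`, whereas the callouts normalized elsewhere in this PR (bitlocker-basic-deployment.md, how-user-account-control-works.md) use `> **Note:**`. Use the spaced form here so the blockquote style is consistent across the files touched by the same cleanup; the @@ -48, @@ -75 and @@ -88 hunks are whitespace-only and look correct.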
@@ -123,7 +123,7 @@ This policy setting allows users on devices that are compliant with Modern Stand

                                                                                    Conflicts

                                                                                    -

                                                                                    This setting overrides the Require startup PIN with TPM option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware. +

                                                                                    This setting overrides the Require startup PIN with TPM option of the Require additional authentication at startup policy on compliant hardware.

                                                                                    @@ -133,12 +133,12 @@ This policy setting allows users on devices that are compliant with Modern Stand

                                                                                    When disabled or not configured

                                                                                    -

                                                                                    The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply.

                                                                                    +

                                                                                    The options of the Require additional authentication at startup policy apply.

                                                                                    -  -**Reference** + +Reference The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN. @@ -185,13 +185,13 @@ This policy is used in addition to the BitLocker Drive Encryption Network Unlock -  -**Reference** + +Reference To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock. ->**Note:**  For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup. -  +>**Note:** For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or cannot connect to the domain controller at startup. + For more information about Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). ### Require additional authentication at startup 
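Review bot: The rewritten table cells in the @@ -123 and @@ -133 hunks replace `[Require additional authentication at startup](#bkmk-unlockpol1)` with plain text (`This setting overrides the Require startup PIN with TPM option of the Require additional authentication at startup policy on compliant hardware.`), dropping the cross-reference to the policy this setting overrides, while the unchanged Reference paragraph in the same region still carries the `(#bkmk-unlockpol1)` link. Keep the link in the cells. Separately, the `-**Reference**` / `+Reference` change in the @@ -185 hunk (and again in the @@ -236 hunk below) removes the bold from the Reference heading, but the @@ -311 hunk keeps `**Reference**`; pick one form for the whole file rather than changing only some occurrences.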
@@ -210,7 +210,7 @@ This policy setting is used to control which unlock options are available for op

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -236,8 +236,8 @@ This policy setting is used to control which unlock options are available for op -  -**Reference** + +Reference If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. @@ -245,7 +245,7 @@ On a computer with a compatible TPM, additional authentication methods can be us - only the TPM - insertion of a USB flash drive containing the startup key -- the entry of a 4-digit to 20-digit personal identification number (PIN) +- the entry of a 4-digit to 20-digit personal identification number (PIN) - a combination of the PIN and the USB flash drive There are four options for TPM-enabled computers or devices: @@ -287,7 +287,7 @@ This policy setting permits the use of enhanced PINs when you use an unlock meth

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -311,14 +311,14 @@ This policy setting permits the use of enhanced PINs when you use an unlock meth -  + **Reference** Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when you turn on BitLocker. ->**Important:**  Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. -  +>**Important:** Not all computers support enhanced PIN characters in the preboot environment. It is strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used. + ### Configure minimum PIN length for startup This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN. @@ -331,11 +331,11 @@ This policy setting is used to set a minimum PIN length when you use an unlock m

                                                                                    Policy description

                                                                                    -

                                                                                    With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.

                                                                                    +

                                                                                    With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -355,15 +355,15 @@ This policy setting is used to set a minimum PIN length when you use an unlock m

                                                                                    When disabled or not configured

                                                                                    -

                                                                                    Users can configure a startup PIN of any length between 6 and 20 digits.

                                                                                    +

                                                                                    Users can configure a startup PIN of any length between 6 and 20 digits.

                                                                                    -  -**Reference** + +Reference This policy setting is applied when you turn on BitLocker. -The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. +The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for logon, which can be 4 to 127 characters. @@ -442,7 +442,7 @@ This policy setting allows you to configure whether standard users are allowed t -  + **Reference** @@ -478,11 +478,10 @@ This policy controls how non-TPM based systems utilize the password protector. U

                                                                                    Conflicts

                                                                                    Passwords cannot be used if FIPS-compliance is enabled.

                                                                                    -Note   -

                                                                                    The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.

                                                                                    +Note

                                                                                    The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.

                                                                                    -  +
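Review bot: the `+The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.` line in the @@ -355 hunk sits directly under context cells that say `By default, the minimum PIN length is 6` and `Users can configure a startup PIN of any length between 6 and 20 digits`, and the only difference from its `-` line is trailing whitespace, so the contradiction survives this edit; while the line is being touched, reconcile it (for example, state that 4 is the lower bound the policy accepts and 6 is the default minimum, which is what the surrounding text implies). Separately, every `-`/`+` pair in the table-cell hunks above (@@ -210, @@ -287, @@ -331, @@ -355 and the `Note` cell in @@ -478) shows identical text, so these are whitespace-only edits; a `git diff -w` in which they vanish confirms that, and the commit message should say so instead of leaving reviewers to guess what changed.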
                                                                                    @@ -495,14 +494,14 @@ This policy controls how non-TPM based systems utilize the password protector. U -  + **Reference** If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled. ->**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. -  +>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. 
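Review bot: the context line `to validate the complexity the password` in the @@ -495 hunk is missing `of` (`the complexity of the password`), and `must be also enabled` two lines earlier reads better as `must also be enabled`, which is the wording the @@ -680 hunk already uses; since this paragraph is already being touched, fix both here. The same `complexity the password` typo recurs in the @@ -782 hunk.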
@@ -512,9 +511,9 @@ When this policy setting is enabled, you can set the option **Configure password - Do not allow password complexity - Require password complexity -### Require additional authentication at startup (Windows Server 2008 and Windows Vista) +### Require additional authentication at startup (Windows Server 2008 and Windows Vista) -This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista. +This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista. @@ -524,15 +523,15 @@ This policy setting is used to control what unlock options are available for com - + - + - + @@ -552,10 +551,10 @@ This policy setting is used to control what unlock options are available for com

                                                                                    Policy description

                                                                                    With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.

                                                                                    With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.

                                                                                    Introduced

                                                                                    Windows Server 2008 and Windows Vista

                                                                                    Windows Server 2008 and Windows Vista

                                                                                    Drive type

                                                                                    Operating system drives (Windows Server 2008 and Windows Vista)

                                                                                    Operating system drives (Windows Server 2008 and Windows Vista)

                                                                                    Policy path

                                                                                    -  -**Reference** -On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN. +Reference + +On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN. A USB drive that contains a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material that is on this USB drive. @@ -592,7 +591,7 @@ This policy setting is used to require, allow, or deny the use of smart cards wi

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

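Review bot: in the @@ -552 hunk the blank line is added after `+Reference` rather than before it (`+Reference`, `+`, `+On a computer with a compatible TPM...`), whereas every other hunk in this patch emits `+` followed by `+Reference`, so this one subsection gets different spacing around the label; make the ordering match the rest of the file.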
                                                                                    @@ -620,11 +619,11 @@ This policy setting is used to require, allow, or deny the use of smart cards wi -  -**Reference** ->**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. -  +Reference + +>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. + ### Configure use of passwords on fixed data drives This policy setting is used to require, allow, or deny the use of passwords with fixed data drives. @@ -641,7 +640,7 @@ This policy setting is used to require, allow, or deny the use of passwords with

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -669,8 +668,8 @@ This policy setting is used to require, allow, or deny the use of passwords with -  -**Reference** + +Reference When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. 
@@ -680,15 +679,15 @@ When set to **Do not allow complexity**, no password complexity validation is pe Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. ->**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. -  +>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements** must also be enabled. This policy setting is configured on a per-computer basis. This means that it applies to local user accounts and domain user accounts. Because the password filter that is used to validate password complexity is located on the domain controllers, local user accounts cannot access the password filter because they are not authenticated for domain access. When this policy setting is enabled, if you sign in with a local user account, and you attempt to encrypt a drive or change a password on an existing BitLocker-protected drive, an "Access denied" error message is displayed. In this situation, the password key protector cannot be added to the drive. Enabling this policy setting requires that connectivity to a domain be established before adding a password key protector to a BitLocker-protected drive. 
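Review bot: the `-  ` / `+` pair that follows each `>**Note:**` and `>**Important:**` callout in the @@ -680 hunk is the functional part of this change and deserves a line in the commit message: the rendered diff shows the removed line was not empty, and if it held only a non-breaking space, Markdown does not treat it as a blank line, so the paragraph after the callout (`For more information...`, `### Configure use of smart cards...`) could be parsed as a lazy continuation of the `>` block; the replacement empty line terminates the callout cleanly. Worth confirming the same holds for the earlier `-  ` lines in this patch.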
Users who work remotely and have periods of time in which they cannot connect to the domain should be made aware of this requirement so that they can schedule a time when they will be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive. ->**Important:**  Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. -  +>**Important:** Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. + ### Configure use of smart cards on removable data drives This policy setting is used to require, allow, or deny the use of smart cards with removable data drives. @@ -705,7 +704,7 @@ This policy setting is used to require, allow, or deny the use of smart cards wi

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -733,11 +732,11 @@ This policy setting is used to require, allow, or deny the use of smart cards wi -  -**Reference** ->**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. -  +Reference + +>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + ### Configure use of passwords on removable data drives This policy setting is used to require, allow, or deny the use of passwords with removable data drives. @@ -754,7 +753,7 @@ This policy setting is used to require, allow, or deny the use of passwords with

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -782,14 +781,14 @@ This policy setting is used to require, allow, or deny the use of passwords with -  -**Reference** + +Reference If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled. ->**Note:**  These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. -  +>**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. + Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box. When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. 
@@ -798,8 +797,8 @@ When set to **Allow complexity**, a connection to a domain controller will be at When set to **Do not allow complexity**, no password complexity validation will be done. ->**Note:**  Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. -  +>**Note:** Passwords cannot be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. + For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://technet.microsoft.com/library/jj852211.aspx). ### Validate smart card certificate usage rule compliance @@ -818,7 +817,7 @@ This policy setting is used to determine what certificate to use with BitLocker.

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -842,8 +841,8 @@ This policy setting is used to determine what certificate to use with BitLocker. -  -**Reference** + +Reference This policy setting is applied when you turn on BitLocker. @@ -851,8 +850,8 @@ The object identifier is specified in the enhanced key usage (EKU) of a certific The default object identifier is 1.3.6.1.4.1.311.67.1.1. ->**Note:**  BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. -  +>**Note:** BitLocker does not require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker. + ### Enable use of BitLocker authentication requiring preboot keyboard input on slates This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. @@ -893,8 +892,8 @@ This policy setting allows users to enable authentication options that require u -  -**Reference** + +Reference The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password. @@ -924,7 +923,7 @@ This policy setting is used to require encryption of fixed drives prior to grant

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -948,8 +947,8 @@ This policy setting is used to require encryption of fixed drives prior to grant -  -**Reference** + +Reference This policy setting is applied when you turn on BitLocker. @@ -979,7 +978,7 @@ This policy setting is used to require that removable drives are encrypted prior

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -1003,13 +1002,13 @@ This policy setting is used to require that removable drives are encrypted prior -  -**Reference** + +Reference If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting. ->**Note:**  You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. -  +>**Note:** You can override this policy setting with the policy settings under **User Configuration\\Administrative Templates\\System\\Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored. + Conflict considerations include: 1. Use of BitLocker with the TPM plus a startup key or with the TPM plus a PIN and startup key must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. @@ -1032,7 +1031,7 @@ This policy setting is used to prevent users from turning BitLocker on or off on

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -1060,8 +1059,8 @@ This policy setting is used to prevent users from turning BitLocker on or off on -  -**Reference** + +Reference This policy setting is applied when you turn on BitLocker. @@ -1069,8 +1068,8 @@ For information about suspending BitLocker protection, see [BitLocker Basic Depl The options for choosing property settings that control how users can configure BitLocker are: -- **Allow users to apply BitLocker protection on removable data drives**   Enables the user to run the BitLocker Setup Wizard on a removable data drive. -- **Allow users to suspend and decrypt BitLocker on removable data drives**   Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. +- **Allow users to apply BitLocker protection on removable data drives** Enables the user to run the BitLocker Setup Wizard on a removable data drive. +- **Allow users to suspend and decrypt BitLocker on removable data drives** Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance. ### Choose drive encryption method and cipher strength @@ -1112,8 +1111,8 @@ This policy setting is used to control the encryption method and cipher strength -  -**Reference** + +Reference The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). 
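Review bot: in the @@ -1069 hunk the bold option names run straight into their descriptions once the run of non-breaking spaces becomes a single space (`**Allow users to apply BitLocker protection on removable data drives** Enables the user to run...`); the original spacing was acting as a separator, so add a colon or period after the closing `**` on both bullets, otherwise each rendered bullet reads as one run-on sentence.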
@@ -1124,8 +1123,8 @@ For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the d Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored. ->**Warning:**  This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning. -  +>**Warning:** This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning. + When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script. ### Configure use of hardware-based encryption for fixed data drives 
@@ -1173,15 +1172,15 @@ This policy controls how BitLocker reacts to systems that are equipped with encr -  -**Reference** ->**Note:**  The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. -  +Reference + +>**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. + The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: -- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 -- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 +- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 +- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 ### Configure use of hardware-based encryption for operating system drives 
@@ -1227,17 +1226,17 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper -  -**Reference** + +Reference If hardware-based encryption is not available, BitLocker software-based encryption is used instead. ->**Note:**  The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. -  +>**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. + The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: -- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 -- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 +- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 +- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 ### Configure use of hardware-based encryption for removable data drives 
@@ -1283,17 +1282,17 @@ This policy controls how BitLocker reacts to encrypted drives when they are used -  -**Reference** + +Reference If hardware-based encryption is not available, BitLocker software-based encryption is used instead. ->**Note:**  The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. -  +>**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. + The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive is not available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example: -- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 -- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 +- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2 +- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42 ### Enforce drive encryption type on fixed data drives 
@@ -1335,13 +1334,13 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio -  -**Reference** + +Reference This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. ->**Note:**  This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. -  +>**Note:** This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. + For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). ### Enforce drive encryption type on operating system drives 
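Review bot: the `>**Note:**` line in this hunk is rewritten only to collapse the double space after the label, but while it is being touched the command reference `**manage-bde -w**` should be inline code (`manage-bde -w`) rather than bold, since it is a literal command-line invocation and not a UI label like the other bold terms in the sentence. The same note text is repeated in the next two hunks for operating system drives and removable data drives with small wording drift ("Full encryption" in this hunk and the next, "Full Encryption" in the @@ -1433 hunk), so normalizing the three copies in this same pass would be cheap.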
@@ -1384,13 +1383,13 @@ This policy controls whether operating system drives utilize Full encryption or -  -**Reference** + +Reference This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. ->**Note:**  This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. -  +>**Note:** This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. + For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). ### Enforce drive encryption type on removable data drives 
@@ -1433,13 +1432,13 @@ This policy controls whether fixed data drives utilize Full encryption or Used S -  -**Reference** + +Reference This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. ->**Note:**  This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. -  +>**Note:** This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: **manage-bde -w**. If the volume is shrunk, no action is taken for the new free space. + For more information about the tool to manage BitLocker, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx). ### Choose how BitLocker-protected operating system drives can be recovered @@ -1458,7 +1457,7 @@ This policy setting is used to configure recovery methods for operating system d

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -1479,12 +1478,12 @@ This policy setting is used to configure recovery methods for operating system d

                                                                                    When disabled or not configured

                                                                                    -

                                                                                    The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

                                                                                    +

                                                                                    The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

                                                                                    -  -**Reference** + +Reference This policy setting is applied when you turn on BitLocker. 
@@ -1497,15 +1496,15 @@ In **Configure user storage of BitLocker recovery information**, select whether Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. -In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS. +In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS. -Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. 
+Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. ->**Note:**  If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. -  -### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) +>**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. -This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista. +### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) + +This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista. @@ -1519,11 +1518,11 @@ This policy setting is used to configure recovery methods for BitLocker-protecte - + - + @@ -1531,7 +1530,7 @@ This policy setting is used to configure recovery methods for BitLocker-protecte - + @@ -1543,23 +1542,23 @@ This policy setting is used to configure recovery methods for BitLocker-protecte

                                                                                    Introduced

                                                                                    Windows Server 2008 and Windows Vista

                                                                                    Windows Server 2008 and Windows Vista

                                                                                    Drive type

                                                                                    Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista

                                                                                    Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista

                                                                                    Policy path

                                                                                    Conflicts

                                                                                    This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error.

                                                                                    This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error.

                                                                                    When enabled

                                                                                    -  -**Reference** -This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. +Reference -Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains a 256-bit recovery key. +This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. -Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving it to a folder stores the 48-digit recovery password as a text file. Printing it sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder. +Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains a 256-bit recovery key. ->**Important:**  If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. -The 48-digit recovery password is not available in FIPS-compliance mode. -  ->**Important:**  To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs. 
-  -### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) +Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving it to a folder stores the 48-digit recovery password as a text file. Printing it sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder. -This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. +> **Important:** If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. +> The 48-digit recovery password is not available in FIPS-compliance mode. +> +> **Important:** To prevent data loss, you must have a way to recover BitLocker encryption keys. If you do not allow both recovery options, you must enable the backup of BitLocker recovery information to AD DS. Otherwise, a policy error occurs. + +### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) + +This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. @@ -1569,15 +1568,15 @@ This policy setting is used to configure the storage of BitLocker recovery infor - + - + - + @@ -1589,28 +1588,28 @@ This policy setting is used to configure the storage of BitLocker recovery infor - + - +

                                                                                    Policy description

                                                                                    With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.

                                                                                    With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.

                                                                                    Introduced

                                                                                    Windows Server 2008 and Windows Vista

                                                                                    Windows Server 2008 and Windows Vista

                                                                                    Drive type

                                                                                    Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.

                                                                                    Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.

                                                                                    Policy path

                                                                                    When enabled

                                                                                    BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.

                                                                                    BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.

                                                                                    When disabled or not configured

                                                                                    BitLocker recovery information is not backed up to AD DS.

                                                                                    BitLocker recovery information is not backed up to AD DS.

                                                                                    -  -**Reference** -This policy is only applicable to computers running Windows Server 2008 or Windows Vista. +Reference + +This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. BitLocker recovery information includes the recovery password and unique identifier data. You can also include a package that contains an encryption key for a BitLocker-protected drive. This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted. -If you select **Require BitLocker backup to AD DS**, BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. +If you select **Require BitLocker backup to AD DS**, BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive’s BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted. -If the **Require BitLocker backup to AD DS** option is not selected, AD DS backup is attempted, but network or other backup failures do not prevent the BitLocker setup. The Backup process is not automatically retried, and the recovery password might not be stored in AD DS during BitLocker setup. 
+If the **Require BitLocker backup to AD DS** option is not selected, AD DS backup is attempted, but network or other backup failures do not prevent the BitLocker setup. The Backup process is not automatically retried, and the recovery password might not be stored in AD DS during BitLocker setup. TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services** to ensure that TPM information is also backed up. For more information about this setting, see [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings). @@ -1631,7 +1630,7 @@ This policy setting is used to configure the default folder for recovery passwor

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Vista

                                                                                    +

                                                                                    Windows Vista

                                                                                    Drive type

                                                                                    @@ -1647,21 +1646,21 @@ This policy setting is used to configure the default folder for recovery passwor

                                                                                    When enabled

                                                                                    -

                                                                                    You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view.

                                                                                    +

                                                                                    You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view.

                                                                                    When disabled or not configured

                                                                                    -

                                                                                    The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.

                                                                                    +

                                                                                    The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.

                                                                                    -  -**Reference** + +Reference This policy setting is applied when you turn on BitLocker. ->**Note:**  This policy setting does not prevent the user from saving the recovery password in another folder. -  +>**Note:** This policy setting does not prevent the user from saving the recovery password in another folder. + ### Choose how BitLocker-protected fixed drives can be recovered This policy setting is used to configure recovery methods for fixed data drives. @@ -1678,7 +1677,7 @@ This policy setting is used to configure recovery methods for fixed data drives.

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -1699,30 +1698,30 @@ This policy setting is used to configure recovery methods for fixed data drives.

                                                                                    When disabled or not configured

                                                                                    -

                                                                                    The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

                                                                                    +

                                                                                    The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

                                                                                    -  -**Reference** + +Reference This policy setting is applied when you turn on BitLocker. The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. -In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. +In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. -In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. -Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. +In **Save BitLocker recovery information to Active Directory Doman Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. 
If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. +Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. For more information about the BitLocker repair tool, see [Repair-bde](https://technet.microsoft.com/library/ff829851.aspx). -Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. + +>**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. ->**Note:**  If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. -  ### Choose how BitLocker-protected removable drives can be recovered This policy setting is used to configure recovery methods for removable data drives. @@ -1739,7 +1738,7 @@ This policy setting is used to configure recovery methods for removable data dri

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -1760,12 +1759,12 @@ This policy setting is used to configure recovery methods for removable data dri

                                                                                    When disabled or not configured

                                                                                    -

                                                                                    The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

                                                                                    +

                                                                                    The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

                                                                                    -  -**Reference** + +Reference This policy setting is applied when you turn on BitLocker. 
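Review bot: In the Reference block at the end of this hunk the label loses its emphasis (`-**Reference**` becomes `+Reference`), so it now renders as an ordinary paragraph that is indistinguishable from the body text after it; keep `**Reference**` (or promote it to a `###`-style heading, which the document already uses) unless a plain label is the intended new convention, and note that the same change recurs in every Reference block in this patch.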
@@ -1775,12 +1774,12 @@ In **Configure user storage of BitLocker recovery information**, select whether Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you cannot specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. -In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. +In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. -Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. 
+ +>**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. ->**Note:**  If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. -  ### Configure the pre-boot recovery message and URL This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked. @@ -1797,7 +1796,7 @@ This policy setting is used to configure the entire recovery message and to repl

                                                                                    Introduced

                                                                                    -

                                                                                    Windows 10

                                                                                    +

                                                                                    Windows 10

                                                                                    Drive type

                                                                                    @@ -1821,8 +1820,8 @@ This policy setting is used to configure the entire recovery message and to repl -  -**Reference** + +Reference Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key. 
@@ -1832,10 +1831,10 @@ Once you enable the setting you have three options: - If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box will be displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message. - If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which will be displayed on the pre-boot recovery screen. ->**Important:**  Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen. -  ->**Important:**  Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. -  +> **Important:** Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen. +> +> **Important:** Because you can alter the BCDEdit commands manually before you have set Group Policy settings, you cannot return the policy setting to the default setting by selecting the **Not Configured** option after you have configured this policy setting. 
To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box. + ### Allow Secure Boot for integrity validation This policy controls how BitLocker-enabled system volumes are handled in conjunction with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy. @@ -1864,8 +1863,8 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc

                                                                                    Conflicts

                                                                                    -

                                                                                    If you enable **Allow Secure Boot for integrity validation**, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

                                                                                    -

                                                                                    For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.

                                                                                    +

                                                                                    If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

                                                                                    +

                                                                                    For more information about PCR 7, see Platform Configuration Register (PCR) in this topic.

                                                                                    When enabled or not configured
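Review bot: The rewritten Conflicts cell in this hunk drops the `[Platform Configuration Register (PCR)](#bkmk-pcr)` cross-reference and the bold on **Allow Secure Boot for integrity validation**, leaving only plain text "see Platform Configuration Register (PCR) in this topic" with nothing to click. If the markdown was removed because it does not render inside this HTML table, keep the link as an HTML anchor (`<a href="#bkmk-pcr">`) instead; the PCR section is what explains why PCR 7 must be included for Secure Boot validation, and the reader loses the path to it otherwise.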

                                                                                    @@ -1877,14 +1876,14 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc -  -**Reference** + +Reference Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. ->**Warning:**  Enabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. -  +>**Warning:** Enabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. + ### Provide the unique identifiers for your organization This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. @@ -1901,7 +1900,7 @@ This policy setting is used to establish an identifier that is applied to all dr

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    @@ -1925,8 +1924,8 @@ This policy setting is used to establish an identifier that is applied to all dr -  -**Reference** + +Reference These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. @@ -1940,7 +1939,7 @@ You can configure the identification fields on existing drives by using the [Man When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization. -Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters. +Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters. ### Prevent memory overwrite on restart @@ -1958,7 +1957,7 @@ This policy setting is used to control whether the computer's memory will be ove

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Vista

                                                                                    +

                                                                                    Windows Vista

                                                                                    Drive type

                                                                                    @@ -1982,8 +1981,8 @@ This policy setting is used to control whether the computer's memory will be ove -  -**Reference** + +Reference This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. @@ -1999,7 +1998,7 @@ This policy setting determines what values the TPM measures when it validates ea

                                                                                    Policy description

                                                                                    -

                                                                                    With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

                                                                                    +

                                                                                    With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

                                                                                    Introduced

                                                                                    
@@ -2027,30 +2026,30 @@ This policy setting determines what values the TPM measures when it validates ea -  -**Reference** + +Reference This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. ->**Important:**  This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. -  -A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: +>**Important:** This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. + +A platform validation profile consists of a set of PCR indices that range from 0 to 23. 
The default platform validation profile secures the encryption key against changes to the following: - Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) -- Option ROM Code (PCR 2) +- Option ROM Code (PCR 2) - Master Boot Record (MBR) Code (PCR 4) - NTFS Boot Sector (PCR 8) - NTFS Boot Block (PCR 9) - Boot Manager (PCR 10) - BitLocker Access Control (PCR 11) ->**Note:**  Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. -  +>**Note:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. + The following list identifies all of the PCRs available: - PCR 0: Core root-of-trust for measurement, BIOS, and Platform extensions - PCR 1: Platform and motherboard configuration and data. -- PCR 2: Option ROM code +- PCR 2: Option ROM code - PCR 3: Option ROM data and configuration - PCR 4: Master Boot Record (MBR) code - PCR 5: Master Boot Record (MBR) partition table 
@@ -2062,9 +2061,9 @@ The following list identifies all of the PCRs available: - PCR 11: BitLocker access control - PCR 12-23: Reserved for future use -### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) +### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) -This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7. +This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7. @@ -2074,11 +2073,11 @@ This policy setting determines what values the TPM measures when it validates ea - + - + @@ -2102,28 +2101,28 @@ This policy setting determines what values the TPM measures when it validates ea

                                                                                    Policy description

                                                                                    With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

                                                                                    With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

                                                                                    Introduced

                                                                                    Windows Server 2008 and Windows Vista

                                                                                    Windows Server 2008 and Windows Vista

                                                                                    Drive type

                                                                                    -  -**Reference** + +Reference This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. -A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: +A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following: - Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0) -- Option ROM Code (PCR 2) +- Option ROM Code (PCR 2) - Master Boot Record (MBR) Code (PCR 4) - NTFS Boot Sector (PCR 8) - NTFS Boot Block (PCR 9) - Boot Manager (PCR 10) - BitLocker Access Control (PCR 11) ->**Note:**  The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only. -  +>**Note:** The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only. + The following list identifies all of the PCRs available: - PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code - PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration -- PCR 2: Option ROM code +- PCR 2: Option ROM code - PCR 3: Option ROM data and configuration - PCR 4: Master Boot Record (MBR) code or code from other boot devices - PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table 
@@ -2133,10 +2132,10 @@ The following list identifies all of the PCRs available: - PCR 9: NTFS boot block - PCR 10: Boot manager - PCR 11: BitLocker access control -- PCR 12 - 23: Reserved for future use +- PCR 12 - 23: Reserved for future use + +>**Warning:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. ->**Warning:**  Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. -  ### Configure TPM platform validation profile for native UEFI firmware configurations This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations. @@ -2149,7 +2148,7 @@ This policy setting determines what values the TPM measures when it validates ea

                                                                                    Policy description

                                                                                    -

                                                                                    With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.

                                                                                    +

                                                                                    With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.

                                                                                    Introduced

                                                                                    @@ -2167,7 +2166,7 @@ This policy setting determines what values the TPM measures when it validates ea

                                                                                    Conflicts

                                                                                    Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

                                                                                    If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.

                                                                                    -

                                                                                    For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.

                                                                                    +

                                                                                    For more information about PCR 7, see Platform Configuration Register (PCR) in this topic.

                                                                                    When enabled
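Review bot: As in the Allow Secure Boot hunk earlier in this patch, the `+` line in this Conflicts cell replaces `[Platform Configuration Register (PCR)](#bkmk-pcr)` with unlinked text; keep the cross-reference (as an HTML anchor if markdown does not render in the table), since the cell is warning that omitting PCR 7 silently disables Secure Boot-based integrity validation and the PCR section is where that is explained.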

                                                                                    
@@ -2179,20 +2178,20 @@ This policy setting determines what values the TPM measures when it validates ea -  -**Reference** + +Reference This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. ->**Important:**  This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. -  -A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). +>**Important:** This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. + +A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. 
The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). The following list identifies all of the PCRs available: - PCR 0: Core System Firmware executable code - PCR 1: Core System Firmware data -- PCR 2: Extended or pluggable executable code +- PCR 2: Extended or pluggable executable code - PCR 3: Extended or pluggable firmware data - PCR 4: Boot Manager - PCR 5: GPT/Partition Table 
@@ -2208,13 +2207,13 @@ The following list identifies all of the PCRs available: - PCR 12: Data events and highly volatile events - PCR 13: Boot Module Details - PCR 14: Boot Authorities -- PCR 15 – 23: Reserved for future use +- PCR 15 – 23: Reserved for future use + +>**Warning:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. ->**Warning:**  Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. -  ### Reset platform validation data after BitLocker recovery -This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. +This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. @@ -2256,14 +2255,14 @@ This policy setting determines if you want platform validation data to refresh w
                                                                                    -  -**Reference** + +Reference For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md). ### Use enhanced Boot Configuration Data validation profile -This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23. +This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23. @@ -2297,7 +2296,7 @@ This policy setting determines specific Boot Configuration Data (BCD) settings t - + @@ -2305,11 +2304,11 @@ This policy setting determines specific Boot Configuration Data (BCD) settings t

                                                                                    When disabled

                                                                                    The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.

                                                                                    The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.

                                                                                    When not configured

                                                                                    -  -**Reference** ->**Note:**  The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list. -  +Reference + +>**Note:** The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list. + ### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and if the application is installed on the drive. @@ -2326,7 +2325,7 @@ This policy setting is used to control whether access to drives is allowed by us

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    
@@ -2350,12 +2349,12 @@ This policy setting is used to control whether access to drives is allowed by us -  -**Reference** ->**Note:**  This policy setting does not apply to drives that are formatted with the NTFS file system. -  -When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. +Reference + +>**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system. + +When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. 
In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. ### Allow access to BitLocker-protected removable data drives from earlier versions of Windows @@ -2373,7 +2372,7 @@ This policy setting controls access to removable data drives that are using the

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    +

                                                                                    Windows Server 2008 R2 and Windows 7

                                                                                    Drive type

                                                                                    
@@ -2397,12 +2396,12 @@ This policy setting controls access to removable data drives that are using the -  -**Reference** ->**Note:**  This policy setting does not apply to drives that are formatted with the NTFS file system. -  -When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed. +Reference + +>**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system. + +When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. 
In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box is not selected, BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go Reader installed. ## FIPS setting @@ -2420,7 +2419,7 @@ You can configure the Federal Information Processing Standard (FIPS) setting for

                                                                                    Introduced

                                                                                    -

                                                                                    Windows Server 2003 with SP1

                                                                                    +

                                                                                    Windows Server 2003 with SP1

                                                                                    Drive type

                                                                                    @@ -2436,7 +2435,7 @@ You can configure the Federal Information Processing Standard (FIPS) setting for

                                                                                    When enabled

                                                                                    -

                                                                                    Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup izard to create a recovery password.

                                                                                    +

                                                                                    Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup izard to create a recovery password.

                                                                                    When disabled or not configured

                                                                                    @@ -2444,12 +2443,12 @@ You can configure the Federal Information Processing Standard (FIPS) setting for -  -**Reference** + +Reference This policy needs to be enabled before any encryption key is generated for BitLocker. Note that when this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead. -You can save the optional recovery key to a USB drive. Because recovery passwords cannot be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy. +You can save the optional recovery key to a USB drive. Because recovery passwords cannot be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy. You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) or by editing the Windows registry. You must be an administrator to perform these procedures. @@ -2468,7 +2467,7 @@ You can use disable the following Group Policy settings, which are located in ** ## About the Platform Configuration Register (PCR) -A platform validation profile consists of a set of PCR indices that range from 0 to 23. The scope of the values can be specific to the version of the operating system. +A platform validation profile consists of a set of PCR indices that range from 0 to 23. The scope of the values can be specific to the version of the operating system. Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. 
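Review bot: the `+` line in the `@@ -2436,7 +2435,7 @@` hunk (FIPS setting, "When enabled" row) still carries the typo "BitLocker Drive Encryption Setup izard"; since that line is being rewritten anyway, correct it to "BitLocker Drive Encryption Setup Wizard" rather than re-adding the misspelling. The rest of the hunk is a whitespace-only change and is fine.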
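Review bot: the unchanged context line at the top of the `@@ -2468,7 +2467,7 @@` hunk, "You can use disable the following Group Policy settings", reads as a leftover from an earlier edit; it is outside this whitespace-only change, but "You can disable the following Group Policy settings" would be worth fixing in the same pass or a follow-up.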
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index f68cb99959..a5e58c1e6b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -58,7 +58,7 @@ The network stack must be enabled to use the Network Unlock feature. Equipment m >**Note:**  To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled. For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail. -  + The Network Unlock server component installs on supported versions of Windows Server 2012 and later as a Windows feature using Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement. Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service needs to be running on the server. 
@@ -244,7 +244,7 @@ The following steps describe how to enable the Group Policy setting that is a re The following steps describe how to deploy the required Group Policy setting: >**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. -  + 1. Copy the .cer file created for Network Unlock to the domain controller. 2. On the domain controller, launch Group Policy Management Console (gpmc.msc). 3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. @@ -257,8 +257,8 @@ The following steps describe how to deploy the required Group Policy setting: >**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer. 5. Reboot the clients after deploying the group policy. ->**Note:** The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store. -  + >**Note:** The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store. + ### Subnet policy configuration files on WDS Server (Optional) By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock. 
@@ -276,7 +276,7 @@ The subnet policy configuration file must use a “\[SUBNETS\]” section to ide Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. >**Note:**  When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid. -   + Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. [‎2158a767e1c14e88e27a4c0aee111d2de2eafe60] 
@@ -293,7 +293,7 @@ To disallow the use of a certificate altogether, its subnet list may contain the To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. >**Note:**  Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. -  + ## Update Network Unlock certificates To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller. 
@@ -302,19 +302,19 @@ To update the certificates used by Network Unlock, administrators need to import Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure. Items to verify include: -- Verify client hardware is UEFI-based and is on firmware version is 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode. -- All required roles and services are installed and started -- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer. -- Group policy for Network Unlock is enabled and linked to the appropriate domains. -- Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. -- Verify the clients were rebooted after applying the policy. -- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: +- Verify client hardware is UEFI-based and is on firmware version is 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. 
Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode. +- All required roles and services are installed and started +- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer. +- Group policy for Network Unlock is enabled and linked to the appropriate domains. +- Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. +- Verify the clients were rebooted after applying the policy. +- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: - ``` syntax - manage-bde –protectors –get C: - ``` ->**Note:**  Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock -  + ``` syntax + manage-bde –protectors –get C: + ``` + >**Note:** Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock + Files to gather when troubleshooting BitLocker Network Unlock include: 1. The Windows event logs. Specifically the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log 
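Review bot: the re-indented command in the `@@ -302,19 +302,19 @@` hunk, `manage-bde –protectors –get C:`, still uses en-dashes (U+2013) instead of ASCII hyphens, so it fails with an unrecognized-parameter error when a reader copies it into a command prompt; the fenced block should read `manage-bde -protectors -get C:`. While these lines are being touched, also fix "lcoal computer" to "local computer" and the first bullet, "is UEFI-based and is on firmware version is 2.3.1", which should read "is UEFI-based, is running UEFI firmware version 2.3.1, and that the UEFI firmware is in native mode ...".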
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md index 5800a3cbf3..349af8295f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.md @@ -60,7 +60,7 @@ BitLocker is designed to make the encrypted drive unrecoverable without the requ > [!IMPORTANT]   > Store the recovery information in AD DS, along with your Microsoft Account, or another safe location. -  + ## Can the USB flash drive that is used as the startup key also be used to store the recovery key? While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index 548d76a9ff..054d1aedf7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md 
@@ -42,7 +42,7 @@ For requirements, see [System requirements](bitlocker-overview.md#system-require > [!NOTE]   > Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker. -  + ## Why are two partitions required? Why does the system drive have to be so large? Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index b4574f870b..f21beec5e9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -64,7 +64,7 @@ The following list provides examples of specific events that will cause BitLocke - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. >**Note:**  Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different. -   + - Moving the BitLocker-protected drive into a new computer. - Upgrading the motherboard to a new one with a new TPM. - Losing the USB flash drive containing the startup key when startup key authentication has been enabled. 
@@ -73,20 +73,20 @@ The following list provides examples of specific events that will cause BitLocke - Changing the usage authorization for the storage root key of the TPM to a non-zero value. >**Note:**  The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value. -   + - Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr). - Pressing the F8 or F10 key during the boot process. - Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards. - Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive. >**Note:**  Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components. -  + For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key. >**Note:**  If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. 
If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. -  + Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. ## Testing recovery @@ -107,7 +107,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t `manage-bde. -ComputerName -forcerecovery ` > **Note:**  Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx). -  + ## Planning your recovery process When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model. 
@@ -143,7 +143,7 @@ In each of these policies, select **Save BitLocker recovery information to Activ DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds. >**Note:**  If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required. -  + The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory. You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool. 
@@ -183,7 +183,7 @@ Before you give the user the recovery password, you should gather any informatio Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. >**Note:**  Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. -  + ### Post-recovery analysis When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption 
@@ -218,11 +218,11 @@ After you have identified what caused recovery, you can reset BitLocker protecti The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately. >**Note:**  You can perform a BitLocker validation profile reset by suspending and resuming BitLocker. -  -- [Unknown PIN](#bkmk-unknownpin) -- [Lost startup key](#bkmk-loststartup) -- [Changes to boot files](#bkmk-changebootknown) -### Unknown PIN + +- [Unknown PIN](#bkmk-unknownpin) +- [Lost startup key](#bkmk-loststartup) +- [Changes to boot files](#bkmk-changebootknown) + ### Unknown PIN If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted. 
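Review bot: `+ ### Unknown PIN` in the `@@ -218,11 +218,11 @@` hunk has a leading space before `###` that the other headings in this file (for example `### Post-recovery analysis`) do not. Markdown tolerates up to three leading spaces on an ATX heading, but drop it so the heading matches the rest of the file and is not treated as list continuation by stricter linters.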
@@ -262,7 +262,7 @@ Besides the 48-digit BitLocker recovery password, other types of recovery inform If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password. >**Note:**  You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. -  + The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). ## Resetting recovery passwords @@ -301,7 +301,7 @@ You can reset the recovery password in two ways: Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} ``` >**Warning:**  You must include the braces in the ID string. -   + **To run the sample recovery password script** 1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. 
@@ -309,10 +309,10 @@ You can reset the recovery password in two ways: **cscript ResetPassword.vbs** ->**Important:**  This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. -  +> **Important:** This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset. +> > **Note:**  To manage a remote computer, you can specify the remote computer name rather than the local computer name. -  + You can use the following sample script to create a VBScript file to reset the recovery passwords. ``` syntax @@ -732,5 +732,5 @@ End Function ## See also - [BitLocker overview](bitlocker-overview.md) -  -  + + diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md index 4d265652da..0a3788fac9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.md @@ -41,4 +41,4 @@ Most operating systems use a shared memory space and rely on the operating syste > [!NOTE]   > Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. -  + diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md index c203a3038f..db58b1db22 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.md 
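Review bot: In the @@ -309 hunk of bitlocker-recovery-guide.md the new "+>" line joins the "> **Important:**" callout and the "> **Note:**" callout into a single blockquote, so they will render as one box instead of the two separate callouts the old text had; if that merge is not intended, replace the "+>" line with an empty line so the Important and Note remain distinct, and either way consider the "> [!IMPORTANT]" / "> [!NOTE]" syntax the other files in this same patch already use so the callouts are consistent across the repo.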
@@ -42,4 +42,4 @@ Users need to suspend BitLocker for Non-Microsoft software updates, such as: > [!NOTE]   > If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. -  + diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index 775641bd28..30fea18843 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -61,7 +61,7 @@ manage-bde -on C: ``` >**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started. -  + An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command: ``` syntax 
@@ -99,7 +99,7 @@ You may experience a problem that damages an area of a hard disk on which BitLoc The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. >**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. -  + The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. You should use Repair-bde if the following conditions are true: 1. You have encrypted the drive by using BitLocker Drive Encryption. 
@@ -107,7 +107,7 @@ The Repair-bde command-line tool is intended for use when the operating system d 3. You do not have a copy of the data that is contained on the encrypted drive. >**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. -  + The following limitations exist for Repair-bde: - The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process. 
@@ -245,14 +245,14 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work -  + Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. -A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLockerVolume` cmdlet. -The `Get-BitLockerVolume` cmdlet output gives information on the volume type, protectors, protection status and other details. +A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet. +The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status and other details. >**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. `Get-BitLockerVolume C: | fl` -  + If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below: 
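Review bot: The two rewritten lines in the @@ -245 hunk drop the backticks around `Get-BitLockerVolume` ("You can do this using the Get-BitLockerVolume cmdlet." and "The Get-BitLockerVolume cmdlet output gives information ..."), while the unchanged Tip line two lines later still writes `Get-BitLockerVolume` and `Get-BitLockerVolume C: | fl` as inline code, as does `Remove-BitLockerKeyProtector` further down; keep the inline-code formatting on the cmdlet names so the page stays consistent, since nothing in the hunk explains why the formatting was removed.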
@@ -271,7 +271,7 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` >**Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. -  + ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell. @@ -303,7 +303,7 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover to and be unlocked by any member computer of the cluster. >**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes -  + To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. ``` syntax 
@@ -313,13 +313,13 @@ Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Adminis For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: >**Note:**  Use of this command requires the RSAT-AD-PowerShell feature. -  + ``` syntax get-aduser -filter {samaccountname -eq "administrator"} ``` >**Tip:**  In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. -  + The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: ``` syntax @@ -327,7 +327,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5- ``` >**Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. -  + ## More information - [BitLocker overview](bitlocker-overview.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md index f11f253520..a8069a69e9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md @@ -80,7 +80,7 @@ Both fixed and removable data drives can be locked by using the Manage-bde comma > [!NOTE]   > Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible. -  + The syntax of this command is: manage-bde driveletter -lock 
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 6b87ab3d0a..2f53662c16 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -72,7 +72,7 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi | Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.| | Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.| | Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.| -  + ### BitLocker authentication methods | Authentication method | Requires user interaction | Description | 
@@ -82,7 +82,7 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi | TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. | | TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.| | Startup key only | Yes| The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.| -  + **Will you support computers without TPM version 1.2 or higher?** Determine whether you will support computers that do not have a TPM version 1.2 or higher in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This requires additional support processes similar to multifactor authentication. 
@@ -185,7 +185,7 @@ The following recovery data is saved for each computer object: Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode. >**Note:**  The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.  -  + Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](https://support.microsoft.com/kb/947249). But on computers running these supported systems with BitLocker enabled: diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 2bfdbc799e..e19f192e4c 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -33,14 +33,14 @@ BitLocker can protect both physical disk resources and cluster shared volumes ve BitLocker on volumes within a cluster are managed based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a storage area network (SAN) or network attached storage (NAS). >**Important**  SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](https://msdn.microsoft.com/library/windows/hardware/dn930814.aspx). -  + Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. >**Note:**  Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption. -  + For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. 
You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector @@ -57,7 +57,7 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote 4. Registry-based auto-unlock key >**Note:**  A Windows Server 2012 or later domain controller is required for this feature to work properly. -  + ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following: @@ -77,7 +77,7 @@ BitLocker encryption is available for disks before or after addition to a cluste ``` >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. -   + 5. Repeat the preceding steps for each disk in the cluster. 6. Add the volume(s) to the cluster. @@ -110,7 +110,7 @@ When the cluster service owns a disk resource already, it needs to be set into m Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. -   + 6. Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode: ``` syntax 
@@ -191,7 +191,7 @@ The following table contains information about both Physical Disk Resources (i.e

                                                                                    Manage-bde Pause/Resume

                                                                                    Blocked

                                                                                    -

                                                                                    Blocked**

                                                                                    +

                                                                                    Blocked

                                                                                    Blocked

                                                                                    Allowed

                                                                                    @@ -260,9 +260,9 @@ The following table contains information about both Physical Disk Resources (i.e -  ->**Note:**  Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node -  + +>
                                                                                    Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node + In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process. ### Other considerations when using BitLocker on CSV2.0 diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md index 8f371a81d8..aa97e1a83e 100644 --- a/windows/security/information-protection/encrypted-hard-drive.md +++ b/windows/security/information-protection/encrypted-hard-drive.md @@ -43,7 +43,7 @@ Encrypted Hard Drives are supported natively in the operating system through the >[!WARNING]   >Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment. -  + If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](https://msdn.microsoft.com/library/windows/hardware/dn653989.aspx). ## System Requirements 
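Review bot: The re-added Note line in the @@ -260 hunk of protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md shows as ">Note:** Although the manage-bde -pause command ..." with no opening "**" before "Note", so the bold markup is unbalanced and a stray "**" will render after the colon; verify the committed line reads ">**Note:** Although ..." like the other Note callouts in this patch, and while the line is being touched, end the sentence ("... from the MDS node") with a period.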
@@ -65,7 +65,7 @@ For an Encrypted Hard Drive used as a **startup drive**: >[!WARNING]   >All Encrypted Hard Drives must be attached to non-RAID controllers to function properly. -  + ## Technical overview Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an Encrypted Hard Drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk. diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index c5d676a798..8e25014ef9 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md 
@@ -131,17 +131,17 @@ If you want to stop using the services that are provided by the TPM, you can use **To turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511 only)** -1. Open the TPM MMC (tpm.msc). +1. Open the TPM MMC (tpm.msc). -2. In the **Action** pane, click **Turn TPM Off** to display the **Turn off the TPM security hardware** page. +2. In the **Action** pane, click **Turn TPM Off** to display the **Turn off the TPM security hardware** page. -3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: +3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: - - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**. + - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**. - - If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**. + - If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**. 
- - If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. + - If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. ## Use the TPM cmdlets diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md index f7441169d2..05dbc34f16 100644 --- a/windows/security/information-protection/tpm/manage-tpm-lockout.md +++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md 
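Review bot: Step 3 of the "To turn off the TPM" procedure in initialize-and-configure-ownership-of-the-tpm.md is re-indented in this hunk but keeps the grammatical error "select a method to enter your owner password and turning off the TPM"; since the line is already being rewritten, change it to "select a method to enter your owner password and turn off the TPM" rather than leaving the mismatched verb form in place.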
@@ -50,18 +50,18 @@ The following procedure explains the steps to reset the TPM lockout by using the **To reset the TPM lockout** -1. Open the TPM MMC (tpm.msc). +1. Open the TPM MMC (tpm.msc). -2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard. +2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard. -3. Choose one of the following methods to enter the TPM owner password: +3. Choose one of the following methods to enter the TPM owner password: - - If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location. + - If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location. - - If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided. + - If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided. - > [!NOTE] - > If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it. + > [!NOTE] + > If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it. ## Use Group Policy to manage TPM lockout settings diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 323333ab6b..1fc294342f 100644 
--- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -123,9 +123,9 @@ Introduced in Windows 10, version 1703, this policy setting configures the TPM t > [!IMPORTANT] > Setting this policy will take effect only if: -- The TPM was originally prepared using a version of Windows after Windows 10 Version 1607 -- The system has a TPM 2.0. - +> - The TPM was originally prepared using a version of Windows after Windows 10 Version 1607 +> - The system has a TPM 2.0. +> > [!NOTE] > Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only ways for the disabled setting of this policy to take effect on a system where it was once enabled are to either: > - Disable it from group policy diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index da9857782f..d251a04493 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md 
@@ -189,9 +189,9 @@ Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary >[!NOTE] >Replace & received from step 5. In installation parameters, don't place & in quotes ("" or ''). -6. After the agent is deployed, data will be received within approximately 10 minutes. +6. After the agent is deployed, data will be received within approximately 10 minutes. -7. To search for logs, go to **Log Analytics workspace** > **Logs**, and type **Event** in search. +7. To search for logs, go to **Log Analytics workspace** > **Logs**, and type **Event** in search. ***Example*** ``` diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index c0d07f877a..bd212a95e3 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -21,8 +21,8 @@ ms.date: 05/13/2019 # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager **Applies to:** -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later +- Windows 10, version 1607 and later +- Windows 10 Mobile, version 1607 and later - System Center Configuration Manager System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. 
@@ -74,107 +74,107 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the ** **To add a store app** -1. From the **App rules** area, click **Add**. - +1. From the **App rules** area, click **Add**. + The **Add app rule** box appears. ![Create Configuration Item wizard, add a universal store app](images/wip-sccm-adduniversalapp.png) -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. -4. Pick **Store App** from the **Rule template** drop-down list. +4. Pick **Store App** from the **Rule template** drop-down list. The box changes to show the store app rule options. -5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. +5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. **To find the Publisher and Product Name values for Store apps without installing them** -1. 
Go to the [Microsoft Store for Business](https://businessstore.microsoft.com/store) website, and find your app. For example, Microsoft OneNote. +1. Go to the [Microsoft Store for Business](https://businessstore.microsoft.com/store) website, and find your app. For example, Microsoft OneNote. - >[!NOTE] + > [!NOTE] + > + > If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. - >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. -2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. +3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. -3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. 
+ The API runs and opens a text editor with the app details. - The API runs and opens a text editor with the app details. + ``` json + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` - ``` json - { - "packageIdentityName": "Microsoft.Office.OneNote", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` +4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. -4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. - - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

                                                                                    For example:

                                                                                    - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` + > [!IMPORTANT] + > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

                                                                                    For example:

                                                                                    + > ```json + > { + > "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + > } + > ``` **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** -1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. +1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >[!NOTE] - >Your PC and phone must be on the same wireless network. + >[!NOTE] + >Your PC and phone must be on the same wireless network. -2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. +2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. -3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. +3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. -4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. +4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. -5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. +5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. -6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. +6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. -7. Start the app for which you're looking for the publisher and product name values. +7. 
Start the app for which you're looking for the publisher and product name values. -8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. +8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. - >For example:

                                                                                    - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` + > [!IMPORTANT] + > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. + > For example:

                                                                                    + > ```json + > { + > "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + > } + > ``` ### Add a desktop app rule to your policy For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. **To add a desktop app to your policy** -1. From the **App rules** area, click **Add**. - +1. From the **App rules** area, click **Add**. + The **Add app rule** box appears. ![Create Configuration Item wizard, add a classic desktop app](images/wip-sccm-adddesktopapp.png) -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. -4. Pick **Desktop App** from the **Rule template** drop-down list. +4. Pick **Desktop App** from the **Rule template** drop-down list. The box changes to show the desktop app rule options. -5. Pick the options you want to include for the app rule (see table), and then click **OK**. +5. Pick the options you want to include for the app rule (see table), and then click **OK**. 
@@ -231,13 +231,13 @@ Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. **To create an app rule and xml file using the AppLocker tool** -1. Open the Local Security Policy snap-in (SecPol.msc). - -2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. +1. Open the Local Security Policy snap-in (SecPol.msc). + +2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) -3. Right-click in the right-hand pane, and then click **Create New Rule**. +3. Right-click in the right-hand pane, and then click **Create New Rule**. The **Create Packaged app Rules** wizard appears. @@ -249,7 +249,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) -6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. +6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) 
@@ -265,13 +265,13 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) -10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. +10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. The **Export policy** box opens, letting you export and save your new policy as XML. ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) -11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. +11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. The policy is saved and you’ll see a message that says 1 rule was exported from the policy. 
@@ -293,24 +293,24 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* - + ``` 12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager. **To import your Applocker policy file app rule using System Center Configuration Manager** -1. From the **App rules** area, click **Add**. - +1. From the **App rules** area, click **Add**. + The **Add app rule** box appears. ![Create Configuration Item wizard, add an AppLocker policy](images/wip-sccm-addapplockerfile.png) -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. -4. Pick the **AppLocker policy file** from the **Rule template** drop-down list. +4. Pick the **AppLocker policy file** from the **Rule template** drop-down list. The box changes to let you import your AppLocker XML policy file. 
@@ -323,17 +323,17 @@ If you're running into compatibility issues where your app is incompatible with **To exempt a store app, a desktop app, or an AppLocker policy file app rule** -1. From the **App rules** area, click **Add**. - +1. From the **App rules** area, click **Add**. + The **Add app rule** box appears. -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. -3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. +3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. -4. Fill out the rest of the app rule info, based on the type of rule you’re adding: +4. Fill out the rest of the app rule info, based on the type of rule you’re adding: - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. @@ -341,7 +341,7 @@ If you're running into compatibility issues where your app is incompatible with - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. -5. Click **OK**. +5. Click **OK**. ## Manage the WIP-protection level for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. 
@@ -386,74 +386,72 @@ There are no default locations included with WIP, you must add each of your netw The **Add or edit corporate network definition** box appears. -2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. +2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-sccm-add-network-domain.png) - -
                                                                                    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                    Network location typeFormatDescription
                                                                                    Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
                                                                                    contoso.visualstudio.com,contoso.internalproxy2.com

                                                                                    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

                                                                                    Specify the cloud resources to be treated as corporate and protected by WIP.

                                                                                    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

                                                                                    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

                                                                                    Important
                                                                                    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

                                                                                    Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

                                                                                    This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

                                                                                    If you have multiple resources, you must separate them using the "," delimiter.

                                                                                    Proxy serversproxy.contoso.com:80;proxy2.contoso.com:443Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

                                                                                    This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

                                                                                    If you have multiple resources, you must separate them using the ";" delimiter.
                                                                                    Internal proxy serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

                                                                                    This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

                                                                                    If you have multiple resources, you must separate them using the ";" delimiter.
                                                                                    Enterprise IPv4 Range (Required)**Starting IPv4 Address:** 3.4.0.1
                                                                                    **Ending IPv4 Address:** 3.4.255.254
                                                                                    **Custom URI:** 3.4.0.1-3.4.255.254,
                                                                                    10.0.0.1-10.255.255.254
                                                                                    Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

                                                                                    If you have multiple ranges, you must separate them using the "," delimiter.

                                                                                    Enterprise IPv6 Range**Starting IPv6 Address:** 2a01:110::
                                                                                    **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
                                                                                    **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
                                                                                    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                                                                                    Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

                                                                                    If you have multiple ranges, you must separate them using the "," delimiter.

                                                                                    Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

                                                                                    These locations are considered enterprise or personal, based on the context of the connection before the redirection.

                                                                                    If you have multiple resources, you must separate them using the "," delimiter.

                                                                                    + ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-sccm-add-network-domain.png) -3. Add as many locations as you need, and then click **OK**. + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                    + + + + + + + + + + + + + + +
                                                                                    Network location typeFormatDescription
                                                                                    Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
                                                                                    contoso.visualstudio.com,contoso.internalproxy2.com

                                                                                    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

                                                                                    Specify the cloud resources to be treated as corporate and protected by WIP.

                                                                                    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

                                                                                    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

                                                                                    Important
                                                                                    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

                                                                                    Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

                                                                                    This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

                                                                                    If you have multiple resources, you must separate them using the "," delimiter.

                                                                                    Proxy serversproxy.contoso.com:80;proxy2.contoso.com:443Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

                                                                                    This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

                                                                                    If you have multiple resources, you must separate them using the ";" delimiter.
                                                                                    Internal proxy serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

                                                                                    This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

                                                                                    If you have multiple resources, you must separate them using the ";" delimiter.
                                                                                    Enterprise IPv4 Range (Required)Starting IPv4 Address: 3.4.0.1
                                                                                    Ending IPv4 Address: 3.4.255.254
                                                                                    Custom URI: 3.4.0.1-3.4.255.254,
                                                                                    10.0.0.1-10.255.255.254
                                                                                    Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

                                                                                    If you have multiple ranges, you must separate them using the "," delimiter.

                                                                                    Enterprise IPv6 RangeStarting IPv6 Address: 2a01:110::
                                                                                    Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
                                                                                    Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
                                                                                    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
                                                                                    Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

                                                                                    If you have multiple ranges, you must separate them using the "," delimiter.

                                                                                    Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

                                                                                    These locations are considered enterprise or personal, based on the context of the connection before the redirection.

                                                                                    If you have multiple resources, you must separate them using the "," delimiter.

                                                                                    - The **Add or edit corporate network definition** box closes. +3. Add as many locations as you need, and then click **OK**. -4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer. + The **Add or edit corporate network definition** box closes. - ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png) +4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer. - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option. + ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png) - - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option. + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. 
Not configured is the default option. - - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option. + - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option. -5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - - ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-sccm-dra.png) + - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option. - After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. 
To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). +5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. + + ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-sccm-dra.png) + + After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. 
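Review bot: Step 4 of this hunk is re-emitted with a stray "to" still in place ("Decide if you want to Windows to look for additional network settings"); since the line is already being rewritten for trailing whitespace, correct it to "Decide if you want Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer." In the same hunk, the DRA paragraph's "the private key that can unencrypt the data" would read better as "the private key that can decrypt the data."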
@@ -461,24 +459,24 @@ After you've decided where your protected apps can access enterprise data on you ![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-sccm-additionalsettings.png) **To set your optional settings** -1. Choose to set any or all of the optional settings: +1. Choose to set any or all of the optional settings: - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - + - **Yes (recommended).** Turns on the feature and provides the additional protection. - + - **No, or not configured.** Doesn't enable this feature. - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: - - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. - - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. 
- + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don’t specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to. @@ -492,7 +490,7 @@ After you've finished configuring your policy, you can review all of your info o - Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-sccm-summaryscreen.png) - + A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. ## Deploy the WIP policy diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 555d14d86c..af4c35b94e 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md 
@@ -82,28 +82,28 @@ Microsoft still has apps that are unenlightened, but which have been tested and ## Adding enlightened Microsoft apps to the allowed apps list You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager. -|Product name |App info | -|-------------|---------| -|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.MicrosoftEdge
                                                                                    **App Type:** Universal app | -|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.People
                                                                                    **App Type:** Universal app | -|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Office.Word
                                                                                    **App Type:** Universal app | -|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Office.Excel
                                                                                    **App Type:** Universal app | -|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Office.PowerPoint
                                                                                    **App Type:** Universal app | -|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Office.OneNote
                                                                                    **App Type:** Universal app | -|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** microsoft.windowscommunicationsapps
                                                                                    **App Type:** Universal app | -|Office 365 ProPlus and Office 2019 Professional Plus |Office 365 ProPlus and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
                                                                                    We don't recommend setting up Office by using individual paths or publisher rules.| -|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Windows.Photos
                                                                                    **App Type:** Universal app | -|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.ZuneMusic
                                                                                    **App Type:** Universal app | -|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.ZuneVideo
                                                                                    **App Type:** Universal app | -|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Messaging
                                                                                    **App Type:** Universal app | -|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Binary Name:** iexplore.exe
                                                                                    **App Type:** Desktop app | -|OneDrive Sync Client|**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Binary Name:** onedrive.exe
                                                                                    **App Type:** Desktop app| -|OneDrive app|**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Microsoftskydrive
                                                                                    **Product Version:**Product version: 17.21.0.0 (and later)
                                                                                    **App Type:** Universal app | -|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Binary Name:** notepad.exe
                                                                                    **App Type:** Desktop app | -|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Binary Name:** mspaint.exe
                                                                                    **App Type:** Desktop app | -|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Binary Name:** mstsc.exe
                                                                                    **App Type:** Desktop app | -|Microsoft MAPI Repair Tool |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Binary Name:** fixmapi.exe
                                                                                    **App Type:** Desktop app | +| Product name | App info | +|------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Microsoft Edge | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.MicrosoftEdge
                                                                                    **App Type:** Universal app | +| Microsoft People | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.People
                                                                                    **App Type:** Universal app | +| Word Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Office.Word
                                                                                    **App Type:** Universal app | +| Excel Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Office.Excel
                                                                                    **App Type:** Universal app | +| PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Office.PowerPoint
                                                                                    **App Type:** Universal app | +| OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Office.OneNote
                                                                                    **App Type:** Universal app | +| Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** microsoft.windowscommunicationsapps
                                                                                    **App Type:** Universal app | +| Office 365 ProPlus and Office 2019 Professional Plus | Office 365 ProPlus and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
                                                                                    We don't recommend setting up Office by using individual paths or publisher rules. | +| Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Windows.Photos
                                                                                    **App Type:** Universal app | +| Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.ZuneMusic
                                                                                    **App Type:** Universal app | +| Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.ZuneVideo
                                                                                    **App Type:** Universal app | +| Microsoft Messaging | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Messaging
                                                                                    **App Type:** Universal app | +| IE11 | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Binary Name:** iexplore.exe
                                                                                    **App Type:** Desktop app | +| OneDrive Sync Client | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Binary Name:** onedrive.exe
                                                                                    **App Type:** Desktop app | +| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Product Name:** Microsoft.Microsoftskydrive
                                                                                    Product Version:Product version: 17.21.0.0 (and later)
                                                                                    **App Type:** Universal app | +| Notepad | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Binary Name:** notepad.exe
                                                                                    **App Type:** Desktop app | +| Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Binary Name:** mspaint.exe
                                                                                    **App Type:** Desktop app | +| Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Binary Name:** mstsc.exe
                                                                                    **App Type:** Desktop app | +| Microsoft MAPI Repair Tool | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                                                                                    **Binary Name:** fixmapi.exe
                                                                                    **App Type:** Desktop app | >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 8956fb9a6d..e9ee801003 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -20,8 +20,8 @@ ms.localizationpriority: medium # Limitations while using Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later +- Windows 10, version 1607 and later +- Windows 10 Mobile, version 1607 and later This table provides info about the most common problems you might encounter while running WIP in your organization. @@ -33,7 +33,7 @@ This table provides info about the most common problems you might encounter whil Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. - If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.

                                                                                    If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. + If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.

                                                                                    If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

                                                                                    We strongly recommend educating employees about how to limit or eliminate the need for this decryption. @@ -49,7 +49,7 @@ This table provides info about the most common problems you might encounter whil Cortana can potentially allow data leakage if it’s on the allowed apps list. If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft. - We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app. + We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app. WIP is designed for use by a single user per device. @@ -74,7 +74,7 @@ This table provides info about the most common problems you might encounter whil Redirected folders with Client Side Caching are not compatible with WIP. Apps might encounter access errors while attempting to read a cached, offline file. - Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

                                                                                    Note
                                                                                    For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045). + Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

                                                                                    Note
                                                                                    For more info about Work Folders and Offline Files, see the blog, Work Folders and Offline Files support for Windows Information Protection. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, Can't open files offline when you use Offline Files and Windows Information Protection. An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device. @@ -82,17 +82,17 @@ This table provides info about the most common problems you might encounter whil Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default. - You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. - A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. + You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. + A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. Open File Explorer and change the file ownership to Personal before you upload. ActiveX controls should be used with caution. Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. - We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.

                                                                                    For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). + We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.

                                                                                    For more info, see Out-of-date ActiveX control blocking. - Resilient File System (ReFS) isn't currently supported with WIP. + Resilient File System (ReFS) isn't currently supported with WIP. Trying to save or transfer WIP files to ReFS will fail. Format drive for NTFS, or use a different drive. @@ -115,7 +115,7 @@ This table provides info about the most common problems you might encounter whil

                                                                                  WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using System Center Configuration Manager. - Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

                                                                                  If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

                                                                                  If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. @@ -126,8 +126,7 @@ This table provides info about the most common problems you might encounter whil - By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can't access it. - + By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can't access it.
                                                                                  Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it. diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 08b0e55777..08af5d2456 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -21,8 +21,8 @@ ms.date: 03/05/2019 # Testing scenarios for Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 and later -- Windows 10 Mobile, version 1607 and later +- Windows 10, version 1607 and later +- Windows 10 Mobile, version 1607 and later We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. @@ -48,7 +48,7 @@ You can try any of the processes included in these scenarios, but you should foc
                                                                                  1. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
                                                                                  2. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
                                                                                    Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
                                                                                  3. -
                                                                                  4. Select the same file, click File ownership from the drop down menu, and then click Personal.
                                                                                    Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
                                                                                  5. +
                                                                                  6. Select the same file, click File ownership from the drop down menu, and then click Personal.
                                                                                    Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
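Review bot: the `+` block in the `@@ -48,7 +48,7 @@` hunk is a whitespace-only copy of the `-` block, while the two context lines above it still spell "elipsis" twice (the `...` control is an "ellipsis"). Fold that fix into this change rather than leaving a typo in steps this patch already touches, for example `click the ellipsis (...), and then click Select`.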
                                                                                  @@ -56,21 +56,20 @@ You can try any of the processes included in these scenarios, but you should foc Create work documents in enterprise-allowed apps. For desktop:

                                                                                    -
                                                                                  • Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.
                                                                                    Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.

                                                                                    Important
                                                                                    Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.

                                                                                    For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.
                                                                                  • +
                                                                                  • Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.
                                                                                    Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.

                                                                                    Important
                                                                                    Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.

                                                                                    For more info about your Enterprise Identity and adding apps to your allowed apps list, see either Create a Windows Information Protection (WIP) policy using Microsoft Intune or Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager, based on your deployment system.
                                                                                  For mobile:

                                                                                  1. Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
                                                                                    Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
                                                                                  2. Open the same document and attempt to save it to a non-work-related location.
                                                                                    WIP should stop you from saving the file to this location.
                                                                                  3. -
                                                                                  4. Open the same document one last time, make a change to the contents, and then save it again using the Personal option.
                                                                                    Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
                                                                                  5. +
                                                                                  6. Open the same document one last time, make a change to the contents, and then save it again using the Personal option.
                                                                                    Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
                                                                                  - - +
                                                                                  Block enterprise data from non-enterprise apps.
                                                                                    -
                                                                                  1. Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.
                                                                                    The app shouldn't be able to access the file.
                                                                                  2. +
                                                                                  3. Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.
                                                                                    The app shouldn't be able to access the file.
                                                                                  4. Try double-clicking or tapping on the work-encrypted file.
                                                                                    If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.
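Review bot: the `+` version of the desktop paragraph in the `@@ -56,21 +56,20 @@` hunk drops the two cross-reference links that the `-` version carried, `[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)` and the matching `create-wip-policy-using-sccm.md` link; the rewritten text now reads as bare titles with no target. If the intent was only to normalise whitespace, restore the links (as markdown, or as `<a href>` elements if the table cell needs HTML); otherwise the PR description should say why the references were removed, because this paragraph is where the tester learns how to populate the allowed-apps list the rest of the scenarios depend on.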
                                                                                  @@ -79,8 +78,8 @@ You can try any of the processes included in these scenarios, but you should foc Copy and paste from enterprise apps to non-enterprise apps.
                                                                                    -
                                                                                  1. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.
                                                                                    You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
                                                                                  2. -
                                                                                  3. Click Keep at work.
                                                                                    The content isn't pasted into the non-enterprise app.
                                                                                  4. +
                                                                                  5. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.
                                                                                    You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
                                                                                  6. +
                                                                                  7. Click Keep at work.
                                                                                    The content isn't pasted into the non-enterprise app.
                                                                                  8. Repeat Step 1, but this time click Change to personal, and try to paste the content again.
                                                                                    The content is pasted into the non-enterprise app.
                                                                                  9. Try copying and pasting content between apps on your allowed apps list.
                                                                                    The content should copy and paste between apps without any warning messages.
                                                                                  @@ -90,8 +89,8 @@ You can try any of the processes included in these scenarios, but you should foc Drag and drop from enterprise apps to non-enterprise apps.
                                                                                    -
                                                                                  1. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.
                                                                                    You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                                                                                  2. -
                                                                                  3. Click Keep at work.
                                                                                    The content isn't dropped into the non-enterprise app.
                                                                                  4. +
                                                                                  5. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.
                                                                                    You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                                                                                  6. +
                                                                                  7. Click Keep at work.
                                                                                    The content isn't dropped into the non-enterprise app.
                                                                                  8. Repeat Step 1, but this time click Change to personal, and try to drop the content again.
                                                                                    The content is dropped into the non-enterprise app.
                                                                                  9. Try dragging and dropping content between apps on your allowed apps list.
                                                                                    The content should move between the apps without any warning messages.
                                                                                  @@ -101,8 +100,8 @@ You can try any of the processes included in these scenarios, but you should foc Share between enterprise apps and non-enterprise apps.
                                                                                    -
                                                                                  1. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.
                                                                                    You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                                                                                  2. -
                                                                                  3. Click Keep at work.
                                                                                    The content isn't shared into Facebook.
                                                                                  4. +
                                                                                  5. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.
                                                                                    You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                                                                                  6. +
                                                                                  7. Click Keep at work.
                                                                                    The content isn't shared into Facebook.
                                                                                  8. Repeat Step 1, but this time click Change to personal, and try to share the content again.
                                                                                    The content is shared into Facebook.
                                                                                  9. Try sharing content between apps on your allowed apps list.
                                                                                    The content should share between the apps without any warning messages.
                                                                                  @@ -114,7 +113,7 @@ You can try any of the processes included in these scenarios, but you should foc
                                                                                  1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
                                                                                    Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
                                                                                  2. Open File Explorer and make sure your modified files are appearing with a Lock icon.
                                                                                  3. -
                                                                                  4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

                                                                                    Note
                                                                                    Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.

                                                                                    A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
                                                                                  5. +
                                                                                  6. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

                                                                                    Note
                                                                                    Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.

                                                                                    A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
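Review bot: step 2 in the `@@ -114,7 +113,7 @@` hunk tells the tester to look for a "Lock icon" on encrypted files, while every other scenario in this file (steps 1 and 2 of the first scenario, the mobile steps, the file-share scenario) calls the same indicator the "Briefcase icon"; the `+` block carries that inconsistency over unchanged, and a tester following the page literally cannot tell whether they are two different states. Use one term throughout. In the note under step 3, also write "WordPad" rather than "Wordpad", and since this note explains that Notepad, WordPad and Paint can be added to the allowed-apps list, it is worth one clause saying that doing so lets them open work-encrypted files, which is exactly the boundary the earlier "Block enterprise data from non-enterprise apps" scenario verifies.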
                                                                                  @@ -133,7 +132,7 @@ You can try any of the processes included in these scenarios, but you should foc
                                                                                  1. Download a file from a protected file share, making sure the file is encrypted by locating the Briefcase icon next to the file name.
                                                                                  2. Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.
                                                                                  3. -
                                                                                  4. Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.
                                                                                    The app shouldn't be able to access the file share.
                                                                                  5. +
                                                                                  6. Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.
                                                                                    The app shouldn't be able to access the file share.
                                                                                  @@ -142,8 +141,8 @@ You can try any of the processes included in these scenarios, but you should foc
                                                                                  1. Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.
                                                                                  2. -
                                                                                  3. Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.
                                                                                    Both browsers should respect the enterprise and personal boundary.
                                                                                  4. -
                                                                                  5. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
                                                                                    IE11 shouldn't be able to access the sites.

                                                                                    Note
                                                                                    Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
                                                                                  6. +
                                                                                  7. Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.
                                                                                    Both browsers should respect the enterprise and personal boundary.
                                                                                  8. +
                                                                                  9. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
                                                                                    IE11 shouldn't be able to access the sites.

                                                                                    Note
                                                                                    Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
                                                                                  @@ -151,9 +150,9 @@ You can try any of the processes included in these scenarios, but you should foc Verify your Virtual Private Network (VPN) can be auto-triggered.
                                                                                    -
                                                                                  1. Set up your VPN network to start based on the WIPModeID setting.
                                                                                    For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune-azure.md) topic.
                                                                                  2. +
                                                                                  3. Set up your VPN network to start based on the WIPModeID setting.
                                                                                    For specific info about how to do this, see the Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune topic.
                                                                                  4. Start an app from your allowed apps list.
                                                                                    The VPN network should automatically start.
                                                                                  5. -
                                                                                  6. Disconnect from your network and then start an app that isn't on your allowed apps list.
                                                                                    The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
                                                                                  7. +
                                                                                  8. Disconnect from your network and then start an app that isn't on your allowed apps list.
                                                                                    The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
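Review bot: the `@@ -151,9 +150,9 @@` hunk has the same link regression as the desktop paragraph: the `-` step 1 links to `create-vpn-and-wip-policy-using-intune-azure.md`, the `+` step 1 only says "see the Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune topic" with no target; restore the link. Step 3 as written also does not isolate what it claims to test: "Disconnect from your network and then start an app that isn't on your allowed apps list" followed by "the app shouldn't be able to access your enterprise network" is trivially true with no network at all, so the observation says nothing about the WIPModeID trigger. Reword it to disconnect the VPN while staying on the network, so that "the VPN shouldn't start" is the thing actually being observed for a non-allowed app.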
                                                                                  @@ -161,7 +160,7 @@ You can try any of the processes included in these scenarios, but you should foc Unenroll client devices from WIP.
                                                                                    -
                                                                                  • Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove.
                                                                                    The device should be removed and all of the enterprise content for that managed account should be gone.

                                                                                    Important
                                                                                    On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
                                                                                  • +
                                                                                  • Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove.
                                                                                    The device should be removed and all of the enterprise content for that managed account should be gone.

                                                                                    Important
                                                                                    On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
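Review bot: in the `@@ -161,7 +160,7 @@` hunk the expected result of the bullet ("all of the enterprise content for that managed account should be gone") contradicts the Important note two lines below it ("On desktop devices, the data isn't removed and can be recovered"), and the `+` block carries both statements over unchanged. Reword the expected result to match the note, for example "enterprise content should no longer be accessible: on desktop the files remain on disk but are marked Revoked, on mobile they are removed", and tell the tester where to confirm the Revoked state, since this is the step that decides whether an unenrolled device still holds readable work data.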
                                                                                  @@ -169,7 +168,7 @@ You can try any of the processes included in these scenarios, but you should foc Verify that app content is protected when a Windows 10 Mobile phone is locked.
                                                                                    -
                                                                                  • Check that protected app data doesn't appear on the Lock screen of a Windows 10 Mobile phone.
                                                                                  • +
                                                                                  • Check that protected app data doesn't appear on the Lock screen of a Windows 10 Mobile phone.
                                                                                  diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 846cc9148c..1a252befcc 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md 
@@ -59,13 +59,13 @@ The security audit policy settings in this category can be used to monitor chang Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on that computer, and to understand how a computer is being used. This category includes the following subcategories: -- [Audit DPAPI Activity](audit-dpapi-activity.md) -- [Audit PNP activity](audit-pnp-activity.md) -- [Audit Process Creation](audit-process-creation.md) -- [Audit Process Termination](audit-process-termination.md) -- [Audit RPC Events](audit-rpc-events.md) -- [Audit Credential Validation](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-credential-validation) -> **Note:** For more information, see [Security Monitoring](https://blogs.technet.microsoft.com/nathangau/2018/01/25/security-monitoring-a-possible-new-way-to-detect-privilege-escalation/) +- [Audit DPAPI Activity](audit-dpapi-activity.md) +- [Audit PNP activity](audit-pnp-activity.md) +- [Audit Process Creation](audit-process-creation.md) +- [Audit Process Termination](audit-process-termination.md) +- [Audit RPC Events](audit-rpc-events.md) +- [Audit Credential Validation](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-credential-validation) + > **Note:** For more information, see [Security Monitoring](https://blogs.technet.microsoft.com/nathangau/2018/01/25/security-monitoring-a-possible-new-way-to-detect-privilege-escalation/) ## DS Access 
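Review bot: in the `@@ -59,13 +59,13 @@` hunk the `+ > **Note:**` line gains a leading space, which in markdown turns the blockquote into a lazy continuation of the last list item ("Audit Credential Validation") instead of a note that applies to the whole Detailed Tracking list; if the Security Monitoring link is meant for the list as a whole, keep the note unindented and separate it from the list with a blank line. The same entry is also the only one in the list that uses an absolute `https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-credential-validation` URL where its siblings use relative `.md` links in the same folder; `audit-credential-validation.md` would be consistent and would not break when the docs host moves.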
@@ -153,7 +153,7 @@ Resource SACLs are also useful for diagnostic scenarios. For example, setting th > **Note:**  If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy. -  + This category includes the following subcategories: - [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md) - [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index d2bf7b48d5..d09135ef91 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -47,9 +47,9 @@ You can configure this security setting by opening the appropriate policy under | 681 | Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family. | | 682 | A user has reconnected to a disconnected terminal server session. | | 683 | A user disconnected a terminal server session without logging off. | -  + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) -  -  + + diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 6cadbd0467..a9c1e83493 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md 
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -20,7 +20,7 @@ ms.date: 04/19/2017 # Audit account management **Applies to** -- Windows 10 +- Windows 10 Determines whether to audit each event of account management on a device. @@ -42,54 +42,55 @@ set this value to **No auditing**, in the **Properties** dialog box for this pol You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. -| Account management events | Description | -| - | - | -| 624 | A user account was created.| -| 627 | A user password was changed.| -| 628 | A user password was set. | -| 630 | A user account was deleted.| -| 631 | A global group was created. | -| 632 | A member was added to a global group.| -| 633 | A member was removed from a global group.| -| 634 | A global group was deleted. | -| 635 | A new local group was created.| -| 636 | A member was added to a local group.| -| 637 | A member was removed from a local group.| -| 638 | A local group was deleted. | -| 639 | A local group account was changed.| -| 641 | A global group account was changed.| -| 642 | A user account was changed. | -| 643 | A domain policy was modified. | -| 644 | A user account was auto locked. | -| 645 | A computer account was created. | -| 646 | A computer account was changed. | -| 647 | A computer account was deleted. | -| 648 | A local security group with security disabled was created.
                                                                                  **Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | | -| 649 | A local security group with security disabled was changed. | -| 650 | A member was added to a security-disabled local security group. | -| 651 | A member was removed from a security-disabled local security group. | -| 652 | A security-disabled local group was deleted. | -| 653 | A security-disabled global group was created. | -| 645 | A security-disabled global group was changed. | -| 655 | A member was added to a security-disabled global group. | -| 656 | A member was removed from a security-disabled global group. | -| 657 | A security-disabled global group was deleted. | -| 658 | A security-enabled universal group was created. | -| 659 | A security-enabled universal group was changed. | -| 660 | A member was added to a security-enabled universal group. | -| 661 | A member was removed from a security-enabled universal group. | -| 662 | A security-enabled universal group was deleted. | -| 663 | A security-disabled universal group was created. | -| 664 | A security-disabled universal group was changed. | -| 665 | A member was added to a security-disabled universal group. | -| 666 | A member was removed from a security-disabled universal group. | -| 667 | A security-disabled universal group was deleted. | -| 668 | A group type was changed. | -| 684 | Set the security descriptor of members of administrative groups. | -| 685 | Set the security descriptor of members of administrative groups.
                                                                                  **Note:**  Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.| -  + +| Account management events | Description | +|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 624 | A user account was created. | +| 627 | A user password was changed. | +| 628 | A user password was set. | +| 630 | A user account was deleted. | +| 631 | A global group was created. | +| 632 | A member was added to a global group. | +| 633 | A member was removed from a global group. | +| 634 | A global group was deleted. | +| 635 | A new local group was created. | +| 636 | A member was added to a local group. | +| 637 | A member was removed from a local group. | +| 638 | A local group was deleted. | +| 639 | A local group account was changed. | +| 641 | A global group account was changed. | +| 642 | A user account was changed. | +| 643 | A domain policy was modified. | +| 644 | A user account was auto locked. | +| 645 | A computer account was created. | +| 646 | A computer account was changed. | +| 647 | A computer account was deleted. | +| 648 | A local security group with security disabled was created.
                                                                                  **Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | +| 649 | A local security group with security disabled was changed. | +| 650 | A member was added to a security-disabled local security group. | +| 651 | A member was removed from a security-disabled local security group. | +| 652 | A security-disabled local group was deleted. | +| 653 | A security-disabled global group was created. | +| 645 | A security-disabled global group was changed. | +| 655 | A member was added to a security-disabled global group. | +| 656 | A member was removed from a security-disabled global group. | +| 657 | A security-disabled global group was deleted. | +| 658 | A security-enabled universal group was created. | +| 659 | A security-enabled universal group was changed. | +| 660 | A member was added to a security-enabled universal group. | +| 661 | A member was removed from a security-enabled universal group. | +| 662 | A security-enabled universal group was deleted. | +| 663 | A security-disabled universal group was created. | +| 664 | A security-disabled universal group was changed. | +| 665 | A member was added to a security-disabled universal group. | +| 666 | A member was removed from a security-disabled universal group. | +| 667 | A security-disabled universal group was deleted. | +| 668 | A group type was changed. | +| 684 | Set the security descriptor of members of administrative groups. | +| 685 | Set the security descriptor of members of administrative groups.
                                                                                  **Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) -  -  + + diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index c963a15582..a1744341ec 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -28,7 +28,7 @@ By default, this value is set to no auditing in the Default Domain Controller Gr If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a SACL specified. To set this value to **No auditing,** in the **Properties** dialog box for this policy setting, select the **Define these policy settings** check box and clear the **Success** and **Failure** check boxes. > **Note:**  You can set a SACL on an Active Directory object by using the **Security** tab in that object's **Properties** dialog box. This is the same as Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects. -  + **Default:** - Success on domain controllers. 
@@ -43,9 +43,9 @@ There is only one directory service access event, which is identical to the Obje | Directory service access events | Description | |---------------------------------|----------------------------------------| | 566 | A generic object operation took place. | -  + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) -  -  + + diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index add06e6d3b..01df735d39 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -65,7 +65,7 @@ You can configure this security setting by opening the appropriate policy under | 552 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. | | 682 | A user has reconnected to a disconnected terminal server session. | | 683 | A user disconnected a terminal server session without logging off. | -  + When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type. @@ -80,9 +80,9 @@ When event 528 is logged, a logon type is also listed in the event log. The foll | 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.| | 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop.| | 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.| -  + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) -  -  + + 
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index 5bd4f5cfbc..26e2122845 100644 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -20,7 +20,7 @@ ms.date: 04/19/2017 # Audit object access **Applies to** -- Windows 10 +- Windows 10 Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified. @@ -28,60 +28,61 @@ If you define this policy setting, you can specify whether to audit successes, a To set this value to **No auditing**, in the **Properties** dialog box for this policy setting, select the Define these policy settings check box and clear the **Success** and **Failure** check boxes. -> **Note:**  You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box. -  +> **Note:** You can set a SACL on a file system object using the **Security** tab in that object's **Properties** dialog box. + **Default:** No auditing. ## Configure this audit setting You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. -| Object access events | Description | -| - | - | -| 560 | Access was granted to an already existing object.| -| 562 | A handle to an object was closed. | -| 563 | An attempt was made to open an object with the intent to delete it.
                                                                                  **Note: **  This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().|| -| 564 | A protected object was deleted. | -| 565 | Access was granted to an already existing object type.| -| 567 | A permission associated with a handle was used.
                                                                                  **Note: **  A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used.| -| 568 | An attempt was made to create a hard link to a file that is being audited. | -| 569 | The resource manager in Authorization Manager attempted to create a client context.| -| 570 | A client attempted to access an object.
                                                                                  **Note:**  An event will be generated for every attempted operation on the object.| -| 571 | The client context was deleted by the Authorization Manager application. | -| 572 | The administrator manager initialized the application. | -| 772 | The certificate manager denied a pending certificate request.| -| 773 | Certificate Services received a resubmitted certificate request.| -| 774 | Certificate Services revoked a certificate.| -| 775 | Certificate Services received a request to publish the certificate revocation list (CRL).| -| 776 | Certificate Services published the certificate revocation list (CRL). | -| 777 | A certificate request extension was made. | -| 778 | One or more certificate request attributes changed.| -| 779 | Certificate Services received a request to shutdown.| -| 780 | Certificate Services backup started. | -| 781 | Certificate Services backup completed | -| 782 | Certificate Services restore started. | -| 783 | Certificate Services restore completed.| -| 784 | Certificate Services started. | -| 785 | Certificate Services stopped. | -| 786 | The security permissions for Certificate Services changed.| -| 787 | Certificate Services retrieved an archived key. | -| 788 | Certificate Services imported a certificate into its database.| -| 789 | The audit filter for Certificate Services changed. | -| 790 | Certificate Services received a certificate request.| -| 791 | Certificate Services approved a certificate request and issued a certificate.| -| 792 | Certificate Services denied a certificate request. | -| 793 | Certificate Services set the status of a certificate request to pending.| -| 794 | The certificate manager settings for Certificate Services changed. | -| 795 | A configuration entry changed in Certificate Services. | -| 796 | A property of Certificate Services changed. | -| 797 | Certificate Services archived a key. 
| -| 798 | Certificate Services imported and archived a key.| -| 799 | Certificate Services published the CA certificate to Active Directory.| -| 800 | One or more rows have been deleted from the certificate database. | -| 801 | Role separation enabled. | + +| Object access events | Description | +|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 560 | Access was granted to an already existing object. | +| 562 | A handle to an object was closed. | +| 563 | An attempt was made to open an object with the intent to delete it.
                                                                                  \*\*Note: \*\* This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile(). | +| 564 | A protected object was deleted. | +| 565 | Access was granted to an already existing object type. | +| 567 | A permission associated with a handle was used.
                                                                                  \*\*Note: \*\* A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. | +| 568 | An attempt was made to create a hard link to a file that is being audited. | +| 569 | The resource manager in Authorization Manager attempted to create a client context. | +| 570 | A client attempted to access an object.
                                                                                  **Note:** An event will be generated for every attempted operation on the object. | +| 571 | The client context was deleted by the Authorization Manager application. | +| 572 | The administrator manager initialized the application. | +| 772 | The certificate manager denied a pending certificate request. | +| 773 | Certificate Services received a resubmitted certificate request. | +| 774 | Certificate Services revoked a certificate. | +| 775 | Certificate Services received a request to publish the certificate revocation list (CRL). | +| 776 | Certificate Services published the certificate revocation list (CRL). | +| 777 | A certificate request extension was made. | +| 778 | One or more certificate request attributes changed. | +| 779 | Certificate Services received a request to shutdown. | +| 780 | Certificate Services backup started. | +| 781 | Certificate Services backup completed | +| 782 | Certificate Services restore started. | +| 783 | Certificate Services restore completed. | +| 784 | Certificate Services started. | +| 785 | Certificate Services stopped. | +| 786 | The security permissions for Certificate Services changed. | +| 787 | Certificate Services retrieved an archived key. | +| 788 | Certificate Services imported a certificate into its database. | +| 789 | The audit filter for Certificate Services changed. | +| 790 | Certificate Services received a certificate request. | +| 791 | Certificate Services approved a certificate request and issued a certificate. | +| 792 | Certificate Services denied a certificate request. | +| 793 | Certificate Services set the status of a certificate request to pending. | +| 794 | The certificate manager settings for Certificate Services changed. | +| 795 | A configuration entry changed in Certificate Services. | +| 796 | A property of Certificate Services changed. | +| 797 | Certificate Services archived a key. 
| +| 798 | Certificate Services imported and archived a key. | +| 799 | Certificate Services published the CA certificate to Active Directory. | +| 800 | One or more rows have been deleted from the certificate database. | +| 801 | Role separation enabled. | ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) -  -  + + diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index 7aa1349449..391acd4cfb 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md @@ -60,9 +60,9 @@ You can configure this security setting under Computer Configuration\\Windows Se | 770 | Trusted forest information was deleted.
                                                                                  **Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".| | 771 | Trusted forest information was modified.
                                                                                  **Note:**  This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation. Not all parameters are valid for each entry type. For example, parameters such as DNS name, NetBIOS name and SID are not valid for an entry of type "TopLevelName".| | 805 | The event log service read the security log configuration for a session. -  + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) -  -  + + diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index 9b18780002..3482f78df0 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -49,9 +49,9 @@ You can configure this security setting under Computer Configuration\\Windows Se | 576 | Specified privileges were added to a user's access token.
                                                                                  **Note:**  This event is generated when the user logs on.| | 577 | A user attempted to perform a privileged system service operation. | | 578 | Privileges were used on an already open handle to a protected object. | -  + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) -  -  + + diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index 73759977d6..cb8dcae793 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -47,9 +47,9 @@ You can configure this security setting under Computer Configuration\\Windows Se | 600 | A process was assigned a primary token.| | 601 | A user attempted to install a service. | | 602 | A scheduler job was created. | -  + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) -  -  + + diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index bfa4caac33..ce8988ec09 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md 
@@ -46,5 +46,5 @@ If you choose to audit access to objects as part of your audit policy, you must | [Apply a basic audit policy on a file or folder](apply-a-basic-audit-policy-on-a-file-or-folder.md) | You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log. | | [View the security event log](view-the-security-event-log.md) | The security log records each event as defined by the audit policies you set on each object.| | [Basic security audit policy settings](basic-security-audit-policy-settings.md) | Basic security audit policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.| -  -  + + diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index 4020fa5c16..a630363f60 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md @@ -37,9 +37,9 @@ Basic security audit policy settings are found under Computer Configuration\\Win | [Audit privilege use](basic-audit-privilege-use.md) | Determines whether to audit each instance of a user exercising a user right. | | [Audit process tracking](basic-audit-process-tracking.md) | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.| | [Audit system events](basic-audit-system-events.md) | Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. | -  + ## Related topics - [Basic security audit policy settings](basic-security-audit-policy-settings.md) -  -  + + 
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index d9fc64ad2b..08fcff8219 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -79,7 +79,6 @@ This event generates on domain controllers, member servers, and workstations. 0 - ``` ***Required Server Roles:*** None. @@ -167,7 +166,7 @@ This event generates on domain controllers, member servers, and workstations. | 0xC0000072 | User logon to account disabled by administrator | | 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. | | 0XC0000133 | Clocks between DC and other computer too far out of sync | -| 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine | +| 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine | | 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. | | 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. | | 0xC0000193 | User logon with expired account | @@ -179,7 +178,7 @@ This event generates on domain controllers, member servers, and workstations. | 0x0 | Status OK. | > Table: Windows logon status codes. - +> > **Note**  To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK. More information: diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index 00374c59d0..d0474f5941 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md 
@@ -75,7 +75,6 @@ This event generates on the computer to which the logon was performed (target co - - ``` ***Required Server Roles:*** None. @@ -158,7 +157,7 @@ This event generates on the computer to which the logon was performed (target co - “dadmin” – claim value. -**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value**.** For computer accounts this field has device claims listed. +**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value. For computer accounts this field has device claims listed. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md index d1530124ac..13513c1eb8 100644 --- a/windows/security/threat-protection/auditing/event-4661.md +++ b/windows/security/threat-protection/auditing/event-4661.md @@ -74,7 +74,6 @@ This event generates only if Success auditing is enabled for the [Audit Handle M {bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501} - ``` ***Required Server Roles:*** For an Active Directory object, the domain controller role is required. For a SAM object, there is no required role. 
@@ -136,15 +135,15 @@ This event generates only if Success auditing is enabled for the [Audit Handle M - SAM\_SERVER - distinguished name of the accessed object. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4662](event-4662.md): An operation was performed on an object.” This parameter might not be captured in the event, and in that case appears as “0x0”. diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md index 642c7429a2..31fd7fd716 100644 --- a/windows/security/threat-protection/auditing/event-4662.md +++ b/windows/security/threat-protection/auditing/event-4662.md @@ -74,7 +74,6 @@ You will get one 4662 for each operation type which was performed. - ``` ***Required Server Roles:*** Active Directory domain controller. 
@@ -128,15 +127,15 @@ You will get one 4662 for each operation type which was performed. - **Object Name** \[Type = UnicodeString\]: distinguished name of the object that was accessed. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4661](event-4661.md): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”. diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index da2b226996..95a2dfe34f 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -70,7 +70,6 @@ Before this event can generate, certain ACEs might need to be set in the object C:\\Windows\\System32\\dllhost.exe - ``` ***Required Server Roles:*** None. 
@@ -144,11 +143,11 @@ Before this event can generate, certain ACEs might need to be set in the object - **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object. > **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. - +> > Example: - +> > *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) - +> > - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. > See the list of possible values in the table below: 
@@ -271,9 +270,9 @@ For file system and registry objects, the following recommendations apply. -- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” +- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.” -- If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.** +- If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.** -- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers**.** For example, you could monitor the **ntds.dit** file on domain controllers. +- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers. diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index fa86f173f3..1641acbc10 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -22,7 +22,7 @@ ms.author: dansimp Event 4672 illustration
                                                                                  -***Subcategory:*** [Audit Special Logon](audit-special-logon.md) +Subcategory: Audit Special Logon ***Event Description:*** @@ -87,7 +87,6 @@ You typically will see many of these events in the event log, because every logo SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege - ``` ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index 216f4520ca..1caa24d32d 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -67,7 +67,6 @@ Failure event generates when service call attempt fails. C:\\Windows\\System32\\lsass.exe - ``` ***Required Server Roles:*** None. @@ -134,42 +133,42 @@ Failure event generates when service call attempt fails. - **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables: -| **Subcategory of event** | **Privilege Name:
                                                                                  User Right Group Policy Name** | **Description** | -|-----------------------------------|----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Non Sensitive Privilege Use | **SeChangeNotifyPrivilege:
                                                                                  **Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                                                                                  With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| Audit Non Sensitive Privilege Use | **SeCreateGlobalPrivilege:
                                                                                  **Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| Audit Non Sensitive Privilege Use | **SeCreatePagefilePrivilege:
                                                                                  **Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| Audit Non Sensitive Privilege Use | **SeCreatePermanentPrivilege:
                                                                                  **Create permanent shared objects | Required to create a permanent object.
                                                                                  This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| Audit Non Sensitive Privilege Use | **SeCreateSymbolicLinkPrivilege:
                                                                                  **Create symbolic links | Required to create a symbolic link. | -| Audit Non Sensitive Privilege Use | **SeIncreaseBasePriorityPrivilege:
                                                                                  **Increase scheduling priority | Required to increase the base priority of a process.
                                                                                  With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| Audit Non Sensitive Privilege Use | **SeIncreaseQuotaPrivilege:
                                                                                  **Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                                                                                  With this privilege, the user can change the maximum memory that can be consumed by a process. | -| Audit Non Sensitive Privilege Use | **SeIncreaseWorkingSetPrivilege:
                                                                                  **Increase a process working set | Required to allocate more memory for applications that run in the context of users. | -| Audit Non Sensitive Privilege Use | **SeLockMemoryPrivilege:
                                                                                  **Lock pages in memory | Required to lock physical pages in memory.
                                                                                  With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Non Sensitive Privilege Use | **SeMachineAccountPrivilege:
                                                                                  **Add workstations to domain | With this privilege, the user can create a computer account.
                                                                                  This privilege is valid only on domain controllers. | -| Audit Non Sensitive Privilege Use | **SeManageVolumePrivilege:
                                                                                  **Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | -| Audit Non Sensitive Privilege Use | **SeProfileSingleProcessPrivilege:
                                                                                  **Profile single process | Required to gather profiling information for a single process.
                                                                                  With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | -| Audit Non Sensitive Privilege Use | **SeRelabelPrivilege:
                                                                                  **Modify an object label | Required to modify the mandatory integrity level of an object. | -| Audit Non Sensitive Privilege Use | **SeRemoteShutdownPrivilege:
                                                                                  **Force shutdown from a remote system | Required to shut down a system using a network request. | -| Audit Non Sensitive Privilege Use | **SeShutdownPrivilege:
                                                                                  **Shut down the system | Required to shut down a local system. | -| Audit Non Sensitive Privilege Use | **SeSyncAgentPrivilege:
                                                                                  **Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                                                                                  With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | -| Audit Non Sensitive Privilege Use | **SeSystemProfilePrivilege:
                                                                                  **Profile system performance | Required to gather profiling information for the entire system.
                                                                                  With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | -| Audit Non Sensitive Privilege Use | **SeSystemtimePrivilege:
                                                                                  **Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
                                                                                  If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | -| Audit Non Sensitive Privilege Use | **SeTimeZonePrivilege:
                                                                                  **Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | -| Audit Non Sensitive Privilege Use | **SeTrustedCredManAccessPrivilege:
                                                                                  **Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | -| Audit Non Sensitive Privilege Use | **SeUndockPrivilege:
                                                                                  **Remove computer from docking station | Required to undock a laptop.
                                                                                  With this privilege, the user can undock a portable computer from its docking station without logging on. | +| **Subcategory of event** | **Privilege Name:
                                                                                  User Right Group Policy Name** | **Description** | +|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                                                                                  Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                                                                                  With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                                                                                  Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                                                                                  Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                                                                                  Create permanent shared objects | Required to create a permanent object.
                                                                                  This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                                                                                  Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                                                                                  Increase scheduling priority | Required to increase the base priority of a process.
                                                                                  With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                                                                                  Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                                                                                  With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                                                                                  Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                                                                                  Lock pages in memory | Required to lock physical pages in memory.
                                                                                  With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                                                                                  Add workstations to domain | With this privilege, the user can create a computer account.
                                                                                  This privilege is valid only on domain controllers. | +| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                                                                                  Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                                                                                  Profile single process | Required to gather profiling information for a single process.
                                                                                  With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                                                                                  Modify an object label | Required to modify the mandatory integrity level of an object. | +| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                                                                                  Force shutdown from a remote system | Required to shut down a system using a network request. | +| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                                                                                  Shut down the system | Required to shut down a local system. | +| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                                                                                  Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                                                                                  With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                                                                                  Profile system performance | Required to gather profiling information for the entire system.
                                                                                  With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                                                                                  Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
                                                                                  If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                                                                                  Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                                                                                  Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                                                                                  Remove computer from docking station | Required to undock a laptop.
                                                                                  With this privilege, the user can undock a portable computer from its docking station without logging on. | -| **Subcategory of event** | **Privilege Name:
                                                                                  User Right Group Policy Name** | **Description** | -|-------------------------------|-----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege:
                                                                                  **Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| Audit Sensitive Privilege Use | **SeAuditPrivilege:
                                                                                  **Generate security audits | With this privilege, the user can add entries to the security log. | -| Audit Sensitive Privilege Use | **SeCreateTokenPrivilege:
                                                                                  **Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| Audit Sensitive Privilege Use | **SeDebugPrivilege:
                                                                                  **Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | -| Audit Sensitive Privilege Use | **SeImpersonatePrivilege:
                                                                                  **Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | -| Audit Sensitive Privilege Use | **SeLoadDriverPrivilege:
                                                                                  **Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| Audit Sensitive Privilege Use | **SeLockMemoryPrivilege:
                                                                                  **Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Sensitive Privilege Use | **SeSystemEnvironmentPrivilege:
                                                                                  **Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | -| Audit Sensitive Privilege Use | **SeTcbPrivilege:
                                                                                  **Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | -| Audit Sensitive Privilege Use | **SeEnableDelegationPrivilege:
                                                                                  **Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| **Subcategory of event** | **Privilege Name:
                                                                                  User Right Group Policy Name** | **Description** | +|-------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                                                                                  Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | SeAuditPrivilege:
                                                                                  Generate security audits | With this privilege, the user can add entries to the security log. | +| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                                                                                  Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| Audit Sensitive Privilege Use | SeDebugPrivilege:
                                                                                  Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                                                                                  Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                                                                                  Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                                                                                  Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                                                                                  Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | SeTcbPrivilege:
                                                                                  Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| Audit Sensitive Privilege Use | SeEnableDelegationPrivilege:
                                                                                  Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index 6f15f1ade2..b4146f681a 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -70,7 +70,6 @@ Failure event generates when operation attempt fails. C:\\Windows\\System32\\lsass.exe - ``` ***Required Server Roles:*** None. @@ -156,44 +155,44 @@ Failure event generates when operation attempt fails. - **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables: -| **Subcategory of event** | **Privilege Name:
                                                                                  User Right Group Policy Name** | **Description** | -|-----------------------------------|----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Non Sensitive Privilege Use | **SeChangeNotifyPrivilege:
                                                                                  **Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                                                                                  With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| Audit Non Sensitive Privilege Use | **SeCreateGlobalPrivilege:
                                                                                  **Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| Audit Non Sensitive Privilege Use | **SeCreatePagefilePrivilege:
                                                                                  **Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| Audit Non Sensitive Privilege Use | **SeCreatePermanentPrivilege:
                                                                                  **Create permanent shared objects | Required to create a permanent object.
                                                                                  This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| Audit Non Sensitive Privilege Use | **SeCreateSymbolicLinkPrivilege:
                                                                                  **Create symbolic links | Required to create a symbolic link. | -| Audit Non Sensitive Privilege Use | **SeIncreaseBasePriorityPrivilege:
                                                                                  **Increase scheduling priority | Required to increase the base priority of a process.
                                                                                  With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| Audit Non Sensitive Privilege Use | **SeIncreaseQuotaPrivilege:
                                                                                  **Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                                                                                  With this privilege, the user can change the maximum memory that can be consumed by a process. | -| Audit Non Sensitive Privilege Use | **SeIncreaseWorkingSetPrivilege:
                                                                                  **Increase a process working set | Required to allocate more memory for applications that run in the context of users. | -| Audit Non Sensitive Privilege Use | **SeLockMemoryPrivilege:
                                                                                  **Lock pages in memory | Required to lock physical pages in memory.
                                                                                  With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Non Sensitive Privilege Use | **SeMachineAccountPrivilege:
                                                                                  **Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. | -| Audit Non Sensitive Privilege Use | **SeManageVolumePrivilege:
                                                                                  **Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | -| Audit Non Sensitive Privilege Use | **SeProfileSingleProcessPrivilege:
                                                                                  **Profile single process | Required to gather profiling information for a single process.
                                                                                  With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | -| Audit Non Sensitive Privilege Use | **SeRelabelPrivilege:
                                                                                  **Modify an object label | Required to modify the mandatory integrity level of an object. | -| Audit Non Sensitive Privilege Use | **SeRemoteShutdownPrivilege:
                                                                                  **Force shutdown from a remote system | Required to shut down a system using a network request. | -| Audit Non Sensitive Privilege Use | **SeShutdownPrivilege:
                                                                                  **Shut down the system | Required to shut down a local system. | -| Audit Non Sensitive Privilege Use | **SeSyncAgentPrivilege:
                                                                                  **Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                                                                                  With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | -| Audit Non Sensitive Privilege Use | **SeSystemProfilePrivilege:
                                                                                  **Profile system performance | Required to gather profiling information for the entire system.
                                                                                  With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | -| Audit Non Sensitive Privilege Use | **SeSystemtimePrivilege:
                                                                                  **Change the system time | Required to modify the system time.
                                                                                  With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | -| Audit Non Sensitive Privilege Use | **SeTimeZonePrivilege:
                                                                                  **Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | -| Audit Non Sensitive Privilege Use | **SeTrustedCredManAccessPrivilege:
                                                                                  **Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | -| Audit Non Sensitive Privilege Use | **SeUndockPrivilege:
                                                                                  **Remove computer from docking station | Required to undock a laptop.
                                                                                  With this privilege, the user can undock a portable computer from its docking station without logging on. | +| **Subcategory of event** | **Privilege Name:
                                                                                  User Right Group Policy Name** | **Description** | +|-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                                                                                  Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                                                                                  With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                                                                                  Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                                                                                  Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                                                                                  Create permanent shared objects | Required to create a permanent object.
                                                                                  This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                                                                                  Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                                                                                  Increase scheduling priority | Required to increase the base priority of a process.
                                                                                  With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                                                                                  Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                                                                                  With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                                                                                  Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                                                                                  Lock pages in memory | Required to lock physical pages in memory.
                                                                                  With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                                                                                  Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. | +| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                                                                                  Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                                                                                  Profile single process | Required to gather profiling information for a single process.
                                                                                  With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                                                                                  Modify an object label | Required to modify the mandatory integrity level of an object. | +| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                                                                                  Force shutdown from a remote system | Required to shut down a system using a network request. | +| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                                                                                  Shut down the system | Required to shut down a local system. | +| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                                                                                  Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                                                                                  With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                                                                                  Profile system performance | Required to gather profiling information for the entire system.
                                                                                  With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                                                                                  Change the system time | Required to modify the system time.
                                                                                  With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                                                                                  Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                                                                                  Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                                                                                  Remove computer from docking station | Required to undock a laptop.
                                                                                  With this privilege, the user can undock a portable computer from its docking station without logging on. | -| **Subcategory of event** | **Privilege Name:
                                                                                  User Right Group Policy Name** | **Description** | -|-------------------------------|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege:
                                                                                  **Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
                                                                                  With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| Audit Sensitive Privilege Use | **SeAuditPrivilege:
                                                                                  **Generate security audits | With this privilege, the user can add entries to the security log. | -| Audit Sensitive Privilege Use | **SeBackupPrivilege:
                                                                                  **Back up files and directories | - Required to perform backup operations.
                                                                                  With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
                                                                                  The following access rights are granted if this privilege is held:
                                                                                  READ\_CONTROL
                                                                                  ACCESS\_SYSTEM\_SECURITY
                                                                                  FILE\_GENERIC\_READ
                                                                                  FILE\_TRAVERSE | -| Audit Sensitive Privilege Use | **SeCreateTokenPrivilege:
                                                                                  **Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                                                                                  When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| Audit Sensitive Privilege Use | **SeDebugPrivilege:
                                                                                  **Debug programs | Required to debug and adjust the memory of a process owned by another account.
                                                                                  With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
                                                                                  This user right provides complete access to sensitive and critical operating system components. | -| Audit Sensitive Privilege Use | **SeImpersonatePrivilege:
                                                                                  **Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | -| Audit Sensitive Privilege Use | **SeLoadDriverPrivilege:
                                                                                  **Load and unload device drivers | Required to load or unload a device driver.
                                                                                  With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| Audit Sensitive Privilege Use | **SeLockMemoryPrivilege:
                                                                                  **Lock pages in memory | Required to lock physical pages in memory.
                                                                                  With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Sensitive Privilege Use | **SeRestorePrivilege:
                                                                                  **Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                                                                                  WRITE\_DAC
                                                                                  WRITE\_OWNER
                                                                                  ACCESS\_SYSTEM\_SECURITY
                                                                                  FILE\_GENERIC\_WRITE
                                                                                  FILE\_ADD\_FILE
                                                                                  FILE\_ADD\_SUBDIRECTORY
                                                                                  DELETE
                                                                                  With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | -| Audit Sensitive Privilege Use | **SeSecurityPrivilege:
                                                                                  **Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                                                                                  With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. | -| Audit Sensitive Privilege Use | **SeSystemEnvironmentPrivilege:
                                                                                  **Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | -| Audit Sensitive Privilege Use | **SeTakeOwnershipPrivilege:
                                                                                  **Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                                                                                  With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| **Subcategory of event** | **Privilege Name:
                                                                                  User Right Group Policy Name** | **Description** | +|-------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                                                                                  Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
                                                                                  With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | SeAuditPrivilege:
                                                                                  Generate security audits | With this privilege, the user can add entries to the security log. | +| Audit Sensitive Privilege Use | SeBackupPrivilege:
                                                                                  Back up files and directories | - Required to perform backup operations.
                                                                                  With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
                                                                                  The following access rights are granted if this privilege is held:
                                                                                  READ\_CONTROL
                                                                                  ACCESS\_SYSTEM\_SECURITY
                                                                                  FILE\_GENERIC\_READ
                                                                                  FILE\_TRAVERSE | +| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                                                                                  Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                                                                                  When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| Audit Sensitive Privilege Use | SeDebugPrivilege:
                                                                                  Debug programs | Required to debug and adjust the memory of a process owned by another account.
                                                                                  With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
                                                                                  This user right provides complete access to sensitive and critical operating system components. | +| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                                                                                  Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                                                                                  Load and unload device drivers | Required to load or unload a device driver.
                                                                                  With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                                                                                  Lock pages in memory | Required to lock physical pages in memory.
                                                                                  With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Sensitive Privilege Use | SeRestorePrivilege:
                                                                                  Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                                                                                  WRITE\_DAC
                                                                                  WRITE\_OWNER
                                                                                  ACCESS\_SYSTEM\_SECURITY
                                                                                  FILE\_GENERIC\_WRITE
                                                                                  FILE\_ADD\_FILE
                                                                                  FILE\_ADD\_SUBDIRECTORY
                                                                                  DELETE
                                                                                  With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| Audit Sensitive Privilege Use | SeSecurityPrivilege:
                                                                                  Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                                                                                  With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. | +| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                                                                                  Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | SeTakeOwnershipPrivilege:
                                                                                  Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                                                                                  With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 2cad2f1249..8e1fe42fab 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -69,7 +69,6 @@ This event generates every time a new process starts. S-1-16-8192 - ``` ***Required Server Roles:*** None. 
@@ -199,19 +198,19 @@ For 4688(S): A new process has been created. | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that you are concerned about. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** for names that don’t comply with naming conventions. | -- If you have a pre-defined “**New** **Process Name**” or **“Creator Process Name**” for the process reported in this event, monitor all events with “**New** **Process Name**” or **“Creator Process Name**” not equal to your defined value. +- If you have a pre-defined “**New** **Process Name**” or **“Creator Process Name**” for the process reported in this event, monitor all events with “**New** **Process Name**” or **“Creator Process Name**” not equal to your defined value. -- You can monitor to see if “**New** **Process Name**” or **“Creator Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if “**New** **Process Name**” or **“Creator Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). 
-- If you have a pre-defined list of restricted substrings or words in process names (for example “**mimikatz**” or “**cain.exe**”), check for these substrings in “**New** **Process Name**” or **“Creator Process Name**.” +- If you have a pre-defined list of restricted substrings or words in process names (for example “**mimikatz**” or “**cain.exe**”), check for these substrings in “**New** **Process Name**” or **“Creator Process Name**.” -- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**. +- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**. -- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol**.** Typically this means that UAC is disabled for this account for some reason. +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. -- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol**.** This means that a user ran a program using administrative privileges. +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. This means that a user ran a program using administrative privileges. 
-- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. +- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. -- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the “**Mandatory Label**” in this event. +- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the “**Mandatory Label**” in this event. diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index f9aba193ee..38d46d5ace 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md @@ -62,7 +62,6 @@ This event is always logged regardless of the "Audit Policy Change" sub-category D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)S:NO\_ACCESS\_CONTROL - ``` ***Required Server Roles:*** None. 
@@ -102,11 +101,11 @@ This event is always logged regardless of the "Audit Policy Change" sub-category - **New Security Descriptor** \[Type = UnicodeString\]**:** new Security Descriptor Definition Language (SDDL) value for the audit policy. > **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. - +> > Example: - +> > *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) - +> > - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. > See the list of possible values in the table below: diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index a59164ac83..fffcee9e09 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md @@ -82,7 +82,6 @@ This event generates on domain controllers, member servers, and workstations. %%1793 - ``` ***Required Server Roles:*** None. 
@@ -133,27 +132,27 @@ This event generates on domain controllers, member servers, and workstations. **Attributes:** -- **SAM Account Name** \[Type = UnicodeString\]: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of **sAMAccountName** attribute of new user object. For example: ksmith. For local account this field contains the name of new user account. +- **SAM Account Name** \[Type = UnicodeString\]: logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). The value of **sAMAccountName** attribute of new user object. For example: ksmith. For local account this field contains the name of new user account. -- **Display Name** \[Type = UnicodeString\]: the value of **displayName** attribute of new user object. It is a name displayed in the address book for a particular account .This is usually the combination of the user's first name, middle initial, and last name. For example, Ken Smith. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. Local accounts contain **Full Name** attribute in this field, but for new local accounts this field typically has value “**<value not set>**”. +- **Display Name** \[Type = UnicodeString\]: the value of **displayName** attribute of new user object. It is a name displayed in the address book for a particular account .This is usually the combination of the user's first name, middle initial, and last name. For example, Ken Smith. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. Local accounts contain **Full Name** attribute in this field, but for new local accounts this field typically has value “**<value not set>**”. -- **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. 
By convention this should map to the account's email name. This parameter contains the value of **userPrincipalName** attribute of new user object. For example, ksmith@contoso.local. For local users this field is not applicable and has value “**-**“. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. +- **User Principal Name** \[Type = UnicodeString\]: internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. This parameter contains the value of **userPrincipalName** attribute of new user object. For example, ksmith@contoso.local. For local users this field is not applicable and has value “**-**“. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. -- **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. This parameter contains the value of **homeDirectory** attribute of new user object. For new local accounts this field typically has value “**<value not set>**”. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. +- **Home Directory** \[Type = UnicodeString\]: user's home directory. If **homeDrive** attribute is set and specifies a drive letter, **homeDirectory** should be a UNC path. The path must be a network UNC of the form \\\\Server\\Share\\Directory. This parameter contains the value of **homeDirectory** attribute of new user object. For new local accounts this field typically has value “**<value not set>**”. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. 
This parameter might not be captured in the event, and in that case appears as “-”. -- **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** account’s attribute. The drive letter must be specified in the form “DRIVE\_LETTER:”. For example – “H:”. This parameter contains the value of **homeDrive** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. +- **Home Drive** \[Type = UnicodeString\]**:** specifies the drive letter to which to map the UNC path specified by **homeDirectory** account’s attribute. The drive letter must be specified in the form “DRIVE\_LETTER:”. For example – “H:”. This parameter contains the value of **homeDrive** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. -- **Script Path** \[Type = UnicodeString\]**:** specifies the path of the account’s logon script. This parameter contains the value of **scriptPath** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. +- **Script Path** \[Type = UnicodeString\]**:** specifies the path of the account’s logon script. This parameter contains the value of **scriptPath** attribute of new user object. 
You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. -- **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. This parameter contains the value of **profilePath** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. +- **Profile Path** \[Type = UnicodeString\]: specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. This parameter contains the value of **profilePath** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”. -- **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a user object. This parameter contains the value of **userWorkstations** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For local users this field is not applicable and typically has value “**<value not set>**”. 
+- **User Workstations** \[Type = UnicodeString\]: contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the **sAMAccountName** property of a user object. This parameter contains the value of **userWorkstations** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For local users this field is not applicable and typically has value “**<value not set>**”. -- **Password Last Set** \[Type = UnicodeString\]**:** last time the account’s password was modified. For manually created user account, using Active Directory Users and Computers snap-in, this field typically has value “**<never>”**. This parameter contains the value of **pwdLastSet** attribute of new user object. +- **Password Last Set** \[Type = UnicodeString\]**:** last time the account’s password was modified. For manually created user account, using Active Directory Users and Computers snap-in, this field typically has value “**<never>”**. This parameter contains the value of **pwdLastSet** attribute of new user object. -- **Account Expires** \[Type = UnicodeString\]: the date when the account expires. This parameter contains the value of **accountExpires** attribute of new user object. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For manually created local and domain user accounts this field typically has value “**<never>**”. +- **Account Expires** \[Type = UnicodeString\]: the date when the account expires. This parameter contains the value of **accountExpires** attribute of new user object. 
You can change this attribute by using Active Directory Users and Computers, or through a script, for example. This parameter might not be captured in the event, and in that case appears as “-”. For manually created local and domain user accounts this field typically has value “**<never>**”. -- **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of user’s object primary group. +- **Primary Group ID** \[Type = UnicodeString\]: Relative Identifier (RID) of user’s object primary group. > **Note**  **Relative identifier (RID)** is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier (SID) that uniquely identifies an account or group within a domain. @@ -229,7 +228,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT | DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
                                                                                  Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
                                                                                  'Don't Require Preauth' - Enabled | | PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4720 events. | | TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
                                                                                  If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
                                                                                  'Trusted To Authenticate For Delegation' - Enabled | -| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000  | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | +| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | For new, manually created, domain or local user accounts typical flags are: @@ -279,7 +278,7 @@ For 4720(S): A user account was created. | **Allowed To Delegate To** is not - | Typically this field is **-** for new user accounts. Other values might indicate an anomaly and should be monitored. | | **Old UAC Value** is not 0x0 | Typically this field is **0x0** for new user accounts. Other values might indicate an anomaly and should be monitored. | | **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | -| **Logon Hours** value other than **<value not set>** or** “All”** | This should always be **<value not set>** for new domain user accounts, and **“All”** for new local user accounts. | +| **Logon Hours** value other than **<value not set>** or** “All”** | This should always be **<value not set>** for new domain user accounts, and **“All”** for new local user accounts. | - Consider whether to track the following user account control flags: diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index 3b3991c97b..511b73b62c 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md 
@@ -70,7 +70,6 @@ You will typically see “[4735](event-4735.md): A security-enabled local group - - ``` ***Required Server Roles:*** None. @@ -110,15 +109,15 @@ You will typically see “[4735](event-4735.md): A security-enabled local group - **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if new member is a domain account. For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName **Group:** diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index 496e1f3928..e7b90640ec 100644 --- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md @@ -70,7 +70,6 @@ You will typically see “[4735](event-4735.md): A security-enabled local group - - ``` ***Required Server Roles:*** None. 
@@ -110,15 +109,15 @@ You will typically see “[4735](event-4735.md): A security-enabled local group - **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if removed member is a domain account. For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName **Group:** diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md index 24ce7ac28f..07ff8c48cf 100644 --- a/windows/security/threat-protection/auditing/event-4735.md +++ b/windows/security/threat-protection/auditing/event-4735.md @@ -74,7 +74,6 @@ From 4735 event you can get information about changes of **sAMAccountName** and - - ``` ***Required Server Roles:*** None. 
@@ -112,7 +111,7 @@ From 4735 event you can get information about changes of **sAMAccountName** and - **Security ID** \[Type = SID\]**:** SID of changed group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. > **Note**  Sometimes you can see the **Group\\Security ID** field contains an old group name in Event Viewer (as you can see in the event example). That happens because Event Viewer caches names for SIDs that it has already resolved for the current session. - +> > **Note**  **Security ID** field has the same value as new group name (**Changed Attributes>SAM Account Name**). That is happens because event is generated after name was changed and SID resolves to the new name. It is always better to use SID instead of group names for queries or filtering of events, because you will know for sure that this the right object you are looking for or want to monitor. - **Group Name** \[Type = UnicodeString\]**:** the name of the group that was changed. For example: ServiceDesk diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index 763a02336d..ef907d69b0 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -84,7 +84,6 @@ This event generates only on domain controllers. HOST/Win81.contoso.local RestrictedKrbHost/Win81.contoso.local HOST/WIN81 RestrictedKrbHost/WIN81 - ``` ***Required Server Roles:*** Active Directory domain controller. @@ -231,27 +230,27 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT | DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on.
                                                                                  Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled
                                                                                  'Don't Require Preauth' - Enabled | | PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4741 events. | | TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
                                                                                  If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled
                                                                                  'Trusted To Authenticate For Delegation' - Enabled | -| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000  | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | +| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. | > Table 7. User’s or Computer’s account UAC flags. -- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. +- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. -- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new computer object. This parameter might not be captured in the event, and in that case appears as “-”. 
+- **SID History** \[Type = UnicodeString\]: contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and becomes the objectSID. The previous SID is added to the **sIDHistory** property. This parameter contains the value of **sIDHistory** attribute of new computer object. This parameter might not be captured in the event, and in that case appears as “-”. -- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. The value of **logonHours** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will see **<value not set>** value for new created computer accounts in event 4741. +- **Logon Hours** \[Type = UnicodeString\]: hours that the account is allowed to logon to the domain. The value of **logonHours** attribute of new computer object. For computer objects, it is optional, and typically is not set. You can change this attribute by using Active Directory Users and Computers, or through a script, for example. You will see **<value not set>** value for new created computer accounts in event 4741. -- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“. +- **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“. -- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. 
The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation**:** +- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation: - HOST/Win81.contoso.local + HOST/Win81.contoso.local - RestrictedKrbHost/Win81.contoso.local + RestrictedKrbHost/Win81.contoso.local - HOST/WIN81 + HOST/WIN81 - RestrictedKrbHost/WIN81 + RestrictedKrbHost/WIN81 **Additional Information:** diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 4f2720648b..22ae105d96 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -95,7 +95,6 @@ You might see this event without any changes inside, that is, where all **Change - - ``` ***Required Server Roles:*** Active Directory domain controller. 
@@ -242,17 +241,17 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT -- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in **Service Principal Names** field (note that you will see the new list instead of changes). If the value of **servicePrincipalName** attribute of computer object was changed, you will see the new value here. +- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in **Service Principal Names** field (note that you will see the new list instead of changes). If the value of **servicePrincipalName** attribute of computer object was changed, you will see the new value here. - Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots**:** + Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots: - HOST/Win81.contoso.local + HOST/Win81.contoso.local - RestrictedKrbHost/Win81.contoso.local + RestrictedKrbHost/Win81.contoso.local - HOST/WIN81 + HOST/WIN81 - RestrictedKrbHost/WIN81 + RestrictedKrbHost/WIN81 TERMSRV/Win81.contoso.local diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md index ebb33f0236..7d5ba9d12e 100644 --- a/windows/security/threat-protection/auditing/event-4750.md +++ b/windows/security/threat-protection/auditing/event-4750.md @@ -74,7 +74,6 @@ From 4750 event you can get information about changes of **sAMAccountName** and - - ``` ***Required Server Roles:*** Active Directory domain controller. 
@@ -110,7 +109,7 @@ From 4750 event you can get information about changes of **sAMAccountName** and - **Security ID** \[Type = SID\]**:** SID of changed group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. > **Note**  Sometimes you can see the **Group\\Security ID** field contains an old group name in Event Viewer (as you can see in the event example). That happens because Event Viewer caches names for SIDs that it has already resolved for the current session. - +> > **Note**  **Security ID** field has the same value as new group name (**Changed Attributes>SAM Account Name**). That is happens because event is generated after name was changed and SID resolves to the new name. It is always better to use SID instead of group names for queries or filtering of events, because you will know for sure that this the right object you are looking for or want to monitor. - **Group Name** \[Type = UnicodeString\]**:** the name of the group that was changed. For example: ServiceDesk 
@@ -128,7 +127,7 @@ From 4750 event you can get information about changes of **sAMAccountName** and **Changed Attributes:** > **Note**  If attribute was not changed it will have “-“ value. - +> > **Note**  You might see a 4750 event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4750 event will generate, but all attributes will be “-“. - **SAM Account Name** \[Type = UnicodeString\]: This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of group object was changed, you will see the new value here. For example: ServiceDesk. diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index 8a430717d3..3d070ae403 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md @@ -70,7 +70,6 @@ You will typically see “[4750](event-4750.md): A security-disabled global grou - - ``` ***Required Server Roles:*** Active Directory domain controller. 
@@ -114,15 +113,15 @@ You will typically see “[4750](event-4750.md): A security-disabled global grou - **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName **Group:** diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index 1dfffe3b2a..63d0425219 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -68,7 +68,6 @@ For every removed member you will get separate 4752 event. - - ``` ***Required Server Roles:*** Active Directory domain controller. 
@@ -106,15 +105,15 @@ For every removed member you will get separate 4752 event. - **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName **Group:** diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index a16b992ce8..41c866e704 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -74,7 +74,6 @@ This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “ 564DFAEE99C71D62ABC553E695BD8DBC46669413 - ``` ***Required Server Roles:*** Active Directory domain controller. 
@@ -186,7 +185,7 @@ The most common values: | 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. | > Table 2. Kerberos ticket flags. - +> > **Note**  [KILE](https://msdn.microsoft.com/library/cc233855.aspx) **(Microsoft Kerberos Protocol Extension)** – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels. - **Result Code** \[Type = HexInt32\]**:** hexadecimal result code of TGT issue operation. The “Table 3. TGT/TGS issue error codes.” contains the list of the most common error codes for this event. @@ -256,7 +255,7 @@ The most common values: - **Ticket Encryption Type** \[Type = HexInt32\]: the cryptographic suite that was used for issued TGT. - + ## Table 4. Kerberos encryption types diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 0ebe226217..199a11849a 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md 
@@ -83,29 +83,29 @@ You will typically see many Failure events with **Failure Code** “**0x20**”, **Account Information:** -- **Account Name** \[Type = UnicodeString\]**:** the user name of the account that requested the ticket in the User Principal Name (UPN) syntax. Computer account name ends with **$** character in the user name part. This field typically has the following value format: user\_account\_name@FULL\_DOMAIN\_NAME. +- **Account Name** \[Type = UnicodeString\]**:** the user name of the account that requested the ticket in the User Principal Name (UPN) syntax. Computer account name ends with **$** character in the user name part. This field typically has the following value format: user\_account\_name@FULL\_DOMAIN\_NAME. - - User account example: dadmin@CONTOSO.LOCAL + - User account example: dadmin@CONTOSO.LOCAL - - Computer account example: WIN81$@CONTOSO.LOCAL + - Computer account example: WIN81$@CONTOSO.LOCAL - > **Note** Although this field is in the UPN format, this is not the attribute value of "UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built from the user SamAccountName and the Active Directory domain name. + > **Note** Although this field is in the UPN format, this is not the attribute value of "UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built from the user SamAccountName and the Active Directory domain name. - This parameter in this event is optional and can be empty in some cases. + This parameter in this event is optional and can be empty in some cases. -- **Account Domain** \[Type = UnicodeString\]**:** the name of the Kerberos Realm that **Account Name** belongs to. This can appear in a variety of formats, including the following: +- **Account Domain** \[Type = UnicodeString\]**:** the name of the Kerberos Realm that **Account Name** belongs to. 
This can appear in a variety of formats, including the following: - - Domain NETBIOS name example: CONTOSO + - Domain NETBIOS name example: CONTOSO - - Lowercase full domain name: contoso.local + - Lowercase full domain name: contoso.local - - Uppercase full domain name: CONTOSO.LOCAL + - Uppercase full domain name: CONTOSO.LOCAL - This parameter in this event is optional and can be empty in some cases. + This parameter in this event is optional and can be empty in some cases. -- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event (on a domain controller) with other events (on the target computer for which the TGS was issued) that can contain the same **Logon GUID**. These events are “[4624](event-4624.md): An account was successfully logged on”, “[4648](event-4648.md)(S): A logon was attempted using explicit credentials” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.” +- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event (on a domain controller) with other events (on the target computer for which the TGS was issued) that can contain the same **Logon GUID**. These events are “[4624](event-4624.md): An account was successfully logged on”, “[4648](event-4648.md)(S): A logon was attempted using explicit credentials” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.” - This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. + This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. > **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. 
@@ -157,32 +157,32 @@ The most common values: - 0x60810010 - Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok -| Bit | Flag Name | Description | -|-------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | Reserved | - | -| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. | -| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. | -| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. | -| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. | -| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | -| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | -| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. 
| -| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. | -| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. | -| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. | -| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. | -| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. | -| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. | -| 14 | Request-anonymous | KILE not use this flag. | -| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the “canonicalize” KDC option for the AS-REQ or TGS-REQ. | -| 16-25 | Unused | - | -| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
                                                                                  the DISABLE-TRANSITED-CHECK option.
                                                                                  Should not be in use, because Transited-policy-checked flag is not supported by KILE. | -| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | -| 28 | Enc-tkt-in-skey | No information. | -| 29 | Unused | - | -| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | -| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. -## Table 4. 
Kerberos encryption types | +| Bit | Flag Name | Description | +|---------------------------------------|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | Reserved | - | +| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. | +| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. | +| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. | +| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. | +| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. 
| +| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. | +| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. | +| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. | +| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. | +| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. | +| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. | +| 14 | Request-anonymous | KILE not use this flag. | +| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the “canonicalize” KDC option for the AS-REQ or TGS-REQ. | +| 16-25 | Unused | - | +| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
                                                                                  the DISABLE-TRANSITED-CHECK option.
                                                                                  Should not be in use, because Transited-policy-checked flag is not supported by KILE. | +| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | +| 28 | Enc-tkt-in-skey | No information. | +| 29 | Unused | - | +| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. | +| ## Table 4. Kerberos encryption types | | | - **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS. diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md index c95791ec68..0085dcf3ff 100644 --- a/windows/security/threat-protection/auditing/event-4770.md +++ b/windows/security/threat-protection/auditing/event-4770.md @@ -64,7 +64,6 @@ This event generates only on domain controllers. 49964 - ``` ***Required Server Roles:*** Active Directory domain controller. 
@@ -77,23 +76,23 @@ This event generates only on domain controllers. **Account Information:** -- **Account Name** \[Type = UnicodeString\]**:** the User Principal Name (UPN) of the account that requested ticket renewal. Computer account name ends with **$** character in UPN. This field typically has the following value format: user\_account\_name@FULL\_DOMAIN\_NAME. +- **Account Name** \[Type = UnicodeString\]**:** the User Principal Name (UPN) of the account that requested ticket renewal. Computer account name ends with **$** character in UPN. This field typically has the following value format: user\_account\_name@FULL\_DOMAIN\_NAME. - - User account example: dadmin@CONTOSO.LOCAL + - User account example: dadmin@CONTOSO.LOCAL - - Computer account example: WIN81$@CONTOSO.LOCAL + - Computer account example: WIN81$@CONTOSO.LOCAL - This parameter in this event is optional and can be empty in some cases. + This parameter in this event is optional and can be empty in some cases. -- **Account Domain** \[Type = UnicodeString\]**:** the name of the Kerberos Realm that **Account Name** belongs to. This can appear in a variety of formats, including the following: +- **Account Domain** \[Type = UnicodeString\]**:** the name of the Kerberos Realm that **Account Name** belongs to. This can appear in a variety of formats, including the following: - - Domain NETBIOS name example: CONTOSO + - Domain NETBIOS name example: CONTOSO - - Lowercase full domain name: contoso.local + - Lowercase full domain name: contoso.local - - Uppercase full domain name: CONTOSO.LOCAL + - Uppercase full domain name: CONTOSO.LOCAL - This parameter in this event is optional and can be empty in some cases. + This parameter in this event is optional and can be empty in some cases. **Service Information:** diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 3a123d9b76..10876a5671 100644 
--- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -69,7 +69,6 @@ This event is not generated if “Do not require Kerberos preauthentication” o - ``` ***Required Server Roles:*** Active Directory domain controller. diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index c07d00d0e0..74ffbb09b0 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -65,7 +65,6 @@ Separate events will be generated for “Registry” and “File system” polic S:(AU;SA;RC;;;S-1-5-21-3457937927-2839227994-823803824-1104) - ``` ***Required Server Roles:*** None. @@ -130,11 +129,11 @@ Separate events will be generated for “Registry” and “File system” polic - **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy. > **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. - +> > Example: - +> > *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) - +> > - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. > See the list of possible values in the table below: diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index 3f7680dabf..f74c140ce4 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md 
@@ -68,7 +68,6 @@ This event doesn't generate for Active Directory objects. C:\\Windows\\regedit.exe - ``` ***Required Server Roles:*** None. @@ -161,11 +160,11 @@ This event doesn't generate for Active Directory objects. - **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object. > **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. - +> > Example: - +> > *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) - +> > - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. > See the list of possible values in the table below: @@ -284,7 +283,7 @@ For 4907(S): Auditing settings on object were changed. -- If you have critical file or registry objects and you need to monitor all modifications (especially changes in SACL), monitor for specific “**Object\\Object Name”**. +- If you have critical file or registry objects and you need to monitor all modifications (especially changes in SACL), monitor for specific “**Object\\Object Name”**. -- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers**.** +- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers. diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index 3cb42a7dfa..cc73362f36 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md 
@@ -68,7 +68,6 @@ Resource attributes for file or folder can be changed, for example, using Window C:\\Windows\\System32\\svchost.exe - ``` ***Required Server Roles:*** None. @@ -154,11 +153,11 @@ Resource attributes for file or folder can be changed, for example, using Window - **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event. > **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. - +> > Example: - +> > *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) - +> > - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. > See the list of possible values in the table below: diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 65b1060970..f8dcd9f29b 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -68,7 +68,6 @@ This event always generates, regardless of the object’s [SACL](https://msdn.mi C:\\Windows\\System32\\dllhost.exe - ``` ***Required Server Roles:*** None. 
@@ -158,11 +157,11 @@ This event always generates, regardless of the object’s [SACL](https://msdn.mi - **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event. > **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. - +> > Example: - +> > *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) - +> > - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. > See the list of possible values in the table below: diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index 0eaf1d5a1a..664b36c1ca 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md @@ -62,7 +62,6 @@ Failure event generates if an error occurs (**Status Code** != 0). 0 - ``` ***Required Server Roles:*** Active Directory domain controller. 
@@ -80,15 +79,15 @@ Failure event generates if an error occurs (**Status Code** != 0). - **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **Source Address** \[Type = UnicodeString\]: DNS record of the server from which information or an update was received. diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index 7640713092..b5a1ba430e 100644 --- a/windows/security/threat-protection/auditing/event-4929.md +++ b/windows/security/threat-protection/auditing/event-4929.md @@ -62,7 +62,6 @@ Failure event generates if an error occurs (**Status Code** != 0). 0 - ``` ***Required Server Roles:*** Active Directory domain controller. @@ -80,15 +79,15 @@ Failure event generates if an error occurs (**Status Code** != 0). - **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **Source Address** \[Type = UnicodeString\]: DNS record of the server from which the “remove” request was received. 
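Review bot: The DN Note hunks in event-4928.md and event-4929.md fix the broken blockquote, but the quoted wording still carries `attribute=value; .` with a stray semicolon and a space before the period, and `examples of RDNs attributes` should read `examples of RDN attributes`. The four `> • DC - domainComponent` style lines use a literal bullet character that the renderer treats as plain text; writing them as `> - DC - domainComponent` makes them a real list inside the quote. The identical block is repeated in the event-4930.md through event-4933.md, event-5136.md through event-5139.md and event-5141.md hunks, so the same correction should be applied across all of them in this PR.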
diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index f6fa3c7d3e..f7b993d3a9 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -64,7 +64,6 @@ It is not possible to understand what exactly was modified from this event. 0 - ``` ***Required Server Roles:*** Active Directory domain controller. @@ -82,15 +81,15 @@ It is not possible to understand what exactly was modified from this event. - **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. Typically equals “**-**“ for this event. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **Source Address** \[Type = UnicodeString\]: DNS record of computer from which the modification request was received. diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index 6df6fbcd8b..3f02d54421 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -64,7 +64,6 @@ It is not possible to understand what exactly was modified from this event. 0 - ``` ***Required Server Roles:*** Active Directory domain controller. 
@@ -82,15 +81,15 @@ It is not possible to understand what exactly was modified from this event. - **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **Destination Address** \[Type = UnicodeString\]: DNS record of computer to which the modification request was sent. diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md index b639cdfd1e..615a83328d 100644 --- a/windows/security/threat-protection/auditing/event-4932.md +++ b/windows/security/threat-protection/auditing/event-4932.md @@ -60,7 +60,6 @@ This event generates every time synchronization of a replica of an Active Direct 20869 - ``` ***Required Server Roles:*** Active Directory domain controller. @@ -78,15 +77,15 @@ This event generates every time synchronization of a replica of an Active Direct - **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **Naming Context** \[Type = UnicodeString\]**:** naming context to replicate. 
diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md index c62940073e..b5fbe33942 100644 --- a/windows/security/threat-protection/auditing/event-4933.md +++ b/windows/security/threat-protection/auditing/event-4933.md @@ -63,7 +63,6 @@ Failure event occurs when synchronization of a replica of an Active Directory na 1722 - ``` ***Required Server Roles:*** Active Directory domain controller. @@ -81,15 +80,15 @@ Failure event occurs when synchronization of a replica of an Active Directory na - **Source DRA** \[Type = UnicodeString\]: source directory replication agent distinguished name. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **Naming Context** \[Type = UnicodeString\]**:** naming context to replicate. diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index 690247ef06..a5708a86f6 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -73,7 +73,6 @@ For a change operation you will typically see two 5136 events for one action, wi %%14675 - ``` ***Required Server Roles:*** Active Directory domain controller. 
@@ -117,15 +116,15 @@ For a change operation you will typically see two 5136 events for one action, wi - **DN** \[Type = UnicodeString\]: distinguished name of the object that was modified. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property. @@ -239,5 +238,5 @@ For 5136(S): A directory service object was modified. - If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name. -- It is better to monitor **Operation\\Type = Value Added** events, because you will see the new value of attribute. At the same time you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. +- It is better to monitor **Operation\\Type = Value Added** events, because you will see the new value of attribute. At the same time you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value. diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md index c2804c8627..8d1d729333 100644 --- a/windows/security/threat-protection/auditing/event-5137.md +++ b/windows/security/threat-protection/auditing/event-5137.md 
@@ -67,7 +67,6 @@ This event only generates if the parent object has a particular entry in its [SA computer - ``` ***Required Server Roles:*** Active Directory domain controller. @@ -111,15 +110,15 @@ This event only generates if the parent object has a particular entry in its [SA - **DN** \[Type = UnicodeString\]: distinguished name of the object that was created. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property. diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md index eef9de5862..75cebe45a7 100644 --- a/windows/security/threat-protection/auditing/event-5138.md +++ b/windows/security/threat-protection/auditing/event-5138.md @@ -68,7 +68,6 @@ This event only generates if the container to which the Active Directory object user - ``` ***Required Server Roles:*** Active Directory domain controller. 
@@ -112,15 +111,15 @@ This event only generates if the container to which the Active Directory object - **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will points to [Active Directory Recycle Bin](https://technet.microsoft.com/library/dd392261(v=ws.10).aspx) folder, in case if it was restored from it. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **New DN** \[Type = UnicodeString\]: New distinguished name of undeleted object. The Active Directory container to which the object was restored. diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md index 64343845eb..fe3921db6f 100644 --- a/windows/security/threat-protection/auditing/event-5139.md +++ b/windows/security/threat-protection/auditing/event-5139.md @@ -68,7 +68,6 @@ This event only generates if the destination object has a particular entry in it user - ``` ***Required Server Roles:*** Active Directory domain controller. 
@@ -112,15 +111,15 @@ This event only generates if the destination object has a particular entry in it - **Old DN** \[Type = UnicodeString\]: Old distinguished name of moved object. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **New DN** \[Type = UnicodeString\]: New distinguished name of moved object. The Active Directory container to which the object was moved. diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index 35a2651894..a4f705ba93 100644 --- a/windows/security/threat-protection/auditing/event-5140.md +++ b/windows/security/threat-protection/auditing/event-5140.md @@ -67,7 +67,6 @@ This event generates once per session, when first access attempt was made. %%4416 - ``` ***Required Server Roles:*** None. 
@@ -146,13 +145,13 @@ For 5140(S, F): A network share object was accessed. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event**.** For example, you could monitor share **C$** on domain controllers. +- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers. -- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range. +- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range. -- Monitor this event if the **Network Information\\Source Address** should not be able to connect with the specific computer (**Computer:**). +- Monitor this event if the **Network Information\\Source Address** should not be able to connect with the specific computer (**Computer:**). -- If you need to monitor access attempts to local shares from a specific IP address (“**Network Information\\Source Address”)**, use this event. +- If you need to monitor access attempts to local shares from a specific IP address (“**Network Information\\Source Address”)**, use this event. -- If you need to monitor for specific Access Types (for example, ReadData or WriteData), for all or specific shares (“**Share Name**”), monitor this event for the “**Access Type**.” +- If you need to monitor for specific Access Types (for example, ReadData or WriteData), for all or specific shares (“**Share Name**”), monitor this event for the “**Access Type**.” 
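Review bot: In the event-5140.md monitoring hunk the bolded-period fix (`monitor this event**.**` to `monitor this event.`) is applied in the first bullet, but the fourth `+` line still reads `(“**Network Information\\Source Address”)**`, with the closing quote and parenthesis inside the bold span and the closing `**` after them. Move the marker so it reads `(“**Network Information\\Source Address**”)`, matching the other bullets. The event-4907.md monitoring hunk earlier in the patch has the same pattern in `“**Object\\Object Name”**`.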
diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md index f8327d2286..221a5c56cf 100644 --- a/windows/security/threat-protection/auditing/event-5141.md +++ b/windows/security/threat-protection/auditing/event-5141.md @@ -68,7 +68,6 @@ This event only generates if the deleted object has a particular entry in its [S %%14679 - ``` ***Required Server Roles:*** Active Directory domain controller. @@ -112,15 +111,15 @@ This event only generates if the deleted object has a particular entry in its [S - **DN** \[Type = UnicodeString\]: distinguished name of the object that was deleted. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. - +> > An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes: - +> > • DC - domainComponent - +> > • CN - commonName - +> > • OU - organizationalUnitName - +> > • O - organizationName - **GUID** \[Type = GUID\]**:** each Active Directory object has globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory. Each object's GUID is stored in its Object-GUID (**objectGUID**) property. diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md index 21a2a65c6e..858e4a608f 100644 --- a/windows/security/threat-protection/auditing/event-5142.md +++ b/windows/security/threat-protection/auditing/event-5142.md @@ -60,7 +60,6 @@ This event generates every time network share object was added. C:\\Documents - ``` ***Required Server Roles:*** None. 
@@ -105,7 +104,7 @@ For 5142(S): A network share object was added. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event**.** For example, you could monitor domain controllers. +- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event. For example, you could monitor domain controllers. -- We recommend checking “**Share Path**”, because it should not point to system directories, such as **C:\\Windows** or **C:\\**, or to critical local folders which contain private or high value information. +- We recommend checking “**Share Path**”, because it should not point to system directories, such as **C:\\Windows** or **C:\\**, or to critical local folders which contain private or high value information. diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index 3fb76796f2..81e6052b16 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -69,7 +69,6 @@ This event generates every time network share object was modified. O:BAG:DAD:(D;;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICI;FA;;;WD)(A;OICI;FA;;;BA) - ``` ***Required Server Roles:*** None. 
@@ -143,11 +142,11 @@ This event generates every time network share object was modified. - **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor. > **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. - +> > Example: - +> > *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) - +> > - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. > See the list of possible values in the table below: @@ -260,5 +259,5 @@ For 5143(S): A network share object was modified. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event**.** For example, you could monitor all changes to the SYSVOL share on domain controllers. +- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor all changes to the SYSVOL share on domain controllers. diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md index ad79b3c8f4..4c20a34092 100644 --- a/windows/security/threat-protection/auditing/event-5144.md +++ b/windows/security/threat-protection/auditing/event-5144.md @@ -60,7 +60,6 @@ This event generates every time a network share object is deleted. C:\\Documents - ``` ***Required Server Roles:*** None. 
@@ -105,7 +104,7 @@ For 5144(S): A network share object was deleted. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have critical network shares for which you need to monitor all changes (especially, the deletion of that share), monitor for specific “**Share Information\\Share Name”.** +- If you have critical network shares for which you need to monitor all changes (especially, the deletion of that share), monitor for specific “**Share Information\\Share Name”.** -- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers**.** For example, you could monitor file shares on domain controllers. +- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers. For example, you could monitor file shares on domain controllers. diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index e5cddce460..696faaadce 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md @@ -69,7 +69,6 @@ This event generates every time network share object (file or folder) was access %%1541: %%1801 D:(A;;FA;;;WD) %%4416: %%1801 D:(A;;FA;;;WD) %%4423: %%1801 D:(A;;FA;;;WD) - ``` ***Required Server Roles:*** None. 
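Review bot: In the event-5144.md monitoring hunk the second bullet drops the bolded period (`computers**.**` to `computers.`), but the first `+` line keeps `“**Share Information\\Share Name”.**`, with the closing quote and the period inside the bold. Suggest `“**Share Information\\Share Name**”.` so both bullets get the same treatment.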
@@ -179,11 +178,11 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. - ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access. > **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. - +> > Example: - +> > *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) - +> > - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc. > See the list of possible values in the table below. diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md index e29c2f7e8e..756db4ebbf 100644 --- a/windows/security/threat-protection/auditing/event-5632.md +++ b/windows/security/threat-protection/auditing/event-5632.md @@ -70,7 +70,6 @@ It typically generates when network adapter connects to new wireless network. 0x0 - ``` ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md index 5b972f4eb8..d85599c157 100644 --- a/windows/security/threat-protection/auditing/event-5633.md +++ b/windows/security/threat-protection/auditing/event-5633.md @@ -64,7 +64,6 @@ It typically generates when network adapter connects to new wired network. 0x0 - ``` ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md index 62e0219f91..6251ca7c4f 100644 
--- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md @@ -28,7 +28,7 @@ Central access policies and rules determine access permissions for multiple file Use the following procedures to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -  + **To configure settings to monitor changes to central access policy and rule definitions** 1. Sign in to your domain controller by using domain administrator credentials. diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md index 8c8253cdec..3504ca7a55 100644 --- a/windows/security/threat-protection/auditing/monitor-claim-types.md +++ b/windows/security/threat-protection/auditing/monitor-claim-types.md 
@@ -30,7 +30,7 @@ Use the following procedures to configure settings to monitor changes to claim t Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -  + **To configure settings to monitor changes to claim types** 1. Sign in to your domain controller by using domain administrator credential. diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md index 6bb80ffe44..943eff5d1e 100644 --- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md @@ -30,7 +30,7 @@ For information about monitoring changes to the resource attributes that apply t Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -  + **To configure settings to monitor changes to resource attributes** 1. Sign in to your domain controller by using domain administrator credentials. 
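Review bot: In the monitor-central-access-policy-and-rule-definitions.md, monitor-claim-types.md and monitor-resource-attribute-definitions.md hunks, the removed line is not empty but whitespace-only (it appears to carry a non-breaking space or similar character rather than an ordinary space). That makes this more than a lint fix: CommonMark treats only U+0020 and tab characters as blank, so the old line was a lazy continuation of the preceding `>**Note:**` blockquote, and the bold procedure heading `**To configure settings to monitor ...**` that follows was pulled into the quote as well. The genuinely empty `+` line ends the blockquote so the heading renders as its own paragraph; worth stating in the PR description so the change is not reverted as whitespace noise. While in monitor-claim-types.md, the context line `by using domain administrator credential.` should read `credentials`, as in the sibling files.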
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md index 2f138a439c..75322ba7e9 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md @@ -31,7 +31,7 @@ For info about monitoring potential central access policy changes for an entire Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/library/hh831717.aspx). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -  + **To configure settings to monitor central access policies associated with files or folders** 1. Sign in to your domain controller by using domain administrator credentials. 
@@ -66,7 +66,7 @@ After you configure settings to monitor changes to the central access policies t 3. Right-click the file or folder, click **Properties**, click the **Security** tab, and then click **Advanced**. 4. Click the **Central Policy** tab, click **Change**, and select a different central access policy (if one is available) or select **No Central Access Policy**, and then click **OK** twice. >**Note:**  You must select a setting that is different than your original setting to generate the audit event. -   + 5. In Server Manager, click **Tools**, and then click **Event Viewer**. 6. Expand **Windows Logs**, and then click **Security**. 7. Look for event 4913, which is generated when the central access policy that is associated with a file or folder is changed. This event includes the security identifiers (SIDs) of the old and new central access policies. diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md index a191f2bc81..9e48a92f25 100644 --- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md 
@@ -33,7 +33,7 @@ If your organization has a carefully thought out authorization configuration for Use the following procedures to configure settings to monitor changes to resource attributes on files and folders. These procedures assume that have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/library/hh831717.aspx) . >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -  + **To monitor changes to resource attributes on files** 1. Sign in to your domain controller by using domain administrator credentials. diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 877d76078c..b163b7b6f6 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -29,7 +29,7 @@ If you configure this policy setting, an audit event is generated each time a us Use the following procedures to monitor the use of removable storage devices and to verify that the devices are being monitored. >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -  + **To configure settings to monitor removable storage devices** 1. Sign in to your domain controller by using domain administrator credentials. 
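Review bot: In the monitor-the-resource-attributes-on-files-and-folders.md hunk, the context line directly above the change reads `These procedures assume that have configured and deployed central access policies`, missing `you`, and the link `[Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/library/hh831717.aspx) .` has a stray space before the period. Since the file is already part of this PR, fix both in the same commit.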
@@ -47,7 +47,7 @@ After you configure the settings to monitor removable storage devices, use the f 1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window. >**Note:**  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. -   + 2. Type **gpupdate /force**, and press ENTER. 3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy. 4. In Server Manager, click **Tools**, and then click **Event Viewer**. @@ -57,7 +57,7 @@ After you configure the settings to monitor removable storage devices, use the f Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted. >**Note:**  We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event. -   + ### Related resource - [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md index 4d446aee17..1964224c17 100644 --- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md 
@@ -29,7 +29,7 @@ Device claims are associated with the system that is used to access resources th Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -  + **To monitor user and device claims in user logon token** 1. Sign in to your domain controller by using domain administrator credentials. diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index 6bcb5a79a8..fb3c6e1a6f 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md 
@@ -106,7 +106,7 @@ An organization's domain and OU structure provide a fundamental starting point f In addition to your domain model, you should also find out whether your organization creates and maintains a systematic threat model. A good threat model can help you identify threats to key components in your infrastructure, so you can define and apply audit settings that enhance the organization's ability to identify and counter those threats. >**Important:**  Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results. -  + For additional details about how to complete each of these steps and how to prepare a detailed threat model, download the [IT Infrastructure Threat Modeling Guide](https://go.microsoft.com/fwlink/p/?LinkId=163432). ### Data and resources @@ -124,7 +124,7 @@ The following table provides an example of a resource analysis for an organizati | Payroll data| Corp-Finance-1| Accounting: Read/Write on Corp-Finance-1
                                                                                  Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy| | Patient medical records| MedRec-2| Doctors and Nurses: Read/Write on Med/Rec-2
                                                                                  Lab Assistants: Write only on MedRec-2
                                                                                  Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards| | Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/Write on Web-Ext-1
                                                                                  Public: Read only on Web-Ext-1| Low| Public education and corporate image| -  + ### Users Many organizations find it useful to classify the types of users they have and base permissions on this classification. This same classification can help you identify which user activities should be the subject of security auditing and the amount of audit data they will generate. @@ -144,7 +144,7 @@ The following table illustrates an analysis of users on a network. Although our | Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. We need a mechanism to monitor these changes. | | Members of the Finance OU| Financial records| Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. | | External partners | Project Z| Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.| -  + ### Computers Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on: 
@@ -153,11 +153,11 @@ Security and auditing requirements and audit event volume can vary considerably - The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity Manager. >**Note:**  If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434). For SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx). -   + - The operating system versions. >**Note:**  The operating system version determines which auditing options are available and the volume of audit event data. -   + - The business value of the data. For example, a web server that is accessed by external users requires different audit settings than a root certification authority (CA) that is never exposed to the public Internet or even to regular users on the organization's network. 
@@ -170,7 +170,7 @@ The following table illustrates an analysis of computers in an organization. | File servers | Windows Server 2012| Separate resource OUs by department and (in some cases) by location| | Portable computers | Windows Vista and Windows 7| Separate portable computer OUs by department and (in some cases) by location| | Web servers | Windows Server 2008 R2 | WebSrv OU| -  + ### Regulatory requirements Many industries and locales have strict and specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, there are strict guidelines for who has access to records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that can be used to comply with and verify compliance with these regulations. 
@@ -197,7 +197,7 @@ following considerations for using Group Policy to apply security audit policy s >**Important:**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. If you use **Advanced Audit Policy Configuration** settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored. -   + The following are examples of how audit policies can be applied to an organization's OU structure: @@ -234,7 +234,7 @@ Depending on your goals, different sets of audit settings may be of particular v - Network >**Important:**  Settings that are described in the Reference might also provide valuable information about activity audited by another setting. For example, the settings used to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status, and potentially for how well you are managing the activities of users on the network. -  + ### Data and resource activity For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be 
@@ -246,14 +246,14 @@ protected against any breach, the following settings can provide extremely valua If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that have been configured to be monitored. >**Note:**  To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md). -   + - Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events, and only if the attempted handle operation matches the SACL. Event volume can be high, depending on how SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy settings, the **Audit Handle Manipulation** policy setting can provide an administrator with useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a Read-only resource but a user attempts to save changes to the file, the audit event will log not only the event, but also the permissions that were used (or attempted to be used) to save the file changes. - **Global Object Access Auditing**. 
A growing number of organizations are using security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be extremely difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system, which cannot be overridden or circumvented. >**Important:**  The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category. -   + ### User activity The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network, and the settings in this section focus on the users, including employees, partners, and customers, who may try to access those resources. 
@@ -267,7 +267,7 @@ In the majority of cases, these attempts will be legitimate and a network needs - Logon/Logoff\\[Audit Logoff](audit-logoff.md) and Logon/Logoff\\[Audit Logon](audit-logon.md). Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated. >**Note:**  There is no failure event for logoff activity because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is not generated. -   + - Logon/Logoff\\[Audit Special Logon](audit-special-logon.md). A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It is recommended to track these types of logons. For more information about this feature, see [article 947223](https://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base. - Object Access\\[Audit Certification Services](audit-certification-services.md). This policy setting allows you to track and monitor a wide variety of activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users are performing or attempting to perform these tasks, and that only authorized or desired tasks are being performed. - Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md). These policy settings are described in the previous section. 
@@ -275,7 +275,7 @@ In the majority of cases, these attempts will be legitimate and a network needs - Object Access\\[Audit Registry](audit-registry.md). Monitoring for changes to the registry is one of the most critical means that an administrator has to ensure malicious users do not make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs, and only if the type of access that is requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. >**Important:**  On critical systems where all attempts to change registry settings need to be tracked, you can combine the **Audit Registry** policy setting with the **Global Object Access Auditing** policy settings to ensure that all attempts to modify registry settings on a computer are tracked. -   + - Object Access\\[Audit SAM](audit-sam.md). The Security Accounts Manager (SAM) is a database that is present on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events. - Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md). **Privilege Use** policy settings and audit events allow you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made. 
@@ -287,7 +287,7 @@ The following network activity policy settings allow you to monitor security-rel - Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md). Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting allows you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting allows you to monitor the use of Kerberos service tickets. >**Note:**  **Account Logon** policy settings apply only to specific domain account activities, regardless of the computer that is accessed, whereas **Logon/Logoff** policy settings apply to the computer that hosts the resources being accessed. -   + - Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md). This policy setting can be used to track a number of different network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections. - **DS Access**. Policy settings in this category allow you to monitor the AD DS role services, which provide account data, validate logons, maintain network access permissions, and provide other services that are critical to the secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. In addition, one of the key tasks performed by AD DS is the replication of data between domain controllers. 
- Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md), Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md), and Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md). Many networks support large numbers of external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the Internet by enabling network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly. diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md index 59b92e7942..512168ee42 100644 --- a/windows/security/threat-protection/auditing/security-auditing-overview.md +++ b/windows/security/threat-protection/auditing/security-auditing-overview.md @@ -20,7 +20,7 @@ ms.date: 04/19/2017 # Security auditing **Applies to** -- Windows 10 +- Windows 10 Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. 
@@ -29,10 +29,11 @@ Topics in this section are for IT professionals and describes the security audit Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. ## In this section + | Topic | Description | | - | - | |[Basic security audit policies](basic-security-audit-policies.md) |Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. | |[Advanced security audit policies](advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. | -  -  -  + + + diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index aab92f0a30..919b779ce8 100644 --- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md 
@@ -42,9 +42,9 @@ Domain administrators can create and deploy expression-based security audit poli | [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md)| This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. | | [Monitor the central access policies associated with files and folders](monitor-the-central-access-policies-associated-with-files-and-folders.md)| This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects. | | [Monitor claim types](monitor-claim-types.md) | This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.| -  + >**Important:**  This procedure can be configured on computers running any of the supported Windows operating systems. The other monitoring procedures can be configured only as part of a functioning dynamic access control deployment. -  + ## Related topics - [Security auditing](security-auditing-overview.md) diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index 8c6b6c4ef3..99b2a8e507 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md 
@@ -69,9 +69,9 @@ Use Group Policy or the registry to turn this feature on, off, or to use audit m **To turn on and use the Blocking Untrusted Fonts feature through the registry** To turn this feature on, off, or to use audit mode: -1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`. +1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`. -2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. +2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. 3. Right click on the **MitigationOptions** key, and then click **Modify**. @@ -79,16 +79,16 @@ To turn this feature on, off, or to use audit mode: 4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below: - - **To turn this feature on.** Type **1000000000000**. + - **To turn this feature on.** Type **1000000000000**. - - **To turn this feature off.** Type **2000000000000**. + - **To turn this feature off.** Type **2000000000000**. - - **To audit with this feature.** Type **3000000000000**. + - **To audit with this feature.** Type **3000000000000**. - >[!Important] - >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.  + >[!Important] + >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. -4. Restart your computer. +5. Restart your computer. ## View the event log After you turn this feature on, or start using Audit mode, you can look at your event logs for details. 
@@ -141,11 +141,11 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa 2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic. -  + ## Related content - [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/) -  + diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 3507e200b9..39593c240a 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -29,7 +29,7 @@ On this page Updated: March 2018 -  + ## Introduction 
@@ -156,31 +156,31 @@ The following list details some of the Microsoft components that use the cryptog When setting the FIPS local/group security policy flag, the behavior of several Microsoft components and products are affected. The most noticeable difference will be that the components enforcing this setting will only use those algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are: - - Schannel Security Package forced to negotiate sessions using TLS. The following supported Cipher Suites are disabled: +- Schannel Security Package forced to negotiate sessions using TLS. The following supported Cipher Suites are disabled: - - - TLS\_RSA\_WITH\_RC4\_128\_SHA - - TLS\_RSA\_WITH\_RC4\_128\_MD5 - - SSL\_CK\_RC4\_128\_WITH\_MD5 - - SSL\_CK\_DES\_192\_EDE3\_CBC\_WITH\_MD5 - - TLS\_RSA\_WITH\_NULL\_MD5 - - TLS\_RSA\_WITH\_NULL\_SHA +- - TLS\_RSA\_WITH\_RC4\_128\_SHA + - TLS\_RSA\_WITH\_RC4\_128\_MD5 + - SSL\_CK\_RC4\_128\_WITH\_MD5 + - SSL\_CK\_DES\_192\_EDE3\_CBC\_WITH\_MD5 + - TLS\_RSA\_WITH\_NULL\_MD5 + - TLS\_RSA\_WITH\_NULL\_SHA - - The set of cryptographic algorithms that a Remote Desktop Protocol (RDP) server will use is scoped to: +- The set of cryptographic algorithms that a Remote Desktop Protocol (RDP) server will use is scoped to: - - - CALG\_RSA\_KEYX - RSA public key exchange algorithm - - CALG\_3DES - Triple DES encryption algorithm - - CALG\_AES\_128 - 128 bit AES - - CALG\_AES\_256 - 256 bit AES - - CALG\_SHA1 - SHA hashing algorithm - - CALG\_SHA\_256 - 256 bit SHA hashing algorithm - - CALG\_SHA\_384 - 384 bit SHA hashing algorithm - - CALG\_SHA\_512 - 512 bit SHA hashing algorithm +- - CALG\_RSA\_KEYX - RSA public key exchange algorithm + - CALG\_3DES - Triple DES encryption algorithm + - CALG\_AES\_128 - 128 bit AES + - CALG\_AES\_256 - 256 bit AES + - CALG\_SHA1 - SHA hashing algorithm + - CALG\_SHA\_256 - 256 bit SHA hashing algorithm + - CALG\_SHA\_384 - 384 bit SHA hashing algorithm + - CALG\_SHA\_512 
- 512 bit SHA hashing algorithm - - Any Microsoft .NET Framework applications, such as Microsoft ASP.NET or Windows Communication Foundation (WCF), only allow algorithm implementations that are validated to FIPS 140, meaning only classes that end in "CryptoServiceProvider" or "Cng" can be used. Any attempt to create an instance of other cryptographic algorithm classes or create instances that use non-allowed algorithms will cause an InvalidOperationException exception. +- Any Microsoft .NET Framework applications, such as Microsoft ASP.NET or Windows Communication Foundation (WCF), only allow algorithm implementations that are validated to FIPS 140, meaning only classes that end in "CryptoServiceProvider" or "Cng" can be used. Any attempt to create an instance of other cryptographic algorithm classes or create instances that use non-allowed algorithms will cause an InvalidOperationException exception. - - Verification of ClickOnce applications fails unless the client computer has .NET Framework 2.0 SP1 or later service pack installed or .NET Framework 3.5 or later installed. +- Verification of ClickOnce applications fails unless the client computer has .NET Framework 2.0 SP1 or later service pack installed or .NET Framework 3.5 or later installed. - - On Windows Vista and Windows Server 2008 and later, BitLocker Drive Encryption switches from AES-128 using the elephant diffuser to using the approved AES-256 encryption. Recovery passwords are not created or backed up. Instead, backup a recovery key on a local drive or on a network share. To use the recovery key, put the key on a USB device and plug the device into the computer. +- On Windows Vista and Windows Server 2008 and later, BitLocker Drive Encryption switches from AES-128 using the elephant diffuser to using the approved AES-256 encryption. Recovery passwords are not created or backed up. Instead, backup a recovery key on a local drive or on a network share. 
To use the recovery key, put the key on a USB device and plug the device into the computer. Please be aware that selection of FIPS mode can limit product functionality (See ). @@ -1979,7 +1979,7 @@ Validated Editions: Server, Storage Server -  + ### Cryptographic Algorithms @@ -5819,7 +5819,7 @@ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (30

                                                                                  FIPS186-4:
                                                                                  [RSASSA-PSS]:
                                                                                  Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                                                                                  - Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                                                                                  + Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                                                                                  SHA Val#2373

                                                                                  Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

                                                                                  Version 6.3.9600

                                                                                  diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md index 5ec1e94d24..2c5d379949 100644 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/get-support-for-security-baselines.md 
@@ -81,16 +81,17 @@ Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.asp **Microsoft Products** -| Name | Details | Security Tools | -|---|---|---| -Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)| -|Internet Explorer 10|[Technet](https://technet.microsoft.com/library/jj898540.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | -|Internet Explorer 9|[Technet](https://technet.microsoft.com/library/hh539027.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) -|Internet Explorer 8|[Technet](https://technet.microsoft.com/library/ee712766.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) -|Exchange Server 2010|[Technet](https://technet.microsoft.com/library/hh913521.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) -|Exchange Server 2007|[Technet](https://technet.microsoft.com/library/hh913520.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) -|Microsoft Office 2010|[Technet](https://technet.microsoft.com/library/gg288965.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) -|Microsoft Office 2007 SP2|[Technet](https://technet.microsoft.com/library/cc500475.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) + +| Name | Details | Security Tools | +|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------| +| Internet Explorer 11 | 
[SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Internet Explorer 10 | [Technet](https://technet.microsoft.com/library/jj898540.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Internet Explorer 9 | [Technet](https://technet.microsoft.com/library/hh539027.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Internet Explorer 8 | [Technet](https://technet.microsoft.com/library/ee712766.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Exchange Server 2010 | [Technet](https://technet.microsoft.com/library/hh913521.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Exchange Server 2007 | [Technet](https://technet.microsoft.com/library/hh913520.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Microsoft Office 2010 | [Technet](https://technet.microsoft.com/library/gg288965.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Microsoft Office 2007 SP2 | [Technet](https://technet.microsoft.com/library/cc500475.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
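Review bot: The rewritten Internet Explorer 11 row drops a link that the old row carried. The removed line was `Internet Explorer 11 | [SecGuide](...)|[SCT 1.0](...)|[SCM 4.0](...)|` (four cells in a three-column table), while the added line is `| Internet Explorer 11 | [SecGuide](...) | [SCT 1.0](...) |`. If the goal was only to fix the cell count, keep the SCM 4.0 reference by putting both tools in the Security Tools cell, e.g. `[SCT 1.0](...), [SCM 4.0](...)`; otherwise state in the commit message that the SCM 4.0 entry for IE 11 is intentionally retired.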
                                                                                  diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 8dd80a3cf4..56f734dc44 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -28,7 +28,7 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan. > **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection). - +> > **NOTE:** Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download. ## System requirements diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md index 909f030359..4744f0f0e3 100644 --- a/windows/security/threat-protection/intelligence/support-scams.md +++ b/windows/security/threat-protection/intelligence/support-scams.md 
@@ -63,6 +63,6 @@ It is also important to keep the following in mind: Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams: -**www.microsoft.com/reportascam** +www.microsoft.com/reportascam You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md index 8ff24aa00a..a09b2f556d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md 
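Review bot: Unbolding `**www.microsoft.com/reportascam**` to the bare text `www.microsoft.com/reportascam` leaves the reporting address as plain text that is neither emphasised nor clickable, while the neighbouring "Report an unsafe site form" is a proper Markdown link. Make it a link, `[www.microsoft.com/reportascam](https://www.microsoft.com/reportascam)`, so the two reporting paths in this section are presented consistently.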
@@ -37,78 +37,78 @@ For the App registration stage, you must have a Global administrator role in you ### Step 1 - Create an App in Azure Active Directory -1. Log on to [Azure](https://portal.azure.com) with your Global administrator user. +1. Log on to [Azure](https://portal.azure.com) with your Global administrator user. -2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. +2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. - ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) + ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) -3. In the registration form, enter the following information, then click **Create**. +3. In the registration form, enter the following information, then click **Create**. - - **Name:** Choose your own name. - - **Application type:** Web app / API - - **Redirect URI:** `https://127.0.0.1` + - **Name:** Choose your own name. + - **Application type:** Web app / API + - **Redirect URI:** `https://127.0.0.1` - ![Image of Create application window](images/webapp-create.png) + ![Image of Create application window](images/webapp-create.png) 4. Allow your App to access Microsoft Defender ATP and assign it 'Read all alerts' permission: - - Click **Settings** > **Required permissions** > **Add**. + - Click **Settings** > **Required permissions** > **Add**. - ![Image of new app in Azure](images/webapp-add-permission.png) + ![Image of new app in Azure](images/webapp-add-permission.png) - - Click **Select an API** > **WindowsDefenderATP**, then click **Select**. + - Click **Select an API** > **WindowsDefenderATP**, then click **Select**. - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + **Note**: WindowsDefenderATP does not appear in the original list. 
You need to start writing its name in the text box to see it appear. - ![Image of API access and API selection](images/webapp-add-permission-2.png) + ![Image of API access and API selection](images/webapp-add-permission-2.png) - - Click **Select permissions** > **Read all alerts** > **Select**. + - Click **Select permissions** > **Read all alerts** > **Select**. - ![Image of API access and API selection](images/webapp-add-permission-readalerts.png) + ![Image of API access and API selection](images/webapp-add-permission-readalerts.png) - - Click **Done** + - Click **Done** - ![Image of add permissions completion](images/webapp-add-permission-end.png) + ![Image of add permissions completion](images/webapp-add-permission-end.png) - - Click **Grant permissions** + - Click **Grant permissions** - **Note**: Every time you add permission you must click on **Grant permissions**. + **Note**: Every time you add permission you must click on **Grant permissions**. - ![Image of Grant permissions](images/webapp-grant-permissions.png) + ![Image of Grant permissions](images/webapp-grant-permissions.png) 5. Create a key for your App: - - Click **Keys**, type a key name and click **Save**. + - Click **Keys**, type a key name and click **Save**. - ![Image of create app key](images/webapp-create-key.png) + ![Image of create app key](images/webapp-create-key.png) 6. Write down your App ID and your Tenant ID: - - App ID: + - App ID: - ![Image of created app id](images/webapp-app-id1.png) + ![Image of created app id](images/webapp-app-id1.png) - - Tenant ID: Navigate to **Azure Active Directory** > **Properties** + - Tenant ID: Navigate to **Azure Active Directory** > **Properties** - ![Image of create app key](images/api-tenant-id.png) + ![Image of create app key](images/api-tenant-id.png) Done! You have successfully registered an application! ### Step 2 - Get a token using the App and use this token to access the API. 
-- Copy the script below to PowerShell ISE or to a text editor, and save it as "**Get-Token.ps1**" -- Running this script will generate a token and will save it in the working folder under the name "**Latest-token.txt**". +- Copy the script below to PowerShell ISE or to a text editor, and save it as "**Get-Token.ps1**" +- Running this script will generate a token and will save it in the working folder under the name "**Latest-token.txt**". ``` # That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory # Paste below your Tenant ID, App ID and App Secret (App key). - + $tenantId = '' ### Paste your tenant ID here $appId = '' ### Paste your app ID here $appSecret = '' ### Paste your app key here - + $resourceAppIdUri = 'https://api.securitycenter.windows.com' $oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" $authBody = [Ordered] @{ @@ -121,10 +121,9 @@ $authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -E $token = $authResponse.access_token Out-File -FilePath "./Latest-token.txt" -InputObject $token return $token - ``` -- Sanity Check:
                                                                                  +- Sanity Check:
                                                                                  Run the script.
                                                                                  In your browser go to: https://jwt.ms/
                                                                                  Copy the token (the content of the Latest-token.txt file).
                                                                                  @@ -135,13 +134,13 @@ Look for the "roles" section. Find the Alert.Read.All role. ### Lets get the Alerts! -- The script below will use **Get-Token.ps1** to access the API and will get the past 48 hours Alerts. +- The script below will use **Get-Token.ps1** to access the API and will get the past 48 hours Alerts. - Save this script in the same folder you saved the previous script **Get-Token.ps1**. -- The script creates two files (json and csv) with the data in the same folder as the scripts. +- The script creates two files (json and csv) with the data in the same folder as the scripts. ``` # Returns Alerts created in the past 48 hours. - + $token = ./Get-Token.ps1 #run the script Get-Token.ps1 - make sure you are running this script from the same folder of Get-Token.ps1 # Get Alert from the last 48 hours. Make sure you have alerts in that time frame. @@ -150,7 +149,7 @@ $dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o") # The URL contains the type of query and the time filter we create above # Read more about other query options and filters at Https://TBD- add the documentation link $url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime" - + # Set the WebRequest headers $headers = @{ 'Content-Type' = 'application/json' 
@@ -163,24 +162,23 @@ $response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorActi # Extract the alerts from the results. $alerts = ($response | ConvertFrom-Json).value | ConvertTo-Json - + # Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file $dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."} - + # Save the result as json and as csv $outputJsonPath = "./Latest Alerts $dateTimeForFileName.json" $outputCsvPath = "./Latest Alerts $dateTimeForFileName.csv" - + Out-File -FilePath $outputJsonPath -InputObject $alerts ($alerts | ConvertFrom-Json) | Export-CSV $outputCsvPath -NoTypeInformation - ``` You’re all done! You have just successfully: -- Created and registered and application -- Granted permission for that application to read alerts -- Connected the API -- Used a PowerShell script to return alerts created in the past 48 hours +- Created and registered and application +- Granted permission for that application to read alerts +- Connected the API +- Used a PowerShell script to return alerts created in the past 48 hours diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 04e82ab368..ba81f53c58 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md 
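Review bot: The Get-Token.ps1 sample in the `@@ -37,78 +37,78 @@` hunk writes the bearer token to disk in plaintext (`Out-File -FilePath "./Latest-token.txt" -InputObject $token`) and has the reader paste the app key into the script body (`$appSecret = '' ### Paste your app key here`), but nothing in the surrounding prose says that both files then contain credentials. Since the bullets above the script are being touched, add a sentence noting that Latest-token.txt and the saved script must be protected and removed after the walkthrough, or have the script return `$token` without writing it, since the second script already consumes it via `$token = ./Get-Token.ps1`.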
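Review bot: The `@@ -150,7 +149,7 @@` hunk only strips trailing whitespace, but the context line `# Read more about other query options and filters at Https://TBD- add the documentation link` is an unfinished editorial placeholder that ships to readers inside the sample script. Either fill in the documentation link or remove the comment before merging.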
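Review bot: The closing summary in the `@@ -163,24 +162,23 @@` hunk carries the typo "Created and registered and application" over unchanged into the new `+- Created and registered and application` line; correct it to "Created and registered an application" while the line is being rewritten. The `@@ -135,13 +134,13 @@` hunk's heading context `### Lets get the Alerts!` is missing the apostrophe ("Let's") as well.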
@@ -28,7 +28,7 @@ ms.date: 10/16/2017 Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. -## Alert API fields and portal mapping +## Alert API fields and portal mapping The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). 
@@ -36,38 +36,39 @@ The ArcSight field column contains the default mapping between the Microsoft Def Field numbers match the numbers in the images below. > [!div class="mx-tableFixed"] -| Portal label | SIEM field name | ArcSight field | Example value | Description | -|------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. | -| 2 | Severity | deviceSeverity | Medium | Value available for every alert. | -| 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. | -| 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. | -| 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. | -| 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. | -| 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. | -| 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. | -| 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. | -| 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. | -| 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. 
| -| 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. | -| 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts. | -| 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. | -| 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. | -| 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. | -| 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. | -| 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. | -| 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. | -| 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. | -| 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. | -| 22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group. | -| 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. | -| | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. 
| -| | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | -| | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. | -| Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. | -| | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. | -| | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. | -| | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions. +> +> | Portal label | SIEM field name | ArcSight field | Example value | Description | +> |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +> | 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. | +> | 2 | Severity | deviceSeverity | Medium | Value available for every alert. | +> | 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. | +> | 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. | +> | 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. | +> | 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. 
| +> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. | +> | 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. | +> | 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. | +> | 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. | +> | 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. | +> | 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. | +> | 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts. | +> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. | +> | 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. | +> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. | +> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. | +> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. | +> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. | +> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. 
Value available for every alert. | +> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. | +> | 22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group. | +> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. | +> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. | +> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | +> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. | +> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. | +> | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. | +> | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. | +> | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions. ![Image of alert with numbers](images/atp-alert-page.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index a30a6763d0..a550e32f0c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md 
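Review bot: Row 13 of the rewrapped table keeps `| 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit |`, where the ArcSight field name is missing its leading "d": every other custom-string row in the same table uses `deviceCustomString4`, `deviceCustomString5` and `deviceCustomString6`. Since every line of the table is being replaced to add the `>` prefix, fix it to `deviceCustomString1` here, and close the final `deviceVersion` row with a trailing `|` so it matches the other rows.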
@@ -39,25 +39,25 @@ You can access Microsoft Defender ATP API with **Application Context** or **User Steps that need to be taken to access Microsoft Defender ATP API with application context: - 1. Create an AAD Web-Application. - 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'. - 3. Create a key for this Application. - 4. Get token using the application with its key. - 5. Use the token to access Microsoft Defender ATP API + 1. Create an AAD Web-Application. + 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'. + 3. Create a key for this Application. + 4. Get token using the application with its key. + 5. Use the token to access Microsoft Defender ATP API - For more information, see [Get access with application context](exposed-apis-create-app-webapp.md). + For more information, see [Get access with application context](exposed-apis-create-app-webapp.md). - **User Context:**
                                                                                  Used to perform actions in the API on behalf of a user. Steps that needs to be taken to access Microsoft Defender ATP API with application context: - 1. Create AAD Native-Application. - 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc. - 3. Get token using the application with user credentials. - 4. Use the token to access Microsoft Defender ATP API + 1. Create AAD Native-Application. + 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc. + 3. Get token using the application with user credentials. + 4. Use the token to access Microsoft Defender ATP API - For more information, see [Get access with user context](exposed-apis-create-app-nativeapp.md). + For more information, see [Get access with user context](exposed-apis-create-app-nativeapp.md). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md index 06eef64756..f7afee3646 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md 
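Review bot: The User Context block that this hunk re-indents is introduced by the context line "Steps that needs to be taken to access Microsoft Defender ATP API with application context:", which is both ungrammatical ("needs") and wrong for its section; it duplicates the Application Context lead-in directly above. Change it to "Steps that need to be taken to access Microsoft Defender ATP API with user context:" so the two lists are correctly labelled.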
@@ -33,11 +33,11 @@ Microsoft Defender ATP supports two ways to manage permissions: - **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to machine groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md). > [!NOTE] ->If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch: - ->- Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Microsoft Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Microsoft Defender ATP administrator role after switching to RBAC. Only users assigned to the Microsoft Defender ATP administrator role can manage permissions using RBAC. ->- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC. ->- After switching to RBAC, you will not be able to switch back to using basic permissions management. +> If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch: +> +> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Microsoft Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Microsoft Defender ATP administrator role after switching to RBAC. Only users assigned to the Microsoft Defender ATP administrator role can manage permissions using RBAC. +> - Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. 
Note that only Azure AD user groups can be assigned a role under RBAC. +> - After switching to RBAC, you will not be able to switch back to using basic permissions management. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md index 96117063de..ad94b7494d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md 
@@ -42,11 +42,11 @@ Read the walkthrough document provided with each attack scenario. Each document 1. In **Help** > **Simulations & tutorials**, select which of the available attack scenarios you would like to simulate: - - **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control. + - **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control. - - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity. + - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity. - - **Scenario 3: Automated incident response** - triggers Automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity. + - **Scenario 3: Automated incident response** - triggers Automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity. 2. Download and read the corresponding walkthrough document provided with your selected scenario. 
@@ -54,11 +54,11 @@ Read the walkthrough document provided with each attack scenario. Each document 4. Run the simulation file or script on the test machine as instructed in the walkthrough document. ->[!NOTE] ->Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine. - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink) +> [!NOTE] +> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine. +> +> +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index 294a775bb9..861f47388c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md 
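Review bot: in the attack-simulations `@@ -54,11` hunk the free-trial line is now inside the `[!NOTE]` callout: the two blank lines that separated `Simulation files or scripts mimic attack activity but are actually benign` from `Want to experience Microsoft Defender ATP?` were given a `>` prefix, so the promotional link renders as part of the note about the simulations being harmless. Leave those separator lines as plain blank lines so the callout closes after the benign-simulation sentence and the sign-up link stays a separate quote block, as it was before the change.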
@@ -58,13 +58,13 @@ Assigning read only access rights requires adding the users to the "Security Rea Use the following steps to assign security roles: - For **read and write** access, assign users to the security administrator role by using the following command: -```text -Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" -``` + ```text + Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" + ``` - For **read only** access, assign users to the security reader role by using the following command: -```text -Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" -``` + ```text + Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" + ``` For more information see, [Add or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md index 13d358f5af..2b30dd77ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md @@ -26,8 +26,8 @@ ms.topic: article This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation. ### Before you begin ->[!IMPORTANT] -Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
                                                                                  +> [!IMPORTANT] +> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
                                                                                  Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 862e906979..22c9359f44 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -61,88 +61,87 @@ The following steps assume that you have completed all the required steps in [Be 1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.

                                                                                  You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. 2. Follow the installation wizard through the following tasks: - - Introduction - - Choose Install Folder - - Choose Install Set - - Choose Shortcut Folder - - Pre-Installation Summary - - Installing... + - Introduction + - Choose Install Folder + - Choose Install Set + - Choose Shortcut Folder + - Pre-Installation Summary + - Installing... - You can keep the default values for each of these tasks or modify the selection to suit your requirements. + You can keep the default values for each of these tasks or modify the selection to suit your requirements. 3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the FlexConnector installation location, for example: - - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\ + - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\ - - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\ + - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\ - NOTE: - You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. + NOTE: + You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. 4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**. 5. Select Type: **ArcSight FlexConnector REST** and click **Next**. -6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank. +6. 
Type the following information in the parameter details form. All other values in the form are optional and can be left blank. - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                  FieldValue
                                                                                  Configuration FileType in the name of the client property file. The name must match the file provided in the .zip that you downloaded. - For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
                                                                                  Events URLDepending on the location of your datacenter, select either the EU or the US URL:

                                                                                  **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                                                                                  -
                                                                                  **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME

                                                                                  **For UK**: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                                                                                  Authentication TypeOAuth 2
                                                                                  OAuth 2 Client Properties fileBrowse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.
                                                                                  Refresh TokenYou can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool.

                                                                                  For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).

                                                                                  **Get your refresh token using the restutil tool:**
                                                                                  a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool.

                                                                                  b. Type: `arcsight restutil token -config` from the bin directory.For example: **arcsight restutil boxtoken -proxy proxy.location.hp.com:8080** A Web browser window will open.

                                                                                  c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

                                                                                  d. A refresh token is shown in the command prompt.

                                                                                  e. Copy and paste it into the **Refresh Token** field. -
                                                                                  -7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.

                                                                                  -If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.

                                                                                  If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                  FieldValue
                                                                                  Configuration FileType in the name of the client property file. The name must match the file provided in the .zip that you downloaded. + For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
                                                                                  Events URLDepending on the location of your datacenter, select either the EU or the US URL:

                                                                                  For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                                                                                  +
                                                                                  For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME

                                                                                  For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                                                                                  Authentication TypeOAuth 2
                                                                                  OAuth 2 Client Properties fileBrowse to the location of the wdatp-connector.properties file. The name must match the file provided in the .zip that you downloaded.
                                                                                  Refresh TokenYou can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

                                                                                  For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP.

                                                                                  Get your refresh token using the restutil tool:
                                                                                  a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

                                                                                  b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

                                                                                  c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

                                                                                  d. A refresh token is shown in the command prompt.

                                                                                  e. Copy and paste it into the Refresh Token field. +

                                                                                  7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.

                                                                                  + If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.

                                                                                  If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. -8. Continue with the connector setup by returning to the HP ArcSight Connector Setup window. +7. Continue with the connector setup by returning to the HP ArcSight Connector Setup window. -9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. +8. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. -10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**. +9. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**. -11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**. +10. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**. -11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported. +11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported. 12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**. 13. Select **Install as a service** and click **Next**. -14. Type a name in the **Service Internal Name** field. 
All other values in the form can be retained with the default values or left blank . Click **Next**. +14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**. -13. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**. +15. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**. -14. Finish the installation by selecting **Exit** and **Next**. +16. Finish the installation by selecting **Exit** and **Next**. ## Install and configure the HP ArcSight console 1. Follow the installation wizard through the following tasks: - - Introduction - - License Agreement - - Special Notice - - Choose ArcSight installation directory - - Choose Shortcut Folder - - Pre-Installation Summary + - Introduction + - License Agreement + - Special Notice + - Choose ArcSight installation directory + - Choose Shortcut Folder + - Pre-Installation Summary 2. Click **Install**. After the installation completes, the ArcSight Console Configuration Wizard opens. 
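Review bot: the step renumbering in the configure-arcsight `@@ -61,88` hunk still leaves two items numbered 7, `7. A browser window is opened by the connector.` followed by the renumbered `+7. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.`; the second should be 8 and the following items shifted accordingly (the old list's duplicate 11 and the out-of-order 13/14 are fixed by this hunk, this one is not). Three further points in the same table: the Events URL cell says `select either the EU or the US URL` but lists EU, US and UK endpoints, so it should say to select the URL for your datacenter region; sub-step b gives the command as `arcsight restutil token -config` and then illustrates it with `arcsight restutil boxtoken -proxy proxy.location.hp.com:8080`, which is a different sub-command, so one of the two is wrong; and the paragraph that says an http `redirect_uri` needs no certificate trust should add the caveat that the OAuth 2 authorization response is then delivered to the connector over plaintext HTTP, so the https form with the locally trusted certificate is the one to recommend. Also confirm that `[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)`, which appears as plain text in the rewritten Refresh Token cell, was converted to an `<a href>` element rather than dropped, because markdown link syntax is not rendered inside raw HTML table cells.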
@@ -177,11 +176,11 @@ Microsoft Defender ATP alerts will appear as discrete events, with "Microsoft” **Solution:** 1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?". 2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value: -`reauthenticate=true`. + `reauthenticate=true`. 3. Restart the connector by running the following command: `arcsight.bat connectors`. - A browser window appears. Allow it to run, it should disappear, and the connector should now be running. + A browser window appears. Allow it to run, it should disappear, and the connector should now be running. > [!NOTE] > Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index e6023b38fc..0c2d7e763e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md 
@@ -71,10 +71,10 @@ Take the following steps to enable Conditional Access: 4. In **Platform**, select **Windows 10 and later**. 5. In the **Device Health** settings, set **Require the device to be at or under the Device Threat Level** to your preferred level: - - **Secured**: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant. - - **Low**: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant. - - **Medium**: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant. - - **High**: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant. + - **Secured**: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant. + - **Low**: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant. + - **Medium**: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant. + - **High**: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant. 6. Select **OK**, and **Create** to save your changes (and create the policy). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index 01b6ee0ef8..88aa16e2cf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md @@ -57,7 +57,7 @@ For security reasons, the package used to Offboard machines will expire 30 days > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. -1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): +1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Offboarding**. @@ -67,7 +67,7 @@ For security reasons, the package used to Offboard machines will expire 30 days d. Click **Download package**, and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index 249bd676ef..8be4bddd06 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -43,11 +43,11 @@ You'll need to take the following steps to onboard non-Windows machines: 1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed. - 2. In the **Partner Applications** tab, select the partner that supports your non-Windows devices. + 2. In the **Partner Applications** tab, select the partner that supports your non-Windows devices. - 3. Select **Open partner page** to open the partner's page. Follow the instructions provided on the page. + 3. Select **Open partner page** to open the partner's page. Follow the instructions provided on the page. - 4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it is aligned with the service that you require. + 4. After creating an account or subscribing to the partner solution, you should get to a stage where a tenant Global Admin in your organization is asked to accept a permission request from the partner application. Read the permission request carefully to make sure that it is aligned with the service that you require. 2. Run a detection test by following the instructions of the third-party solution. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 4790139b77..b13eb91164 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md 
@@ -32,7 +32,7 @@ ms.date: 12/11/2018 ## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606 -System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Microsoft Defender ATP on machines. For more information, see [Support for Microsoft Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682). +System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Microsoft Defender ATP on machines. For more information, see Support for Microsoft Defender Advanced Threat Protection service. >[!NOTE] > If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 9f5da5efb1..75b3616e1c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md 
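Review bot: the configure-endpoints-sccm `@@ -32,7` hunk turns `[Support for Microsoft Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682)` into plain text, so the sentence `For more information, see Support for Microsoft Defender Advanced Threat Protection service.` now points nowhere. If the fwlink was removed because it is stale, replace it with the current location of that article rather than de-linking it, otherwise the reader has no way to reach the SCCM integration details the sentence promises.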
@@ -123,8 +123,8 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w - I received this targeted attack notification from Microsoft Threat Experts. We don’t have our own incident response team. What can we do now, and how can we contain the incident? - I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team? - >[!NOTE] - >Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response. + >[!NOTE] + >Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response. ## Scenario diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 6e843641a1..96a1dc2cc7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md 
@@ -53,8 +53,8 @@ The static proxy is configurable through Group Policy (GP). The group policy can - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: ![Image of Group Policy setting](images/atp-gpo-proxy1.png) - **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: - - Configure the proxy:
                                                                                  - ![Image of Group Policy setting](images/atp-gpo-proxy2.png) + - Configure the proxy:
                                                                                  + ![Image of Group Policy setting](images/atp-gpo-proxy2.png) The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`. @@ -81,11 +81,11 @@ Use netsh to configure a system-wide static proxy. b. Right-click **Command prompt** and select **Run as administrator**. -4. Enter the following command and press **Enter**: -``` -netsh winhttp set proxy : -``` -For example: netsh winhttp set proxy 10.0.0.6:8080 +2. Enter the following command and press **Enter**: + ``` + netsh winhttp set proxy : + ``` + For example: netsh winhttp set proxy 10.0.0.6:8080 To reset the winhttp proxy, enter the following command and press **Enter** ``` @@ -136,7 +136,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Microsoft Defender ATP sensor is running on. -2. Extract the contents of WDATPConnectivityAnalyzer on the machine. +2. Extract the contents of WDATPConnectivityAnalyzer on the machine. 3. Open an elevated command-line: @@ -157,15 +157,15 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 5. Extract the *WDATPConnectivityAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. 6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

                                                                                  -The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: - ```text - Testing URL : https://xxx.microsoft.com/xxx - 1 - Default proxy: Succeeded (200) - 2 - Proxy auto discovery (WPAD): Succeeded (200) - 3 - Proxy disabled: Succeeded (200) - 4 - Named proxy: Doesn't exist - 5 - Command line proxy: Doesn't exist - ``` + The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: + ```text + Testing URL : https://xxx.microsoft.com/xxx + 1 - Default proxy: Succeeded (200) + 2 - Proxy auto discovery (WPAD): Succeeded (200) + 3 - Proxy disabled: Succeeded (200) + 4 - Named proxy: Doesn't exist + 5 - Command line proxy: Doesn't exist + ``` If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.
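Review bot: in the configure-proxy-internet netsh hunk (`@@ -81,11`) the example `For example: netsh winhttp set proxy 10.0.0.6:8080` sits outside the fence as prose and the fence itself carries no language tag; put the example in the fence, tagged `cmd`, so it is copyable and highlighted. It would also help to document that `netsh winhttp set proxy` sets the machine-wide WinHTTP proxy used by every WinHTTP client on the box, not only the Defender ATP sensor, and that the command accepts a `bypass-list` argument (for example `bypass-list="<local>"`) for hosts that must not be routed through the proxy; the reset command that follows covers undoing the setting, but nothing warns about its scope. The renumbering from `-4.` to `+2.` looks right, since the preceding `b. Right-click Command prompt and select Run as administrator.` reads as a sub-step of step 1.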

                                                                                  diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 017979c7ca..4f8489c0d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -109,7 +109,7 @@ Once completed, you should see onboarded servers in the portal within an hour. ### Configure server proxy and Internet connectivity settings -- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). +- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway. - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service: Agent Resource | Ports 
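Review bot: the configure-server-endpoints `@@ -109,7` hunk replaces `[OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway)` with plain text `OMS Gateway`, losing the only pointer to how the gateway route is set up; keep the link (or its updated target), since the bullet offers the gateway as one of the three supported ways for a server to reach the service over HTTPS and the reader needs the setup reference to use it.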
@@ -135,7 +135,7 @@ Supported tools include: - System Center Configuration Manager 2012 / 2012 R2 1511 / 1602 - VDI onboarding scripts for non-persistent machines - For more information, see [Onboard Windows 10 machines](configure-endpoints.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. + For more information, see [Onboard Windows 10 machines](configure-endpoints.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md index 6e5283c7f0..30b66351ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md 
@@ -51,74 +51,74 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP alert 3. Click **REST** under **Local inputs**. - NOTE: - This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/). + NOTE: + This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/). 4. Click **New**. 5. Type the following values in the required fields, then click **Save**: - NOTE: - All other values in the form are optional and can be left blank. + NOTE: + All other values in the form are optional and can be left blank. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                                                  FieldValue
                                                                                  Endpoint URLDepending on the location of your datacenter, select any of the following URL:

                                                                                  **For EU**: `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts`

                                                                                  **For US:**` https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts`

                                                                                  **For UK:**` https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts` -
                                                                                  HTTP MethodGET
                                                                                  Authentication Typeoauth2
                                                                                  OAuth 2 Access tokenUse the value that you generated when you enabled the SIEM integration feature.

                                                                                  NOTE: The access token expires after an hour.
                                                                                  OAuth 2 Refresh TokenUse the value that you generated when you enabled the **SIEM integration** feature.
                                                                                  OAuth 2 Token Refresh URLUse the value from the details file you saved when you enabled the **SIEM integration** feature.
                                                                                  OAuth 2 Client IDUse the value from the details file you saved when you enabled the **SIEM integration** feature.
                                                                                  OAuth 2 Client SecretUse the value from the details file you saved when you enabled the **SIEM integration** feature.
                                                                                  Response typeJson
                                                                                  Response HandlerJSONArrayHandler
                                                                                  Polling IntervalNumber of seconds that Splunk will ping the Microsoft Defender ATP machine. Accepted values are in seconds.
                                                                                  Set sourcetypeManual
                                                                                  Source type\_json
                                                                                  + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
                                                                                  FieldValue
                                                                                  Endpoint URLDepending on the location of your datacenter, select any of the following URL:

                                                                                  For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts

                                                                                  For US:https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts

                                                                                  For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts +
                                                                                  HTTP MethodGET
                                                                                  Authentication Typeoauth2
                                                                                  OAuth 2 Access tokenUse the value that you generated when you enabled the SIEM integration feature.

                                                                                  NOTE: The access token expires after an hour.
                                                                                  OAuth 2 Refresh TokenUse the value that you generated when you enabled the SIEM integration feature.
                                                                                  OAuth 2 Token Refresh URLUse the value from the details file you saved when you enabled the SIEM integration feature.
                                                                                  OAuth 2 Client IDUse the value from the details file you saved when you enabled the SIEM integration feature.
                                                                                  OAuth 2 Client SecretUse the value from the details file you saved when you enabled the SIEM integration feature.
                                                                                  Response typeJson
                                                                                  Response HandlerJSONArrayHandler
                                                                                  Polling IntervalNumber of seconds that Splunk will ping the Microsoft Defender ATP machine. Accepted values are in seconds.
                                                                                  Set sourcetypeManual
                                                                                  Source type_json
                                                                                  After completing these configuration steps, you can go to the Splunk dashboard and run queries. @@ -130,12 +130,12 @@ Use the solution explorer to view alerts in Splunk. 2. Select **New**. 3. Enter the following details: - - Destination app: Select Search & Reporting (search) - - Search name: Enter a name for the query - - Search: Enter a query, for example:
                                                                                  - `source="rest://windows atp alerts"|spath|table*` + - Destination app: Select Search & Reporting (search) + - Search name: Enter a name for the query + - Search: Enter a query, for example:
                                                                                  + `source="rest://windows atp alerts"|spath|table*` - Other values are optional and can be left with the default values. + Other values are optional and can be left with the default values. 4. Click **Save**. The query is saved in the list of searches. 5. Find the query you saved in the list and click **Run**. The results are displayed based on your query. diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 21c04328b2..8f0d992e58 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -48,19 +48,19 @@ ms.topic: article ## Manage existing custom detection rules View existing rules in your network, see the last results of each rule, navigate to view all alerts that were created by each rule. You can also modify existing rules. -1. In the navigation pane, select **Settings** > **Custom detections**. You'll see all the detections created in the system. +1. In the navigation pane, select **Settings** > **Custom detections**. You'll see all the detections created in the system. -2. Select one of the rules to take any of the following actions: +2. Select one of the rules to take any of the following actions: - Open related alerts - See all the alerts that were raised based to this rule - Run - Run the selected detection immediately. > [!NOTE] > The next run for the query will be in 24 hours after the last run. - - Edit - Modify the settings of the rule. - - Modify query - View and edit the query itself. - - Turn off - Stop the query from running. - - Delete + - Edit - Modify the settings of the rule. + - Modify query - View and edit the query itself. + - Turn off - Stop the query from running. + - Delete ## Related topic 
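Review bot: In the configure-splunk.md @@ -51 hunk the rewritten Endpoint URL cell loses the space after the label for two of the three regions (`For US:https://wdatp-alertexporter-us...` and `For UK:https://wdatp-alertexporter-uk...`) while `For EU: https://...` keeps it; restore the space so the labels are consistent and the URL is not fused to the colon. The Polling Interval description carried over in the same hunk ("Number of seconds that Splunk will ping the Microsoft Defender ATP machine. Accepted values are in seconds.") says the unit twice and is misleading, because the REST input polls the `/api/alerts` endpoint configured above, not a machine; "Number of seconds between polls of the alerts endpoint" says it once.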
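Review bot: In the custom-detection-rules.md @@ -48 hunk the action list is only re-indented, but the unchanged line it sits against still reads "See all the alerts that were raised based to this rule"; while here, change "based to" to "based on". "Delete" is also the only action in that list without a description, unlike "Turn off - Stop the query from running."; add one so the list is uniform.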
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md index d8c343030c..2601b05b63 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md @@ -35,11 +35,11 @@ Before creating custom alerts, you'll need to enable the threat intelligence app ### Use the threat intelligence REST API to create custom threat intelligence alerts You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource: -- GET -- POST -- PATCH -- PUT (used for managing entities relations only) -- DELETE +- GET +- POST +- PATCH +- PUT (used for managing entities relations only) +- DELETE All threat intelligence API requests use the following basic URL pattern: @@ -48,12 +48,12 @@ All threat intelligence API requests use the following basic URL pattern: ``` For this URL: -- `https://TI.SecurityCenter.Windows.com` is the threat intelligence API endpoint. -- `{version}` is the target service version. Currently, the only supported version is: v1.0. -- `{resource}` is resource segment or path, such as: - - AlertDefinitions (for specific single resource, add: (id)) - - IndicatorsOfCompromise (for specific single resource, add: (id)) -- `[query_parameters]` represents additional query parameters such as $filter and $select. +- `https://TI.SecurityCenter.Windows.com` is the threat intelligence API endpoint. +- `{version}` is the target service version. Currently, the only supported version is: v1.0. +- `{resource}` is resource segment or path, such as: + - AlertDefinitions (for specific single resource, add: (id)) + - IndicatorsOfCompromise (for specific single resource, add: (id)) +- `[query_parameters]` represents additional query parameters such as $filter and $select. **Quotas**
                                                                                  Each tenant has a defined quota that limits the number of possible alert definitions, IOCs and another quota for IOCs of Action different than “equals” in the system. If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage). @@ -93,7 +93,6 @@ The response will include an access token and expiry information. "resource": "https://graph.microsoft.com", "access_token": "" } - ``` ## Threat intelligence API metadata @@ -163,7 +162,6 @@ If successful, you should get a 201 CREATED response containing the representati "LastModifiedAt": null, "LastModifiedBy": null, "Enabled": true - ``` ### Create a new indicator of compromise @@ -331,8 +329,8 @@ Content-Type: application/json; Accept: application/json;odata.metadata=none { - "Category": "Backdoor", - "Enabled": false + "Category": "Backdoor", + "Enabled": false } ``` @@ -346,7 +344,7 @@ Authorization : Bearer Content-Type: application/json; { - "@odata.id": "https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(6)" + "@odata.id": "https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(6)" } ``` 
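Review bot: In the custom-ti-api.md @@ -48 hunk the re-indented bullets keep "`{resource}` is resource segment or path" (missing article: "is the resource segment or path") and the parenthetical "(for specific single resource, add: (id))", which is hard to parse; "append `(id)` to address a single resource" is clearer and matches the `AlertDefinitions(6)` form used in the @@ -346 hunk below. The Quotas paragraph in the trailing context, "another quota for IOCs of Action different than “equals”", also needs rewording, for example "a separate quota for IOCs whose Action is anything other than "equals"".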
@@ -390,13 +388,13 @@ The Microsoft Defender ATP threat intelligence API provides several optional qu Name | Value | Description :---|:---|:-- -$select | string | Comma-separated list of properties to include in the response. -$expand | string | Comma-separated list of relationships to expand and include in the response. -$orderby | string | Comma-separated list of properties that are used to sort the order of items in the response collection. -$filter | string | Filters the response based on a set of criteria. -$top | int | The number of items to return in a result set. -$skip | int | The number of items to skip in a result set. -$count | boolean | A collection and the number of items in the collection. +$select | string | Comma-separated list of properties to include in the response. +$expand | string | Comma-separated list of relationships to expand and include in the response. +$orderby | string | Comma-separated list of properties that are used to sort the order of items in the response collection. +$filter | string | Filters the response based on a set of criteria. +$top | int | The number of items to return in a result set. +$skip | int | The number of items to skip in a result set. +$count | boolean | A collection and the number of items in the collection. These parameters are compatible with the [OData V4 query language](http://docs.oasis-open.org/odata/odata/v4.0/errata03/os/complete/part2-url-conventions/odata-v4.0-errata03-os-part2-url-conventions-complete.html#_Toc453752356). diff --git a/windows/security/threat-protection/microsoft-defender-atp/deprecate.md b/windows/security/threat-protection/microsoft-defender-atp/deprecate.md index dd05185a91..da3414815c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deprecate.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deprecate.md 
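Review bot: In the custom-ti-api.md @@ -390 hunk the `$count` row is carried over with the description "A collection and the number of items in the collection.", which does not say what the parameter does; since the table states these are OData V4 query options, "Return the number of items in the collection along with the collection itself" matches the form of the other rows. The header separator `:---|:---|:--` is also shorter in the last column; make the three consistent.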
@@ -5,7 +5,7 @@ manager: dansimp ms.author: mjcaparas author: mjcaparas --- ->[!WARNING] - - +> [!WARNING] +> +> > This page documents a feature that will soon be deprecated. For the updated and supported version, see [Use the Microsoft Defender ATP APIs](use-apis.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md index 3c3803dbe2..754b7d28e8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md 
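Review bot: Turning the alert into one continuous blockquote (`> [!WARNING]` followed by `>`-prefixed lines) in the deprecate.md @@ -5 hunk is the right fix, because the two bare blank lines that were removed terminated the quote before "This page documents a feature that will soon be deprecated", leaving an empty warning box; two empty `>` lines are still one more than needed, a single empty quoted line separates the marker from the text.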
@@ -24,24 +24,24 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!TIP] ->This topic has been deprecated. See [Indicators](ti-indicator.md) for the updated content. - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink) +> [!TIP] +> This topic has been deprecated. See [Indicators](ti-indicator.md) for the updated content. +> +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink) Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through Microsoft Defender Security Center. 1. In the navigation pane, select **Settings** > **Threat intel**. - ![Image of threat intel API menu](images/atp-threat-intel-api.png) + ![Image of threat intel API menu](images/atp-threat-intel-api.png) 2. Select **Enable threat intel API**. This activates the **Azure Active Directory application** setup sections with pre-populated values. 3. Copy the individual values or select **Save details to file** to download a file that contains all the values. - >[!WARNING] - >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
                                                                                  - For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti.md#learn-how-to-get-a-new-client-secret). + >[!WARNING] + >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
                                                                                  + For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti.md#learn-how-to-get-a-new-client-secret). 4. Select **Generate tokens** to get an access and refresh token. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index 14f0555964..2c9fa62654 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -50,19 +50,19 @@ Enable security information and event management (SIEM) integration so you can p 3. Choose the SIEM type you use in your organization. - > [!NOTE] - > If you select HP ArcSight, you'll need to save these two configuration files:
                                                                                  - - WDATP-connector.jsonparser.properties - - WDATP-connector.properties
                                                                                  + > [!NOTE] + > If you select HP ArcSight, you'll need to save these two configuration files:
                                                                                  + > - WDATP-connector.jsonparser.properties + > - WDATP-connector.properties
                                                                                  - If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**. + If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**. 4. Copy the individual values or select **Save details to file** to download a file that contains all the values. 5. Select **Generate tokens** to get an access and refresh token. - > [!NOTE] - > You'll need to generate a new Refresh token every 90 days. + > [!NOTE] + > You'll need to generate a new Refresh token every 90 days. You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Microsoft Defender Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index cf3bab142d..3ffa588f98 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md 
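Review bot: In the enable-custom-ti.md @@ -24 hunk the WARNING under step 3 is only re-indented, and the line after it still reads "For more information about getting a new secret see, [Learn how to get a new secret](...)"; move the comma before "see". The warning itself ("The client secret is only displayed once. Make sure you keep a copy of it in a safe place.") is the one security-relevant instruction in the hunk and should be concrete: name a secrets store or vault rather than "a safe place", and keep the troubleshoot-custom-ti.md link right after it as the recovery path when the secret is lost.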
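Review bot: Prefixing the two ArcSight file names with `> -` in the enable-siem-integration.md @@ -50 hunk is correct, since without the `>` the list fell out of the NOTE blockquote; keep that. In the same hunk "Refresh token" under step 5 is capitalised while step 5 itself says "access and refresh token"; use one form. Given the 90-day rotation requirement stated there, the note would be more useful if it said that the new token comes from repeating step 5's **Generate tokens**, so readers know the rotation is not a separate procedure.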
@@ -38,17 +38,17 @@ For example, if machines are not appearing in the **Machines list**, you might n **Open Event Viewer and find the Microsoft Defender ATP service event log:** -1. Click **Start** on the Windows menu, type **Event Viewer**, and press **Enter**. +1. Click **Start** on the Windows menu, type **Event Viewer**, and press **Enter**. -2. In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to - open the log. +2. In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to + open the log. - a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**. + a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**. - > [!NOTE] - > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. + > [!NOTE] + > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. -3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service. +3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service. @@ -60,7 +60,7 @@ For example, if machines are not appearing in the **Machines list**, you might n - + @@ -72,23 +72,23 @@ For example, if machines are not appearing in the **Machines list**, you might n - + - + - + - + @@ -96,36 +96,36 @@ The service could not contact the external processing servers at that URL. +See Onboard Windows 10 machines. - + +See Onboard Windows 10 machines. - - + - + - - + + +See Onboard Windows 10 machines. - + +See Onboard Windows 10 machines. 
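Review bot: In the event-error-codes.md @@ -38 hunk step 2 is kept split across two lines ("Double-click the item to" / "open the log") with the continuation indented; join it onto one line like the other steps, so the renderer cannot treat the indented fragment as a nested block. Sub-step "a." mixes "expanding ... and click on Operational"; "and clicking **Operational**" keeps the verb forms parallel.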
@@ -142,24 +142,24 @@ It may take several hours for the machine to appear in the portal. - + - + - + - + - +See Onboard Windows 10 machines. @@ -176,61 +176,61 @@ If this error persists after a system restart, ensure all Windows updates have f - + - + +See Onboard Windows 10 machines. - + +See Onboard Windows 10 machines. - + - + - +See Onboard Windows 10 machines. - + - + - + - + @@ -240,29 +240,29 @@ Ensure real-time antimalware protection is running properly. - + - + - +See Onboard Windows 10 machines. - + - + diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 4958ddc0d7..0958ac0a89 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md 
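Review bot: The added "See Onboard Windows 10 machines." cells in the event-error-codes.md table hunks (@@ -96 through @@ -240) are plain text with no link, whereas the same phrase in this patch's configure-server-endpoints.md hunk is `[Onboard Windows 10 machines](configure-endpoints.md)`; link it here too, so a reader working through an onboarding event code is taken to the onboarding page instead of having to search for it.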
@@ -48,30 +48,30 @@ This page explains how to create an AAD application, get an access token to Micr ## Create an app -1. Log on to [Azure](https://portal.azure.com) with user that has Global Administrator role. +1. Log on to [Azure](https://portal.azure.com) with user that has Global Administrator role. -2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. +2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. - ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) + ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) -3. In the Create window, enter the following information then click **Create**. +3. In the Create window, enter the following information then click **Create**. - ![Image of Create application window](images/nativeapp-create.png) + ![Image of Create application window](images/nativeapp-create.png) - - **Name:** -Your app name- - - **Application type:** Native - - **Redirect URI:** `https://127.0.0.1` + - **Name:** -Your app name- + - **Application type:** Native + - **Redirect URI:** `https://127.0.0.1` -4. Click **Settings** > **Required permissions** > **Add**. +4. Click **Settings** > **Required permissions** > **Add**. - ![Image of new app in Azure](images/nativeapp-add-permission.png) + ![Image of new app in Azure](images/nativeapp-add-permission.png) -5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**. +5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**. - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. 
- ![Image of API access and API selection](images/webapp-add-permission-2.png) + ![Image of API access and API selection](images/webapp-add-permission-2.png) 6. Click **Select permissions** > **Check the desired permissions** > **Select**. @@ -79,12 +79,12 @@ This page explains how to create an AAD application, get an access token to Micr >You need to select the relevant permissions. 'Read alerts' and 'Collect forensics' are only an example. For instance, - - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission - - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission + - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission + - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission - To determine which permission you need, look at the **Permissions** section in the API you are interested to call. + To determine which permission you need, look at the **Permissions** section in the API you are interested to call. - ![Image of select permissions](images/nativeapp-select-permissions.png) + ![Image of select permissions](images/nativeapp-select-permissions.png) 7. Click **Done** @@ -113,7 +113,7 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co - Copy/Paste the below class in your application. - Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token. - ``` + ``` namespace WindowsDefenderATP { using System.Net.Http; @@ -149,7 +149,7 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co } } } - ``` + ``` ## Validate the token 
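Review bot: In the exposed-apis-create-app-nativeapp.md @@ -48 hunk step 1 still reads "Log on to Azure with user that has Global Administrator role" (missing articles: "with a user that has the Global Administrator role"), and step 3 lists **Name:** as "-Your app name-", which renders as literal hyphens; use the wording the webapp page uses ("Choose your own name.") so the two pages match.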
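Review bot: In the exposed-apis-create-app-nativeapp.md @@ -113 and @@ -149 hunks the fence around the `WindowsDefenderATP` class is re-indented but still has no language tag; tag it ```csharp, since the surrounding text says to copy the class into a C# application and the `AcquireUserTokenAsync` method name is referenced from prose, so highlighting helps readers find it.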
@@ -167,7 +167,7 @@ Sanity check to make sure you got a correct token: - The Expiration time of the token is 1 hour (you can send more then one request with the same token) - Example of sending a request to get a list of alerts **using C#** - ``` + ``` var httpClient = new HttpClient(); var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); @@ -177,7 +177,7 @@ Sanity check to make sure you got a correct token: var response = httpClient.SendAsync(request).GetAwaiter().GetResult(); // Do something useful with the response - ``` + ``` ## Related topics - [Microsoft Defender ATP APIs](exposed-apis-list.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index cb2af76486..ae8e9f68c9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md 
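Review bot: In the exposed-apis-create-app-nativeapp.md @@ -167 hunk the untagged fence should become ```csharp, as the lead-in says "using C#"; the unchanged line above it, "you can send more then one request with the same token", has "then" for "than". Since that line also states the token expires after 1 hour, the sample comment "Do something useful with the response" is a good place to remind readers that a 401 after that point means a new token is needed, not a broken request.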
@@ -44,39 +44,39 @@ This page explains how to create an AAD application, get an access token to Micr 1. Log on to [Azure](https://portal.azure.com) with user that has Global Administrator role. -2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. +2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. - ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) + ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) -3. In the Create window, enter the following information then click **Create**. +3. In the Create window, enter the following information then click **Create**. - ![Image of Create application window](images/webapp-create.png) + ![Image of Create application window](images/webapp-create.png) - - **Name:** Choose your own name. - - **Application type:** Web app / API - - **Redirect URI:** `https://127.0.0.1` + - **Name:** Choose your own name. + - **Application type:** Web app / API + - **Redirect URI:** `https://127.0.0.1` -4. Click **Settings** > **Required permissions** > **Add**. +4. Click **Settings** > **Required permissions** > **Add**. - ![Image of new app in Azure](images/webapp-add-permission.png) + ![Image of new app in Azure](images/webapp-add-permission.png) -5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**. - - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. +5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**. - ![Image of API access and API selection](images/webapp-add-permission-2.png) + **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + + ![Image of API access and API selection](images/webapp-add-permission-2.png) 6. 
Click **Select permissions** > **Check the desired permissions** > **Select**. - - **Important note**: You need to select the relevant permissions. 'Run advanced queries' is only an example! - For instance, + **Important note**: You need to select the relevant permissions. 'Run advanced queries' is only an example! - - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission - - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission - - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. + For instance, - ![Image of select permissions](images/webapp-select-permission.png) + - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission + - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission + - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. + + ![Image of select permissions](images/webapp-select-permission.png) 7. Click **Done** 
@@ -84,45 +84,45 @@ This page explains how to create an AAD application, get an access token to Micr 8. Click **Grant permissions** - In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button. + In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button. - If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect. + If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect. - ![Image of Grant permissions](images/webapp-grant-permissions.png) + ![Image of Grant permissions](images/webapp-grant-permissions.png) 9. Click **Keys**, type a key name and click **Save**. - **Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave! + **Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave! ![Image of create app key](images/webapp-create-key.png) 10. Write down your application ID. - - ![Image of created app id](images/webapp-app-id1.png) + + ![Image of created app id](images/webapp-app-id1.png) 11. **For Microsoft Defender ATP Partners only** - Set your application to be multi-tenanted - - This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant). - This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data)​ + This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant). - Click **Properties** > **Yes** > **Save**. 
+ This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data) - ![Image of multi tenant](images/webapp-edit-multitenant.png) + Click **Properties** > **Yes** > **Save**. - - Application consent for your multi-tenant App: - - You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with Microsoft Defender ATP application on behalf of your customer. + ![Image of multi tenant](images/webapp-edit-multitenant.png) - You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory. + - Application consent for your multi-tenant App: - Consent link is of the form: + You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with Microsoft Defender ATP application on behalf of your customer. - ``` - https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​ - ``` + You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory. - where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID + Consent link is of the form: + + ``` + https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true + ``` + + where 00000000-0000-0000-0000-000000000000 should be replaced with your Azure application ID - **Done!** You have successfully registered an application! 
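Review bot: removing the zero-width characters from the consent URL (after `sso_reload=true` and inside the placeholder client_id) is the real fix in this hunk and is worth calling out, since a copied link with an invisible character fails in a way that is hard to diagnose. The consent paragraph could also say "Azure Active Directory (AAD)" instead of "the active directory" to match the rest of the page, and note that the user granting consent needs admin rights in the customer's tenant, as the sentence above it already states.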
@@ -137,11 +137,11 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co ``` # That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory # Paste below your Tenant ID, App ID and App Secret (App key). - + $tenantId = '' ### Paste your tenant ID here $appId = '' ### Paste your app ID here $appSecret = '' ### Paste your app key here - + $resourceAppIdUri = 'https://api.securitycenter.windows.com' $oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" $authBody = [Ordered] @{ @@ -154,7 +154,6 @@ $authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -E $token = $authResponse.access_token Out-File -FilePath "./Latest-token.txt" -InputObject $token return $token - ``` ### Using C#: 
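Review bot: this hunk only trims whitespace, but the surrounding lines `Out-File -FilePath "./Latest-token.txt" -InputObject $token` persist a bearer token that is valid for an hour as plaintext in the current directory, and the script also carries the app secret in `$appSecret`. Suggest either dropping the file write (the function already does `return $token`) or adding a sentence to the sample saying the token file must be protected and deleted, so readers do not leave it next to their scripts. Also note that `$TenantId` in `$oAuthUri` and `$tenantId` above differ only in case; that works because PowerShell variables are case-insensitive, but using one spelling avoids confusion when the snippet is ported.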
@@ -165,25 +164,25 @@ return $token - Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) - Add the below using - ``` - using Microsoft.IdentityModel.Clients.ActiveDirectory; - ``` + ``` + using Microsoft.IdentityModel.Clients.ActiveDirectory; + ``` - Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```) - ``` - string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here - string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here - string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place! + ``` + string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here + string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here + string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place! 
- const string authority = "https://login.windows.net"; - const string wdatpResourceId = "https://api.securitycenter.windows.com"; + const string authority = "https://login.windows.net"; + const string wdatpResourceId = "https://api.securitycenter.windows.com"; - AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/"); - ClientCredential clientCredential = new ClientCredential(appId, appSecret); - AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult(); - string token = authenticationResult.AccessToken; - ``` + AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/"); + ClientCredential clientCredential = new ClientCredential(appId, appSecret); + AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult(); + string token = authenticationResult.AccessToken; + ``` ### Using Python 
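Review bot: the C# snippet blocks on `auth.AcquireTokenAsync(...).GetAwaiter().GetResult()`; sync-over-async like this can deadlock when the code is pasted into a UI or ASP.NET context with a synchronization context, so suggest showing `AuthenticationResult authenticationResult = await auth.AcquireTokenAsync(wdatpResourceId, clientCredential);` inside an async method instead. The `appSecret` comment ("store it in a safe place!") is good; consider pointing to a concrete option such as reading it from configuration or a secret store rather than a string literal.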
@@ -196,13 +195,13 @@ Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token) > The below procedure supposed Curl for Windows is already installed on your computer - Open a command window -- ​Set CLIENT_ID to your Azure application ID +- Set CLIENT_ID to your Azure application ID - Set CLIENT_SECRET to your Azure application secret - Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender ATP application - Run the below command: ``` -curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice​/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID​%/oauth2/v2.0/token" -k​ +curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k ``` You will get an answer of the form: 
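Review bot: the `+` curl line keeps the trailing `-k`, which disables TLS certificate verification on the very request that sends `client_secret` to `https://login.microsoftonline.com/.../oauth2/v2.0/token`. The Microsoft login endpoint presents a publicly trusted certificate, so `-k` is unnecessary and trains readers to send secrets over unverified connections; suggest removing it, or if it was added for a proxy/inspection scenario, saying so explicitly. The zero-width characters stripped from `windowsatpservice/.default` and `%TENANT_ID%` are the correct fix here and deserve a mention in the PR description.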
@@ -227,17 +226,17 @@ Sanity check to make sure you got a correct token: - The Expiration time of the token is 1 hour (you can send more then one request with the same token) - Example of sending a request to get a list of alerts **using C#** - ``` - var httpClient = new HttpClient(); + ``` + var httpClient = new HttpClient(); - var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); + var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); - request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); + request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); - var response = httpClient.SendAsync(request).GetAwaiter().GetResult(); + var response = httpClient.SendAsync(request).GetAwaiter().GetResult(); - // Do something useful with the response - ``` + // Do something useful with the response + ``` ## Related topics - [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index 7861f52008..b17168bee0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -36,9 +36,9 @@ In this section we share PowerShell samples to - Open a PowerShell window. - If your policy does not allow you to run the PowerShell commands, you can run the below command: -``` -Set-ExecutionPolicy -ExecutionPolicy Bypass -``` + ``` + Set-ExecutionPolicy -ExecutionPolicy Bypass + ``` >For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy) 
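Review bot: in the exposed-apis-full-sample-powershell.md hunk, `Set-ExecutionPolicy -ExecutionPolicy Bypass` is re-indented but still has no `-Scope`, so running it as written changes the policy for the user (or the machine, if elevated) permanently rather than for the session. Suggest `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process`, which is enough to run the sample and reverts when the window is closed; the linked PowerShell documentation describes the `-Scope` parameter.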
@@ -61,10 +61,10 @@ $suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here $resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice' $oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" $authBody = [Ordered] @{ - resource = "$resourceAppIdUri" - client_id = "$appId" - client_secret = "$appSecret" - grant_type = 'client_credentials' + resource = "$resourceAppIdUri" + client_id = "$appId" + client_secret = "$appSecret" + grant_type = 'client_credentials' } $authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop $aadToken = $authResponse.access_token @@ -73,9 +73,9 @@ $aadToken = $authResponse.access_token #Get latest alert $alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10" $headers = @{ - 'Content-Type' = 'application/json' - Accept = 'application/json' - Authorization = "Bearer $aadToken" + 'Content-Type' = 'application/json' + Accept = 'application/json' + Authorization = "Bearer $aadToken" } $alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop $alerts = ($alertResponse | ConvertFrom-Json).value 
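Review bot: the context line `$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'` in this sample differs from `$resourceAppIdUri = 'https://api.securitycenter.windows.com'` in the apis-intro.md token sample earlier in this same PR, while both post to the same `https://login.windows.net/$TenantId/oauth2/token` endpoint. If both resource identifiers are accepted, say so in one place; otherwise align the two samples so readers who copy from one page and then the other do not get a token for the wrong audience.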
@@ -84,17 +84,17 @@ $machinesToInvestigate = New-Object System.Collections.ArrayList Foreach($alert in $alerts) { - #echo $alert.id $alert.machineId $alert.severity $alert.status + #echo $alert.id $alert.machineId $alert.severity $alert.status - $isSevereAlert = $alert.severity -in 'Medium', 'High' - $isOpenAlert = $alert.status -in 'InProgress', 'New' - if($isOpenAlert -and $isSevereAlert) - { - if (-not $machinesToInvestigate.Contains($alert.machineId)) - { - $machinesToInvestigate.Add($alert.machineId) > $null - } - } + $isSevereAlert = $alert.severity -in 'Medium', 'High' + $isOpenAlert = $alert.status -in 'InProgress', 'New' + if($isOpenAlert -and $isSevereAlert) + { + if (-not $machinesToInvestigate.Contains($alert.machineId)) + { + $machinesToInvestigate.Add($alert.machineId) > $null + } + } } $commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","') @@ -110,7 +110,6 @@ $queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query } $queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop $response = ($queryResponse | ConvertFrom-Json).Results $response - ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md index 81942f5dbe..c8029a1428 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md 
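Review bot: the `#echo $alert.id $alert.machineId $alert.severity $alert.status` line is commented-out debug output that survives the re-indent; suggest deleting it or turning it into `Write-Verbose`. Two small idiom points in the same loop: `$machinesToInvestigate.Add($alert.machineId) > $null` is more commonly written `[void]$machinesToInvestigate.Add($alert.machineId)` or piped to `Out-Null`, and `$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')` splices machine IDs into the query string by text formatting; that is acceptable here because the IDs come back from the alerts API, but a comment saying so would stop readers from reusing the pattern with user-supplied input.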
@@ -31,23 +31,24 @@ ms.topic: article ### End Point URI: > The service base URI is: https://api.securitycenter.windows.com - +> > The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to https://api.securitycenter.windows.com/api/alerts ### Versioning: > The API supports versioning. - +> > The current version is **V1.0**. - +> > To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts - +> > If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version. Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. ## In this section + Topic | Description :---|:--- Advanced Hunting | Run queries from API. diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index 8372f90a3b..c166277e71 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -53,7 +53,7 @@ Content-type: application/json "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", "osVersion": "10.0.0.0", "lastIpAddress": "172.17.230.209", 
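Review bot: adding the `>` continuation lines fixes the blockquote rendering, but the quoted text itself still reads "The queries based OData have the '/api' prefix" and "you will get to the latest version"; suggest "The OData-based queries have the '/api' prefix" and "you will get the latest version". In the odata-samples hunks that follow, the `.` / `.` / `.` ellipsis rows inside the ```` ``` ```` JSON blocks are fine for documentation but make the blocks invalid JSON, which matters if anyone pastes them into a validator; an `...` on a single line or a comment outside the block would be clearer.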
@@ -62,14 +62,14 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", + "rbacGroupName": "The-A-Team", "riskScore": "High", "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, - . - . - . + . + . + . ] } ``` @@ -92,27 +92,27 @@ Content-type: application/json "value": [ { "id": "121688558380765161_2136280442", - "incidentId": 7696, - "assignedTo": "secop@contoso.com", - "severity": "High", - "status": "New", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-26T16:19:21.8409809Z", - "firstEventTime": "2018-11-26T16:17:50.0948658Z", - "lastEventTime": "2018-11-26T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" }, - . - . - . + . + . + . ] } ``` 
@@ -137,7 +137,7 @@ Content-type: application/json "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", "osVersion": "10.0.0.0", "lastIpAddress": "172.17.230.209", @@ -146,14 +146,14 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", + "rbacGroupName": "The-A-Team", "riskScore": "High", "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, - . - . - . + . + . + . ] } ``` @@ -178,7 +178,7 @@ Content-type: application/json "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", "osVersion": "10.0.0.0", "lastIpAddress": "172.17.230.209", @@ -187,14 +187,14 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", + "rbacGroupName": "The-A-Team", "riskScore": "High", "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, - . - . - . + . + . + . ] } ``` @@ -219,7 +219,7 @@ Content-type: application/json "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", "osVersion": "10.0.0.0", "lastIpAddress": "172.17.230.209", 
@@ -228,14 +228,14 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", + "rbacGroupName": "The-A-Team", "riskScore": "High", "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, - . - . - . + . + . + . ] } ``` @@ -267,9 +267,9 @@ Content-type: application/json "lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z", "relatedFileInfo": null }, - . - . - . + . + . + . ] } ``` @@ -289,7 +289,6 @@ HTTP/1.1 200 OK Content-type: application/json 4 - ``` ## Related topic diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md index 42088b56aa..1b7847ce57 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md @@ -27,10 +27,10 @@ Retrieves a collection of alerts related to a given domain address. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) -Permission type | Permission | Permission display name +Permission type | Permission | Permission display name :---|:---|:--- -Application | Alert.Read.All | 'Read all alerts' -Application | Alert.ReadWrite.All | 'Read and write all alerts' +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' 
@@ -46,10 +46,9 @@ GET /api/domains/{domain}/alerts ## Request headers -Header | Value -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. - +| Header | Value | +|:--------------|:-------| +| Authorization | String | ## Request body Empty 
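Review bot: this hunk loses information. The old three-column rows `Header | Value` / `Authorization | String | Bearer {token}. **Required**.` were malformed, but the replacement `| Authorization | String |` drops both the value format (`Bearer {token}`) and the **Required** flag, so the page no longer tells the reader what to put in the header. Suggest either a two-column table with the value, `| Authorization | Bearer {token}. **Required**. |`, or a three-column `| Header | Type | Value |` table matching the other API pages in this repo.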
@@ -83,45 +82,45 @@ Content-type: application/json "value": [ { "id": "441688558380765161_2136280442", - "incidentId": 8633, - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "InProgress", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-25T16:19:21.8409809Z", - "firstEventTime": "2018-11-25T16:17:50.0948658Z", - "lastEventTime": "2018-11-25T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" }, { "id": "121688558380765161_2136280442", - "incidentId": 4123, - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "InProgress", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-24T16:19:21.8409809Z", - "firstEventTime": 
"2018-11-24T16:17:50.0948658Z", - "lastEventTime": "2018-11-24T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + "incidentId": 4123, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-24T16:19:21.8409809Z", + "firstEventTime": "2018-11-24T16:17:50.0948658Z", + "lastEventTime": "2018-11-24T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } - ] + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md index 9670455136..95b79f587e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md 
@@ -42,13 +42,13 @@ If a file meets the criteria set in the policy settings and endpoint data loss p 1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step. 2. Define which labels need to get WIP protection in Office 365 Security and Compliance. - 1. Go to: **Classifications > Labels**. - 2. Create a new label or edit an existing one. - 3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP. + 1. Go to: **Classifications > Labels**. + 2. Create a new label or edit an existing one. + 3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP. - ![Image of Office 365 Security and Compliance sensitivity label](images/endpoint-data-loss-protection.png) + ![Image of Office 365 Security and Compliance sensitivity label](images/endpoint-data-loss-protection.png) - 4. Repeat for every label that you want to get WIP applied to in Windows. + 4. Repeat for every label that you want to get WIP applied to in Windows. After completing these steps Microsoft Defender ATP will automatically identify labeled documents stored on the device and enable WIP on them. @@ -78,7 +78,7 @@ Those information types are evaluated against the auto-labeling policy. If a mat 2. When you reach the Auto labeling page, turn on auto labeling toggle on. 3. Add a new auto-labeling rule with the conditions that you require. - ![Image of auto labeling in Office 365 Security and Compliance center](images/auto-labeling.png) + ![Image of auto labeling in Office 365 Security and Compliance center](images/auto-labeling.png) 4. Validate that "When content matches these conditions" setting is set to "Automatically apply the label". 
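Review bot: the re-indented sub-steps keep "go to 'Data loss prevention' tab and enable WIP" and, in the second hunk, "turn on auto labeling toggle on"; suggest "go to the 'Data loss prevention' tab and enable WIP" and "turn on the auto labeling toggle". The outer sentence "Repeat for every label that you want to get WIP applied to in Windows" would also read better as "Repeat this for every label that should get WIP protection on Windows".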
diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md index c0acd27220..934b929def 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md +++ b/windows/security/threat-protection/microsoft-defender-atp/licensing.md @@ -30,15 +30,15 @@ ms.topic: article Checking for the license state and whether it got properly provisioned, can be done through the **Office 365 admin center** or through the **Microsoft Azure portal**. - 1. In the **Office 365 admin center** navigate to **Billing** > **Subscriptions**. +1. In the **Office 365 admin center** navigate to **Billing** > **Subscriptions**. - - On the screen you will see all the provisioned licenses and their current **Status**. + - On the screen you will see all the provisioned licenses and their current **Status**. - ![Image of billing licenses](images\atp-billing-subscriptions.png) + ![Image of billing licenses](images/atp-billing-subscriptions.png) - 2. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products). +2. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products). - ![Image of Azure Licensing page](images\atp-licensing-azure-portal.png) + ![Image of Azure Licensing page](images/atp-licensing-azure-portal.png) ## Cloud Service Provider validation 
@@ -48,7 +48,7 @@ To gain access into which licenses are provisioned to your company, and to check 2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer **Office 365 admin center**. - ![Image of O365 admin portal](images\atp-O365-admin-portal-customer.png) + ![Image of O365 admin portal](images/atp-O365-admin-portal-customer.png) ## Access Microsoft Defender Security Center for the first time @@ -56,19 +56,19 @@ When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windo 1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product. - ![Image of Set up your permissions for Microsoft Defender ATP](images\atp-setup-permissions-wdatp-portal.png) + ![Image of Set up your permissions for Microsoft Defender ATP](images/atp-setup-permissions-wdatp-portal.png) Once the authorization step is completed, the **Welcome** screen will be displayed. 2. The **Welcome** screen will provide some details as to what is about to occur during the set up wizard. - ![Image of Welcome screen for portal set up](images\welcome1.png) + ![Image of Welcome screen for portal set up](images/welcome1.png) You will need to set up your preferences for Microsoft Defender Security Center. 3. Set up preferences - ![Image of geographic location in set up](images\setup-preferences.png) + ![Image of geographic location in set up](images/setup-preferences.png) 1. **Select data storage location**
                                                                                  When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United States, the European Union, or the United Kingdom. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. @@ -77,19 +77,19 @@ When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windo 2. **Select the data retention policy**
                                                                                  Microsoft Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process. - > [!NOTE] - > This option can be changed at a later time. + > [!NOTE] + > This option can be changed at a later time. 3. **Select the size of your organization**
                                                                                  You will need to indicate the size of your organization based on an estimate of the number of employees currently employed. - > [!NOTE] - > The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization. + > [!NOTE] + > The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization. 4. **Turn on preview features**
                                                                                  Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**. You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. - - Toggle the setting between On and Off to choose **Preview features**. + - Toggle the setting between On and Off to choose **Preview features**. > [!NOTE] > This option can be changed at a later time. 
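Review bot: the `<br>` followed by a long run of non-breaking spaces before each sub-step description (data storage location, retention policy, organization size, preview features) is a layout hack that the indentation cleanup in this PR leaves in place; it renders inconsistently and is fragile to edit. Suggest replacing it with a normal indented paragraph under the bold sub-step title, which is what the rest of the list in this file already does.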
@@ -99,27 +99,27 @@ When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windo > [!NOTE] > Some of these options can be changed at a later time in Microsoft Defender Security Center. - ![Image of final preference set up](images\setup-preferences2.png) + ![Image of final preference set up](images/setup-preferences2.png) 5. A dedicated cloud instance of Microsoft Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete. - ![Image of Microsoft Defender ATP cloud instance](images\creating-account.png) + ![Image of Microsoft Defender ATP cloud instance](images/creating-account.png) 6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to: - - [Onboard Windows 10 machines](configure-endpoints.md) + - [Onboard Windows 10 machines](configure-endpoints.md) - - Run detection test (optional) + - Run detection test (optional) - ![Image of Onboard machines and run detection test](images\atp-onboard-endpoints-run-detection-test.png) + ![Image of Onboard machines and run detection test](images/atp-onboard-endpoints-run-detection-test.png) - > [!IMPORTANT] - > If you click **Start using Microsoft Defender ATP** before onboarding machines you will receive the following notification: - >![Image of setup imcomplete](images\atp-setup-incomplete.png) + > [!IMPORTANT] + > If you click **Start using Microsoft Defender ATP** before onboarding machines you will receive the following notification: + > ![Image of setup imcomplete](images/atp-setup-incomplete.png) 7. After onboarding machines you can click **Start using Microsoft Defender ATP**. You will now launch Microsoft Defender ATP for the first time. - ![Image of onboard machines](images\atp-onboard-endpoints-WDATP-portal.png) + ![Image of onboard machines](images/atp-onboard-endpoints-WDATP-portal.png) ## Related topics - [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure.md) 
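Review bot: the `+` line `> ![Image of setup imcomplete](images/atp-setup-incomplete.png)` carries a typo in the alt text ("imcomplete"); since the line is being rewritten, fix it to "incomplete" so it matches the file name. The backslash-to-forward-slash change in the image paths throughout this file is correct and should be the headline of the commit message, because backslash paths break on case-sensitive and non-Windows build hosts.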
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md index 3fe2960df7..6dff3ffaae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md @@ -32,12 +32,12 @@ To add machine tags using API, see [Add or remove machine tags API](add-or-remov 1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: - - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. - - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines list** - Select the machine name from the list of machines. - - **Search box** - Select Machine from the drop-down menu and enter the machine name. + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. - You can also get to the alert page through the file and IP views. + You can also get to the alert page through the file and IP views. 2. Select **Manage Tags** from the row of Response actions. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md index e7f398ba33..714a678227 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md 
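Review bot: in the machine-tags.md hunk, the re-indented line "You can also get to the alert page through the file and IP views" sits under a step about selecting a machine, so "alert page" looks like a copy-paste from the alerts procedure; please confirm whether it should read "machine page". The bullets themselves are fine, though "Select Machine from the drop-down menu" could bold **Machine** like the other UI labels in the list.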
@@ -21,29 +21,32 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Method|Return Type |Description -:---|:---|:--- -[List MachineActions](get-machineactions-collection.md) | [Machine Action](machineaction.md) | List [Machine Action](machineaction.md) entities. -[Get MachineAction](get-machineaction-object.md) | [Machine Action](machineaction.md) | Get a single [Machine Action](machineaction.md) entity. -[Collect investigation package](collect-investigation-package.md) | [Machine Action](machineaction.md) | Collect investigation package from a [machine](machine.md). -[Get investigation package SAS URI](get-package-sas-uri.md) | [Machine Action](machineaction.md) | Get URI for downloading the investigation package. -[Isolate machine](isolate-machine.md) | [Machine Action](machineaction.md) | Isolate [machine](machine.md) from network. -[Release machine from isolation](unisolate-machine.md) | [Machine Action](machineaction.md) | Release [machine](machine.md) from Isolation. -[Restrict app execution](restrict-code-execution.md) | [Machine Action](machineaction.md) | Restrict application execution. -[Remove app restriction](unrestrict-code-execution.md) | [Machine Action](machineaction.md) | Remove application execution restriction. -[Run antivirus scan](run-av-scan.md) | [Machine Action](machineaction.md) | Run an AV scan using Windows Defender (when applicable). -[Offboard machine](offboard-machine-api.md)|[Machine Action](machineaction.md) | Offboard [machine](machine.md) from Microsoft Defender ATP. +| Method | Return Type | Description | +|:------------------------------------------------------------------|:-----------------------------------|:------------------------------------------------------------| +| [List MachineActions](get-machineactions-collection.md) | [Machine Action](machineaction.md) | List [Machine Action](machineaction.md) entities. 
| +| [Get MachineAction](get-machineaction-object.md) | [Machine Action](machineaction.md) | Get a single [Machine Action](machineaction.md) entity. | +| [Collect investigation package](collect-investigation-package.md) | [Machine Action](machineaction.md) | Collect investigation package from a [machine](machine.md). | +| [Get investigation package SAS URI](get-package-sas-uri.md) | [Machine Action](machineaction.md) | Get URI for downloading the investigation package. | +| [Isolate machine](isolate-machine.md) | [Machine Action](machineaction.md) | Isolate [machine](machine.md) from network. | +| [Release machine from isolation](unisolate-machine.md) | [Machine Action](machineaction.md) | Release [machine](machine.md) from Isolation. | +| [Restrict app execution](restrict-code-execution.md) | [Machine Action](machineaction.md) | Restrict application execution. | +| [Remove app restriction](unrestrict-code-execution.md) | [Machine Action](machineaction.md) | Remove application execution restriction. | +| [Run antivirus scan](run-av-scan.md) | [Machine Action](machineaction.md) | Run an AV scan using Windows Defender (when applicable). | +| [Offboard machine](offboard-machine-api.md) | [Machine Action](machineaction.md) | Offboard [machine](machine.md) from Microsoft Defender ATP. | +
                                                                                  ## Properties -Property | Type | Description -:---|:---|:--- -id | Guid | Identity of the [Machine Action](machineaction.md) entity. -type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" -requestor | String | Identity of the person that executed the action. -requestorComment | String | Comment that was written when issuing the action. -status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled". -machineId | String | Id of the machine on which the action was executed. -creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. -lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. -relatedFileInfo | Class | Contains two Properties. 1) string 'fileIdentifier' 2) Enum 'fileIdentifierType' with the possible values: "Sha1" ,"Sha256" and "Md5". \ No newline at end of file + +| Property | Type | Description | +|:--------------------|:---------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| id | Guid | Identity of the [Machine Action](machineaction.md) entity. | +| type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" | +| requestor | String | Identity of the person that executed the action. | +| requestorComment | String | Comment that was written when issuing the action. | +| status | Enum | Current status of the command. 
Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled". | +| machineId | String | Id of the machine on which the action was executed. | +| creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. | +| lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. | +| relatedFileInfo | Class | Contains two Properties. 1) string 'fileIdentifier' 2) Enum 'fileIdentifierType' with the possible values: "Sha1" ,"Sha256" and "Md5". | + diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index f04b35c833..442773e50f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md 
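Review bot: two small inconsistencies were carried over into the reformatted tables. In the Properties table, the `relatedFileInfo` row keeps the stray spacing `"Sha1" ,"Sha256"` (the comma belongs before the space: `"Sha1", "Sha256"`), and the `type` row's list of possible values ends without a period while the `status` row ends with one. In the Methods table, "Release [machine](machine.md) from Isolation." capitalizes "Isolation" where the row above uses lowercase "isolate". Worth fixing in the same pass since every row is already being rewritten.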
@@ -89,21 +89,21 @@ When you run the onboarding wizard for the first time, you must choose where you ### Diagnostic data settings You must ensure that the diagnostic data service is enabled on all the machines in your organization. -By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them. +By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them. **Use the command line to check the Windows 10 diagnostic data service startup type**: -1. Open an elevated command-line prompt on the machine: +1. Open an elevated command-line prompt on the machine: - a. Go to **Start** and type **cmd**. + a. Go to **Start** and type **cmd**. - b. Right-click **Command prompt** and select **Run as administrator**. + b. Right-click **Command prompt** and select **Run as administrator**. -2. Enter the following command, and press **Enter**: +2. Enter the following command, and press **Enter**: - ```text - sc qc diagtrack - ``` + ```text + sc qc diagtrack + ``` If the service is enabled, then the result should look like the following screenshot: diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md index 36e77e0ea1..f65850cce0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md 
@@ -25,10 +25,10 @@ ms.topic: article [!include[Prerelease information](prerelease.md)] ->[!TIP] ->Go to **Advanced features** in the **Settings** page to turn on the preview features. - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) +> [!TIP] +> Go to **Advanced features** in the **Settings** page to turn on the preview features. +> +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) Understand the security status of your organization, including the status of machines, alerts, and investigations using the Microsoft Defender ATP reporting feature that integrates with Power BI. 
@@ -47,23 +47,23 @@ Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing 1. In the navigation pane, select **Settings** > **Power BI reports**. -2. Click **Create dashboard**. +2. Click **Create dashboard**. - ![Image of create dashboard](images/atp-create-dashboard.png) + ![Image of create dashboard](images/atp-create-dashboard.png) - You'll see a notification that things are being loaded. + You'll see a notification that things are being loaded. - ![Image of loading](images/atp-loading.png) + ![Image of loading](images/atp-loading.png) - >[!NOTE] - >Loading your data in the Power BI service can take a few minutes. + >[!NOTE] + >Loading your data in the Power BI service can take a few minutes. 3. Specify the following details: - - **extensionDataSourceKind**: WDATPConnector - - **extensionDataSourcePath**: WDATPConnector - - **Authentication method**: OAuth2 + - **extensionDataSourceKind**: WDATPConnector + - **extensionDataSourcePath**: WDATPConnector + - **Authentication method**: OAuth2 - ![Image of Power BI authentication method](images/atp-powerbi-extension.png) + ![Image of Power BI authentication method](images/atp-powerbi-extension.png) 4. Click **Sign in**. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh. 
@@ -102,26 +102,26 @@ For more information, see [Create a Power BI dashboard from a report](https://po 5. Click **Get it now**. 6. Specify the following details: - - **extensionDataSourceKind**: WDATPConnector - - **extensionDataSourcePath**: WDATPConnector - - **Authentication method**: OAuth2 + - **extensionDataSourceKind**: WDATPConnector + - **extensionDataSourcePath**: WDATPConnector + - **Authentication method**: OAuth2 - ![Image of Power BI authentication method](images/atp-powerbi-extension.png) + ![Image of Power BI authentication method](images/atp-powerbi-extension.png) 7. Click **Sign in**. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh. ![Consent image](images/atp-powerbi-accept.png) -8. Click **Accept**. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported: +8. Click **Accept**. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported: - ![Image of importing data](images/atp-powerbi-importing.png) + ![Image of importing data](images/atp-powerbi-importing.png) - >[!NOTE] - >Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load. + >[!NOTE] + >Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load. 
- When importing data is completed and the dataset is ready, you’ll the following notification: + When importing data is completed and the dataset is ready, you’ll the following notification: - ![Image of dataset is ready](images/atp-data-ready.png) + ![Image of dataset is ready](images/atp-data-ready.png) 9. Click **View dataset** to explore your data. diff --git a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md index 23d24eaf40..f61fc0625f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md @@ -52,7 +52,6 @@ $tokenPayload = @{ $response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload $token = $response.access_token - ``` @@ -171,7 +170,6 @@ $iocPayload = @{ $ioc = Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) ` -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) - ``` >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-psexample-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 9bb516ad99..80f4ea3708 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md 
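Review bot: the sentence `+ When importing data is completed and the dataset is ready, you’ll the following notification:` is still missing its verb after re-indenting; it should read "you'll see the following notification:". The rest of the hunk is whitespace-only.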
@@ -98,9 +98,9 @@ You can roll back and remove a file from quarantine if you’ve determined that b. Right–click **Command prompt** and select **Run as administrator**. 2. Enter the following command, and press **Enter**: - ``` - “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All - ``` + ``` + “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All + ``` > [!NOTE] > Microsoft Defender ATP will restore all files that were quarantined on this machine in the last 30 days. @@ -148,9 +148,9 @@ Before you can block files, you'll need to enable the feature. The Action center shows the submission information: ![Image of block file](images/atp-blockfile.png) - - **Submission time** - Shows when the action was submitted. - - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. - - **Status** - Indicates whether the file was added to or removed from the blacklist. + - **Submission time** - Shows when the action was submitted. + - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon. + - **Status** - Indicates whether the file was added to or removed from the blacklist. When the file is blocked, there will be a new event in the machine timeline.
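Review bot: the re-indented command line `“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All` still uses typographic quotes and en dashes, so it fails when copied into an elevated command prompt: cmd.exe does not treat `“` as a quote character, and MpCmdRun.exe will not recognize `–Restore` as the `-Restore` switch. Replace them with straight quotes and hyphens, for example `"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All`. The unchanged context line `Right–click` has the same en-dash problem and could be fixed while here.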
                                                                                  @@ -178,7 +178,7 @@ For prevalent files in the organization, a warning is shown before an action is 2. Open the **Actions** menu and select **Remove file from blocked list**. - ![Image of remove file from blocked list](images/atp-remove-blocked-file.png) + ![Image of remove file from blocked list](images/atp-remove-blocked-file.png) 3. Type a comment and select **Yes** to take action on the file. The file will be allowed to run in the organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 1fc418f431..eba85f1a0f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md 
@@ -124,23 +124,23 @@ Content-Type: application/json​ "InitiatingProcessFileName": "powershell.exe" }] } - - ``` -## T​roubl​eshoot issues +## Troubleshoot issues - Error: (403) Forbidden / (401) Unauthorized - - - If you get this error when calling Microsoft Defender ATP API, your token might not include the necessary permission. - Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token. - - If the 'roles' section in the token does not include the necessary permission: - - The necessary permission to your app might not have been granted. For more information, see [Access Microsoft Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Microsoft Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or, - - The app was not authorized in the tenant, see [Application consent](exposed-apis-create-app-webapp.md#application-consent). +~~~ +If you get this error when calling Microsoft Defender ATP API, your token might not include the necessary permission. + +Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token. + +If the 'roles' section in the token does not include the necessary permission: + +- The necessary permission to your app might not have been granted. For more information, see [Access Microsoft Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Microsoft Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or, +- The app was not authorized in the tenant, see [Application consent](exposed-apis-create-app-webapp.md#application-consent). +~~~ ## Related topic 
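Review bot: wrapping the troubleshooting text in a `~~~` fence turns it into a literal code block, so the four Markdown links (to `exposed-apis-create-app-webapp.md#validate-the-token`, `exposed-apis-create-app-nativeapp.md#validate-the-token`, the two `#create-an-app` anchors and `#application-consent`) will render as raw `[text](file.md)` and the inner `-` bullets will no longer be a list. Keep this as prose nested under the `- Error: (403) Forbidden / (401) Unauthorized` bullet (indented paragraphs and a sub-list, as the removed lines had) rather than a fenced block. Removing the zero-width characters from the `## Troubleshoot issues` heading is a good fix and should stay.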
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md index 7bad215f17..389a39fd4a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-ms-flow.md 
@@ -43,21 +43,21 @@ Use the following basic flow as an example. ![Image of MsFlow choose an action](images/ms-flow-choose-action.png) - - Set method to be POST - - Uri is https://api.securitycenter.windows.com/api/advancedqueries/run or one of the region specific locations - - US: https://api-us.securitycenter.windows.com/api/advancedqueries/run - - Europe: https://api-eu.securitycenter.windows.com/api/advancedqueries/run - - United Kingdom: https://api-uk.securitycenter.windows.com/api/advancedqueries/run - - Add the Header: Content-Type application/json - - In the body write your query surrounded by single quotation mark (') - - In the Advanced options select Authentication to be Active Directory OAuth - - Set the Tenant with proper AAD Tenant Id - - Audience is https://api.securitycenter.windows.com - - Client ID is your application ID - - Credential Type should be Secret - - Secret is the application secret generated in the Azure Active directory. + - Set method to be POST + - Uri is https://api.securitycenter.windows.com/api/advancedqueries/run or one of the region specific locations + - US: https://api-us.securitycenter.windows.com/api/advancedqueries/run + - Europe: https://api-eu.securitycenter.windows.com/api/advancedqueries/run + - United Kingdom: https://api-uk.securitycenter.windows.com/api/advancedqueries/run + - Add the Header: Content-Type application/json + - In the body write your query surrounded by single quotation mark (') + - In the Advanced options select Authentication to be Active Directory OAuth + - Set the Tenant with proper AAD Tenant Id + - Audience is https://api.securitycenter.windows.com + - Client ID is your application ID + - Credential Type should be Secret + - Secret is the application secret generated in the Azure Active directory. - ![Image of MsFlow define action](images/ms-flow-define-action.png) + ![Image of MsFlow define action](images/ms-flow-define-action.png) 3. 
You can use the "Parse JSON" action to get the schema of data – just "use sample payload to generate schema" and copy an output from of the expected result. diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md index d5e6c060c0..1c62e63285 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md @@ -33,9 +33,9 @@ You first need to [create an app](apis-intro.md). - Open a PowerShell window. - If your policy does not allow you to run the PowerShell commands, you can run the below command: -``` -Set-ExecutionPolicy -ExecutionPolicy Bypass -``` + ``` + Set-ExecutionPolicy -ExecutionPolicy Bypass + ``` >For more details, see [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy) @@ -51,14 +51,13 @@ $appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret $resourceAppIdUri = 'https://api.securitycenter.windows.com' $oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" $body = [Ordered] @{ - resource = "$resourceAppIdUri" - client_id = "$appId" - client_secret = "$appSecret" - grant_type = 'client_credentials' + resource = "$resourceAppIdUri" + client_id = "$appId" + client_secret = "$appSecret" + grant_type = 'client_credentials' } $response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop $aadToken = $response.access_token - ``` where 
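Review bot: the re-indented snippet `Set-ExecutionPolicy -ExecutionPolicy Bypass` changes the machine-wide (LocalMachine) execution policy permanently, which is more than a one-off query script needs. Since the line is being edited, suggest scoping it to the current session with `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process` so the weaker policy does not outlive the PowerShell window; the linked Set-ExecutionPolicy documentation describes the `-Scope` parameter.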
@@ -75,9 +74,9 @@ $query = 'RegistryEvents | limit 10' # Paste your own query here $url = "https://api.securitycenter.windows.com/api/advancedqueries/run" $headers = @{ - 'Content-Type' = 'application/json' - Accept = 'application/json' - Authorization = "Bearer $aadToken" + 'Content-Type' = 'application/json' + Accept = 'application/json' + Authorization = "Bearer $aadToken" } $body = ConvertTo-Json -InputObject @{ 'Query' = $query } $webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop @@ -107,7 +106,7 @@ To output the results of the query in CSV format in file file1.csv do the below: $results | ConvertTo-Csv -NoTypeInformation | Set-Content file1.csv ``` -To output the results of the query in JSON format in file file1.json​ do the below: +To output the results of the query in JSON format in file file1.json do the below: ``` $results | ConvertTo-Json | Set-Content file1.json diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index aa9a4469bb..20faa27ae0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md 
@@ -88,10 +88,10 @@ Remediating issues in the security recommendations list will improve your config 3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. - >>![request remediation](images/tvm_request_remediation.png). - - >You will see a confirmation message that the remediation task has been created. - >![remediation task creation confirmation](images/tvm_remediation_task_created.png) + > >![request remediation](images/tvm_request_remediation.png). + > + > You will see a confirmation message that the remediation task has been created. + > ![remediation task creation confirmation](images/tvm_remediation_task_created.png) 4. Save your CSV file. ![save csv file](images/tvm_save_csv_file.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 36fe7db04c..8b29741543 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -101,7 +101,7 @@ Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause a 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

                                                                                  Currently is supported platforms: Enterprise, Education, and Professional.
                                                                                  -**Known issues with non-compliance** +Known issues with non-compliance The following table provides information on issues with non-compliance and how you can address the issues. @@ -112,7 +112,7 @@ Case | Symptoms | Possible cause and troubleshooting steps 3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time.
                                                                                  -**Mobile Device Management (MDM) event logs** +Mobile Device Management (MDM) event logs View the MDM event logs to troubleshoot issues that might arise during onboarding: @@ -139,7 +139,7 @@ If the deployment tools used does not indicate an error in the onboarding proces 2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**. - > [!NOTE] + > [!NOTE] > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. 3. Select **Operational** to load the log. @@ -148,7 +148,7 @@ If the deployment tools used does not indicate an error in the onboarding proces 5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**. - ![Image of Event Viewer log filter](images/filter-log.png) + ![Image of Event Viewer log filter](images/filter-log.png) 6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table: 
@@ -177,7 +177,7 @@ There are additional components on the machine that the Microsoft Defender ATP a ### Ensure the diagnostic data service is enabled -If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes. +If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes. First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't). 
@@ -185,52 +185,52 @@ First, you should check that the service is set to start automatically when Wind **Use the command line to check the Windows 10 diagnostic data service startup type**: -1. Open an elevated command-line prompt on the machine: +1. Open an elevated command-line prompt on the machine: - a. Click **Start**, type **cmd**, and press **Enter**. + a. Click **Start**, type **cmd**, and press **Enter**. - b. Right-click **Command prompt** and select **Run as administrator**. + b. Right-click **Command prompt** and select **Run as administrator**. -2. Enter the following command, and press **Enter**: +2. Enter the following command, and press **Enter**: - ```text - sc qc diagtrack - ``` + ```text + sc qc diagtrack + ``` - If the service is enabled, then the result should look like the following screenshot: + If the service is enabled, then the result should look like the following screenshot: - ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) + ![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png) - If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start. + If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start. **Use the command line to set the Windows 10 diagnostic data service to automatically start:** -1. Open an elevated command-line prompt on the machine: +1. Open an elevated command-line prompt on the machine: - a. Click **Start**, type **cmd**, and press **Enter**. + a. Click **Start**, type **cmd**, and press **Enter**. - b. Right-click **Command prompt** and select **Run as administrator**. + b. Right-click **Command prompt** and select **Run as administrator**. -2. Enter the following command, and press **Enter**: +2. Enter the following command, and press **Enter**: - ```text - sc config diagtrack start=auto - ``` + ```text + sc config diagtrack start=auto + ``` -3. 
A success message is displayed. Verify the change by entering the following command, and press **Enter**: +3. A success message is displayed. Verify the change by entering the following command, and press **Enter**: - ```text - sc qc diagtrack - ``` + ```text + sc qc diagtrack + ``` 4. Start the service. - a. In the command prompt, type the following command and press **Enter**: + a. In the command prompt, type the following command and press **Enter**: - ```text - sc start diagtrack - ``` + ```text + sc start diagtrack + ``` ### Ensure the machine has an Internet connection @@ -258,14 +258,14 @@ If the verification fails and your environment is using a proxy to connect to th - `````` - `````` -- After clearing the policy, run the onboarding steps again. +- After clearing the policy, run the onboarding steps again. - You can also check the following registry key values to verify that the policy is disabled: 1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```. 2. Ensure that the value ```DisableAntiSpyware``` is not present. - ![Image of registry key for Windows Defender Antivirus](images/atp-disableantispyware-regkey.png) + ![Image of registry key for Windows Defender Antivirus](images/atp-disableantispyware-regkey.png) ## Troubleshoot onboarding issues on a server diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md index bd119b7e76..c45bc362d2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md 
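Review bot: the re-indented command `sc config diagtrack start=auto` does not follow sc.exe's documented syntax, which requires a space between the option name and its value (`sc config diagtrack start= auto`); without the space sc.exe reports an invalid option instead of changing the startup type, so step 3's "A success message is displayed" will not match what the reader sees. The companion `sc qc diagtrack` and `sc start diagtrack` lines are fine. Since these lines are being rewritten for indentation, it is a cheap fix to make now.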
@@ -64,9 +64,9 @@ If you encounter an error when trying to get a refresh token when using the thre - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector` 5. Add the following URL: - - For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` - - For the United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback` - - For the United States: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`. + - For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` + - For the United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback` + - For the United States: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`. 6. Click **Save**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md index 97e6d3e2de..9452c634c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md 
@@ -23,10 +23,10 @@ ms.date: 04/24/2018 **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!TIP] ->This topic has been deprecated. See [Indicators](ti-indicator.md) for the updated content. - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) +> [!TIP] +> This topic has been deprecated. See [Indicators](ti-indicator.md) for the updated content. +> +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index b680c1471d..9723b0afa6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -88,6 +88,6 @@ After creating roles, you'll need to create a machine group and provide access t 2. Click the drop-down button and select **Delete role**. -##Related topic +## Related topic - [User basic permissions to access the portal](basic-permissions.md) - [Create and manage machine groups](machine-groups.md) \ No newline at end of file diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index 3b6104deaf..00ba76594e 100644 
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md @@ -49,12 +49,12 @@ The following procedure describes how to use Group Policy to override individual **Important**
                                                                                  For each app you want to include, you must include: - - **Value name.** The app file name, including the extension. For example, iexplore.exe. - - **Value.** A bit field with a series of bit flags in particular positions. Bits can be set to 0 (where the setting is forced off), 1 (where the setting is forced on), or ? (where the setting retains the previous, existing value). + - **Value name.** The app file name, including the extension. For example, iexplore.exe. + - **Value.** A bit field with a series of bit flags in particular positions. Bits can be set to 0 (where the setting is forced off), 1 (where the setting is forced on), or ? (where the setting retains the previous, existing value). - **Note**
                                                                                  Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior. + **Note**
                                                                                  Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior. - ![Group Policy editor: Process Mitigation Options with Show Contents box and example text](images/gp-process-mitigation-options-show.png) + ![Group Policy editor: Process Mitigation Options with Show Contents box and example text](images/gp-process-mitigation-options-show.png) ## Setting the bit field Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings: diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index dde3ded161..a0f5a549a6 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -1,6 +1,6 @@ --- title: Control the health of Windows 10-based devices (Windows 10) -description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. +description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. ms.assetid: 45DB1C41-C35D-43C9-A274-3AD5F31FE873 ms.reviewer: manager: dansimp 
@@ -20,9 +20,9 @@ ms.localizationpriority: medium **Applies to** -- Windows 10 +- Windows 10 -This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. +This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. ## Introduction @@ -36,7 +36,7 @@ Even managed devices can be compromised and become harmful. Organizations need t As Microsoft moves forward, security investments are increasingly focused on security preventive defenses and also on detection and response capabilities. -Windows 10 is an important component of an end-to-end security solution that focuses not only on the implementation of security preventive defenses, but adds device health attestation capabilities to the overall security strategy. +Windows 10 is an important component of an end-to-end security solution that focuses not only on the implementation of security preventive defenses, but adds device health attestation capabilities to the overall security strategy. ## Description of a robust end-to-end security solution 
@@ -82,15 +82,15 @@ Access to content is then authorized to the appropriate level of trust for whate Depending on the requirements and the sensitivity of the managed asset, device health status can be combined with user identity information when processing an access request. Access to content is then authorized to the appropriate level of trust. The Conditional Access engine may be structured to allow additional verification as needed by the sensitivity of the managed asset. For example, if access to high-value data is requested, additional security authentication may need to be established by querying the user to answer a phone call before access is granted. -### Microsoft’s security investments in Windows 10 +### Microsoft’s security investments in Windows 10 -In Windows 10, there are three pillars of investments: +In Windows 10, there are three pillars of investments: - **Secure identities.** Microsoft is part of the FIDO Alliance which aims to provide an interoperable method of secure authentication by moving away from the use of passwords for authentication, both on the local system as well as for services like on-premises resources and cloud resources. -- **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data. +- **Information protection.** Microsoft is making investments to allow organizations to have better control over who has access to important data and what they can do with that data. With Windows 10, organizations can take advantage of policies that specify which applications are considered to be corporate applications and can be trusted to access secure data. 
- **Threat resistance.** Microsoft is helping organizations to better secure enterprise assets against the threats of malware and attacks by using security defenses relying on hardware. -### Protect, control, and report on the security status of Windows 10-based devices +### Protect, control, and report on the security status of Windows 10-based devices This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware. @@ -98,39 +98,39 @@ This section is an overview that describes different parts of the end-to-end sec | Number | Part of the solution | Description | | - | - | - | -| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.
                                                                                  A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.| +| **1** | Windows 10-based device | The first time a Windows 10-based device is powered on, the out-of-box experience (OOBE) screen is displayed. During setup, the device can be automatically registered into Azure Active Directory (AD) and enrolled in MDM.
                                                                                  A Windows 10-based device with TPM can report health status at any time by using the Health Attestation Service available with all editions of Windows 10.| | **2** | Identity provider | Azure AD contains users, registered devices, and registered application of organization’s tenant. A device always belongs to a user and a user can have multiple devices. A device is represented as an object with different attributes like the compliance status of the device. A trusted MDM can update the compliance status.
                                                                                  Azure AD is more than a repository. Azure AD is able to authenticate users and devices and can also authorize access to managed resources. Azure AD has a conditional access control engine that leverages the identity of the user, the location of the device and also the compliance status of the device when making a trusted access decision.| -| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.
                                                                                  MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.| -| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.
                                                                                  Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).| +| **3**|Mobile device management| Windows 10 has MDM support that enables the device to be managed out-of-box without deploying any agent.
                                                                                  MDM can be Microsoft Intune or any third-party MDM solution that is compatible with Windows 10.| +| **4** | Remote health attestation | The Health Attestation Service is a trusted cloud service operated by Microsoft that performs a series of health checks and reports to MDM what Windows 10 security features are enabled on the device.
                                                                                  Security verification includes boot state (WinPE, Safe Mode, Debug/test modes) and components that manage security and integrity of runtime operations (BitLocker, Device Guard).| | **5** | Enterprise managed asset | Enterprise managed asset is the resource to protect.
                                                                                  For example, the asset can be Office 365, other cloud apps, on-premises web resources published by Azure AD, or even VPN access.| -  -The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a robust end-to-end-solution that provides validation of health and compliance of devices that access high-value assets. + +The combination of Windows 10-based devices, identity provider, MDM, and remote health attestation creates a robust end-to-end-solution that provides validation of health and compliance of devices that access high-value assets. ## Protect devices and enterprise credentials against threats -This section describes what Windows 10 offers in terms of security defenses and what control can be measured and reported to. +This section describes what Windows 10 offers in terms of security defenses and what control can be measured and reported to. -### Windows 10 hardware-based security defenses +### Windows 10 hardware-based security defenses The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start. -Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section. +Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section. 
![figure 4](images/hva-fig4-hardware.png) -Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process: +Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process: - **Trusted Platform Module.** A Trusted Platform Module (TPM) is a hardware component that provides unique security features. - Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. + Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other: - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. - Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). + Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. 
For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). - Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. + Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 provides a major revision to the capabilities over TPM 1.2: 
@@ -151,21 +151,21 @@ Windows 10 supports features to help prevent sophisticated low-level malware li - **Secure Boot.** Devices with UEFI firmware can be configured to load only trusted operating system bootloaders. Secure Boot does not require a TPM. - The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that’s signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program. + The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that’s signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program. Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot files and drivers at boot time. 
Secure Boot checks signature values of the Windows Boot Manager, BCD store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows platform. Secure Boot protects the operating system boot process whether booting from local hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE). - Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity did not compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded. + Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity did not compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded. - >**Note:**  Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over. -   -- **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration. + >**Note:** Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over. + +- **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration. Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) cannot be enabled. This ensures that the binaries and configuration of the computer can be trusted after the boot process has completed. Secure Boot configuration policy does this with UEFI policy. 
These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot. - The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK shall be work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr. + The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK shall be work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr. - The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. This step is important and protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted. + The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and the ELAM component. 
This step is important and protects the rest of the boot process by verifying that all Windows boot components have integrity and can be trusted. - **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading. 
@@ -173,35 +173,35 @@ Windows 10 supports features to help prevent sophisticated low-level malware li ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it. - >**Note:**  Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before shutdown or reboot. -   + >**Note:** Windows Defender, Microsoft's antimalware included by default in Windows 10, supports ELAM; it can be replaced with a third-party antimalware compatible solution. The name of the Windows Defender ELAM driver is WdBoot.sys. Windows Defender in Windows 10 uses its ELAM driver to roll back any malicious changes made to the Windows Defender driver at the next reboot. This prevents kernel mode malware making lasting changes to Windows Defender’s mini-filter driver before shutdown or reboot. + The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code. The ELAM driver is a small driver with a small policy database that has a very narrow scope, focused on drivers that are loaded early at system launch. 
The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1). -- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a completely new enforced security boundary that allows you to protect critical parts of Windows 10. +- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a completely new enforced security boundary that allows you to protect critical parts of Windows 10. Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, refer to the [Virtualization-based security](#virtual) section. - **Hypervisor-protected Code Integrity (HVCI).** Hypervisor-protected Code Integrity is a feature of Device Guard that ensures only drivers, executables, and DLLs that comply with the Device Guard Code Integrity policy are allowed to run. - When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup. + When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup. HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. 
This means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified. - >**Note:**  Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=691612) blog post. -   + >**Note:** Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=691612) blog post. + The Device Guard Code Integrity feature lets organizations control what code is trusted to run into the Windows kernel and what applications are approved to run in user mode. It’s configurable by using a policy. Device Guard Code Integrity policy is a binary file that Microsoft recommends you sign. The signing of the Code Integrity policy aids in the protection against a malicious user with Administrator privileges trying to modify or remove the current Code Integrity policy. - **Credential Guard.** Credential Guard protects corporate credentials with hardware-based credential isolation. - In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack. + In Windows 10, Credential Guard aims to protect domain corporate credentials from theft and reuse by malware. With Credential Guard, Windows 10 implemented an architectural change that fundamentally prevents the current forms of the pass-the-hash (PtH) attack. 
This is accomplished by leveraging Hyper-V and the new virtualization-based security feature to create a protected container where trusted code and secrets are isolated from the Windows kernel. That means that even if the Windows kernel is compromised an attacker has no way to read and extract the data required to initiate a PtH attack. Credential Guard prevents this because the memory where secrets are stored is no longer accessible from the regular OS, even in kernel mode - the hypervisor controls who can access the memory. -- **Health attestation.** The device’s firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device’s health. +- **Health attestation.** The device’s firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device’s health. - Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they are taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset. + Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they are taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset. For more information, see [Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware](https://go.microsoft.com/fwlink/p/?LinkId=733950). 
@@ -211,26 +211,26 @@ Windows 10 supports features to help prevent sophisticated low-level malware li ### Virtualization-based security -Virtualization-based security provides a new trust boundary for Windows 10. leverages Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data. +Virtualization-based security provides a new trust boundary for Windows 10. leverages Hyper-V hypervisor technology to enhance platform security. Virtualization-based security provides a secure execution environment to run specific Windows trusted code (trustlet) and to protect sensitive data. Virtualization-based security helps to protect against a compromised kernel or a malicious user with Administrator privileges. Note that virtualization-based security is not trying to protect against a physical attacker. -The following Windows 10 services are protected with virtualization-based security: +The following Windows 10 services are protected with virtualization-based security: - **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory -- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. 
+- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. - **Other isolated services**: for example, on Windows Server 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. ->**Note:**  Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended. -  +>**Note:** Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended. -The schema below is a high-level view of Windows 10 with virtualization-based security. + +The schema below is a high-level view of Windows 10 with virtualization-based security. ![figure 5](images/hva-fig5-virtualbasedsecurity.png) ### Credential Guard -In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. 
This helps ensure that protected data is not stolen and reused on +In Windows 10, when Credential Guard is enabled, Local Security Authority Subsystem Service (lsass.exe) runs sensitive code in an Isolated user mode to help protect data from malware that may be running in the normal user mode. This helps ensure that protected data is not stolen and reused on remote machines, which mitigates many PtH-style attacks. Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key: 
@@ -242,17 +242,17 @@ credential isolation is enabled, it then spawns LsaIso.exe as an isolated proces ### Device Guard -Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those that are trusted by the organization. +Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those that are trusted by the organization. The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-based security, a Hyper-V protected container that runs alongside regular Windows. -Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10 kernel-mode drivers must be digitally signed. +Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10 kernel-mode drivers must be digitally signed. ->**Note:**  Independently of activation of Device Guard Policy, [Windows 10 by default raises the bar for what runs in the kernel](https://go.microsoft.com/fwlink/p/?LinkId=691613). 
Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate. -  -With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines what is trusted to run. These include drivers and system files, as well as traditional desktop applications and scripts. The system is then locked down to only run applications that the organization trusts. +>**Note:** Independently of activation of Device Guard Policy, [Windows 10 by default raises the bar for what runs in the kernel](https://go.microsoft.com/fwlink/p/?LinkId=691613). Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate. -Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and applications. Device Guard can be configured using two rule actions - allow and deny: +With Device Guard in Windows 10, organizations are now able to define their own Code Integrity policy for use on x64 systems running Windows 10 Enterprise. Organizations have the ability to configure the policy that determines what is trusted to run. These include drivers and system files, as well as traditional desktop applications and scripts. The system is then locked down to only run applications that the organization trusts. 
+ +Device Guard is a built-in feature of Windows 10 Enterprise that prevents the execution of unwanted code and applications. Device Guard can be configured using two rule actions - allow and deny: - **Allow** limits execution of applications to an allowed list of code or trusted publisher and blocks everything else. - **Deny** completes the allow trusted publisher approach by blocking the execution of a specific application. 
@@ -261,10 +261,10 @@ At the time of this writing, and according to Microsoft’s latest research, mor Device Guard needs to be planned and configured to be truly effective. It is not just a protection that is enabled or disabled. Device Guard is a combination of hardware security features and software security features that, when configured together, can lock down a computer to help ensure the most secure and resistant system possible. -There are three different parts that make up the Device Guard solution in Windows 10: +There are three different parts that make up the Device Guard solution in Windows 10: - The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start. -- After the hardware security feature, there is the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. +- After the hardware security feature, there is the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. - The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs). For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). 
@@ -284,10 +284,10 @@ Similarly, on corporate fully-managed workstations, where applications are insta It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s quite difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. -Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code Integrity policy restricts what code can run on a device. +Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code Integrity policy restricts what code can run on a device. + +>**Note:** Device Guard policy can be signed in Windows 10, which adds additional protection against administrative users changing or removing this policy. ->**Note:**  Device Guard policy can be signed in Windows 10, which adds additional protection against administrative users changing or removing this policy. 
-  Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat Device Guard. When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers tampering protection. The only way to update the Device Guard policy subsequently is to provide a new version of the policy signed by the same signer or from a signer specified as part of the 
@@ -295,14 +295,14 @@ Device Guard policy into the UpdateSigner section. ### The importance of signing applications -On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows 10. +On computers with Device Guard, Microsoft proposes to move from a world where unsigned apps can be run without restriction to a world where only signed and trusted code is allowed to run on Windows 10. -With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the public Microsoft Store. Microsoft Store signs and distributes Universal +With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the public Microsoft Store. Microsoft Store signs and distributes Universal Windows apps and Classic Windows apps. All apps downloaded from the Microsoft Store are signed. In organizations today, the vast majority of LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best practice, a lot of internal applications are not signed. -Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create additional signatures that can be distributed along with existing applications. +Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create additional signatures that can be distributed along with existing applications. 
### Why are antimalware and device management solutions still necessary? 
@@ -316,13 +316,13 @@ To combat these threats, patching is the single most effective control, with ant Most application software has no facility for updating itself, so even if the software vendor publishes an update that fixes the vulnerability, the user may not know that the update is available or how to obtain it, and therefore remains vulnerable to attack. Organizations still need to manage devices and to patch vulnerabilities. -MDM solutions are becoming prevalent as a light-weight device management technology. Windows 10 extends the management capabilities that have become available for MDMs. One key feature Microsoft has added to Windows 10 is the ability for MDMs to acquire a strong statement of device health from managed and registered devices. +MDM solutions are becoming prevalent as a light-weight device management technology. Windows 10 extends the management capabilities that have become available for MDMs. One key feature Microsoft has added to Windows 10 is the ability for MDMs to acquire a strong statement of device health from managed and registered devices. ### Device health attestation Device health attestation leverages the TPM to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device. -For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. +For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. 
For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section. @@ -346,17 +346,16 @@ The following table details the hardware requirements for both virtualization-ba
                                                                                  +

                                                                                  Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: “System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”

                                                                                  @@ -366,7 +365,7 @@ The following table details the hardware requirements for both virtualization-ba - + @@ -374,16 +373,16 @@ The following table details the hardware requirements for both virtualization-ba
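Review bot: in the @@ -211 hunk (Virtualization-based security), the first paragraph still reads "a new trust boundary for Windows 10. leverages Hyper-V hypervisor technology" on both the `-` and `+` lines, so the second sentence has no subject. Since the line is already being rewritten for trailing whitespace, restore it, e.g. "It leverages Hyper-V hypervisor technology to enhance platform security." In the same hunk's Note line, "IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional" has a stray period after "2.0" that splits the list into two sentences; "IOMMU, TPM 2.0, and support for Secure Memory overwritten are optional, but recommended" is the intended reading, and "Secure Memory overwritten" should be checked against the feature's actual name before the line is committed.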
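Review bot: in the @@ -242 hunk (Device Guard), the Hyper-V Code Integrity paragraph is touched only for whitespace, but "On x64-based versions of Windows 10 kernel-mode drivers must be digitally signed" needs a comma after "Windows 10"; as written it parses as "Windows 10 kernel-mode drivers". Worth fixing while the line is being changed anyway.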
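Review bot: in the @@ -316 hunk, the `+` line keeps "light-weight device management technology"; the usual spelling is "lightweight", and the rest of this document does not hyphenate it. A one-word fix on a line that is already in the diff.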
                                                                                  1Microsoft Defender Advanced Threat Protection service started (Version ```variable```).Microsoft Defender Advanced Threat Protection service started (Version variable). Occurs during system start up, shut down, and during onbboarding. Normal operating notification; no action required.
                                                                                  3Microsoft Defender Advanced Threat Protection service failed to start. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to start. Failure code: variable. Service did not start. Review other messages to determine possible cause and troubleshooting steps.
                                                                                  4Microsoft Defender Advanced Threat Protection service contacted the server at ```variable```.Microsoft Defender Advanced Threat Protection service contacted the server at variable. Variable = URL of the Microsoft Defender ATP processing servers.
                                                                                  This URL will match that seen in the Firewall or network activity.
                                                                                  Normal operating notification; no action required.
                                                                                  5Microsoft Defender Advanced Threat Protection service failed to connect to the server at ```variable```.Microsoft Defender Advanced Threat Protection service failed to connect to the server at variable. Variable = URL of the Microsoft Defender ATP processing servers.
                                                                                  The service could not contact the external processing servers at that URL.
                                                                                  Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet.md).Check the connection to the URL. See Configure proxy and Internet connectivity.
                                                                                  6 The machine did not onboard correctly and will not be reporting to the portal. Onboarding must be run before starting the service.
                                                                                  Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                                                                                  -See [Onboard Windows 10 machines](configure-endpoints.md).
                                                                                  7Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```.Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: variable. Variable = detailed error description. The machine did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                                                                                  -See [Onboard Windows 10 machines](configure-endpoints.md).
                                                                                  8Microsoft Defender Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```.**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues.

                                                                                  **During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running. +
                                                                                  Microsoft Defender Advanced Threat Protection service failed to clean its configuration. Failure code: variable.During onboarding: The service failed to clean its configuration during the onboarding. The onboarding process continues.

                                                                                  During offboarding: The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
                                                                                  **Onboarding:** No action required.

                                                                                  **Offboarding:** Reboot the system.
                                                                                  -See [Onboard Windows 10 machines](configure-endpoints.md).
                                                                                  Onboarding: No action required.

                                                                                  Offboarding: Reboot the system.
                                                                                  +See Onboard Windows 10 machines.
                                                                                  9Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```.**During onboarding:** The machine did not onboard correctly and will not be reporting to the portal.

                                                                                  **During offboarding:** Failed to change the service start type. The offboarding process continues.
                                                                                  Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable.During onboarding: The machine did not onboard correctly and will not be reporting to the portal.

                                                                                  During offboarding: Failed to change the service start type. The offboarding process continues.
                                                                                  Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                                                                                  -See [Onboard Windows 10 machines](configure-endpoints.md).
                                                                                  10Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable. The machine did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                                                                                  -See [Onboard Windows 10 machines](configure-endpoints.md).
                                                                                  11
                                                                                  13Microsoft Defender Advanced Threat Protection machine ID calculated: ```variable```.Microsoft Defender Advanced Threat Protection machine ID calculated: variable. Normal operating process. Normal operating notification; no action required.
                                                                                  15Microsoft Defender Advanced Threat Protection cannot start command channel with URL: ```variable```.Microsoft Defender Advanced Threat Protection cannot start command channel with URL: variable. Variable = URL of the Microsoft Defender ATP processing servers.
                                                                                  The service could not contact the external processing servers at that URL.
                                                                                  Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet.md).Check the connection to the URL. See Configure proxy and Internet connectivity.
                                                                                  17Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable. An error occurred with the Windows telemetry service.[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled).
                                                                                  +
                                                                                  Ensure the diagnostic data service is enabled.
                                                                                  Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                                                                                  -See [Onboard Windows 10 machines](configure-endpoints.md).
                                                                                  18
                                                                                  20Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```.Cannot wait for OOBE (Windows Welcome) to complete. Failure code: variable. Internal error. If this error persists after a system restart, ensure all Windows updates have full installed.
                                                                                  25Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: variable. The machine did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                                                                                  -See [Onboard Windows 10 machines](configure-endpoints.md).
                                                                                  26Microsoft Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: variable. The machine did not onboard correctly.
                                                                                  It will report to the portal, however the service may not appear as registered in SCCM or the registry.
                                                                                  Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                                                                                  -See [Onboard Windows 10 machines](configure-endpoints.md).
                                                                                  27Microsoft Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: variable. Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                                                                                  -See [Onboard Windows 10 machines](configure-endpoints.md).
                                                                                  +See Onboard Windows 10 machines.
                                                                                  Ensure real-time antimalware protection is running properly.
                                                                                  28Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: variable. An error occurred with the Windows telemetry service.[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled).
                                                                                  +
                                                                                  Ensure the diagnostic data service is enabled.
                                                                                  Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                                                                                  -See [Onboard Windows 10 machines](configure-endpoints.md).
                                                                                  29 Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 This event occurs when the system can't read the offboarding parameters.This event occurs when the system can't read the offboarding parameters. Ensure the machine has Internet access, then run the entire offboarding process again.
                                                                                  30Microsoft Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: variable. Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                                                                                  -See [Onboard Windows 10 machines](configure-endpoints.md)
                                                                                  +See Onboard Windows 10 machines
                                                                                  Ensure real-time antimalware protection is running properly.
                                                                                  31Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: variable. An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.[Check for errors with the Windows telemetry service](troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled).Check for errors with the Windows telemetry service.
                                                                                  32
                                                                                  33Microsoft Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: variable. A unique identifier is used to represent each machine that is reporting to the portal.
                                                                                  If the identifier does not persist, the same machine might appear twice in the portal.
                                                                                  Check registry permissions on the machine to ensure the service can update the registry.
                                                                                  34Microsoft Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable. An error occurred with the Windows telemetry service.[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled).
                                                                                  +
                                                                                  Ensure the diagnostic data service is enabled.
                                                                                  Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                                                                                  -See [Onboard Windows 10 machines](configure-endpoints.md).
                                                                                  35Microsoft Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: ```variable```.Microsoft Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: variable. An error occurred with the Windows telemetry service during offboarding. The offboarding process continues. Check for errors with the Windows diagnostic data service.
                                                                                  36Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: ```variable```.Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: variable. Registering Microsoft Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully. Normal operating notification; no action required.
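Review bot: in the event 34 row, the added line "Ensure the diagnostic data service is enabled." repeats the sentence that the same cell already carries as a link to troubleshoot-onboarding.md#ensure-the-diagnostic-data-service-is-enabled, while the removed "-See [Onboard Windows 10 machines](configure-endpoints.md)." was the only pointer to the onboarding topic that the preceding advice ("Try to redeploy the configuration packages") depends on. Drop the duplicate plain-text sentence and keep the onboarding link. Separately, "Failure code: variable." in rows 33 to 36 wraps the inline placeholder in three backticks, which markdown treats as a fence delimiter; use single backticks for inline code, as the rest of the docs do.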

                                                                                  UEFI 2.3.1 or later firmware with Secure Boot enabled

                                                                                  Required to support UEFI Secure Boot.

                                                                                  UEFI Secure Boot ensures that the device boots only authorized code.

                                                                                  -

                                                                                  Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: “System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”

                                                                                  Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled

                                                                                  Required to support virtualization-based security.

                                                                                  -Note   -

                                                                                  Device Guard can be enabled without using virtualization-based security.

                                                                                  +Note

                                                                                  Device Guard can be enabled without using virtualization-based security.

                                                                                  -  +

                                                                                  IOMMU, such as Intel VT-d, AMD-Vi

                                                                                  Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.

                                                                                  Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.

                                                                                  Trusted Platform Module (TPM)

                                                                                  -  -This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach helps to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. -## Detect an unhealthy Windows 10-based device +This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach helps to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. + +## Detect an unhealthy Windows 10-based device As of today, many organizations only consider devices to be compliant with company policy after they’ve passed a variety of checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today’s systems, this form of reporting is not entirely reliable because malware can spoof a software statement about system health. 
A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools. The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running. -As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. +As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data. 
@@ -401,15 +400,15 @@ But health attestation only provides information, which is why an MDM solution i ### Remote device health attestation -In Windows 10, health attestation refers to a feature where Measured Boot data generated during the boot process is sent to a remote device health attestation service operated by Microsoft. +In Windows 10, health attestation refers to a feature where Measured Boot data generated during the boot process is sent to a remote device health attestation service operated by Microsoft. -This is the most secure approach available for Windows 10-based devices to detect when security defenses are down. During the boot process, the TCG log and PCRs values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device. +This is the most secure approach available for Windows 10-based devices to detect when security defenses are down. During the boot process, the TCG log and PCRs values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device. A relying party like an MDM can inspect the report generated by the remote health attestation service. ->**Note:**  To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM. There is no restriction on any particular edition of Windows 10. -  -Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent. +>**Note:** To use the health attestation feature of Windows 10, the device must be equipped with a discrete or firmware TPM. There is no restriction on any particular edition of Windows 10. 
+ +Windows 10 supports health attestation scenarios by allowing applications access to the underlying health attestation configuration service provider (CSP) so that applications can request a health attestation token. The measurement of the boot sequence can be checked at any time locally by an antimalware or an MDM agent. Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the current security status and detecting any changes, without having to trust the software running on the system. @@ -421,7 +420,7 @@ Health attestation logs the measurements in various TPM Platform Configuration R ![figure 6](images/hva-fig6-logs.png) -When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. +When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. ![figure 7](images/hva-fig7-measurement.png) 
@@ -436,12 +435,12 @@ The health attestation process works as follows: 7. MDM server through the MDM agent issues a health check command by leveraging the Health Attestation CSP. 8. Boot measurements are validated by the Health Attestation Service ->**Note:**  By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder. +>**Note:** By default, the last 100 system boot logs and all associated resume logs are archived in the %SystemRoot%\\logs\\measuredboot folder. The number of retained logs may be set with the registry **REG\_DWORD** value **PlatformLogRetention** under the **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM** key. A value of **0** will turn off log archival and a value of **0xffffffff** will keep all logs. -  + The following process describes how health boot measurements are sent to the health attestation service: -1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client. +1. The client (a Windows 10-based device with TPM) initiates the request with the remote device health attestation service. Because the health attestation server is expected to be a Microsoft cloud service, the URI is already pre-provisioned in the client. 2. The client then sends the TCG log, the AIK signed data (PCR values, boot counter) and the AIK certificate information. 3. The remote device heath attestation service then: 
@@ -484,25 +483,25 @@ The endorsement key is often accompanied by one or two digital certificates: - One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it’s a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. - The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. -For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10. +For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10. ->**Note:**  Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs: +>**Note:** Secure Boot protects the platform until the Windows kernel is loaded. Then protections like Trusted Boot, Hyper-V Code Integrity and ELAM take over. A device that uses Intel TPM or Qualcomm TPM gets a signed certificate online from the manufacturer that has created the chip and then stores the signed certificate in TPM storage. 
For the operation to succeed, if you are filtering Internet access from your client devices, you must authorize the following URLs: - For Intel firmware TPM: **https://ekop.intel.com/ekcertservice** - For Qualcomm firmware TPM: **https://ekcert.spserv.microsoft.com/** -  + ### Attestation Identity Keys -Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. +Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. + +>**Note:** Before the device can report its health using the TPM attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. 
->**Note:**  Before the device can report its health using the TPM attestation functions, an AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. -  The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. -Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft -Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. +Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft +Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. -Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. 
Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. +Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate. 
@@ -522,9 +521,9 @@ The value of a PCR on its own is hard to interpret (it is just a hash value), bu ### TPM provisioning -For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs somewhat based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry. +For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs somewhat based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry. -When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored **ownerAuth** values by looking in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Endorsement** +When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored **ownerAuth** values by looking in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Endorsement** During the provisioning process, the device may need to be restarted. 
@@ -533,15 +532,15 @@ Note that the **Get-TpmEndorsementKeyInfo PowerShell** cmdlet can be used with a If the TPM ownership is not known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value into the registry if the policy allows it will store the SRK public portion at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub** -As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub** +As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub** ->**Note:**  For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: **https://\*.microsoftaik.azure.net** -  -### Windows 10 Health Attestation CSP +> **Note:** For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net -Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as “get”, “set”, “delete”, and so on. 
+### Windows 10 Health Attestation CSP -The following is a list of functions performed by the Windows 10 Health Attestation CSP: +Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as “get”, “set”, “delete”, and so on. + +The following is a list of functions performed by the Windows 10 Health Attestation CSP: - Collects data that is used to verify a device’s health status - Forwards the data to the Health Attestation Service @@ -556,8 +555,8 @@ When an MDM server validates that a device has attested to the Health Attestatio The role of Windows Health Attestation Service is essentially to evaluate a set of health data (TCG log and PCR values), make a series of detections (based on available health data) and generate encrypted health blob or produce report to MDM servers. ->**Note:**  Both device and MDM servers must have access to **has.spserv.microsoft.com** using the TCP protocol on port 443 (HTTPS). -  +>**Note:** Both device and MDM servers must have access to **has.spserv.microsoft.com** using the TCP protocol on port 443 (HTTPS). + Checking that a TPM attestation and the associated log are valid takes several steps: 1. First, the server must check that the reports are signed by **trustworthy AIKs**. This might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked. 
@@ -578,7 +577,7 @@ The Health Attestation Service provides the following information to an MDM solu For completeness of the measurements, see [Health Attestation CSP](https://go.microsoft.com/fwlink/p/?LinkId=733949). -The following table presents some key items that can be reported back to MDM depending on the type of Windows 10-based device. +The following table presents some key items that can be reported back to MDM depending on the type of Windows 10-based device. @@ -593,7 +592,7 @@ The following table presents some key items that can be reported back to MDM dep - + - +

                                                                                  Windows 10 Mobile

                                                                                  Windows 10 Mobile

                                                                                  • PCR0 measurement

                                                                                  • Secure Boot enabled

                                                                                  • @@ -605,7 +604,7 @@ The following table presents some key items that can be reported back to MDM dep

                                                                                  Windows 10 for desktop editions

                                                                                  Windows 10 for desktop editions

                                                                                  • PCR0 measurement

                                                                                  • Secure Boot Enabled

                                                                                  • @@ -621,7 +620,7 @@ The following table presents some key items that can be reported back to MDM dep
                                                                                  -  + ### Leverage MDM and the Health Attestation Service To make device health relevant, the MDM solution evaluates the device health report and is configured to the organization’s device health requirements. @@ -634,7 +633,7 @@ A solution that leverages MDM and the Health Attestation Service consists of thr ![figure 9](images/hva-fig8-evaldevicehealth8.png) -Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows: +Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows: 1. The client initiates a session with the MDM server. The URI for the MDM server would be part of the client app that initiates the request. The MDM server at this time could request the health attestation data by using the appropriate CSP URI. 2. The MDM server specifies a nonce along with the request. 
@@ -652,21 +651,21 @@ Interaction between a Windows 10-based device, the Health Attestation Service, 4. Because the boot counter and the nonce are quoted with the AIK from the health blob, it also proves that the device is the same one as the one for which the health blob has been generated. 5. Sends data back to the MDM server including health parameters, freshness, and so on. ->**Note:**  The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns. -  +>**Note:** The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns. + Setting the requirements for device compliance is the first step to ensure that registered devices that do not meet health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution. Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets. That is the purpose of conditional access control, which is detailed in the next section. -## Control the security of a Windows 10-based device before access is granted +## Control the security of a Windows 10-based device before access is granted Today’s access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. 
If users can authenticate, they get access to resources using a device that the organization’s IT staff and systems know very little about. Perhaps there is some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware? The remote device health attestation process uses measured boot data to verify the health status of the device. The health of the device is then available for an MDM solution like Intune. ->**Note:**  For the latest information on Intune and Windows 10 features support, see the [Microsoft Intune blog](https://go.microsoft.com/fwlink/p/?LinkId=691614) and [What's new in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733956). -  +>**Note:** For the latest information on Intune and Windows 10 features support, see the [Microsoft Intune blog](https://go.microsoft.com/fwlink/p/?LinkId=691614) and [What's new in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733956). + The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service. ![figure 10](images/hva-fig9-intune.png) 
@@ -676,23 +675,23 @@ firewall is running, and the devices patch state is compliant. Finally, resources can be protected by denying access to endpoints that are unable to prove they’re healthy. This feature is much needed for BYOD devices that need to access organizational resources. -### Built-in support of MDM in Windows 10 +### Built-in support of MDM in Windows 10 -Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage Windows 10-based devices without requiring a separate agent. +Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage Windows 10-based devices without requiring a separate agent. ### Third-party MDM server support -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For additional information, see [Azure Active Directory integration with MDM](https://go.microsoft.com/fwlink/p/?LinkId=733954). +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For additional information, see [Azure Active Directory integration with MDM](https://go.microsoft.com/fwlink/p/?LinkId=733954). ->**Note:**  MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=733955). -  -The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. +>**Note:** MDM servers do not need to create or download a client to manage Windows 10. 
For more information, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=733955). + +The third-party MDM server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. ### Management of Windows Defender by third-party MDM -This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. +This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. -For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=733953). 
+For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=733953). ### Conditional access control @@ -713,8 +712,8 @@ When a user requests access to an Office 365 service from a supported device pla When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune. ->**Note**  Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](https://go.microsoft.com/fwlink/p/?LinkId=691615) blog post. -  +>**Note** Microsoft is working with third-party MDM ISVs to support automated MDM enrollment and policy based access checks. Steps to turn on auto-MDM enrollment with Azure AD and Intune are explained in the [Windows 10, Azure AD And Microsoft Intune: Automatic MDM Enrollment Powered By The Cloud!](https://go.microsoft.com/fwlink/p/?LinkId=691615) blog post. + When a user enrolls a device successfully, the device becomes trusted. Azure AD provides single-sign-on to access company applications and enforces conditional access policy to grant access to a service not only the first time the user requests access, but every time the user requests to renew access. The user will be denied access to services when sign-in credentials are changed, a device is lost/stolen, or the compliance policy is not met at the time of request for renewal. 
@@ -729,14 +728,14 @@ Clients that attempt to access Office 365 will be evaluated for the following pr - Is the device registered with Azure AD? - Is the device compliant? -To get to a compliant state, the Windows 10-based device needs to: +To get to a compliant state, the Windows 10-based device needs to: - Enroll with an MDM solution. - Register with Azure AD. - Be compliant with the device policies set by the MDM solution. ->**Note:**  At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://go.microsoft.com/fwlink/p/?LinkId=691616) blog post. -  +>**Note:** At the present time, conditional access policies are selectively enforced on users on iOS and Android devices. For more information, see the [Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!](https://go.microsoft.com/fwlink/p/?LinkId=691616) blog post. + ### Cloud and on-premises apps conditional access control Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's logon to make real-time decisions about which applications they should be allowed to access. 
@@ -745,8 +744,8 @@ IT pros can configure conditional access control policies for cloud SaaS applica For more information about conditional access, see [Azure Conditional Access Preview for SaaS Apps.](https://go.microsoft.com/fwlink/p/?LinkId=524807) ->**Note:**  Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](https://go.microsoft.com/fwlink/p/?LinkId=691617) site. -  +>**Note:** Conditional access control is an Azure AD Premium feature that's also available with EMS. If you don't have an Azure AD Premium subscription, you can get a trial from the [Microsoft Azure](https://go.microsoft.com/fwlink/p/?LinkId=691617) site. + For on-premises applications there are two options to enable conditional access control based on a device's compliance state: - For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](https://go.microsoft.com/fwlink/p/?LinkId=691618) blog post. @@ -793,7 +792,7 @@ The following list contains high-level key take-aways to improve the security po - **Use Device Guard** - Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization). + Device Guard is a real advance in security and an effective way to help protect against malware. The new Device Guard feature in Windows 10 blocks untrusted apps (apps not authorized by your organization). - **Sign Device Guard policy** 
@@ -817,9 +816,9 @@ The following list contains high-level key take-aways to improve the security po - **Lock down firmware and configuration** - After Windows 10 is installed, lock down firmware boot options access. This prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool. + After Windows 10 is installed, lock down firmware boot options access. This prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool. -Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their device’s identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution. +Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their device’s identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. 
Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md index 234f7dde22..49f815ce3f 100644 --- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md +++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md @@ -53,7 +53,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use | Domain controller effective default settings | Not defined | | Member server effective default settings | Not defined | | Client computer effective default settings | Not defined | -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. @@ -90,4 +90,4 @@ None. Not defined is the default configuration. ## Related topics [User Rights Assignment](user-rights-assignment.md) -  + diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index 3d6ec831c5..06d067f006 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md 
@@ -60,7 +60,7 @@ The following table lists the actual and effective default policy values for the | Domain controller effective default settings | Everyone, Administrators, Authenticated Users, Enterprise Domain Controllers, Pre-Windows 2000 Compatible Access | | Member server effective default settings | Everyone, Administrators, Users, Backup Operators | | Client computer effective default settings |Everyone, Administrators, Users, Backup Operators | -  + ## Policy management When modifying this user right, the following actions might cause users and services to experience network access issues: @@ -98,12 +98,12 @@ Restrict the **Access this computer from the network** user right to only those from servers in the domain if members of the **Domain Users** group are included in the local **Users** group. > **Note** If you are using IPsec to help secure network communications in your organization, ensure that a group that includes machine accounts is given this right. This right is required for successful computer authentication. Assigning this right to **Authenticated Users** or **Domain Computers** meets this requirement. -  + ### Potential impact If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network. ## Related topics [User Rights Assignment](user-rights-assignment.md) -  -  + + 
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index dfe72244c8..4394099acc 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -54,7 +54,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain controller effective default settings | Not defined | | Member server effective default settings | Not defined | | Client computer effective default settings | Not applicable | -  + ## Security considerations More than a few unsuccessful password submissions during an attempt to log on to a computer might represent an attacker's attempts to determine an account password by trial and error. The Windows and Windows Server operating systems can track logon attempts, and you can configure the operating system to disable the account for a preset period of time after a specified number of failed attempts. Account lockout policy settings control the threshold for this response and what action to take after the threshold is reached. @@ -74,5 +74,5 @@ Configuring the **Account lockout duration** policy setting to 0 so that account ## Related topics [Account Lockout Policy](account-lockout-policy.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index eb4fb3fe00..852449d7ce 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md 
@@ -38,9 +38,9 @@ The following topics provide a discussion of each policy setting's implementatio | [Account lockout threshold](account-lockout-threshold.md) | Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting. | | [Account lockout duration](account-lockout-duration.md) | Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting. | | [Reset account lockout counter after](reset-account-lockout-counter-after.md) | Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting. | -  + ## Related topics [Configure security policy settings](how-to-configure-security-policy-settings.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 86bf20f504..e751b8d90d 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md 
@@ -48,7 +48,7 @@ The threshold that you select is a balance between operational efficiency and se As with other account lockeout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/). Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this topic. -  + ### Location **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy** @@ -65,7 +65,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain controller effective default settings | 0 invalid sign-in attempts | | Member server effective default settings |0 invalid sign-in attempts | | Effective GPO default settings on client computers |0 invalid sign-in attempts | -  + ### Policy management This section describes features and tools that are available to help you manage this policy setting. 
@@ -93,7 +93,7 @@ Brute force password attacks can use automated methods to try millions of passwo However, a DoS attack could be performed on a domain that has an account lockout threshold configured. An attacker could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the account lockout threshold, the attacker might be able to lock every account without needing any special privileges or being authenticated in the network. > **Note:** Offline password attacks are not countered by this policy setting. -  + ### Countermeasure Because vulnerabilities can exist when this value is configured and when it is not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are: @@ -115,4 +115,4 @@ If you configure this policy setting to a number greater than 0, an attacker can ## Related topics [Account Lockout Policy](account-lockout-policy.md) -  + diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md index 18e9ce80ed..3c9a703853 100644 --- a/windows/security/threat-protection/security-policy-settings/account-policies.md +++ b/windows/security/threat-protection/security-policy-settings/account-policies.md 
@@ -26,7 +26,7 @@ An overview of account policies in Windows and provides links to policy descript All account policies settings applied by using Group Policy are applied at the domain level. Default values are present in the built-in default domain controller policy for Password Policy settings, Account Lockout Policy settings, and Kerberos Policy settings. The domain account policy becomes the default local account policy of any device that is a member of the domain. If these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers. > **Note:**  Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO). -  + The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users log on to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where neither an OU account policy nor a domain policy applies. ## In this section 
@@ -36,7 +36,7 @@ The only exception is when another account policy is defined for an organization | [Password Policy](password-policy.md) | An overview of password policies for Windows and links to information for each policy setting. | | [Account Lockout Policy](account-lockout-policy.md) | Describes the Account Lockout Policy settings and links to information about each policy setting. | | [Kerberos Policy](kerberos-policy.md) | Describes the Kerberos Policy settings and provides links to policy setting descriptions. | -  + ## Related topics [Configure security policy settings](how-to-configure-security-policy-settings.md) diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index 6f98d89b89..a41896c0f5 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md @@ -64,7 +64,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled | | Member Server Effective Default Settings | Disabled | | Client Computer Effective Default Settings | Disabled | -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -92,5 +92,5 @@ Establishing greater control over accounts in your organization can give you mor ## Related topics [Security Options](security-options.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md index 475dbc2ff7..0677dbe5ed 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md 
+++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md @@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled | | Member Server Effective Default Settings | Disabled | | Client Computer Effective Default Settings | Disabled | -  + ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. @@ -75,5 +75,5 @@ All network users must be authenticated before they can access shared resources. ## Related topics [Security Options](security-options.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index a0a1962f79..94c7732647 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -61,7 +61,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled | | Member Server Effective Default Settings | Enabled | | Client Computer Effective Default Settings | Enabled | -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md index ff0c11b6d5..416c761dd9 100644 
--- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md @@ -54,7 +54,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Administrator | | Member Server Effective Default Settings | Administrator | | Client Computer Effective Default Settings | Administrator | -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -92,5 +92,5 @@ You must provide users who are authorized to use this account with the new accou ## Related topics [Security Options](security-options.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md index a25ae74f62..4e136d6fc7 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md @@ -54,7 +54,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Guest | | Member Server Effective Default Settings | Guest | | Client Computer Effective Default Settings | *User-defined text* | -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -91,5 +91,5 @@ There should be little impact because the Guest account is disabled by default i ## Related topics [Security Options](security-options.md) -  -  + + 
diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md index 5f639ffeab..b32355b82a 100644 --- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md +++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md @@ -53,7 +53,7 @@ The following table lists the actual and effective default policy values for the | Domain controller effective default settings | Not defined | | Member server effective default settings | Not defined | | Client computer effective default settings | Not defined | -  + ## Policy management A restart of the device is not required for this policy setting to be effective. @@ -88,4 +88,4 @@ There should be little or no impact because the **Act as part of the operating s ## Related topics [User Rights Assignment](user-rights-assignment.md) -  + diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md index 7aff343665..fc90fa5e4b 100644 --- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md +++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md @@ -60,7 +60,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Administrators
                                                                                  Local Service
                                                                                  Network Service | | Member Server Effective Default Settings | Administrators
                                                                                  Local Service
                                                                                  Network Service | | Client Computer Effective Default Settings | Administrators
                                                                                  Local Service
                                                                                  Network Service | -  + ## Policy management A restart of the device is not required for this policy setting to be effective. @@ -96,5 +96,5 @@ Organizations that have not restricted users to roles with limited privileges ma ## Related topics - [User Rights Assignment](user-rights-assignment.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md index bc243e4f85..4b9f7e599b 100644 --- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md @@ -57,49 +57,49 @@ Over time, new ways to manage security policy settings have been introduced, whi -

                                                                                  [Security Policy snap-in](#bkmk-secpol)

                                                                                  +

                                                                                  Security Policy snap-in

                                                                                  Secpol.msc

                                                                                  MMC snap-in designed to manage only security policy settings.

                                                                                  -

                                                                                  [Security editor command line tool](#bkmk-secedit)

                                                                                  +

                                                                                  Security editor command line tool

                                                                                  Secedit.exe

                                                                                  Configures and analyzes system security by comparing your current configuration to specified security templates.

                                                                                  -

                                                                                  [Security Compliance Manager](#bkmk-scm)

                                                                                  +

                                                                                  Security Compliance Manager

                                                                                  Tool download

                                                                                  A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.

                                                                                  -

                                                                                  [Security Configuration Wizard](#bkmk-scw)

                                                                                  +

                                                                                  Security Configuration Wizard

                                                                                  Scw.exe

                                                                                  SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.

                                                                                  -

                                                                                  [Security Configuration Manager tool](#bkmk-scmtool)

                                                                                  +

                                                                                  Security Configuration Manager tool

                                                                                  This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.

                                                                                  -

                                                                                  [Group Policy](#bkmk-grouppolicy)

                                                                                  +

                                                                                  Group Policy

                                                                                  Gpmc.msc and Gpedit.msc

                                                                                  The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.

                                                                                  Software Restriction Policies

                                                                                  -

                                                                                  See [Administer Software Restriction Policies](https://technet.microsoft.com/library/hh994606.aspx).

                                                                                  +

                                                                                  See Administer Software Restriction Policies.

                                                                                  Gpedit.msc

                                                                                  Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.

                                                                                  AppLocker

                                                                                  -

                                                                                  See [Administer AppLocker](/windows/device-security/applocker/administer-applocker).

                                                                                  +

                                                                                  See Administer AppLocker.

                                                                                  Gpedit.msc

                                                                                  Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.

                                                                                  -  + ## Using the Local Security Policy snap-in The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features: 
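Review bot: the "See ..." cells in this hunk lose their link targets: `See [Administer Software Restriction Policies](https://technet.microsoft.com/library/hh994606.aspx).` becomes `See Administer Software Restriction Policies.`, and the AppLocker row likewise drops `/windows/device-security/applocker/administer-applocker`, so the reader is told to see a topic with no way to reach it. If the markdown links were removed because they do not render inside this table, replace them with equivalent HTML anchors that keep the same targets rather than plain text; the same applies to the `(#bkmk-grouppolicy)` in-page anchor dropped from the Group Policy row.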
@@ -147,15 +147,15 @@ SCW is a role-based tool: You can use it to create a policy that enables service The following are considerations for using SCW: -- SCW disables unnecessary services and provides Windows Firewall with Advanced Security support. -- Security policies that are created with SCW are not the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those that can be set with SCW. However, it is possible to include a security template in an SCW security policy file. -- You can deploy security policies that you create with SCW by using Group Policy. -- SCW does not install or uninstall the features necessary for the server to perform a role. You can install server role-specific features through Server Manager. -- SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles. -- All apps that use the IP protocol and ports must be running on the server when you run SCW. -- In some cases, you must be connected to the Internet to use the links in the SCW help. -> **Note**  The SCW is available only on Windows Server and only applicable to server installations. -  +- SCW disables unnecessary services and provides Windows Firewall with Advanced Security support. +- Security policies that are created with SCW are not the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those that can be set with SCW. However, it is possible to include a security template in an SCW security policy file. +- You can deploy security policies that you create with SCW by using Group Policy. +- SCW does not install or uninstall the features necessary for the server to perform a role. You can install server role-specific features through Server Manager. +- SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles. 
+- All apps that use the IP protocol and ports must be running on the server when you run SCW. +- In some cases, you must be connected to the Internet to use the links in the SCW help. + > **Note** The SCW is available only on Windows Server and only applicable to server installations. + The SCW can be accessed through Server Manager or by running scw.exe. The wizard steps you through server security configuration to: - Create a security policy that can be applied to any server on your network. @@ -187,19 +187,19 @@ The following table lists the features of the Security Configuration Manager. -

                                                                                  [Security Configuration and Analysis](#bkmk-seccfgana)

                                                                                  +

                                                                                  Security Configuration and Analysis

                                                                                  Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.

                                                                                  -

                                                                                  [Security templates](#bkmk-sectmpl)

                                                                                  +

                                                                                  Security templates

                                                                                  Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.

                                                                                  -

                                                                                  [Security Settings extension to Group Policy](#bkmk-secextensions)

                                                                                  +

                                                                                  Security Settings extension to Group Policy

                                                                                  Edits individual security settings on a domain, site, or organizational unit.

                                                                                  -

                                                                                  [Local Security Policy](#bkmk-localsecpol)

                                                                                  +

                                                                                  Local Security Policy

                                                                                  Edits individual security settings on your local computer.
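Review bot: the Security Configuration and Analysis row in this hunk carries the same description as the Security templates row below it ("Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer."), which does not describe that tool; since the row is already being edited, give it a description that matches the file's own section, which calls it an MMC snap-in for analyzing and configuring local system security. The hunk also replaces the `(#bkmk-seccfgana)`, `(#bkmk-sectmpl)`, `(#bkmk-secextensions)` and `(#bkmk-localsecpol)` in-page links with plain text, so the table no longer jumps to the sections it summarizes; keep the anchors, as HTML `<a href="#...">` if markdown links do not render inside this table.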

                                                                                  @@ -208,7 +208,7 @@ The following table lists the features of the Security Configuration Manager. -  + ### Security Configuration and Analysis Security Configuration and Analysis is an MMC snap-in for analyzing and configuring local system security. @@ -317,7 +317,7 @@ For example, a workstation that is joined to a domain will have its local securi both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence. > **Note**  Use gpresult.exe to find out what policies are applied to a device and in what order. For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies. -  + **Persistence in security settings** Security settings may still persist even if a setting is no longer defined in the policy that originally applied it. @@ -383,7 +383,7 @@ Security Configuration and Analysis displays the analysis results by security ar -  + If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis. To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template. diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md index 211d76d062..ee0f5f1b86 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md 
+++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md @@ -28,7 +28,7 @@ Describes the best practices, location, values, policy management, and security This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller. > **Note:**  Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right. -  + Constant: SeInteractiveLogonRight ### Possible values @@ -71,7 +71,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Account Operators
                                                                                  Administrators
                                                                                  Backup Operators
                                                                                  Print Operators
                                                                                  Server Operators | | Member Server Effective Default Settings | Administrators
                                                                                  Backup Operators
                                                                                  Users | | Client Computer Effective Default Settings | Administrators
                                                                                  Backup Operators
                                                                                  Users | -  + ## Policy management Restarting the device is not required to implement this change. @@ -111,5 +111,5 @@ If you remove these default groups, you could limit the abilities of users who a ## Related topics - [User Rights Assignment](user-rights-assignment.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md index 7df988cabb..4725c3e9ba 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md 
@@ -94,7 +94,7 @@ Any account with the **Allow log on through Remote Desktop Services** user right For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups. > **Caution:**  For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default. -  + Alternatively, you can assign the **Deny log on through Remote Desktop Services** user right to groups such as Account Operators, Server Operators, and Guests. However, be careful when you use this method because you could block access to legitimate administrators who also belong to a group that has the **Deny log on through Remote Desktop Services** user right. ### Potential impact @@ -104,5 +104,5 @@ Removal of the **Allow log on through Remote Desktop Services** user right from ## Related topics - [User Rights Assignment](user-rights-assignment.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index f3df693cc4..4fcca719b6 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md 
@@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled | | Member Server Effective Default Settings | Disabled | | Client Computer Effective Default Settings | Disabled | -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -90,7 +90,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf | 4660 | An object was deleted. | | 4661 | A handle to an object was requested. | | 4663 | An attempt was made to access an object. | -  + If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is configured, the following events are generated: | Event ID | Event message | diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index cfc795d553..9a078921e7 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -54,7 +54,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled | | Member Server Effective Default Settings | Disabled | | Client Computer Effective Default Settings | Disabled | -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -91,5 +91,5 @@ If you enable this policy setting, a large number of security events could be ge ## Related topics - [Security Options](security-options.md) -  -  + + 
diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md index 3a2dfa3462..1c0450ff49 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md @@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled | | Member Server Effective Default Settings | Enabled | | Client Computer Effective Default Settings | Enabled | -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -95,9 +95,9 @@ Enable audit policy subcategories as needed to track specific events. If you attempt to modify an audit setting by using Group Policy after enabling this setting through the command-line tools, the Group Policy audit setting is ignored in favor of the custom policy setting. To modify audit settings by using Group Policy, you must first disable the **SCENoApplyLegacyAuditPolicy** key. > **Important:**  Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events that are generated can make it difficult to find other types of entries in the security event log. Such a configuration could also have a significant impact on system performance. -  + ## Related topics - [Security Options](security-options.md) -  -  + + 
diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index d6657c6b66..cbdc94c7ae 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -40,7 +40,7 @@ With **Audit: Shut down system immediately if unable to log security audits** se -  + To recover, you must log on, archive the log (optional), clear the log, and reset this option as desired. If the computer is unable to record events to the security log, critical evidence or important troubleshooting information might not be available for review after a security incident. @@ -71,7 +71,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled | Member Server Effective Default Settings | Disabled | Client Computer Effective Default Settings | Disabled -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -104,5 +104,5 @@ If you enable this policy setting, the administrative burden can be significant, ## Related topics - [Security Options](security-options.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md index 26625f4c7d..550e21d847 100644 --- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md 
@@ -77,7 +77,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Administrators
                                                                                  Backup Operators
                                                                                  Server Operators| | Member Server Effective Default Settings | Administrators
                                                                                  Backup Operators| | Client Computer Effective Default Settings | Administrators
                                                                                  Backup Operators| -  + ## Policy management A restart of the device is not required for this policy setting to be effective. @@ -114,5 +114,5 @@ Changes in the membership of the groups that have the **Back up files and direct ## Related topics - [User Rights Assignment](user-rights-assignment.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md index 6bf7e2dd7c..a485a13590 100644 --- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md +++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md @@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Administrators
                                                                                  Authenticated Users
                                                                                  Everyone
                                                                                  Local Service
                                                                                  Network Service
                                                                                  Pre-Windows 2000 Compatible Access| | Member Server Effective Default Settings | Administrators
                                                                                  Backup Operators
                                                                                  Users
                                                                                  Everyone
                                                                                  Local Service
                                                                                  Network Service| | Client Computer Effective Default Settings | Administrators
                                                                                  Backup Operators
                                                                                  Users
                                                                                  Everyone
                                                                                  Local Service
                                                                                  Network Service| -  + ## Policy management Permissions to files and folders are controlled though the appropriate configuration of file system access control lists (ACLs).The ability to traverse the folder does not provide any Read or Write permissions to the user. @@ -97,5 +97,5 @@ The Windows operating systems and many applications were designed with the expec ## Related topics - [User Rights Assignment](user-rights-assignment.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md index 423493131c..3729af5440 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values. Defaul | DC Effective Default Settings | Administrators
                                                                                  Server Operators
                                                                                  Local Service| | Member Server Effective Default Settings | Administrators
                                                                                  Local Service| | Client Computer Effective Default Settings | Administrators
                                                                                  Local Service| -  + ## Policy management This section describes features, tools and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md index d01a36d5e2..21918a8f75 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md @@ -55,7 +55,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Administrators
                                                                                  Users| | Member Server Effective Default Settings | Administrators
                                                                                  Users| | Client Computer Effective Default Settings | Administrators
                                                                                  Users| -  + ## Policy management A restart of the device is not required for this policy setting to be effective. diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md index 0a6d48fdb7..869edc69a5 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md @@ -59,7 +59,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Administrators | | Member Server Effective Default Settings | Administrators | | Client Computer Effective Default Settings | Administrators | -  + ## Policy management A restart of the device is not required for this policy setting to be effective. diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md index e2104b7abb..2aab29e91a 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md @@ -59,7 +59,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Local System | | Member Server Effective Default Settings | Local System | | Client Computer Effective Default Settings | Local System | -  + ## Policy management A restart of the device is not required for this policy setting to be effective. 
@@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability >**Caution:**  A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts. -  + Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any account on a computer if they are currently logged on. They could escalate their privileges or create a DoS condition. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md index 4076e8cc39..6093dfc046 100644 --- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md @@ -59,7 +59,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Administrators
                                                                                  Local Service
                                                                                  Network Service
                                                                                  Service| | Member Server Effective Default Settings | Administrators
                                                                                  Local Service
                                                                                  Network Service
                                                                                  Service| | Client Computer Effective Default Settings | Administrators
                                                                                  Local Service
                                                                                  Network Service
                                                                                  Service| -  + ## Policy management A restart of the device is not required for this policy setting to take effect. diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md index da94ddf382..99d3c81d18 100644 --- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | **LocalSystem**| | Member Server Effective Default Settings | **LocalSystem**| | Client Computer Effective Default Settings | **LocalSystem**| -  + ## Policy management This section describes different features and tools available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md index 6678db03a9..e361acf1d9 100644 --- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md +++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md @@ -60,7 +60,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Administrators| | Member Server Effective Default Settings | Administrators| | Client Computer Effective Default Settings | Administrators| -  + ## Policy management This section describes different features and tools available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 615f205dc7..4d60dbd07d 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Not defined | | Member Server Effective Default Settings | Not defined | | Client Computer Effective Default Settings | Not defined | -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -96,5 +96,5 @@ Windows implements default COM ACLs when they are installed. Modifying these ACL ## Related topics - [Security Options](security-options.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index c7e911144d..01185ae6a6 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md 
@@ -58,7 +58,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Not defined| | Member Server Effective Default Settings | Not defined | | Client Computer Effective Default Settings | Not defined| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md index d916d60bac..cb03383fb3 100644 --- a/windows/security/threat-protection/security-policy-settings/debug-programs.md +++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Administrators | | Member Server Effective Default Settings | Administrators | | Client Computer Effective Default Settings | Administrators | -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md index 54b2ff4a1d..1ffae4c1ad 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md 
@@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Guest | | Member Server Effective Default Settings | Guest | | Client Computer Effective Default Settings | Guest | -  + ## Policy management This section describes features and tools available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md index 777d668f06..ad211f1718 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md @@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Not defined | | Member Server Effective Default Settings | Not defined | | Client Computer Effective Default Settings | Not defined | -  + ## Policy management This section describes features and tools available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md index 2f12921ead..2da4ae7aa5 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md @@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Not defined | | Member Server Effective Default Settings | Not defined | | Client Computer Effective Default Settings | Not defined | -  + ## Policy management This section describes features and tools available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md index 03bd4e233c..c29d301d15 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md @@ -56,7 +56,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Not defined| | Member Server Effective Default Settings | Not defined| | Client Computer Effective Default Settings | Not defined| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md index c0de169510..621bf61523 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md @@ -55,7 +55,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Not defined| | Member Server Effective Default Settings | Not defined| | Client Computer Effective Default Settings | Not defined| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md index 3099614d43..b9c5b91f0b 100644 
--- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must log on to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission. >**Note:**  Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. -  + Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that do not have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices ### Possible values @@ -58,7 +58,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings | Enabled| | Client Computer Effective Default Settings| Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md index 63c57cb24a..63a755d174 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Administrators| | Member Server Effective Default Settings | Administrators| | Client Computer Effective Default Settings | Not defined| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index b915e7951a..6b2c51d931 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md @@ -58,7 +58,7 @@ Server type or GPO | Default value | | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings | Enabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index 5dba3f07ba..efc1e8ea6f 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -59,7 +59,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled | | Member Server Effective Default Settings | Disabled | | Client Computer Effective Default Settings | Disabled | -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index ee38a90960..f0de6a47fe 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -58,7 +58,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md index b3d01dd5d9..42e3ec17e1 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account. >**Note:**  This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool. -  + Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is the Local System account. This means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group. The impact of enabling this policy setting should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job. 
@@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Not defined| | Member Server Effective Default Settings | Not defined| | Client Computer Effective Default Settings | Not defined| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md index 8dedc1fbf7..473772b9bc 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md @@ -35,7 +35,7 @@ This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/ If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389). >**Caution:**  If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server. -  + ### Possible values - None. Data signatures are not required to bind with the server. If the client computer requests data signing, the server supports it. @@ -62,7 +62,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | None| | Member Server Effective Default Settings | None| | Client Computer Effective Default Settings | None| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md index 6ff80d6d0b..91a78717ea 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md @@ -62,7 +62,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Not applicable| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index 5d90410137..5440a05596 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md 
@@ -47,27 +47,27 @@ When a device joins a domain, a machine account is created. After joining the do ### Possible values -- Enabled +- Enabled - The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure - channel traffic. + The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure + channel traffic. -- Disabled +- Disabled - The encryption and signing of all secure channel traffic is negotiated with the domain controller, in which case the level of signing and encryption depends on the version of the domain controller and the settings of the following policies: + The encryption and signing of all secure channel traffic is negotiated with the domain controller, in which case the level of signing and encryption depends on the version of the domain controller and the settings of the following policies: - 1. [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - 2. [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) + 1. [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) + 2. 
[Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) -- Not defined -### Best practices +- Not defined + ### Best practices -- Set **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled**. -- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. -- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. +- Set **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled**. +- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. +- Set [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) to **Enabled**. >**Note:**  You can enable the policy settings [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) on all devices in the domain that support these policy settings without affecting earlier-version clients and applications. -  + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options @@ -84,7 +84,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings | Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index 0002e3f79a..e91f76f50f 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md @@ -53,7 +53,7 @@ When a device joins a domain, a machine account is created. After joining the do The domain member will not attempt to negotiate secure channel encryption. >**Note:**  If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten. -   + - Not defined ### Best practices @@ -78,7 +78,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md index 303d5dfef5..ad341bc3f9 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md 
@@ -55,11 +55,11 @@ When a device joins a domain, a machine account is created. After joining the do ### Best practices -- Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**. -- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. -- Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**. ->**Note:**  You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications. -  +- Set [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled**. +- Set [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) to **Enabled**. +- Set **Domain member: Digitally sign secure channel data (when possible)** to **Enabled**. + >**Note:** You can enable the other two policy settings, Domain member: [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) and **Domain member: Digitally sign secure channel data (when possible)**, on all devices joined to the domain that support these policy settings without affecting earlier-version clients and applications. + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options 
@@ -76,7 +76,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md index 0761901c3d..bc76ebc546 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index ed1117e3d5..a9d641a335 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md 
@@ -59,7 +59,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | 30 days| | Member Server Effective Default Settings|30 days| | Client Computer Effective Default Settings | 30 days| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md index edc1e165f5..f4021623d1 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md 
@@ -20,13 +20,13 @@ ms.date: 04/19/2017 # Domain member: Require strong (Windows 2000 or later) session key **Applies to** -- Windows 10 +- Windows 10 Describes the best practices, location, values, and security considerations for the **Domain member: Require strong (Windows 2000 or later) session key** security policy setting. ## Reference -The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys. +The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and session-hijacking network attacks. Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the name of the sender, or it can be redirected. 
@@ -34,7 +34,7 @@ Whenever possible, you should take advantage of these stronger session keys to h - Enabled - When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running at least Windows 2000 Server. + When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running at least Windows 2000 Server. - Disabled @@ -44,7 +44,7 @@ Whenever possible, you should take advantage of these stronger session keys to h ### Best practices -- It is advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled. +- It is advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled. ### Location 
@@ -55,15 +55,16 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. | Server type or GPO -| Default value -| - | - | -| Default Domain Policy | Not defined | -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Disabled| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Disabled| -  + +| Default value | +|--------------------------------------------| +| Default Domain Policy | +| Default Domain Controller Policy | +| Stand-Alone Server Default Settings | +| DC Effective Default Settings | +| Member Server Effective Default Settings | +| Client Computer Effective Default Settings | + ## Policy management 
@@ -85,13 +86,13 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger starting with Windows 2000. +Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger starting with Windows 2000. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdrop. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.) ### Countermeasure -Enable the **Domain member: Require strong (Windows 2000 or later) session key** setting. +Enable the **Domain member: Require strong (Windows 2000 or later) session key** setting. If you enable this policy setting, all outgoing secure channel traffic requires a strong encryption key. If you disable this policy setting, the key strength is negotiated. You should enable this policy setting only if the domain controllers in all trusted domains support strong keys. By default, this policy setting is disabled. diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index ba894db1ca..090bb9f3bf 100644 --- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md 
@@ -60,7 +60,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Administrators| | Member Server Effective Default Settings | Administrators| | Client Computer Effective Default Settings | Administrators| -  + ## Policy management This section describes features, tools and guidance to help you manage this policy. @@ -98,7 +98,7 @@ after a security incident. The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there is a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default. >**Note:**  There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers. -  + ### Potential impact None. Not defined is the default configuration. diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md index 913ceeaf40..43ed37c3fc 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md @@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain controller effective default settings | 24 passwords remembered| | Member server effective default settings | 24 passwords remembered| | Effective GPO default settings on client computers | 24 passwords remembered| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. 
@@ -78,7 +78,7 @@ The longer a user uses the same password, the greater the chance that an attacke If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you do not also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password. >**Note:**  After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised. -  + ### Countermeasure Configure the **Enforce password history** policy setting to 24 (the maximum setting) to help minimize the number of vulnerabilities that are caused by password reuse. diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md index 7ee7cd4584..ac0af26a19 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md @@ -56,7 +56,7 @@ The following table lists the actual and effective default policy values. Defaul | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Not applicable| | Client Computer Effective Default Settings | Not applicable| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md index c709c79580..d21bf2cf15 100644 --- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md +++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Administrators
                                                                                  Server Operators| | Member Server Effective Default Settings | Administrators| | Client Computer Effective Default Settings | Administrators| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md index 11d3c21324..d6a7cf2241 100644 --- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md @@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Local Service
                                                                                  Network Service| | Member Server Effective Default Settings | Local Service
                                                                                  Network Service| | Client Computer Effective Default Settings | Local Service
                                                                                  Network Service| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md index 3afa522d29..51660a31fe 100644 --- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md @@ -42,7 +42,7 @@ When a local setting is inaccessible, it indicates that a GPO currently controls > [!NOTE] > - Some security policy settings require that the device be restarted before the setting takes effect. > - Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. -   + ## To configure a security policy setting using the Local Group Policy Editor console You must have the appropriate permissions to install and use the Microsoft Management Console (MMC), and to update a Group Policy Object (GPO) on the domain controller to perform these procedures. @@ -58,12 +58,12 @@ You must have the appropriate permissions to install and use the Microsoft Manag > [!NOTE] > If this security policy has not yet been defined, select the **Define these policy settings** check box. -   + 5. Modify the security policy setting, and then click **OK**. > [!NOTE] > If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console. -  + ## To configure a setting for a domain controller The following procedure describes how to configure a security policy setting for only a domain controller (from the domain controller). 
@@ -78,13 +78,13 @@ The following procedure describes how to configure a security policy setting for > [!NOTE] > If this security policy has not yet been defined, select the **Define these policy settings** check box. -   + 4. Modify the security policy setting, and then click **OK**. > [!IMPORTANT]   > - Always test a newly created policy in a test organizational unit before you apply it to your network. > - When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings. -  + ## Related topics - [Security policy settings reference](security-policy-settings-reference.md) diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md index 303e381873..1d241529ee 100644 --- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md @@ -69,7 +69,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Administrators
                                                                                  Local Service
                                                                                  Network Service
                                                                                  Service| | Member Server Effective Default Settings | Administrators
                                                                                  Local Service
                                                                                  Network Service
                                                                                  Service| | Client Computer Effective Default Settings | Administrators
                                                                                  Local Service
                                                                                  Network Service
                                                                                  Service| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md index 68a474672e..1225e25cd9 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md +++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings| Users| | Member Server Effective Default Settings | Users| | Client Computer Effective Default Settings | Users| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md index 7ecad47f1a..dbb2b2c45b 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md @@ -55,7 +55,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Domain controller effective default settings | Disabled| | Member server effective default settings | Disabled| | Effective GPO default settings on client computers | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 32e0f0d37a..802f0fdc28 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -61,7 +61,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md index 1b1848c1c3..e1d64c8cfd 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md @@ -56,7 +56,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Domain controller effective default settings | Not defined| | Member server effective default settings | Not defined| | Effective GPO default settings on client computers | Not defined| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md index 24f0a98553..1622780408 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md @@ -56,7 +56,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled | | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index 0dcb32346b..b836aabd10 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -56,7 +56,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index ca19c35f8e..dafe367748 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -42,12 +42,12 @@ The possible values for this setting are: ### Best practices -- It is advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following: +- It is advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following: - 1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. - 2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information. ->**Important:**  Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments. -  + 1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. + 2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information. + >**Important:** Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments. + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options 
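Review bot: In the `@@ -42,12` hunk of interactive-logon-message-text-for-users-attempting-to-log-on.md the `>**Important:**` callout moves from a standalone block after the list to an indented line under the `- It is advisable to set ...` bullet, together with the `1.` and `2.` items; confirm that nesting is intended, because the legal/HR approval caveat previously applied to the whole Best practices section rather than to one bullet. If it is intended, the `1.`, `2.` and `>` lines all need an indent of at least the bullet's content offset (two spaces for `- `) so the blockquote stays inside the list item instead of breaking out after the numbered items; if it is not, keep `>**Important:**` at column 0 with a blank line before it. The same hunk also collapses `>**Important:**  Any warning` to a single space after the label while this file's `>**Note:**  Any warning message` in the `@@ -93,7` hunk keeps the double (non-breaking) space; pick one form for both.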
@@ -64,7 +64,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Not defined| | Member Server Effective Default Settings | Not defined| | Client Computer Effective Default Settings | Not defined| -  + ## Policy management This section describes different requirements to help you manage this policy. @@ -93,7 +93,7 @@ Users often do not understand the importance of security practices. However, the Configure the **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) settings to an appropriate value for your organization. >**Note:**  Any warning message that displays should be approved by your organization's legal and human resources representatives. -  + ### Potential impact Users see a message in a dialog box before they can log on to the server console. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index f3e871cd10..a66a0bb4f3 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -67,7 +67,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Not defined| | Member Server Effective Default Settings | Not defined| | Client Computer Effective Default Settings | Not defined| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -96,7 +96,7 @@ Users often do not understand the importance of security practices. However, the Configure the [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) and **Interactive logon: Message title for users attempting to log on** settings to an appropriate value for your organization. >**Note:**  Any warning message that displays should be approved by your organization's legal and human resources representatives. -  + ### Potential impact Users see a message in a dialog box before they can log on to the server console. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 9515dcee3f..de6c9be4ad 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -66,7 +66,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | No effect| | Member Server Effective Default Settings | 10 logons| | Client Computer Effective Default Settings| 10 logons| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index e0e6fbf633..e76c70eaa0 100644 
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | 5 days | | Member Server Effective Default Settings| 5 days | | Client Computer Effective Default Settings | 5 days| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 3f23da83fc..4fcccdefa1 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md @@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md index 4d68c9b8c4..6660f7a19e 100644 
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md @@ -56,7 +56,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md index 3ee0c74e91..07d967bae1 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md @@ -69,7 +69,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | No Action| | Member Server Effective Default Settings | No Action| | Client Computer Effective Default Settings | No Action| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md index 37b3ee494c..b99dec5d92 100644 --- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md +++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md 
@@ -33,14 +33,14 @@ countermeasures you can take, and the potential impact for each setting. ## In this section -| Topic | Description | -| - | - | -| [Enforce user logon restrictions](enforce-user-logon-restrictions.md) | Describes the best practices, location, values, policy management, and security considerations for the **Enforce user logon restrictions** security policy setting.| -| [Maximum lifetime for service ticket](maximum-lifetime-for-service-ticket.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for service ticket** security policy setting.| -| [Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket** policy setting.| -| [Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket renewal** security policy setting.| -| [Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum tolerance for computer clock synchronization** security| policy setting. 
-  +| Topic | Description | +|-----------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [Enforce user logon restrictions](enforce-user-logon-restrictions.md) | Describes the best practices, location, values, policy management, and security considerations for the **Enforce user logon restrictions** security policy setting. | +| [Maximum lifetime for service ticket](maximum-lifetime-for-service-ticket.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for service ticket** security policy setting. | +| [Maximum lifetime for user ticket](maximum-lifetime-for-user-ticket.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket** policy setting. | +| [Maximum lifetime for user ticket renewal](maximum-lifetime-for-user-ticket-renewal.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum lifetime for user ticket renewal** security policy setting. | +| [Maximum tolerance for computer clock synchronization](maximum-tolerance-for-computer-clock-synchronization.md) | Describes the best practices, location, values, policy management, and security considerations for the **Maximum tolerance for computer clock synchronization** security | + ## Related topics - [Configure security policy settings](how-to-configure-security-policy-settings.md) diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md index db462631ac..d80474a5ab 100644 
--- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md @@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Administrators
                                                                                  Print Operators | | Member Server Effective Default Settings | Administrators| | Client Computer Effective Default Settings | Administrators| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. @@ -90,7 +90,7 @@ This section describes how an attacker might exploit a feature or its configurat Device drivers run as highly privileged code. A user who has the **Load and unload device drivers** user right could unintentionally install malware that masquerades as a device driver. Administrators should exercise care and install only drivers with verified digital signatures. >**Note:**  You must have this user right or be a member of the local Administrators group to install a new driver for a local printer or to manage a local printer and configure defaults for options such as duplex printing. -  + ### Countermeasure Do not assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, do not assign this user right to any user or group other than Domain Admins. diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md index cb25309de5..9c53d5bb73 100644 --- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md +++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md 
@@ -33,7 +33,7 @@ Normally, an application running on Windows can negotiate for more physical memo Enabling this policy setting for a specific account (a user account or a process account for an application) prevents paging of the data. Thereby, the amount of memory that Windows can reclaim under pressure is limited. This could lead to performance degradation. >**Note:**  By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system. -  + Constant: SeLockMemoryPrivilege ### Possible values @@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Not defined| | Member Server Effective Default Settings | Not defined| | Client Computer Effective Default Settings | Not defined| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md index afa03c2b93..3b2f31c5ee 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md @@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Administrators
                                                                                  Backup Operators
                                                                                  Performance Log Users| | Member Server Effective Default Settings | Administrators
                                                                                  Backup Operators
                                                                                  Performance Log Users| | Client Computer Effective Default Settings | Administrators| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md index 14d5d0b1d9..5d897aa891 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Network Service| | Member Server Effective Default Settings| Network Service| | Client Computer Effective Default Settings | Network Service| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md index bd01d5654e..cec2f34a4c 100644 --- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md +++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md @@ -59,7 +59,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Administrators| | Member Server Effective Default Settings | Administrators| | Client Computer Effective Default Settings| Administrators| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. 
@@ -100,7 +100,7 @@ Ensure that only the local Administrators group has the **Manage auditing and se Restricting the **Manage auditing and security log** user right to the local Administrators group is the default configuration. >**Warning:**  If groups other than the local Administrators group have been assigned this user right, removing this user right might cause performance issues with other applications. Before removing this right from a group, investigate whether applications are dependent on this right. -  + ## Related topics - [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md index 48d1bd0bbf..2ba4e7f98c 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values. Defaul | DC Effective Default Settings | 600 minutes| | Member Server Effective Default Settings | Not applicable| | Client Computer Effective Default Settings | Not applicable| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md index e86d88cbaf..d4fc263448 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md 
@@ -55,7 +55,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | 7 days| | Member Server Effective Default Settings | Not applicable| | Client Computer Effective Default Settings | Not applicable| -  + ### Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md index 5eea8c0e1e..930089e0dd 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md @@ -55,7 +55,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | 10 hours| | Member Server Effective Default Settings | Not applicable| | Client Computer Effective Default Settings | Not applicable| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md index 0f49c0a8de..00c2b3a1a2 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md 
@@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days. >**Note:**  Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**. -  + ### Possible values - User-specified number of days between 0 and 999 @@ -55,7 +55,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain controller effective default settings | 42 days| | Member server effective default settings | 42 days| | Effective GPO default settings on client computers| 42 days| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md index 63315cd157..cac506ca6d 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md 
@@ -56,7 +56,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings| 5 minutes| | Member Server Effective Default Settings | Not applicable| | Client Computer Effective Default Settings | Not applicable| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 33936f7443..a5b52f4b4f 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -17,7 +17,7 @@ ms.date: 06/28/2018 # Microsoft network client: Digitally sign communications (always) **Applies to** -- Windows 10 +- Windows 10 - Windows Server Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. 
@@ -32,10 +32,12 @@ Beginning with SMBv2 clients and servers, signing can be either required or not There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2. -| | Server – Required | Server – Not Required | -|---|-------------------|-----------------------| -| **Client – Required** | Signed | Signed | + +| | Server – Required | Server – Not Required | +|---------------------------|---------------------|------------------------| +| **Client – Required** | Signed | Signed | | **Client – Not Required** | Signed 1 | Not Signed2 | +
                                                                                  1 Default for domain controller SMB traffic
                                                                                  2 Default for all other SMB traffic @@ -67,7 +69,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -90,9 +92,9 @@ SMB is the resource-sharing protocol that is supported by many Windows operating Enable **Microsoft network client: Digitally sign communications (always)**. ->[!NOTE]   +>[!NOTE] >An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. -  + ### Potential impact Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you are using a 1 Gb Ethernet network or slower storage speed with a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing may be greater. diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index 3249ec6314..a3a1d550e4 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md 
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -61,7 +61,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings| Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index e458387bf9..eec79a7055 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -20,7 +20,7 @@ ms.date: 04/19/2017 # Microsoft network server: Amount of idle time required before suspending session **Applies to** -- Windows 10 +- Windows 10 Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. 
@@ -50,15 +50,16 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. -| Server type or GPO Default value | -| - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined | -| Stand-Alone Server Default Settings | 15 minutes| -| DC Effective Default Settings | 15 minutes| -| Member Server Effective Default Settings | 15 minutes| -| Client Computer Effective Default Settings | 15 minutes| -  + +| Server type or GPO Default value | +|--------------------------------------------| +| Default Domain Policy | +| Default Domain Controller Policy | +| Stand-Alone Server Default Settings | +| DC Effective Default Settings | +| Member Server Effective Default Settings | +| Client Computer Effective Default Settings | + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index afaaf59a1e..130fb31904 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md 
@@ -69,7 +69,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings| Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index beb59e14f6..b5aa866a84 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -20,7 +20,7 @@ ms.date: 06/21/2018 # Microsoft network server: Digitally sign communications (always) **Applies to** -- Windows 10 +- Windows 10 - Windows Server Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. @@ -35,10 +35,12 @@ Beginning with SMBv2 clients and servers, signing can be either required or not There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2. -| | Server – Required | Server – Not Required | -|---|-------------------|-----------------------| -| **Client – Required** | Signed | Signed | + +| | Server – Required | Server – Not Required | +|---------------------------|---------------------|------------------------| +| **Client – Required** | Signed | Signed | | **Client – Not Required** | Signed 1 | Not Signed2 | +
                                                                                  1 Default for domain controller SMB traffic
                                                                                  2 Default for all other SMB traffic @@ -70,7 +72,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -93,9 +95,9 @@ SMB is the resource-sharing protocol that is supported by many Windows operating Enable **Microsoft network server: Digitally sign communications (always)**. ->[!NOTE]   +>[!NOTE] >An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. -  + ### Potential impact Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you are using a 1 Gb Ethernet network or slower storage speed with a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing may be greater. diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index ff37db315e..6e1da49f14 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md 
@@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings| Enabled | | Member Server Effective Default Settings| Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md index 853b30f236..e54608a533 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md @@ -53,7 +53,7 @@ The default setting is Off. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. >**Note:**  All Windows operating systems support a client-side SMB component and a server-side SMB component. -  + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options @@ -70,7 +70,7 @@ The following table lists the actual and effective default values for this polic | Domain controller effective default settings| Validation level check not implemented| | Member server effective default settings | Validation level check not implemented| | Effective GPO default settings on client computers | Validation level check not implemented| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 3802271de3..a4c892bb3b 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -59,7 +59,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain controller effective default settings | 1 day| | Member server effective default settings | 1 day| | Effective GPO default settings on client computers| 1 day| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md index 57d6eddd0f..7917efbce4 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain controller effective default settings | 7 characters| | Member server effective default settings | 7 characters| | Effective GPO default settings on client computers | 0 characters| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. 
@@ -81,7 +81,7 @@ Configure the **** policy setting to a value of 8 or more. If the number of char In most environments, we recommend an eight-character password because it is long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack. >**Note:**  Some jurisdictions have established legal requirements for password length as part of establishing security regulations. -  + ### Potential impact Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover. diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md index eb57648109..d063da47e0 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md +++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md 
@@ -67,7 +67,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Not defined| | Member Server Effective Default Settings | Not defined| | Client Computer Effective Default Settings | Not defined| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md index e427f0eb81..7ad95e9f59 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md +++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md @@ -66,7 +66,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Adminstrators| | Member Server Effective Default Settings | Adminstrators| | Client Computer Effective Default Settings | Adminstrators| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md index dc224a5438..2e17d9dba9 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md 
@@ -64,7 +64,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Disabled| | Client Computer Effective Default Settings | Disabled| -  + ### Operating system version differences The default value of this setting has changed between operating systems as follows: diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index bdb6af5dd1..42270f6a74 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index 7e9e7aa515..e957638eb9 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md 
@@ -58,7 +58,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 61135933c1..4078193cc3 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic | Domain controller effective default settings| Not defined| | Member server effective default settings | Not defined| | Effective GPO default settings on client computers | Not defined| -  + ### Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -82,7 +82,7 @@ This section describes how an attacker might exploit a feature or its configurat Passwords that are cached can be accessed by the user when logged on to the device. Although this information may sound obvious, a problem can arise if the user unknowingly runs malicious software that reads the passwords and forwards them to another, unauthorized user. >**Note:**  The chances of success for this exploit and others that involve malicious software are reduced significantly for organizations that effectively implement and manage an enterprise antivirus solution combined with sensible software restriction policies. -  + Regardless of what encryption algorithm is used to encrypt the password verifier, a password verifier can be overwritten so that an attacker can authenticate as the user to whom the verifier belongs. Therefore, the administrator's password may be overwritten. This procedure requires physical access to the device. Utilities exist that can help overwrite the cached verifier. By using one of these utilities, an attacker can authenticate by using the overwritten value. Overwriting the administrator's password does not help the attacker access data that is encrypted by using that password. Also, overwriting the password does not help the attacker access any Encrypting File System (EFS) data that belongs to other users on that device. Overwriting the password does not help an attacker replace the verifier, because the base keying material is incorrect. Therefore, data that is encrypted by using Encrypting File System or by using the Data Protection API (DPAPI) will not decrypt. diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md index 0ae965d782..3951aa3864 100644 
--- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md @@ -62,7 +62,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md index c54e3eeabe..cfb1f5e23c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md @@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Netlogon, samr, lsarpc| | Member Server Effective Default Settings | Not defined| | Client Computer Effective Default Settings | Not defined| -  + ## Policy management This section describes different features and tools available to help you manage this policy. 
@@ -86,7 +86,7 @@ You can restrict access over named pipes such as COMNAP and LOCATOR to help prev | LOCATOR | Remote Procedure Call Locator service named pipe.| | TrlWks | Distributed Link Tracking Client named pipe.| | TrkSvr | Distributed Link Tracking Server named pipe.| -  + ### Countermeasure Configure the **Network access: Named Pipes that can be accessed anonymously** setting to a null value (enable the setting but do not specify named pipes in the text box). diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md index ef78867779..e06ab0c6cf 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md @@ -58,7 +58,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | See the following registry key combination| | Member Server Effective Default Settings | See the following registry key combination| | Client Computer Effective Default Settings | See the following registry key combination| -  + The combination of all the following registry keys apply to the previous settings: 1. System\\CurrentControlSet\\Control\\Print\\Printers 
@@ -98,7 +98,7 @@ Configure the **Network access: Remotely accessible registry paths and sub-paths Remote management tools such as MBSA and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail. >**Note:**  If you want to allow remote access, you must also enable the Remote Registry service. -  + ## Related topics - [Security Options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md index f1893755fc..b82dda2f41 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | See the following registry key combination| | Member Server Effective Default Settings | See the following registry key combination| | Client Computer Effective Default Settings | See the following registry key combination| -  + The combination of all the following registry keys apply to the previous settings: 1. System\\CurrentControlSet\\Control\\ProductOptions 
@@ -89,7 +89,7 @@ Configure the **Network access: Remotely accessible registry paths** setting to Remote management tools such as the Microsoft Baseline Security Analyzer (MBSA) and Configuration Manager require remote access to the registry to properly monitor and manage those computers. If you remove the default registry paths from the list of accessible ones, such remote management tools could fail. >**Note:**  If you want to allow remote access, you must also enable the Remote Registry service. -  + ## Related topics - [Security Options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index 77cf86170f..38608bdb4d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings | Enabled| | Client Computer Effective Default Settings| Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index 03afe90868..ecf8f9c8eb 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md 
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -73,9 +73,9 @@ This is the only option to configure this setting by using a user interface (UI) On computers that run earlier versions of Windows, you need to edit the registry setting directly or use Group Policy Preferences. To avoid setting it manually in this case, you can configure the GPO itself on a computer that runs Windows Server 2016 or Windows 10, version 1607 or later and have it apply to all computers within the scope of the GPO because the same registry key exists on every computer after the corresponding KB is installed. -> [!NOTE] +> [!NOTE] > This policy is implemented similarly to other "Network access" policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. - +> > For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path. ## Default values diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md index e427116783..594926f1d8 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md 
@@ -53,7 +53,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Not defined| | Member Server Effective Default Settings | Not defined| | Client Computer Effective Default Settings | Not defined| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md index 4670444a6e..4ec22d8d3f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md 
@@ -30,7 +30,7 @@ This policy setting determines how network logons that use local accounts are au >**Note:**  This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services. When the device is not joined to a domain, this policy setting also tailors the **Sharing** and **Security** tabs in Windows Explorer to correspond to the sharing and security model that is being used. -  + When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This means that they will probably be unable to write to shared folders. Although this does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources. ### Possible values @@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Classic (local users authenticate as themselves)| | Member Server Effective Default Settings | Classic (local users authenticate as themselves)| | Client Computer Effective Default Settings | Classic (local users authenticate as themselves)| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index e089430b8f..0d0633f105 100644 
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -37,7 +37,7 @@ When a service connects with the device identity, signing and encryption are sup | Enabled | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. | | Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.| |Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| -  + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options @@ -53,7 +53,7 @@ The following table lists the actual and effective default values for this polic | Domain controller effective default settings | Not applicable| | Member server effective default settings | Not applicable| | Effective GPO default settings on client computers | Not defined| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
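Review bot: the `>` added on the formerly blank line inside the NOTE callout in the `@@ -73,9 +73,9 @@` hunk of network-access-restrict-clients-allowed-to-make-remote-sam-calls.md (earlier in this patch) is the right fix; without it the "For example, suppose a local administrator configures this setting..." paragraph falls out of the callout and renders as body text, and the "whichever writes last wins" warning loses its example. The trailing-whitespace removal on the `> [!NOTE]` line itself is fine. Worth checking the other files in this batch for the same two-paragraph callout pattern, since a bare `+ ` empty line directly after a `>` line ends the quote block in Markdown.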
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md index 400ed10458..2a4db2ba09 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md @@ -62,7 +62,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Domain controller effective default settings | Not applicable| | Member server effective default settings | Not applicable | | Effective GPO default settings on client computers | Not applicable| -  + ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index c4fa01276f..40dcdcacb1 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
@@ -31,7 +31,7 @@ Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Su When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. >**Note:**  The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**. -  + This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later. ### Possible values @@ -66,7 +66,7 @@ The following table lists the actual and effective default values for this polic | Domain controller effective default settings | Disabled| | Member server effective default settings | Disabled| | Effective GPO default settings on client computers | Disabled| -  + ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index 2e95612de8..66aa8cbcb8 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md 
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -20,7 +20,7 @@ ms.date: 04/19/2017 # Network security: Configure encryption types allowed for Kerberos **Applies to** -- Windows 10 +- Windows 10 Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting. @@ -32,15 +32,16 @@ For more information, see [article 977321](https://support.microsoft.com/kb/9773 The following table lists and explains the allowed encryption types. -| Encryption type | Description and version support | -| - | - | -| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
                                                                                  Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES| by default. -| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
                                                                                  Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. | -| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
                                                                                  Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.| -| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
                                                                                  Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | -| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
                                                                                  Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | -| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.| -  + +| Encryption type | Description and version support | +|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
                                                                                  Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES | +| DES_CBC_MD5 | Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
                                                                                  Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. | +| RC4_HMAC_MD5 | Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
                                                                                  Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | +| AES128_HMAC_SHA1 | Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
                                                                                  Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | +| AES256_HMAC_SHA1 | Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
                                                                                  Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | +| Future encryption types | Reserved by Microsoft for additional encryption types that might be implemented. | + ### Possible values @@ -53,7 +54,7 @@ The encryption type options include: - AES256\_HMAC\_SHA1 - Future encryption types - As of the release of Windows 7 and Windows Server 2008 R2, this is reserved by Microsoft for additional encryption types that might be implemented. + As of the release of Windows 7 and Windows Server 2008 R2, this is reserved by Microsoft for additional encryption types that might be implemented. ### Best practices @@ -64,6 +65,7 @@ You must analyze your environment to determine which encryption types will be su Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options ### Default values + | Server type or Group Policy Object (GPO) | Default value | | - | - | | Default domain policy| Not defined| 
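Review bot: in the rebuilt table (hunk `@@ -32,15 +33,16 @@` of network-security-configure-encryption-types-allowed-for-kerberos.md) the DES_CBC_CRC row now ends with `do not support DES |` while the DES_CBC_MD5 row directly below still reads `do not support DES by default. |`. The old DES_CBC_CRC row had the qualifier stranded after the cell terminator (`do not support DES| by default.`), so the intent was clearly to move it inside the cell, not drop it; suggest `The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. |` so both DES rows make the same claim about the same platforms. The empty `+` line after the table and the one added before the Default values table are what let Markdown render them as tables, good. The description and version-support sentences inside each cell are separated here only by a long run of spaces; confirm the source still carries an explicit line break between them rather than literal padding.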
@@ -72,23 +74,23 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Domain controller effective default settings | The default OS setting applies, DES suites are not supported by default.| | Member server effective default settings | The default OS setting applies, DES suites are not supported by default.| | Effective GPO default settings on client computers | The default OS setting applies, DES suites are not supported by default.| -  + ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. ### Vulnerability -Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running -Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008. +Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running +Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008. ### Countermeasure -Do not configure this policy. This will force the computers running Windows Server 2008 R2 and Windows 7 to use the AES or RC4 cryptographic suites. +Do not configure this policy. This will force the computers running Windows Server 2008 R2 and Windows 7 to use the AES or RC4 cryptographic suites. 
### Potential impact -If you do not select any of the encryption types, computers running Windows Server 2008 R2 and Windows 7 might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. +If you do not select any of the encryption types, computers running Windows Server 2008 R2 and Windows 7 might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows. Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index 11b9d703c3..17bf06d448 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings|Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
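Review bot: the Countermeasure line touched in the `@@ -72,23 +74,23 @@` hunk of network-security-configure-encryption-types-allowed-for-kerberos.md ("Do not configure this policy. This will force ... to use the AES or RC4 cryptographic suites.") conflicts with the Potential impact paragraph a few lines below it ("If you do select any encryption type, you will lower the effectiveness of encryption"). Both cannot be right: selecting only AES128_HMAC_SHA1 and AES256_HMAC_SHA1, which the table in this file lists as supported from Windows Vista and Windows Server 2008 onward, removes RC4 from the negotiable set and weakens nothing relative to the unconfigured "AES or RC4" default; it is selecting DES or RC4 that lowers effectiveness. Since the line is already being rewritten, suggest qualifying it, for example "If you select only older encryption types such as DES or RC4, you will lower the effectiveness...", and noting in Countermeasure that restricting the policy to the AES types is a valid hardening choice when no peer needs RC4.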
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md index 3e1910c2a6..de01e4af31 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md @@ -62,7 +62,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md index 554e70a0b1..2ec253e350 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md 
@@ -57,7 +57,7 @@ authentication level that servers accept. The following table identifies the pol | Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3| | Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication.| 4| | Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication.| 5| -  + ### Best practices - Best practices are dependent on your specific security and authentication requirements. @@ -82,7 +82,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Send NTLMv2 response only| | Member Server Effective Default Settings | Send NTLMv2 response only| | Client Computer Effective Default Settings | Not defined| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md index 9ec08a604c..5e40e6cd9c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md 
@@ -61,7 +61,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Negotiate signing| | Member Server Effective Default Settings | Negotiate signing| | Client Computer Effective Default Settings | Negotiate signing| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index ffc0677f4d..f4f8ccfc54 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md @@ -58,7 +58,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Require 128-bit encryption| | Member Server Effective Default Settings | Require 128-bit encryption| | Client Computer Effective Default Settings | Require 128-bit encryption| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index d3f136de4a..9bcc029641 100644 
--- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -56,7 +56,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Require 128-bit encryption| | Member Server Effective Default Settings | Require 128-bit encryption| | Client Computer Effective Default Settings | Require 128-bit encryption| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index 2ed998b6d9..0674395a3e 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -64,7 +64,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Domain controller effective default settings | Not defined| | Member server effective default settings | Not defined| | Client computer effective default settings| Not defined| -  + ## Policy management This section describes the features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index 8daba87a47..bfc535dbd2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -63,7 +63,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Domain controller effective default settings | Not defined| | Member server effective default settings | Not defined| | Client computer effective default settings | Not defined| -  + ## Policy management This section describes different features and tools available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index db01c9b14a..5fb5f5c0e0 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md @@ -71,7 +71,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Domain controller effective default settings | Not defined| | Member server effective default settings | Not defined| | Client computer effective default settings | Not defined| -  + ## Policy management This section describes different features and tools available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index 8f2df5a424..8c939ae9a5 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -68,7 +68,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Domain controller effective default settings | Not defined| | Member server effective default settings | Not defined| | Client computer effective default settings | Not defined| -  + ## Policy management This section describes different features and tools available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md index b296db863a..01de4dd73c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md @@ -65,7 +65,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Domain controller effective default settings | Not defined| | Member server effective default settings | Not defined| | Client computer effective default settings | Not defined| -  + ## Policy management This section describes different features and tools available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index bf6964a460..ddad0a8565 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -74,7 +74,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Domain controller effective default settings | Not configured| | Member server effective default settings | Not configured | | Client computer effective default settings | Not configured| -  + ## Policy management This section describes different features and tools available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 04ad1fca83..c2a02e239d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md 
@@ -29,7 +29,7 @@ Describes the best practices, location, values, management aspects, and security The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system. >**Warning:**  Modifying this policy setting may affect compatibility with client computers, services, and applications. -  + ### Possible values - **Allow all** @@ -66,7 +66,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Domain controller effective default settings | Not defined| | Member server effective default settings | Not defined| | Client computer effective default settings | Not defined| -  + ## Policy management This section describes different features and tools available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 2d5e912b47..253e07225b 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -81,7 +81,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain controller effective default settings | Enabled| | Member server effective default settings | Enabled| | Effective GPO default settings on client computers | Disabled| -  + ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. 
diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md index f4d4050e3c..daf285e8a4 100644 --- a/windows/security/threat-protection/security-policy-settings/password-policy.md +++ b/windows/security/threat-protection/security-policy-settings/password-policy.md @@ -52,9 +52,9 @@ The following topics provide a discussion of password policy implementation and | [Minimum password length](minimum-password-length.md) | Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.| | [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) | Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.| | [Store passwords using reversible encryption](store-passwords-using-reversible-encryption.md) | Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.| -  + ## Related topics - [Configure security policy settings](how-to-configure-security-policy-settings.md) -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md index 7a6ce057d9..185ef547a9 100644 --- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md 
@@ -59,7 +59,7 @@ The following table lists the actual and effective default policy values. Defaul | DC Effective Default Settings | Administrators| | Member Server Effective Default Settings | Administrators| | Client Computer Effective Default Settings | Administrators| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md index 2ad4fef99f..10841b338e 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md +++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md @@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Administrators| | Member Server Effective Default Settings | Administrators| | Client Computer Effective Default Settings| Administrators| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md index d17294225c..8677916153 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md +++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md 
@@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Administrators| | Member Server Effective Default Settings | Administrators| | Client Computer Effective Default Settings | Administrators| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md index dd435992da..0695e1fc82 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md @@ -64,7 +64,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index 924e7a79e8..20d4c87bf7 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md 
@@ -61,7 +61,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md index 88cb699be1..a19803baed 100644 --- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md +++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md @@ -59,7 +59,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Administrators| | Member Server Effective Default Settings | Administrators| | Client Computer Effective Default Settings | Administrators| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md index 27437c561a..6b6b9fbf97 100644 --- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md +++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md @@ -62,7 +62,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Network Service
                                                                                  Local Service| | Member Server Effective Default Settings | Network Service
                                                                                  Local Service| | Client Computer Effective Default Settings | Network Service
                                                                                  Local Service| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index 35170571f9..7273232870 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md +++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain controller effective default settings | Not defined| | Member server effective default settings | Not defined| | Client computer effective default settings | Not applicable| -  + ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md index 012028406d..e1bc77d9c4 100644 --- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Administrators
                                                                                  Backup Operators
                                                                                  Server Operators| | Member Server Effective Default Settings | Administrators
                                                                                  Backup Operators| | Client Computer Effective Default Settings | Administrators
                                                                                  Backup Operators| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. @@ -92,7 +92,7 @@ This section describes how an attacker might exploit a feature or its configurat An attacker with the **Restore files and directories** user right could restore sensitive data to a computer and overwrite data that is more recent, which could lead to loss of important data, data corruption, or a denial-of-service condition. Attackers could overwrite executable files that are used by legitimate administrators or system services with versions that include malicious software to grant themselves elevated privileges, compromise data, or install programs that provide continued access to the device >**Note:**  Even if the following countermeasure is configured, an attacker could restore data to a computer in a domain that is controlled by the attacker. Therefore, it is critical that organizations carefully protect the media that are used to back up data. -  + ### Countermeasure Ensure that only the local Administrators group is assigned the **Restore files and directories** user right unless your organization has clearly defined roles for backup and for restore personnel. diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index cbb8a24c2f..91a7a91634 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md 
@@ -130,7 +130,7 @@ For info about setting security policies, see [Configure security policy setting | [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. | | [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. | | [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. | -  + ## Related topics - [Security policy settings reference](security-policy-settings-reference.md) diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md index f746fa5c7b..a129a83f56 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md 
@@ -37,5 +37,5 @@ Each policy setting described contains referential content such as a detailed ex | [Security Options](security-options.md) | Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting.| | [Advanced security audit policy settings](secpol-advanced-security-audit-policy-settings.md) | Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.| | [User Rights Assignment](user-rights-assignment.md) | Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.  | -  -  + + diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index 7a0d0e0ce8..ea05d79cc2 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -53,7 +53,7 @@ The Security Settings extension of the Local Group Policy Editor includes the fo - **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both). >**Note:**  For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies. -   + - **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on. 
@@ -84,7 +84,7 @@ Importing a security template to a GPO ensures that any accounts to which the GP offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred. >**Note:**  These refresh settings vary between versions of the operating system and can be configured. -  + By using Group Policy−based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future. ### Dependencies on other operating system technologies @@ -378,7 +378,7 @@ Both Apply Group Policy and Read permissions are required to have the settings f By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or will not have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU. **Note:**  Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it. -  + ### Migration of GPOs containing security settings In some situations, you might want to migrate GPOs from one domain environment to another environment. The two most common scenarios are test-to-production migration, and production-to-production migration. The GPO copying process has implications for some types of security settings. 
diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md index fc4f9baea1..ab59c99e00 100644 --- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md +++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values for the | Domain Controller Effective Default Settings | Administrators
                                                                                  Backup Operators
                                                                                  Server Operators
                                                                                  Print Operators| | Member Server Effective Default Settings | Administrators
                                                                                  Backup Operators| | Client Computer Effective Default Settings | Administrators
                                                                                  Backup Operators
                                                                                  Users| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index 2d1fc4e80a..070f0d589a 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md @@ -63,7 +63,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md index 80bb5800a9..e814cda2fd 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md @@ -59,7 +59,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -77,7 +77,7 @@ This section describes how an attacker might exploit a feature or its configurat Important information that is kept in real memory may be written periodically to the paging file to help Windows handle multitasking functions. An attacker who has physical access to a server that has been shut down could view the contents of the paging file. The attacker could move the system volume into a different device and then analyze the contents of the paging file. Although this process is time consuming, it could expose data that is cached from random access memory (RAM) to the paging file. >**Caution:**  An attacker who has physical access to the device could bypass this countermeasure by unplugging the computer from its power source. -  + ### Countermeasure Enable the **Shutdown: Clear virtual memory page file** setting. This configuration causes the operating system to clear the paging file when the device is shut down. The amount of time that is required to complete this process depends on the size of the page file. Because the process overwrites the storage area that is used by the page file several times, it could be several minutes before the device completely shuts down. diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index 3dadafeb9f..fc1b6be023 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md 
@@ -77,7 +77,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -108,7 +108,7 @@ Configure the settings as follows: In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. >**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. -  + ### Potential impact Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index c00b498ec2..db0f82e3ff 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md 
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -76,7 +76,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -108,7 +108,7 @@ Configure the settings as follows: In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. >**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. -  + ### Potential impact Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index 1a3b2fff23..52f64c04aa 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md 
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md @@ -80,7 +80,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Not defined| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. @@ -111,7 +111,7 @@ Configure the settings as follows: In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. >**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. -  + ### Potential impact Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index d32181428a..71d2f7cacb 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md 
+++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -20,7 +20,7 @@ ms.date: 01/04/2019 # SMBv1 Microsoft network server: Digitally sign communications (if client agrees) **Applies to** -- Windows 10 +- Windows 10 This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](https://support.microsoft.com/help/4034314/smbv1-is-not-installed-by-default-in-windows). @@ -70,15 +70,16 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. -| Server type or GPO Default value | -| - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy| Enabled| -| Stand-Alone Server Default Settings | Not defined| -| DC Effective Default Settings | Enabled| -| Member Server Effective Default Settings|Not defined| -| Client Computer Effective Default Settings | Disabled| -  + +| Server type or GPO Default value | +|--------------------------------------------| +| Default Domain Policy | +| Default Domain Controller Policy | +| Stand-Alone Server Default Settings | +| DC Effective Default Settings | +| Member Server Effective Default Settings | +| Client Computer Effective Default Settings | + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -108,8 +109,8 @@ Configure the settings as follows: In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. ->**Note:**  An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. -  +>**Note:** An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. + ### Potential impact SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md index 7454781cd3..8541cc65f4 100644 --- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md +++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md 
@@ -41,7 +41,7 @@ Information Services (IIS) also requires that you enable this policy setting. Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. This presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers. >**Note:**  Do not enable this policy setting unless business requirements outweigh the need to protect password information. -  + ### Location **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** @@ -58,7 +58,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain controller effective default settings | Disabled| | Member server effective default settings | Disabled| | Effective GPO default settings on client computers | Disabled| -  + ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md index 11a22024c7..576180c4a9 100644 --- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md +++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md 
@@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Enabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index 909e03d319..ba27c35ef2 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -57,7 +57,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Not defined| | Member Server Effective Default Settings | Not defined| | Client Computer Effective Default Settings| Not defined| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index 00238048d3..3b79ce3312 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md 
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -74,7 +74,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ### Operating system version differences When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and the Windows Server 2003 implementation of EFS uses the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX. @@ -87,7 +87,7 @@ When this setting is enabled, BitLocker generates recovery password or recovery | Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| | Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| | Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index e211f9018f..6023a2ff25 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md 
+++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -62,7 +62,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md index 6c1e055187..c2622812bc 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -54,7 +54,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md index 9b0f41818c..022104ca8d 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md 
@@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | POSIX| | Member Server Effective Default Settings| POSIX| | Client Computer Effective Default Settings | POSIX| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index 7105629c71..3e33a4112d 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md @@ -55,7 +55,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md index f41a74a650..be428efa89 100644 --- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md +++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md 
@@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values. Defaul | Domain Controller Effective Default Settings | Administrators| | Member Server Effective Default Settings | Administrators| | Client Computer Effective Default Settings | Administrators| -  + ## Policy management This section describes features, tools, and guidance to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index 28a0a7694d..623538938f 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -30,7 +30,7 @@ When the Admin Approval Mode is enabled, the local administrator account functio > [!NOTE] > If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled. -  + ### Possible values - Enabled @@ -66,7 +66,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index c332522164..2a1576714a 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts that are used by a standard user. >**Note:**  This setting does not change the behavior of the UAC elevation prompt for administrators. -  + **Background** User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. @@ -83,7 +83,7 @@ Server type or GPO| Default value | | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index b056a90e67..acd0f63ec6 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -35,7 +35,7 @@ This policy setting determines the behavior of the elevation prompt for accounts Assumes that the administrator will permit an operation that requires elevation, and additional consent or credentials are not required. **Note**  Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. -   + - **Prompt for credentials on the secure desktop** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. @@ -82,7 +82,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | DC Effective Default Settings | Prompt for consent for non-Windows binaries| | Member Server Effective Default Settings | Prompt for consent for non-Windows binaries| | Client Computer Effective Default Settings | Prompt for consent for non-Windows binaries| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 40de4fc13c..c6c7912ae9 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -63,7 +63,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Prompt for credentials on the secure desktop| | Member Server Effective Default Settings | Prompt for credentials on the secure desktop| | Client Computer Effective Default Settings | Prompt for credentials on the secure desktop| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md index 5eef7f8a49..d0232771ba 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md 
@@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 2352eeab0f..aea0ba3bb8 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md @@ -63,7 +63,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Disabled| | Member Server Effective Default Settings | Disabled| | Client Computer Effective Default Settings | Disabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index 3a64fe4afa..7683b3beec 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md 
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -33,7 +33,7 @@ This policy setting enforces the requirement that apps that request running with - \\Program Files (x86)\\ including subdirectories for 64-bit versions of Windows >**Note:**  Windows enforces a PKI signature check on any interactive application that requests running with a UIAccess integrity level, regardless of the state of this security setting. -  + **Background** User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. @@ -80,7 +80,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md index 63e77430d0..6361e34ee2 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md 
@@ -39,7 +39,7 @@ This policy setting determines the behavior of all User Account Control (UAC) po Admin Approval Mode and all related UAC policies are disabled. >**Note:**  If this security setting is configured to **Disabled**, the Security Center notifies the user that the overall security of the operating system has been reduced. -   + ### Best practices - Enable this policy to allow all other UAC features and policies to function. @@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index 2a460c4e2c..00ff2a4926 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md @@ -63,7 +63,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. 
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index 9f20a4eebc..3ec0475be4 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md @@ -61,7 +61,7 @@ The following table lists the actual and effective default values for this polic | DC Effective Default Settings | Enabled| | Member Server Effective Default Settings| Enabled| | Client Computer Effective Default Settings | Enabled| -  + ## Policy management This section describes features and tools that are available to help you manage this policy. diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 05fd16e55e..03d0a20cf4 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -78,7 +78,7 @@ The following table links to each security policy setting and provides the const | [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege| | [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege| | [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege| -  + ## Related topics - [Security policy settings reference](security-policy-settings-reference.md) 
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 06c4b9b5cf..44a4ae63d3 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md 
@@ -40,13 +40,13 @@ Here's an approximate scaling guide for WEF events: | 0 - 5,000 | SQL or SEM | | 5,000 - 50,000 | SEM | | 50,000+ | Hadoop/HDInsight/Data Lake | -  + Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system with regards to the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences. For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb). >**Note:**  These are only minimum values need to meet what the WEF subscription selects. -  + From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts’ direction. All devices should have access to the Baseline subscription. This means you would create two base subscriptions: 
@@ -122,7 +122,7 @@ This table outlines the built-in delivery options: | Normal | This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | | Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | | Minimize latency | This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. | -  + For more info about delivery options, see [Configure Advanced Subscription Settings](https://technet.microsoft.com/library/cc749167.aspx). The primary difference is in the latency which events are sent from the client. If none of the built-in options meet your requirements you can set Custom event delivery options for a given subscription from an elevated command prompt: 
@@ -182,100 +182,100 @@ To gain the most value out of the baseline subscription we recommend to have the The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf). -- Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given anti-malware product easily if it writes to the Windows event log. -- Security event log Process Create events. -- AppLocker Process Create events (EXE, script, packaged App installation and execution). -- Registry modification events. For more info, see [Appendix B – Recommended minimum Registry System ACL Policy](#bkmk-appendixb). -- OS startup and shutdown +- Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given anti-malware product easily if it writes to the Windows event log. +- Security event log Process Create events. +- AppLocker Process Create events (EXE, script, packaged App installation and execution). +- Registry modification events. For more info, see [Appendix B – Recommended minimum Registry System ACL Policy](#bkmk-appendixb). +- OS startup and shutdown - - Startup event include operating system version, service pack level, QFE version, and boot mode. + - Startup event include operating system version, service pack level, QFE version, and boot mode. -- Service install +- Service install - - Includes what the name of the service, the image path, and who installed the service. + - Includes what the name of the service, the image path, and who installed the service. -- Certificate Authority audit events +- Certificate Authority audit events - - This is only applicable on systems with the Certificate Authority role installed. - - Logs certificate requests and responses. + - This is only applicable on systems with the Certificate Authority role installed. + - Logs certificate requests and responses. 
-- User profile events +- User profile events - - Use of a temporary profile or unable to create a user profile may indicate an intruder is interactively logging into a device but not wanting to leave a persistent profile behind. + - Use of a temporary profile or unable to create a user profile may indicate an intruder is interactively logging into a device but not wanting to leave a persistent profile behind. -- Service start failure +- Service start failure - - Failure codes are localized, so you have to check the message DLL for values. + - Failure codes are localized, so you have to check the message DLL for values. -- Network share access events +- Network share access events - - Filter out IPC$ and /NetLogon file shares, which are expected and noisy. + - Filter out IPC$ and /NetLogon file shares, which are expected and noisy. -- System shutdown initiate requests +- System shutdown initiate requests - - Find out what initiated the restart of a device. + - Find out what initiated the restart of a device. -- User initiated interactive logoff event -- Remote Desktop Services session connect, reconnect, or disconnect. -- EMET events, if EMET is installed. -- Event forwarding plugin events +- User initiated interactive logoff event +- Remote Desktop Services session connect, reconnect, or disconnect. +- EMET events, if EMET is installed. +- Event forwarding plugin events - - For monitoring WEF subscription operations, particularly Partial Success events. This is useful for diagnosing deployment issues. + - For monitoring WEF subscription operations, particularly Partial Success events. This is useful for diagnosing deployment issues. -- Network share create and delete +- Network share create and delete - - Enables detection of unauthorized share creation. - >**Note:**  All shares are re-created when the device starts. -   -- Logon sessions + - Enables detection of unauthorized share creation. + >**Note:** All shares are re-created when the device starts. 
+ +- Logon sessions - - Logon success for interactive (local and Remote Interactive/Remote Desktop) - - Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on. - - Logon success for batch sessions - - Logon session close, which are logoff events for non-network sessions. + - Logon success for interactive (local and Remote Interactive/Remote Desktop) + - Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on. + - Logon success for batch sessions + - Logon session close, which are logoff events for non-network sessions. -- Windows Error Reporting (Application crash events only) +- Windows Error Reporting (Application crash events only) - - This can help detect early signs of intruder not familiar with enterprise environment using targeted malware. + - This can help detect early signs of intruder not familiar with enterprise environment using targeted malware. -- Event log service events +- Event log service events - - Errors, start events, and stop events for the Windows Event Log service. + - Errors, start events, and stop events for the Windows Event Log service. -- Event log cleared (including the Security Event Log) +- Event log cleared (including the Security Event Log) - - This could indicate an intruder that are covering their tracks. + - This could indicate an intruder that are covering their tracks. -- Special privileges assigned to new logon +- Special privileges assigned to new logon - - This indicates that at the time of logon a user is either an Administrator or has the sufficient access to make themselves Administrator. + - This indicates that at the time of logon a user is either an Administrator or has the sufficient access to make themselves Administrator. 
-- Outbound Remote Desktop Services session attempts +- Outbound Remote Desktop Services session attempts - - Visibility into potential beachhead for intruder + - Visibility into potential beachhead for intruder -- System time changed -- SMB Client (mapped drive connections) -- Account credential validation +- System time changed +- SMB Client (mapped drive connections) +- Account credential validation - - Local accounts or domain accounts on domain controllers + - Local accounts or domain accounts on domain controllers -- A user was added or removed from the local Administrators security group. -- Crypto API private key accessed +- A user was added or removed from the local Administrators security group. +- Crypto API private key accessed - - Associated with signing objects using the locally stored private key. + - Associated with signing objects using the locally stored private key. -- Task Scheduler task creation and delete +- Task Scheduler task creation and delete - - Task Scheduler allows intruders to run code at specified times as LocalSystem. + - Task Scheduler allows intruders to run code at specified times as LocalSystem. -- Logon with explicit credentials +- Logon with explicit credentials - - Detect credential use changes by intruders to access additional resources. + - Detect credential use changes by intruders to access additional resources. -- Smartcard card holder verification events +- Smartcard card holder verification events - - This detects when a smartcard is being used. + - This detects when a smartcard is being used. ### Suspect subscription 
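Review bot: since every bullet in this list is rewritten as a + line anyway, the grammar slips carried over unchanged should be fixed in the same pass: "Startup event include operating system version" should read "Startup events include operating system version"; "Includes what the name of the service, the image path, and who installed the service" should read "Includes the name of the service, the image path, and who installed the service"; "This could indicate an intruder that are covering their tracks" should read "This could indicate an intruder who is covering their tracks"; and "early signs of intruder not familiar with enterprise environment" needs its articles ("an intruder", "the enterprise environment"). Removing the non-breaking-space line after the shares Note is fine.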
@@ -371,7 +371,7 @@ If your organizational audit policy enables additional auditing to meet its need | System | Security State Change | Success and Failure | | System | Security System Extension | Success and Failure | | System | System Integrity | Success and Failure | -  + ## Appendix B - Recommended minimum registry system ACL policy The Run and RunOnce keys are useful for intruders and malware persistence. It allows code to be run (or run only once then removed, respectively) when a user logs into the system. diff --git a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md index 5b1dceeaf0..8ab757be7a 100644 --- a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md +++ b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md @@ -83,9 +83,9 @@ It creates the following files in the malware's working directory: - *00000000.pky* - *00000000.res* - *274901494632976.bat* -- *@Please_Read_Me@.txt* -- *@WanaDecryptor@.bmp* -- *@WanaDecryptor@.exe* +- @Please_Read_Me@.txt +- @WanaDecryptor@.bmp +- @WanaDecryptor@.exe - *b.wnry* - *c.wnry* - *f.wnry* 
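Review bot: dropping the italics from the three @-prefixed file names in the WannaCrypt file list leaves them styled differently from every other entry, which keeps the *00000000.pky*-style italics. If the asterisk markup was mis-rendering because of the underscores in @Please_Read_Me@.txt, wrap those three names in backticks (`@Please_Read_Me@.txt`, `@WanaDecryptor@.bmp`, `@WanaDecryptor@.exe`) instead of leaving them unstyled, or move the whole list to one consistent style.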
@@ -147,7 +147,7 @@ It then searches the whole computer for any file with any of the following file WannaCrypt encrypts all files it finds and renames them by appending *.WNCRY* to the file name. For example, if a file is named *picture.jpg*, the ransomware encrypts and renames the file to *picture.jpg.WNCRY*. -This ransomware also creates the file *@Please_Read_Me@.txt* in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below). +This ransomware also creates the file @Please_Read_Me@.txt in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below). After completing the encryption process, the malware deletes the volume shadow copies by running the following command: `cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet` diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 739e979763..f03034aac2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md 
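Review bot: same consistency point as the file list in the previous hunk: in this sentence @Please_Read_Me@.txt is now the only unstyled file name while *.WNCRY*, *picture.jpg* and *picture.jpg.WNCRY* stay italic; use backticks for it if the underscore is what broke the italics, so the paragraph uses one convention.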
@@ -37,23 +37,23 @@ The utility has the following commands: MpCmdRun.exe [command] [-options] ``` -Command | Description -:---|:--- -\-? **or** -h | Displays all available options​ for this tool​ -\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]]​ [-Timeout ]​ [-Cancel]​ | Scans for malicious software​ -\-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing​ -\-GetFiles | Collects support information​ -\-GetFilesDiagTrack | Same as Getfiles but outputs to​ temporary DiagTrack folder​ -\-RemoveDefinitions [-All] | Restores the installed​ Security intelligence to a previous backup copy or to​ the original default set -\-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically​ downloaded Security intelligence ​ -\-RemoveDefinitions [-Engine] | Restores the previous installed engine -\-SignatureUpdate [-UNC \| -MMPC] | Checks for new Security intelligence updates​ -\-Restore [-ListAll \| [[-Name ] [-All] \| [-FilePath ]] [-Path ]] | Restores or list​s quarantined item(s)​ -\-AddDynamicSignature [-Path] | Loads dynamic Security intelligence ​ -\-ListAllDynamicSignatures | Lists the loaded dynamic Security intelligence ​ -\-RemoveDynamicSignature [-SignatureSetID] | Removes dynamic Security intelligence ​ -\-CheckExclusion -path | Checks whether a path is excluded +| Command | Description | +|:--------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------| +| \-? 
**or** -h | Displays all available options for this tool | +| \-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]] [-Timeout ] [-Cancel] | Scans for malicious software | +| \-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing | +| \-GetFiles | Collects support information | +| \-GetFilesDiagTrack | Same as Getfiles but outputs to temporary DiagTrack folder | +| \-RemoveDefinitions [-All] | Restores the installed Security intelligence to a previous backup copy or to the original default set | +| \-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically downloaded Security intelligence | +| \-RemoveDefinitions [-Engine] | Restores the previous installed engine | +| \-SignatureUpdate [-UNC \| -MMPC] | Checks for new Security intelligence updates | +| \-Restore [-ListAll \| [[-Name ] [-All] \| [-FilePath ]] [-Path ]] | Restores or lists quarantined item(s) | +| \-AddDynamicSignature [-Path] | Loads dynamic Security intelligence | +| \-ListAllDynamicSignatures | Lists the loaded dynamic Security intelligence | +| \-RemoveDynamicSignature [-SignatureSetID] | Removes dynamic Security intelligence | +| \-CheckExclusion -path | Checks whether a path is excluded | ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 26f966d149..6f9408675c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md 
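Review bot: the argument placeholders in both versions of this table render empty ([-Timeout ], [-Name ], [-FilePath ], [-Path ], and -File with no path after it), so if the source uses angle-bracket placeholders such as <days> they are being swallowed as HTML and need escaping (\<days\>) or backticks; worth fixing while the table is being rebuilt. The conversion itself is an improvement: the zero-width spaces that sat inside the old Description cells (before "for this tool" and inside "lists") are gone and the pipes now make a proper table. Two small wording fixes for the rebuilt rows: "Same as Getfiles" should match the command casing "GetFiles", and "Restores the previous installed engine" should read "Restores the previously installed engine".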
@@ -94,17 +94,17 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev 3. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies: - 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. + 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. - 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: + 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: - - Send safe samples (1) - - Send all samples (3) + - Send safe samples (1) + - Send all samples (3) > [!WARNING] > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means block at first sight will not function. - 3. Click **OK**. + 3. Click **OK**. 4. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**: @@ -126,7 +126,7 @@ Block at first sight is automatically enabled as long as **Cloud-based protectio 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Manage Settings** under **Virus & threat protection settings**: - ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. 
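Review bot: the nested list items under step 3 change indentation in the + lines, but the "> [!WARNING]" callout between sub-step 2 and sub-step 3 is untouched context; verify in the rendered page that the callout sits at the same indent as the sub-steps, otherwise "3. Click **OK**." will start a new list at 1 instead of continuing the sequence. The image-indent change in the second hunk is whitespace only and fine.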
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 55314bf6ef..bbad08d05e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -188,31 +188,31 @@ The following table describes how the wildcards can be used and provides some ex Use in file and file extension exclusions Use in folder exclusions Example use - Example matches> + Example matches> - \* (asterisk) + (asterisk) Replaces any number of characters.
                                                                                  Only applies to files in the last folder defined in the argument. - Replaces a single folder.
                                                                                  Use multiple \* with folder slashes \\ to indicate multiple, nested folders.
                                                                                  After matching to the number of wilcarded and named folders, all subfolders will also be included. + Replaces a single folder.
                                                                                  Use multiple
                                                                                  with folder slashes \ to indicate multiple, nested folders.
                                                                                  After matching to the number of wilcarded and named folders, all subfolders will also be included.
                                                                                    -
                                                                                  1. C:\MyData\\\*.txt
                                                                                  2. -
                                                                                  3. C:\somepath\\\*\Data
                                                                                  4. -
                                                                                  5. C:\Serv\\\*\\\*\Backup +
                                                                                  6. C:\MyData\.txt
                                                                                  7. +
                                                                                  8. C:\somepath\\Data
                                                                                  9. +
                                                                                  10. C:\Serv\\\Backup
                                                                                    -
                                                                                  1. C:\MyData\\notes.txt
                                                                                  2. +
                                                                                  3. C:\MyData\notes.txt
                                                                                  4. Any file in:
                                                                                      -
                                                                                    • C:\somepath\\Archives\Data and its subfolders
                                                                                    • -
                                                                                    • C:\somepath\\Authorized\Data and its subfolders
                                                                                    • +
                                                                                    • C:\somepath\Archives\Data and its subfolders
                                                                                    • +
                                                                                    • C:\somepath\Authorized\Data and its subfolders
                                                                                  5. Any file in:
                                                                                      -
                                                                                    • C:\Serv\\Primary\\Denied\Backup and its subfolders
                                                                                    • -
                                                                                    • C:\Serv\\Secondary\\Allowed\Backup and its subfolders
                                                                                    • +
                                                                                    • C:\Serv\Primary\Denied\Backup and its subfolders
                                                                                    • +
                                                                                    • C:\Serv\Secondary\Allowed\Backup and its subfolders
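Review bot: in the + lines the asterisk has disappeared from the examples and even from the row label: " (asterisk)" has no symbol before it, "C:\MyData\.txt" and "C:\somepath\\Data" no longer show a wildcard, and "Use multiple" is followed by nothing before "with folder slashes". If that is the actual source and not a rendering artefact of this view, the examples are broken; these cells are raw HTML, so the literal text should be C:\MyData\*.txt, C:\somepath\*\Data and C:\Serv\*\*\Backup with no backslash escaping at all. Two carry-overs to fix in the same pass: the stray ">" in the header cell "Example matches>", and the typo "wilcarded" (wildcarded), which appears in both the old and new description text.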
                                                                                  @@ -232,14 +232,14 @@ The following table describes how the wildcards can be used and provides some ex
                                                                                  1. C:\MyData\my?.zip
                                                                                  2. -
                                                                                  3. C:\somepath\\?\Data
                                                                                  4. +
                                                                                  5. C:\somepath\?\Data
                                                                                  6. C:\somepath\test0?\Data
                                                                                  1. C:\MyData\my1.zip
                                                                                  2. -
                                                                                  3. Any file in C:\somepath\\P\Data and its subfolders
                                                                                  4. +
                                                                                  5. Any file in C:\somepath\P\Data and its subfolders
                                                                                  6. Any file in C:\somepath\test01\Data and its subfolders
                                                                                  diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 249807ea26..2b5bb82466 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -51,12 +51,12 @@ Quarantine | Configure removal of items from Quarantine folder | Specify how man Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable ->[!IMPORTANT] ->Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. ->

                                                                                  ->If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md). ->

                                                                                  ->To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md). +> [!IMPORTANT] +> Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. +>

                                                                                  +> If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-windows-defender-antivirus.md). +>

                                                                                  +> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md). Also see [Configure remediation-required scheduled full Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) for more remediation-related settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index 7cb55d2108..b1dc15b985 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md 
@@ -24,171 +24,134 @@ manager: dansimp In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. -Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. - ->[!NOTE] ->We've recently introduced a new feature that helps reduce the network and CPU overhead ov VMs when obtaining security intelligence updates. If you'd like to test this feature before it's released generally, [download the PDF guide for VDI performance improvement testing](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf). - - -We recommend setting the following when deploying Windows Defender Antivirus in a VDI environment: - -Location | Setting | Suggested configuration ----|---|--- -Client interface | Enable headless UI mode | Enabled -Client interface | Suppress all notifications | Enabled -Scan | Specify the scan type to use for a scheduled scan | Enabled - Quick -Root | Randomize scheduled task times | Enabled -Signature updates | Turn on scan after signature update | Enabled -Scan | Turn on catch up quick scan | Enabled - -For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for System Center Configuration Manager and Group Policy, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section. - See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support. For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic. 
-There are three main steps in this guide to help roll out Windows Defender Antivirus protection across your VDI: +With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on. -1. [Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image) - -2. [Manage the base image and updates for your VMs](#manage-your-vms-and-base-image) - -3. [Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including: - - - [Randomize scheduled scans](#randomize-scheduled-scans) - - [Use quick scans](#use-quick-scans) - - [Prevent notifications](#prevent-notifications) - - [Disable scans from occurring after every update](#disable-scans-after-an-update) - - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline) - ->[!IMPORTANT] -> While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. - ->[!NOTE] ->When you manage Windows with System Center Configuration Manager, Windows Defender Antivirus protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection) for more information. - -## Create and deploy the base image - -The main steps in this section include: - -1. 
Create your standard base image according to your requirements -2. Apply Windows Defender AV protection updates to your base image -3. Seal or “lock” the image to create a “known-good” image -4. Deploy your image to your VMs - -### Create the base image - -First, you should create your base image according to your business needs, applying or installing the relevant line of business (LOB) apps and settings as you normally would. Typically, this would involve creating a VHD or customized .iso, depending on how you will deploy the image to your VMs. - -### Apply protection updates to the base image - -After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender Antivirus protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches. - -### Seal the base image - -When the base image is fully updated, you should run a quick scan on the image. - -After running a scan and buliding the cache, remove the machine GUID that uniquely identifies the device in telemetry for both Windows Defender Antivirus and the Microsoft Security Removal Tool. This key is located here: - -'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT' - -Remove the string found in the 'GUID' value - -This “sealing” or “locking” of the image helps Windows Defender Antivirus build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted. - -You can run a quick scan [from the command line](command-line-arguments-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md). 
- ->[!NOTE] ->Quick scan versus full scan ->Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. Combined with our always on real-time protection capability - which reviews files when they are opened and closed, and whenever a user navigates to a folder – quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. ->Therefore, when considering performance – especially for creating a new or updated image in preparation for deployment – it makes sense to use a quick scan only. ->A full scan, however, can be useful on a VM that has encountered a malware threat to identify if there are any inactive components lying around and help perform a thorough clean-up. - -### Deploy the base image - -You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs. 
- -The following references provide ways you can create and deploy the base image across your VDI: - -- [Single image management for Virtual Desktop Collections](https://blogs.technet.microsoft.com/enterprisemobility/2012/10/29/single-image-management-for-virtual-desktop-collections-in-windows-server-2012/) -- [Using Hyper-V to create a Base OS image that can be used for VMs and VHDs](https://blogs.technet.microsoft.com/haroldwong/2011/06/12/using-hyper-v-to-create-a-base-os-image-that-can-be-used-for-vms-and-boot-to-vhd/) -- [Plan for Hyper-V security in Windows Server 2016]( https://technet.microsoft.com/windows-server-docs/compute/hyper-v/plan/plan-for-hyper-v-security-in-windows-server-2016) -- [Create a virtual machine in Hyper-V (with a VHD)](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/get-started/create-a-virtual-machine-in-hyper-v) -- [Build Virtual Desktop templates]( https://technet.microsoft.com/library/dn645526(v=ws.11).aspx) - -## Manage your VMs and base image - -How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure. - -Because Windows Defender Antivirus downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time. - -Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing Security intelligence set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full Security intelligence download (which can average around 150 mb). - -### Manage updates for persistent VDIs - -If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows: - -1. 
Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs). - -2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this). - -3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md). - -4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others. - -5. On or just after each Patch Tuesday (the second Tuesday of each month), [update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md) Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/). - -6. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. - -A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them. 
- -### Manage updates for non-persistent VDIs - -If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image. - -An example: - -1. Every night or other time when you can safely take your VMs offline, update your base image with the latest [protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). - -2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. - -## Configure endpoints for optimal performance - -There are a number of settings that can help ensure optimal performance on your VMs and VDI without affecting the level of protection, including: +This guide will show you how to configure your VMs for optimal protection and performance, including how to: +- [Set up a dedicated VDI file share for security intelligence updates](#set-up-a-dedicated-vdi-file-share) - [Randomize scheduled scans](#randomize-scheduled-scans) - [Use quick scans](#use-quick-scans) - [Prevent notifications](#prevent-notifications) - [Disable scans from occurring after every update](#disable-scans-after-an-update) - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline) +- [Apply exclusions](#exclusions) -These settings can be configured as part of creating your base image, or as a day-to-day management function of your VDI infrastructure or network. +You can also download the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf) which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI. 
+ +>[!IMPORTANT] +> While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. + + +>[!NOTE] +> There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607. + + + +### Set up a dedicated VDI file share + +In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines. + +You can set this feature with Intune, Group Policy, or PowerShell. + +Open the Intune management portal either by searching for Intune on https://portal.azure.com or going to https://devicemanagement.microsoft.com and logging in. + +1. To create a group with only the devices or users you specify: +1. Go to **Groups**. Click **New group**. Use the following values: + 1. Group type: **Security** + 2. Group name: **VDI test VMs** + 3. Group description: *Optional* + 4. Membership type: **Assigned** + +1. Add the devices or users you want to be a part of this test and then click **Create** to save the group. It’s a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes. + +1. 
To create a group that will include any machine in your tenant that is a VM, even when they are newly created: + +1. Go to **Groups**. Click **New group**. Use the following values: + 1. Group type: **Security** + 2. Group name: **VDI test VMs** + 3. Group description: *Optional* + 4. Membership type: **Dynamic Device** +1. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**. Click **Add query** and then **Create** to save the group. +1. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one. In this demo I’m going to create a new one by clicking **Create profile**. +1. Name it, choose **Windows 10 and later** as the Platform and – most importantly – select **Custom** as the profile type. +1. The **Custom OMA-URI Settings** blade is opened automatically. Click **Add** then enter the following values: + 1. Name: **VDI shared sig location** + 1. Description: *Optional* + 1. OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot** + 1. Data type: **String** + 1. Value: **\\\wdav-update\** (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be) +1. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade. Click **Create** to save the new profile. The profile details page now appears. +1. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**. +1. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesn’t make sense, go back to the groups blade and confirm the group contains the right users or devices. +1. The profile will now be deployed to the impacted devices. Note that this may take some time. 
+ +#### Use Group Policy to enable the shared security intelligence feature: +1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit. +1. In the **Group Policy Management Editor** go to **Computer configuration**. +1. Click **Administrative templates**. +1. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates** +1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\\wdav-update *(see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). Click **OK**. +1. Deploy the GPO to the VMs you want to test. + +#### Use PowerShell to enable the shared security intelligence feature: +Use the following cmdlet to enable the feature. You’ll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs: + +```PowerShell +Set-MpPreference -SharedSignaturesPath \\\wdav-update +``` + +See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \ will be. + +### Download and unpackage the latest updates +Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those). 
+ +```PowerShell +$vdmpathbase = 'c:\wdav-update\{00000000-0000-0000-0000-' +$vdmpathtime = Get-Date -format "yMMddHHmmss" +$vdmpath = $vdmpathbase + $vdmpathtime + '}' +$vdmpackage = $vdmpath + '\mpam-fe.exe' +$args = @("/x") + +New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null + +Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage + +cmd /c "cd $vdmpath & c: & mpam-fe.exe /x" +``` + +You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update. +We suggest starting with once a day – but you should experiment with increasing or decreasing the frequency to understand the impact. +Note that security intelligence packages are typically published once every three to four hours, so setting a frequency shorter than four hours isn’t advised as it will increase the network overhead on your management machine for no benefit. + +#### Set a scheduled task to run the powershell script +1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel. +1. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**. +1. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter + + *-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1* + +in the **Add arguments** field. Click **OK**. You can choose to configure additional settings if you wish. Click OK to save the scheduled task. + + +You can initiate the update manually by right-clicking on the task and clicking **Run**. + +#### Download and unpackage manually +If you would prefer to do everything manually, this what you would need to do to replicate the script’s behavior: +1. 
Create a new folder on the system root called *wdav_update* to store intelligence updates, for example, create the folder *c:\wdav_update* +1. Create a subfolder under *wdav_update* with a GUID name, such as *{00000000-0000-0000-0000-000000000000}*; for example *c:\wdav_update\{00000000-0000-0000-0000-000000000000}* (note, in the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time) +1. Download a security intelligence package from https://www.microsoft.com/en-us/wdsi/definitions into the GUID folder. The file should be named *mpam-fe.exe*. +1. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example **mpam-fe.exe /X**. +Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package. ### Randomize scheduled scans -Windows Defender Antivirus supports the randomization of scheduled scans and Security intelligence updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline). - Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md). -The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. - - - -**Use Group Policy to randomize scheduled scan start times:** - -1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration**. - -3. Click **Policies** then **Administrative templates**. - -4. Expand the tree to **Windows components > Windows Defender** and configure the following setting: - - - Double-click **Randomize scheduled task times** and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the Security intelligence update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm. - -**Use Configuration Manager to randomize scheduled scans:** - -See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch). +The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Windows Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan. See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans. 
@@ -197,54 +160,17 @@ See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. -**Use Group Policy to specify the type of scheduled scan:** - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration**. - -3. Click **Policies** then **Administrative templates**. - -4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: +1. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: - Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. Click **OK**. -**Use Configuration Manager to specify the type of scheduled scan:** - -See [How to create and deploy antimalware policies: Scheduled scans settings]( https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) for details on configuring System Center Configuration Manager (current branch). - -See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans. - ### Prevent notifications Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Windows Defender Antivirus user interface. -**Use Group Policy to hide notifications:** - -1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration**. - -3. Click **Policies** then **Administrative templates**. - -4. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings: +1. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings: - Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. - - Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users. - -**Use Configuration Manager to hide notifications:** - -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) - -2. Go to the **Advanced** section and configure the following settings: - - 1. Set **Disable the client user interface** to **Yes**. This hides the entire Windows Defender AV user interface. - - 2. Set **Show notifications messages on the client computer...** to **Yes**. This hides notifications from appearing. - - 3. Click **OK**. - -3. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Disable scans after an update 
@@ -253,62 +179,27 @@ This setting will prevent a scan from occurring after receiving an update. You c >[!IMPORTANT] >Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. -**Use Group Policy to disable scans after an update:** - -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -2. In the **Group Policy Management Editor** go to **Computer configuration**. - -3. Click **Policies** then **Administrative templates**. - -4. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting: +1. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting: - Double-click **Turn on scan after signature update** and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update. -**Use Configuration Manager to disable scans after an update:** - -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) - -2. Go to the **Scheduled scans** section and configure the following setting: - -3. Set **Check for the latest Security intelligence updates before running a scan** to **No**. This prevents a scan after an update. - -4. Click **OK**. - -5. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). 
- ### Scan VMs that have been offline -This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan. +1. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: -**Use Group Policy to enable a catch-up scan:** +1. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration**. +### Enable headless UI mode + - Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users. -3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: - -5. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans. - -**Use Configuration Manager to disable scans after an update:** - -1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) - -2. Go to the **Scheduled scans** section and configure the following setting: - -3. Set **Force a scan of the selected scan type if client computer is offline during...** to **Yes**. This forces a scan if the VM has missed two or more consecutive scheduled scans. - -4. Click **OK**. - -5. 
[Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Exclusions On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page: - [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus) + ## Additional resources - [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index a2c56e2b7c..ca65e8d570 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md 
@@ -85,27 +85,27 @@ The procedures in this article first describe how to set the order, and then how **Use Group Policy to manage the update location:** -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings: +4. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings: - 1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**. + 1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**. - 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot. + 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot. - ![Screenshot of group policy setting listing the order of sources](images/defender/wdav-order-update-sources.png) + ![Screenshot of group policy setting listing the order of sources](images/defender/wdav-order-update-sources.png) - 3. Click **OK**. 
This will set the order of protection update sources. + 3. Click **OK**. This will set the order of protection update sources. - 1. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**. + 4. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**. - 2. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates. + 5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates. - 3. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting. + 6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting. **Use Configuration Manager to manage the update location:** diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index 085fb69111..a4c209b5bd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -30,12 +30,12 @@ The tables list: - [Windows Defender Antivirus client error codes](#error-codes) - [Internal Windows Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes) ->[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: - ->- Cloud-delivered protection ->- Fast learning (including Block at first sight) ->- Potentially unwanted application blocking +> [!TIP] +> You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +> +> - Cloud-delivered protection +> - Fast learning (including Block at first sight) +> - Potentially unwanted application blocking ## Windows Defender Antivirus event IDs @@ -99,7 +99,7 @@ Description:
                                                                                Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
                                                                                -
                                                                                User: <Domain>\\<User>
                                                                                +
                                                                                User: <Domain>\<User>
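Review bot: In the Set up a dedicated VDI file share and Download and unpackage hunk, the sample script fetches mpam-fe.exe and immediately executes it via `cmd /c "cd $vdmpath & c: & mpam-fe.exe /x"`, and the scheduled task runs the script with `-ExecutionPolicy Bypass`, with nothing verifying what was downloaded; since every VM then loads engine and signature files from this share, add a `Get-AuthenticodeSignature` check on `$vdmpackage` (abort unless the status is Valid and the signer is Microsoft) before the extract step, and say explicitly that the share must be writable only by the management account and read-only for the VMs. Smaller points in the same hunk: "saving previous CPU, disk, and memory resources" should read "precious"; the share host placeholder between the backslashes has been lost in the Intune value `\\\wdav-update\`, in the Group Policy field and in `Set-MpPreference -SharedSignaturesPath \\\wdav-update` (the sentence "what the \ will be" shows it was meant to be there), most likely because it was written in angle brackets and swallowed as HTML, so escape it or put it in backticks; `$args = @("/x")` is never used and `$args` is a PowerShell automatic variable, so drop it; the scheduled task points at `c:\wdav-update\vdmdlunpack.ps1` but the reader is never told to save the script under that name; the manual section uses `wdav_update` (underscore) where the script, Intune and Group Policy values use `wdav-update` (hyphen); and the new Randomize scheduled scans text says scans start within a 4 hour window while the removed text said plus or minus 30 minutes, so confirm which figure is correct for the builds this page targets.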
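Review bot: Dropping steps 1 to 3 in the Use quick scans and Prevent notifications sections (hunk @@ -197,54 +160,17) leaves each section starting at "1. Expand the tree to **Windows components > Windows Defender > ...**" with nothing saying this is the Group Policy Management Editor, and the Configuration Manager alternatives are removed without a replacement pointer; either keep a one-line lead-in such as "In the Group Policy Management Editor, ..." above each remaining step or fold these settings into the Group Policy procedure earlier in the page, and keep a link to the Configuration Manager antimalware policy settings for admins who do not use Group Policy. The retained sentence "you can use the lock down the Windows Defender Antivirus user interface" also has a stray "use the".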
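Review bot: In the Scan VMs that have been offline section (hunk @@ -253,62 +179,27) the one-sentence description of what the setting does is removed and two top-level "1." items remain, the second of which (Double-click **Turn on catch-up quick scan**) was a sub-step of the first; restore the description and indent the second item as a bullet under the first, as the other sections do. The new "### Enable headless UI mode" heading is followed only by an indented bullet with no introduction; either give it the same lead-in as the neighbouring sections or move the bullet back under Prevent notifications, where it was removed from. As in the previous hunk, the remaining "Expand the tree" steps no longer say which console they refer to.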
                                                                                @@ -140,7 +140,7 @@ Description:
                                                                              • Customer scan
                                                                              -
                                                                              User: <Domain>\\<User>
                                                                              +
                                                                              User: <Domain>\<User>
                                                                              Scan Time: <The duration of a scan.>
                                                                              @@ -184,7 +184,7 @@ Description:
                                                                            • Customer scan
                                                                            -
                                                                            User: <Domain>\<User>
                                                                            +
                                                                            User: <Domain>&lt;User>
                                                                            Scan Time: <The duration of a scan.>
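Review bot: This hunk replaces `<Domain>\<User>` with `<Domain>&lt;User>`, which drops the backslash from the rendered text (it would display as `<Domain><User>`), while every other hunk in this file normalizes the same field to `<Domain>\<User>`; use that form here too so the separator is shown and the event descriptions stay consistent.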
                                                                            @@ -228,7 +228,7 @@ Description:
                                                                          • Customer scan
                                                                          -
                                                                          User: <Domain>\\<User>
                                                                          +
                                                                          User: <Domain>\<User>
                                                                          @@ -271,7 +271,7 @@ Description:
                                                                        • Customer scan
                                                                        -
                                                                        User: <Domain>\\<User>
                                                                        +
                                                                        User: <Domain>\<User>
                                                                        @@ -314,7 +314,7 @@ Description:
                                                                      • Customer scan
                                                                      -
                                                                      User: <Domain>\\<User>
                                                                      +
                                                                      User: <Domain>\<User>
                                                                      Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
                                                                      Error Description: <Error description> @@ -403,7 +403,7 @@ For more information please see the following:
                                                                    Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC
                                                                    Status: <Status>
                                                                    -
                                                                    User: <Domain>\\<User>
                                                                    +
                                                                    User: <Domain>\<User>
                                                                    Process Name: <Process in the PID>
                                                                    Signature Version: <Definition version>
                                                                    Engine Version: <Antimalware Engine version>
                                                                    @@ -437,7 +437,7 @@ Description: Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
                                                                    -
                                                                    User: <Domain>\\<User>
                                                                    +
                                                                    User: <Domain>\<User>
                                                                    Name: <Threat name>
                                                                    ID: <Threat ID>
                                                                    Severity: <Severity>, for example:
                                                                      @@ -489,7 +489,7 @@ Description: Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
                                                                      -
                                                                      User: <Domain>\\<User>
                                                                      +
                                                                      User: <Domain>\<User>
                                                                      Name: <Threat name>
                                                                      ID: <Threat ID>
                                                                      Severity: <Severity>, for example:
                                                                        @@ -559,7 +559,7 @@ Windows Defender Antivirus has restored an item from quarantine. For more inform
                                                                      Category: <Category description>, for example, any threat or malware type.
                                                                      Path: <File path>
                                                                      -
                                                                      User: <Domain>\\<User>
                                                                      +
                                                                      User: <Domain>\<User>
                                                                      Signature Version: <Definition version>
                                                                      Engine Version: <Antimalware Engine version>
                                                                      @@ -603,7 +603,7 @@ Windows Defender Antivirus has encountered an error trying to restore an item fr
                                                                    Category: <Category description>, for example, any threat or malware type.
                                                                    Path: <File path>
                                                                    -
                                                                    User: <Domain>\\<User>
                                                                    +
                                                                    User: <Domain>\<User>
                                                                    Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
                                                                    Error Description: <Error description> @@ -637,8 +637,7 @@ Message: Description: -Windows Defender Antivirus has deleted an item from quarantine. -For more information please see the following: +Windows Defender Antivirus has deleted an item from quarantine.
                                                                    For more information please see the following:
                                                                    Name: <Threat name>
                                                                    ID: <Threat ID>
                                                                    @@ -651,7 +650,7 @@ For more information please see the following:
                                                                    Category: <Category description>, for example, any threat or malware type.
                                                                    Path: <File path>
                                                                    -
                                                                    User: <Domain>\\<User>
                                                                    +
                                                                    User: <Domain>\<User>
                                                                    Signature Version: <Definition version>
                                                                    Engine Version: <Antimalware Engine version>
                                                                    @@ -695,7 +694,7 @@ For more information please see the following:
                                                                    Category: <Category description>, for example, any threat or malware type.
                                                                    Path: <File path>
                                                                    -
                                                                    User: <Domain>\\<User>
                                                                    +
                                                                    User: <Domain>\<User>
                                                                    Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
                                                                    Error Description: <Error description> @@ -732,7 +731,7 @@ Description: Windows Defender Antivirus has removed history of malware and other potentially unwanted software.
                                                                    Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
                                                                    -
                                                                    User: <Domain>\\<User>
                                                                    +
                                                                    User: <Domain>\<User>
                                                                    @@ -763,7 +762,7 @@ Description: Windows Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
                                                                    Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
                                                                    -
                                                                    User: <Domain>\\<User>
                                                                    +
                                                                    User: <Domain>\<User>
                                                                    Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
                                                                    Error Description: <Error description> @@ -795,8 +794,7 @@ Message: Description: -Windows Defender Antivirus has detected a suspicious behavior. -For more information please see the following: +Windows Defender Antivirus has detected a suspicious behavior.
                                                                    For more information please see the following:
                                                                    Name: <Threat name>
                                                                    ID: <Threat ID>
                                                                    @@ -838,7 +836,7 @@ For more information please see the following:
                                                                  Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC
                                                                  Status: <Status>
                                                                  -
                                                                  User: <Domain>\\<User>
                                                                  +
                                                                  User: <Domain>\<User>
                                                                  Process Name: <Process in the PID>
                                                                  Signature ID: Enumeration matching severity.
                                                                  Signature Version: <Definition version>
                                                                  @@ -873,8 +871,7 @@ Message: Description: -Windows Defender Antivirus has detected malware or other potentially unwanted software. -For more information please see the following: +Windows Defender Antivirus has detected malware or other potentially unwanted software.
                                                                  For more information please see the following:
                                                                  Name: <Threat name>
                                                                  ID: <Threat ID>
                                                                  @@ -915,7 +912,7 @@ For more information please see the following:
                                                                • Remote attestation
                                                                Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC -
                                                                User: <Domain>\\<User>
                                                                +
                                                                User: <Domain>\<User>
                                                                Process Name: <Process in the PID>
                                                                Signature Version: <Definition version>
                                                                Engine Version: <Antimalware Engine version>
                                                                @@ -955,8 +952,7 @@ Message: Description: -Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. -For more information please see the following: +Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
                                                                For more information please see the following:
                                                                Name: <Threat name>
                                                                ID: <Threat ID>
                                                                @@ -997,7 +993,7 @@ For more information please see the following:
                                                              • Remote attestation
                                                              Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC -
                                                              User: <Domain>\\<User>
                                                              +
                                                              User: <Domain>\<User>
                                                              Process Name: <Process in the PID>
                                                              Action: <Action>, for example:
                                                              • Clean: The resource was cleaned
                                                              • @@ -1083,8 +1079,7 @@ Message: Description: -Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software. -For more information please see the following: +Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
                                                                For more information please see the following:
                                                                Name: <Threat name>
                                                                ID: <Threat ID>
                                                                @@ -1125,7 +1120,7 @@ For more information please see the following:
                                                              • Remote attestation
                                                              Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC
                                                              -
                                                              User: <Domain>\\<User>
                                                              +
                                                              User: <Domain>\<User>
                                                              Process Name: <Process in the PID>
                                                              Action: <Action>, for example:
                                                              • Clean: The resource was cleaned
                                                              • @@ -1179,8 +1174,7 @@ Message: Description: -Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software. -For more information please see the following: +Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
                                                                For more information please see the following:
                                                                Name: <Threat name>
                                                                ID: <Threat ID>
                                                                @@ -1221,7 +1215,7 @@ For more information please see the following:
                                                              • Remote attestation
                                                              Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC
                                                              -
                                                              User: <Domain>\\<User>
                                                              +
                                                              User: <Domain>\<User>
                                                              Process Name: <Process in the PID>
                                                              Action: <Action>, for example:
                                                              • Clean: The resource was cleaned
                                                              • @@ -1287,7 +1281,7 @@ Verify that the user has permission to access the necessary resources. - + If this event persists:
                                                                1. Run the scan again.
                                                                2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
                                                                3. @@ -1330,7 +1324,7 @@ Windows Defender Antivirus client is up and running in a healthy state. -
                                                                  Note This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
                                                                  +
                                                                  Note This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
                                                                  @@ -1419,10 +1413,10 @@ Antivirus client health report.
                                                                  Antispyware signature creation time: ?<Antispyware signature creation time>
                                                                  Last quick scan start time: ?<Last quick scan start time>
                                                                  Last quick scan end time: ?<Last quick scan end time>
                                                                  -
                                                                  Last quick scan source: <Last quick scan source> (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
                                                                  +
                                                                  Last quick scan source: <Last quick scan source> (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
                                                                  Last full scan start time: ?<Last full scan start time>
                                                                  Last full scan end time: ?<Last full scan end time>
                                                                  -
                                                                  Last full scan source: <Last full scan source> (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
                                                                  +
                                                                  Last full scan source: <Last full scan source> (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
                                                                  Product status: For internal troubleshooting @@ -1465,7 +1459,7 @@ Antivirus signature version has been updated.
                                                              Update Type: <Update type>, either Full or Delta.
                                                              -
                                                              User: <Domain>\\<User>
                                                              +
                                                              User: <Domain>\<User>
                                                              Current Engine Version: <Current engine version>
                                                              Previous Engine Version: <Previous engine version>
                                                              @@ -1532,7 +1526,7 @@ Windows Defender Antivirus has encountered an error trying to update signatures.
                                                            Update Type: <Update type>, either Full or Delta.
                                                            -
                                                            User: <Domain>\\<User>
                                                            +
                                                            User: <Domain>\<User>
                                                            Current Engine Version: <Current engine version>
                                                            Previous Engine Version: <Previous engine version>
                                                            Error Code: <Error code> @@ -1550,7 +1544,7 @@ User action: This error occurs when there is a problem updating definitions. To troubleshoot this event:
                                                              -
                                                            1. [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
                                                            2. +
                                                            3. Update definitions and force a rescan directly on the endpoint.
                                                            4. Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.
                                                            5. Contact Microsoft Technical Support.
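Review bot: the `+` line in this hunk replaces `[Update definitions](manage-updates-baselines-windows-defender-antivirus.md)` with plain text, so step 1 of the troubleshooting list loses its link to the update procedure. Unless that target page has been removed, keep the link: `1. [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.`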
                                                            6. @@ -1586,7 +1580,7 @@ Windows Defender Antivirus engine version has been updated.
                                                              Current Engine Version: <Current engine version>
                                                              Previous Engine Version: <Previous engine version>
                                                              Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
                                                              -
                                                              User: <Domain>\\<User>
                                                              +
                                                              User: <Domain>\<User>
                                                              @@ -1627,7 +1621,7 @@ Windows Defender Antivirus has encountered an error trying to update the engine.
                                                              New Engine Version:
                                                              Previous Engine Version: <Previous engine version>
                                                              Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
                                                              -
                                                              User: <Domain>\\<User>
                                                              +
                                                              User: <Domain>\<User>
                                                              Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
                                                              Error Description: <Error description> @@ -1643,7 +1637,7 @@ User action: The Windows Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update. To troubleshoot this event:
                                                                -
                                                              1. [Update definitions](manage-updates-baselines-windows-defender-antivirus.md) and force a rescan directly on the endpoint.
                                                              2. +
                                                              3. Update definitions and force a rescan directly on the endpoint.
                                                              4. Contact Microsoft Technical Support.
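Review bot: same issue as the earlier troubleshooting list in this file: the `+` line drops the `[Update definitions](manage-updates-baselines-windows-defender-antivirus.md)` link and leaves only the bare text, so the reader of the client-update failure event no longer has a pointer to the update procedure. Restore the link unless the target page is gone.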
                                                              @@ -2290,8 +2284,8 @@ Description of the error.
                                                              User action: -You should restart the system then run a full scan because it's possible the system was not protected for some time. -The Windows Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start. +You should restart the system then run a full scan because it's possible the system was not protected for some time. +The Windows Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start. If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. @@ -2849,8 +2843,7 @@ Run a full system scan. This error indicates that manual steps are required to complete threat removal. Resolution -Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history. - +Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history.
                                                              Error code: 0x80508026 @@ -2908,14 +2901,12 @@ Run offline Windows Defender Antivirus. You can read about how to do this in the Error code: 0x80508031 Message -ERROR_MP_PLATFORM_OUTDATED - +ERROR_MP_PLATFORM_OUTDATED
                                                              Possible reason This error indicates that Windows Defender Antivirus does not support the current version of the platform and requires a new version of the platform. Resolution -You can only use Windows Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection. - +You can only use Windows Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
                                                              diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 9d6241c98a..de8f61a435 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -30,17 +30,17 @@ If you are also using Microsoft Defender Advanced Threat Protection, then Window The following matrix illustrates the states that Windows Defender AV will enter when third-party antivirus products or Microsoft Defender ATP are also used. -Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender AV state --|-|-|- -Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode -Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode -Windows 10 | Windows Defender AV | Yes | Active mode -Windows 10 | Windows Defender AV | No | Active mode -Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] -Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] -Windows Server 2016 | Windows Defender AV | Yes | Active mode -Windows Server 2016 | Windows Defender AV | No | Active mode +| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender AV state | +|---------------------|---------------------------------------------------------------------|-------------------------------------------------|-----------------------------------| +| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | +| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | +| Windows 10 | Windows Defender AV | Yes | Active mode | +| Windows 10 | Windows Defender AV | No | Active mode | +| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | +| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] | +| 
Windows Server 2016 | Windows Defender AV | Yes | Active mode | +| Windows Server 2016 | Windows Defender AV | No | Active mode | (1) On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [uninstall Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) to prevent problems caused by having multiple antivirus products installed on a machine. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 0486cb004f..86c295cf9e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md 
@@ -27,14 +27,14 @@ This topic for IT professionals provides links to specific procedures to use whe AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. Using AppLocker, you can: -- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file. -- Assign a rule to a security group or an individual user. -- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe). -- Use audit-only mode to deploy the policy and understand its impact before enforcing it. -- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten. -- Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets. -> **Note**  For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). -  +- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file. +- Assign a rule to a security group or an individual user. +- Create exceptions to rules. 
For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe). +- Use audit-only mode to deploy the policy and understand its impact before enforcing it. +- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten. +- Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets. + > **Note** For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md). + ## In this section | Topic | Description | diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index d689765151..c12a1e59ac 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md @@ -49,11 +49,11 @@ AppLocker and SRP use the security level IDs to stipulate the access requirement | SAFER_LEVELID_CONSTRAINED | Supported | Not supported | | SAFER_LEVELID_UNTRUSTED | Supported | Not supported | | SAFER_LEVELID_DISALLOWED | Supported | Supported | -  + In addition, URL zone ID is not supported in AppLocker. ## Related topics - [AppLocker technical reference](applocker-technical-reference.md) -  -  + + 
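Review bot: in the administer-applocker.md hunk the bullet list is re-added unchanged apart from trailing whitespace and the only real change is the callout, which now reads `+ > **Note** For more info ...` with a one-space indent under the last bullet. One space is not enough to nest the blockquote inside the list item (list content starts after the two-character `- ` marker), so it renders as a separate blockquote after the list; either indent it two spaces to nest it or leave it unindented after a blank line. The callout form is also inconsistent across this change: here it is `> **Note**` without a colon, dll-rules-in-applocker.md uses `> **Important:**` / `> **Caution:**`, and document-your-application-list.md uses `>Note:` with no bold. Pick one form, `> **Note:**` with the colon inside the bold, and apply it in all three files.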
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 5e9a6089cc..37045a74e8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -91,7 +91,7 @@ AppLocker rules can be created on domain controllers. AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC). > **Note:**  The GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature. -  + ### Using AppLocker on Server Core AppLocker on Server Core installations is not supported. @@ -132,7 +132,7 @@ For reference in your security planning, the following table identifies the base | Security Policies | None required. AppLocker creates security policies. | | System Services required |Application Identity service (appidsvc) runs under LocalServiceAndNoImpersonation. | | Storage of credentials | None | -  + ## In this section | Topic | Description | diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md index ae5f3d7430..c02fce9a90 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md @@ -36,7 +36,7 @@ The following table describes the settings and values used by AppLocker. | Network ports | Not applicable | | Service accounts | Not applicable | | Performance counters | Not applicable | -  + ## Related topics - [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md index a339d80d4f..24f5aeb1ef 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md @@ -26,7 +26,7 @@ ms.date: 09/21/2017 This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. >**Note:**  When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. -  + For info about how AppLocker policies are applied within a GPO structure, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md index c964253fb2..52899e5621 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md @@ -35,13 +35,13 @@ An AppLocker reference device that is used for the development and deployment of The reference device does not need to be joined to a domain, but it must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). >**Warning:**  Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an app, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another app, there is a chance that duplicate rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected. -  + **To configure a reference device** 1. If the operating system is not already installed, install one of the supported editions of Windows on the device. >**Note:**  If you have the Group Policy Management Console (GPMC) installed on another device to test your implementation of AppLocker policies, you can export the policies to that device -   + 2. Configure the administrator account. To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have been delegated privileges to use Group Policy to update a Group Policy Object (GPO). 
@@ -54,5 +54,5 @@ The reference device does not need to be joined to a domain, but it must be able - After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this, see [Working with AppLocker rules](working-with-applocker-rules.md). - [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md) -  -  + + diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 36652da246..fffa53c756 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -28,7 +28,7 @@ This topic for IT professionals shows how to configure the Application Identity The Application Identity service determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced. >**Important:**  When using Group Policy, you must configure it to start automatically in at least one Group Policy Object (GPO) that applies AppLocker rules. This is because AppLocker uses this service to verify the attributes of a file. -  + **To start the Application Identity service automatically using Group Policy** 1. On the **Start** screen, type **gpmc.msc** to open the Group Policy Management Console (GPMC). 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md index 99d548b3cd..7d7608f7c8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md @@ -28,7 +28,7 @@ This topic for IT professionals shows how to create an AppLocker rule with a pat The path condition identifies an app by its location in the file system of the computer or on the network. >**Important:**  When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles. -  + For info about the path condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). 
@@ -43,7 +43,7 @@ You can perform this task by using the Group Policy Management Console for an Ap 6. Click **Browse Files** to locate the targeted folder for the app. >**Note:**  When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). -   + 7. Click **Next**. 8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**. 9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md index 6f40120966..8f20bf3c9a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md 
@@ -28,7 +28,7 @@ This topic for IT professionals describes the steps to create a standard set of AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed to run. >**Important:**  You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as other AppLocker rule types. -  + You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). **To create default rules** diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index 73eb68a530..7afc539899 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md 
@@ -49,7 +49,7 @@ initially. Therefore, you should continue your evaluation until you can verify t >**Tip:**  If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker. You can create an inventory of Universal Windows apps on a device by using two methods: the **Get-AppxPackage** Windows PowerShell cmdlet or the AppLocker console. -  + The following topics in the [AppLocker Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=160261) describe how to perform each method: - [Automatically generating executable rules from a reference computer](https://go.microsoft.com/fwlink/p/?LinkId=160264) @@ -76,5 +76,5 @@ To do this, see the following topics: - [Select the types of rules to create](select-types-of-rules-to-create.md) - [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) -  -  + + diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index 87b83f3e4a..6fb52b2843 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md 
@@ -44,7 +44,7 @@ You can use a reference device to automatically create a set of default rules fo You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you are targeting a small number of applications within a business group. >**Note:**  AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md). -  + For information about performing this task, see: 1. [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index 708dc28afe..84e53cfb2d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -48,10 +48,10 @@ When this procedure is performed on the local device, the AppLocker policy takes Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML file that contains the following contents: + + + + 
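Review bot: in the delete-an-applocker-rule.md hunk the four added lines after "Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML file that contains the following contents:" show as empty, so the XML the sentence promises is not visible in the hunk. Confirm that the policy XML example is still present in the file and that it sits inside a fenced code block (```xml); outside a fence the angle-bracket tags are swallowed by the Markdown renderer exactly as they are in this view, leaving the sentence dangling.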
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index b916ca2446..0fe96e42aa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -47,7 +47,7 @@ You can edit an AppLocker policy by adding, changing, or removing rules. However Microsoft Desktop Optimization Pack. >**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. -  + For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For the procedures to distribute policies for local PCs by using the Local Security Policy snap-in (secpol.msc), see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). @@ -59,5 +59,5 @@ When a policy is deployed, it is important to monitor the actual implementation ## Additional resources - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). -  -  + + 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md index 2142b6e5ef..2226a672dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md @@ -32,7 +32,7 @@ This overview topic describes the process to follow when you are planning to dep | [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md) | This topic describes the AppLocker enforcement settings for rule collections. | | [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.| | [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. | -  + When you are determining how many Group Policy Objects (GPOs) to create when you apply an AppLocker policy in your organization, you should consider the following: - Whether you are creating new GPOs or using existing GPOs 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index f2db2b18f5..e1b0bef761 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -48,7 +48,7 @@ Use the following table to develop your own objectives and determine which appli

                                                              Scope

                                                              SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.

                                                              -

                                                              AppLocker policies apply only to the support versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).

                                                              +

                                                              AppLocker policies apply only to the support versions of Windows listed in Requirements to use AppLocker.

                                                              Policy creation

                                                              @@ -163,5 +163,5 @@ Use the following table to develop your own objectives and determine which appli -  -For more general info, see [AppLocker](applocker-overview.md). + +For more general info, see AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md index cdeec9d060..60741a87ed 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md @@ -40,11 +40,11 @@ The following table lists the default rules that are available for the DLL rule | Everyone | Path: %windir%\*| | Allow all users to run DLLs in the Program Files folder | (Default Rule) All DLLs located in the Program Files folder| | Everyone | Path: %programfiles%\*| -  ->**Important:**  If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps -  ->**Caution:**  When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used. -  + +> **Important:** If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps +> +> **Caution:** When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used. + ## Related topics - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) 
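Review bot: in determine-your-application-control-objectives.md the replacement lines show the cross-references as plain text where the removed lines carried Markdown links: `[Requirements to use AppLocker](requirements-to-use-applocker.md)` in the Scope cell becomes `Requirements to use AppLocker`, and `[AppLocker](applocker-overview.md)` in the closing line becomes `AppLocker`. If the table cell was converted to an HTML anchor inside the HTML table that is acceptable, but the closing `For more general info, see AppLocker.` line is ordinary Markdown and loses its link; keep `[AppLocker](applocker-overview.md)` there. While the Scope cell is being edited, `support versions` should read `supported versions`.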
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index 059ee9eecf..415d381cc4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -109,7 +109,7 @@ The following table includes the sample data that was collected when you determi

                                                              Internet Explorer 7

                                                              -

                                                              C:\Program Files\Internet Explorer\

                                                              +

                                                              C:\Program Files\Internet Explorer</p>

                                                              File is signed; create a publisher condition

                                                              Deny
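Review bot: the Internet Explorer 7 row of the sample table changes the install path from `C:\Program Files\Internet Explorer\` to `C:\Program Files\Internet Explorer</p>`, dropping the trailing backslash. If the motivation is that `\<` was escaping the closing tag and printing `</p>` literally, this fixes the markup by altering the documented path; keep the path verbatim instead by writing it as a code span (`` `C:\Program Files\Internet Explorer\` ``) or by doubling the backslash before the tag. The identical cell appears in document-your-application-list.md and document-your-applocker-rules.md further down in this change and needs the same treatment.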

                                                              @@ -126,11 +126,11 @@ The following table includes the sample data that was collected when you determi -  + ## Next steps After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain: - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) -  -  + + diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index 57f8f1ac1b..1ea62b509f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -87,7 +87,7 @@ The following table provides an example of how to list applications for each bus

                                                              Internet Explorer 7

                                                              -

                                                              C:\Program Files\Internet Explorer\

                                                              +

                                                              C:\Program Files\Internet Explorer</p>

                                                              @@ -98,10 +98,10 @@ The following table provides an example of how to list applications for each bus -  ->**Note:**  AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary. -  -**Event processing** + +>Note: AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary. + +Event processing As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md index a054a46a46..a748a0fb9d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md @@ -103,7 +103,7 @@ The following table details sample data for documenting rule type and rule condi
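Review bot: the document-your-application-list.md hunk at @@ -98 drops bold from two labels: `>**Note:**` becomes `>Note:` and the run-in heading `**Event processing**` becomes plain `Event processing`. The second label introduces the list that follows, so without bold it reads as a stray sentence fragment; restore `**Event processing**` (or promote it to a `###` heading in line with the file's other headings) and write the callout as `> **Note:**` so it matches the bolded callouts used elsewhere in this change.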

                                                              Internet Explorer 7

                                                              -

                                                              C:\Program Files\Internet Explorer\

                                                              +

                                                              C:\Program Files\Internet Explorer</p>

                                                              File is signed; create a publisher condition

                                                              @@ -118,7 +118,7 @@ The following table details sample data for documenting rule type and rule condi -  + ## Next steps For each rule, determine whether to use the allow or deny option. Then, three tasks remain: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md index 8b732af9da..09e13411bb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md @@ -32,7 +32,7 @@ AppLocker defines executable rules as any files with the .exe and .com extension | Allow members of the local Administrators group access to run all executable files | (Default Rule) All files| BUILTIN\Administrators | Path: * | | Allow all users to run executable files in the Windows folder| (Default Rule) All files located in the Windows folder| Everyone| Path: %windir%\*| | Allow all users to run executable files in the Program Files folder | (Default Rule) All files located in the Program Files folder| Everyone | Path: %programfiles%\*| -  + ## Related topics - [Understanding AppLocker Default Rules](understanding-applocker-default-rules.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md index ff4a0defa6..cd3f2ab32d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md @@ -30,7 +30,7 @@ Before completing this procedure, you should have exported an AppLocker policy. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. >**Caution:**  Importing a policy will overwrite the existing policy on that computer. -  + **To import an AppLocker policy** 1. From the AppLocker console, right-click **AppLocker**, and then click **Import Policy**. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md index b50fe81205..07ffba8bd0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md 
@@ -27,7 +27,7 @@ This topic for IT professionals describes the steps to import an AppLocker polic AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). >**Important:**  Follow your organization's standard procedures for updating GPOs. For info about specific steps to follow for AppLocker policies, see [Maintain AppLocker policies](maintain-applocker-policies.md). -  + To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. **To import an AppLocker policy into a GPO** diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md index 04f315cf70..bd4497b964 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md 
@@ -31,7 +31,7 @@ Packaged apps, also known as Universal Windows apps, are based on a model that e With packaged apps, it is possible to control the entire app by using a single AppLocker rule. >**Note:**  AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps. -  + Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, not all these components always share common attributes such as the software’s publisher name, product name, and product version. Therefore, AppLocker controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule. ### Comparing classic Windows apps and packaged apps 
@@ -54,7 +54,7 @@ For more info about packaged apps, see [Packaged apps and packaged app installer You can use two methods to create an inventory of packaged apps on a computer: the AppLocker console or the **Get-AppxPackage** Windows PowerShell cmdlet. >**Note:**  Not all packaged apps are listed in AppLocker’s application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). -  + For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see the [AppLocker PowerShell Command Reference](https://technet.microsoft.com/library/hh847210.aspx). For info about creating rules for Packaged apps, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index dbf4eb81d8..0ccb16202c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md 
@@ -36,7 +36,7 @@ The AppLocker policy is saved in XML format, and the exported policy can be edit | Script rules | Script| | DLL rules | Dll| | Packaged apps and packaged app installers|Appx| -  + Rule enforcement is specified with the **EnforcementMode** element. The three enforcement modes in the XML correspond to the three enforcement modes in the AppLocker console, as shown in the following table: | XML enforcement mode |Enforcement mode in Group Policy | @@ -44,7 +44,7 @@ Rule enforcement is specified with the **EnforcementMode** element. The three en | NotConfigured | Not configured (rules are enforced)| | AuditOnly | Audit only| | Enabled | Enforce rules| -  + Each of the three condition types use specific elements. For XML examples of the different rule types, see Merge AppLocker policies manually. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index 713fe389a9..72378b52ca 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md 
@@ -62,7 +62,7 @@ For both event subscriptions and local events, you can use the **Get-AppLockerFi Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. >**Note:**  If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file. -  + **To review AppLocker events with Get-AppLockerFileInformation** 1. At the command prompt, type **PowerShell**, and then press ENTER. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 2ffe4c26cb..d0e2f069fe 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md 
@@ -82,7 +82,7 @@ As new apps are deployed or existing apps are updated by the software publisher, You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](https://go.microsoft.com/fwlink/p/?LinkId=145013) (https://go.microsoft.com/fwlink/p/?LinkId=145013). >**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. -  + **New version of a supported app** When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you are using publisher conditions and the version is not specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app has not altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied. 
@@ -213,7 +213,7 @@ The following table contains the added sample data that was collected when deter

                                                              Internet Explorer 7

                                                              -

                                                              C:\Program Files\Internet Explorer\

                                                              +

                                                              C:\Program Files\Internet Explorer</p>

                                                              File is signed; create a publisher condition

                                                              Deny

                                                              @@ -233,7 +233,7 @@ The following table contains the added sample data that was collected when deter -  + The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies. **Event processing policy** @@ -276,8 +276,8 @@ The following table is an example of what to consider and record. -  -**Policy maintenance policy** + +Policy maintenance policy When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies. The following table is an example of what to consider and record. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index 3926266771..b1187d6b13 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -111,7 +111,7 @@ An AppLocker policy deployment plan is the result of investigating which applica - + @@ -130,8 +130,8 @@ An AppLocker policy deployment plan is the result of investigating which applica

                                                              Internet Explorer 7

                                                              C:\Program Files\Internet Explorer\

                                                              C:\Program Files\Internet Explorer</p>

                                                              File is signed; create a publisher condition

                                                              Deny

                                                              -  -**Event processing policy** + +Event processing policy @@ -168,8 +168,8 @@ An AppLocker policy deployment plan is the result of investigating which applica
                                                              -  -**Policy maintenance policy** + +Policy maintenance policy @@ -210,7 +210,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
                                                              -  + ### Supported operating systems AppLocker is supported only on certain operating systems. Some features are not available on all operating systems. For more information, see [Requirements to use AppLocker](requirements-to-use-applocker.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 494a3fffc4..edcc2be0d3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -34,7 +34,7 @@ To use AppLocker, you need: - Devices running a supported operating system to enforce the AppLocker rules that you create. >**Note:**  You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md). -  + ## Operating system requirements The following table show the on which operating systems AppLocker features are supported. @@ -56,7 +56,7 @@ The following table show the on which operating systems AppLocker features are s | Windows 7 Ultimate| Yes| Yes| Executable
                                                              Windows Installer
                                                              Script
                                                              DLL| Packaged app rules will not be enforced.| | Windows 7 Enterprise| Yes| Yes| Executable
                                                              Windows Installer
                                                              Script
                                                              DLL| Packaged app rules will not be enforced.| | Windows 7 Professional| Yes| No| Executable
                                                              Windows Installer
                                                              Script
                                                              DLL| No AppLocker rules are enforced.| -  + AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index efbec669a4..a0a509e1ae 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md 
@@ -31,20 +31,20 @@ You can perform this task by using the Group Policy Management Console for an Ap **To automatically generate rules** -1. Open the AppLocker console. -2. Right-click the appropriate rule type for which you want to automatically generate rules. You can automatically generate rules for executable, Windows Installer, script and packaged app rules. -3. Click **Automatically Generate Rules**. -4. On the **Folder and Permissions** page, click **Browse** to choose the folder to be analyzed. By default, this is the Program Files folder. -5. Click **Select** to choose the security group in which the default rules should be applied. By default, this is the **Everyone** group. -6. The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder that you have selected. Accept the provided name or type a different name, and then click **Next**. -7. On the **Rule Preferences** page, choose the conditions that you want the wizard to use while creating rules, and then click **Next**. For more info about rule conditions, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). +1. Open the AppLocker console. +2. Right-click the appropriate rule type for which you want to automatically generate rules. You can automatically generate rules for executable, Windows Installer, script and packaged app rules. +3. Click **Automatically Generate Rules**. +4. On the **Folder and Permissions** page, click **Browse** to choose the folder to be analyzed. By default, this is the Program Files folder. +5. Click **Select** to choose the security group in which the default rules should be applied. By default, this is the **Everyone** group. +6. The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder that you have selected. Accept the provided name or type a different name, and then click **Next**. +7. 
On the **Rule Preferences** page, choose the conditions that you want the wizard to use while creating rules, and then click **Next**. For more info about rule conditions, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). - >**Note:**  The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select: + >**Note:** The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select: - - One publisher condition is created for all files that have the same publisher and product name. - - One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder are not signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**. - - One file hash condition is created that contains all of the file hashes. When rule grouping is disabled, the wizard creates a file hash rule for each file. -   -8. Review the files that were analyzed and the rules that will be automatically created. To make changes, click **Previous** to return to the page where you can change your selections. After reviewing the rules, click **Create**. + - One publisher condition is created for all files that have the same publisher and product name. + - One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder are not signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**. + - One file hash condition is created that contains all of the file hashes. 
When rule grouping is disabled, the wizard creates a file hash rule for each file. + +8. Review the files that were analyzed and the rules that will be automatically created. To make changes, click **Previous** to return to the page where you can change your selections. After reviewing the rules, click **Create**. >**Note:**  If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 931605336a..068f4f5786 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -39,7 +39,7 @@ The following table lists the default rules that are available for the script ru | Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: *| | Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*| | Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*| -  + ## Related topics - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index 10120fb432..2fbfbf63aa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md 
@@ -45,13 +45,13 @@ You cannot use AppLocker (or Software Restriction Policies) to prevent code from AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker cannot control every kind of interpreted code, such as Microsoft Office macros. >**Important:**  You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. -  + AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules. >**Note:**  Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. You can block the Windows Subsystem for Linux by blocking LxssManager.dll. 
-  + ## Related topics - [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md index dfb7c39dff..74fe7bc8ec 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md 
@@ -59,7 +59,7 @@ A rule condition is criteria upon which an AppLocker rule is based and can only | Publisher | To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate. Rules that are specified to the version level might have to be updated when a new version of the file is released.|For more info about this rule condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). | Path| Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted).| For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). | | File hash | Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is based in part upon the version.| For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). | -  + In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is signed and is located at C:\\Program Files\\Woodgrove\\Teller.exe. Therefore, the rule can be defined with a publisher condition. If the rule is defined to a specific version and above (for example, Teller.exe version 8.0 and above), then this will allow any updates to this app to occur without interruption of access to the users if the app's name and signed attributes stay the same. ### Determine how to allow system files to run 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index 9f3bd1861f..38e080a194 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -32,7 +32,7 @@ Rule enforcement is applied only to a collection of rules, not to individual rul | Not configured | By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the **Not configured** value.| | Enforce rules | Rules are enforced for the rule collection, and all rule events are audited.| | Audit only | Rule events are audited only. Use this value when planning and testing AppLocker rules.| -  + For the AppLocker policy to be enforced on a device, the Application Identity service must be running. For more info about the Application Identity service, see [Configure the Application Identity service](configure-the-application-identity-service.md). When AppLocker policies from various GPOs are merged, the enforcement modes are merged by using the standard Group Policy order of inheritance, which is local, domain, site, and organizational unit (OU). The Group Policy setting that was last written or applied by order of inheritance is used for the enforcement mode, and all rules from linked GPOs are applied. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index e8aba7cef4..29a92cb366 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -20,7 +20,7 @@ ms.date: 10/13/2017 # Understand AppLocker policy design decisions **Applies to** - - Windows 10 + - Windows 10 - Windows Server This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. 
@@ -50,24 +50,24 @@ You might need to control a limited number of apps because they access sensitive | Control apps by business group and user | AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.| | Control apps by computer, not user | AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.| |Understand app usage, but there is no need to control any apps yet | AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.| -  ->**Important:**  The following list contains files or types of files that cannot be managed by AppLocker: -- AppLocker does not protect against running 16-bit DOS binaries in a NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe. +>**Important:** The following list contains files or types of files that cannot be managed by AppLocker: -- You cannot use AppLocker to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. 
If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. +- AppLocker does not protect against running 16-bit DOS binaries in a NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe. + +- You cannot use AppLocker to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. - AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To use AppLocker to control interpreted code, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision that is returned by AppLocker. Not all host processes call into AppLocker. Therefore, AppLocker cannot control every kind of interpreted code, for example Microsoft Office macros. - >**Important:**  You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. 
-   + >**Important:** You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. + - AppLocker rules allow or prevent an app from launching. AppLocker does not control the behavior of apps after they are launched. Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded. In practice, an app that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must follow a process that best suits your needs to thoroughly vet each app before allowing them to run using AppLocker rules. - + For more info, see [Security considerations for AppLocker](security-considerations-for-applocker.md). -  + ### Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions -AppLocker policies for Universal Windows apps can only be applied to apps that are installed on computers running Windows operating systems that support Microsoft Store apps. However, Classic Windows applications can be controlled in Windows Server 2008 R2 and Windows 7, in addition to those computers that support Universal Windows apps. The rules for Classic Windows applications and Universal Windows apps can be enforced together. The differences you should consider for Universal Windows apps are: +AppLocker policies for Universal Windows apps can only be applied to apps that are installed on computers running Windows operating systems that support Microsoft Store apps. However, Classic Windows applications can be controlled in Windows Server 2008 R2 and Windows 7, in addition to those computers that support Universal Windows apps. The rules for Classic Windows applications and Universal Windows apps can be enforced together. 
The differences you should consider for Universal Windows apps are: - All Universal Windows apps can be installed by a standard user, whereas a number of Classic Windows applications require administrative credentials to install. So in an environment where most of the users are standard users, you might not need numerous exe rules, but you might want more explicit policies for packaged apps. - Classic Windows applications can be written to change the system state if they run with administrative credentials. Most Universal Windows apps cannot change the system state because they run with limited permissions. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes. @@ -88,7 +88,7 @@ Most organizations have evolved app control policies and methods over time. With | Managed usage by group or OU | Using AppLocker requires a complete app control policy evaluation and implementation.| | Authorization Manager or other role-based access technologies | Using AppLocker requires a complete app control policy evaluation and implementation.| | Other | Using AppLocker requires a complete app control policy evaluation and implementation.| -  + ### Which Windows desktop and server operating systems are running in your organization? If your organization supports multiple Windows operating systems, app control policy planning becomes more complex. Your initial design decisions should consider the security and management priorities of applications that are installed on each version of the operating system. @@ -105,44 +105,43 @@ If your organization supports multiple Windows operating systems, app control po -

                                                              Your organization's computers are running a combination of the following operating systems:

                                                              +

                                                              Your organization's computers are running a combination of the following operating systems:

                                                                -
                                                              • Windows 10

                                                              • +
                                                              • Windows 10

                                                              • Windows 8

                                                              • -
                                                              • Windows 7

                                                              • -
                                                              • Windows Vista

                                                              • -
                                                              • Windows XP

                                                              • +
                                                              • Windows 7

                                                              • +
                                                              • Windows Vista

                                                              • +
                                                              • Windows XP

                                                              • Windows Server 2012

                                                              • -
                                                              • Windows Server 2008 R2

                                                              • -
                                                              • Windows Server 2008

                                                              • -
                                                              • Windows Server 2003

                                                              • +
                                                              • Windows Server 2008 R2

                                                              • +
                                                              • Windows Server 2008

                                                              • +
                                                              • Windows Server 2003

                                                              -

                                                              AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

                                                              +

                                                              AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see Requirements to use AppLocker.

                                                              -Note   -

                                                              If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.

                                                              +Note

                                                              If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.

                                                              -  +

                                                              AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.

                                                              -

                                                              Your organization's computers are running only the following operating systems:

                                                              +

                                                              Your organization's computers are running only the following operating systems:

                                                                -
                                                              • Windows 10

                                                              • +
                                                              • Windows 10

                                                              • Windows 8.1

                                                              • Windows 8

                                                              • -
                                                              • Windows 7

                                                              • +
                                                              • Windows 7

                                                              • Windows Server 2012 R2

                                                              • Windows Server 2012

                                                              • -
                                                              • Windows Server 2008 R2

                                                              • +
                                                              • Windows Server 2008 R2

                                                              Use AppLocker to create your application control policies.

                                                              -  + ### Are there specific groups in your organization that need customized application control policies? Most business groups or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. @@ -151,7 +150,7 @@ Most business groups or departments have specific security requirements that per | - | - | | Yes | For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.
                                                              If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.| | No | AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.| -  + ### Does your IT department have resources to analyze application usage, and to design and manage the policies? The time and resources that are available to you to perform the research and analysis can affect the detail of your plan and processes for continuing policy management and maintenance. @@ -160,7 +159,7 @@ The time and resources that are available to you to perform the research and ana | - | - | | Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.| | No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. | -  + ### Does your organization have Help Desk support? Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered. 
@@ -170,7 +169,7 @@ Preventing your users from accessing known, deployed, or personal applications w | Yes | Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications. | | No | Invest time in developing online support processes and documentation before deployment. | -  + ### Do you know what applications require restrictive policies? Any successful application control policy implementation is based on your knowledge and understanding of app usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the apps that access that data. @@ -178,7 +177,7 @@ Any successful application control policy implementation is based on your knowle | - | - | | Yes | You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies. | | No | You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in **Audit only** mode, and tools to view the event logs.| -  + ### How do you deploy or sanction applications (upgraded or new) in your organization? Implementing a successful application control policy is based on your knowledge and understanding of application usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the applications that access that data. Understanding the upgrade and deployment policy will help shape the construction of the application control policies. 
@@ -189,7 +188,7 @@ Implementing a successful application control policy is based on your knowledge | Strict written policy or guidelines to follow | You need to develop AppLocker rules that reflect those policies, and then test and maintain the rules. | | No process in place | You need to determine if you have the resources to develop an application control policy, and for which groups. | -  + ### Does your organization already have SRP deployed? Although SRP and AppLocker have the same goal, AppLocker is a major revision of SRP. @@ -198,7 +197,7 @@ Although SRP and AppLocker have the same goal, AppLocker is a major revision of | - | - | | Yes | You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.

                                                              **Note:** If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems.| | No | Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems. | -  + ### What are your organization's priorities when implementing application control policies? Some organizations will benefit from application control policies as shown by an increase in productivity or conformance, while others will be hindered in performing their duties. Prioritize these aspects for each group to allow you to evaluate the effectiveness of AppLocker. 
@@ -208,7 +207,7 @@ Some organizations will benefit from application control policies as shown by an | Productivity: The organization assures that tools work and required applications can be installed. | To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. | | Management: The organization is aware of and controls the apps it supports. | In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps| | Security: The organization must protect data in part by ensuring that only approved apps are used. | AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.| -  + ### How are apps currently accessed in your organization? AppLocker is very effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. 
Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a small number of rules. @@ -218,17 +217,17 @@ AppLocker is very effective for organizations that have application restriction | Users run without administrative rights. | Apps are installed by using an installation deployment technology.| | AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.
                                                              **Note: **AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.| Users must be able to install applications as needed. | Users currently have administrator access, and it would be difficult to change this.|Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the **Audit only** enforcement setting through AppLocker.| -  + ### Is the structure in Active Directory Domain Services based on the organization's hierarchy? -Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. +Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. Because the effectiveness of application control policies is dependent on the ability to update policies, consider what organizational work needs to be accomplished before deployment begins. 
| Possible answers | Design considerations | | - | - | -| Yes | AppLocker rules can be developed and implemented through Group Policy, based on your AD DS structure.| +| Yes | AppLocker rules can be developed and implemented through Group Policy, based on your AD DS structure.| | No | The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer.| -  + ## Record your findings The next step in the process is to record and analyze your answers to the preceding questions. If AppLocker is the right solution for your goals, you can set your application control policy objectives and plan your AppLocker rules. This process culminates in creating your planning document. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index 8040665b59..6f06fb76e5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md 
@@ -40,9 +40,9 @@ Although you can use AppLocker to create a rule to allow all files to run and th | Publisher | A user could modify the properties of a file (for example, re-signing the file with a different certificate).| | File hash | A user could modify the hash for a file.| | Path | A user could move the denied file to a different location and run it from there.| -  + >**Important:**  If you choose to use the deny action on rules, you must ensure that you first create rules that allow the Windows system files to run. AppLocker enforces rules for allowed applications by default, so after one or more rules have been created for a rule collection (affecting the Windows system files), only the apps that are listed as being allowed will be permitted to run. Therefore, creating a single rule in a rule collection to deny a malicious file from running will also deny all other files on the computer from running. -  + ## Related topics - [How AppLocker works](how-applocker-works-techref.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md index 0fd68d8a38..aab40287b6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md 
@@ -28,7 +28,7 @@ This topic for IT professional describes the set of rules that can be used to en AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. >**Important:**  You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. -  + If you require additional app security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: @@ -47,7 +47,7 @@ These permissions settings are applied to this folder for app compatibility. How | [Script rules in AppLocker](script-rules-in-applocker.md) | This topic describes the file formats and available default rules for the script rule collection.| | [DLL rules in AppLocker](dll-rules-in-applocker.md) | This topic describes the file formats and available default rules for the DLL rule collection.| | [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md) | This topic explains the AppLocker rule collection for packaged app installers and packaged apps.| -  + ## Related topics - [How AppLocker works](how-applocker-works-techref.md) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md index cff46dda28..f2788d4bfc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md @@ -36,7 +36,7 @@ An AppLocker rule collection is a set of rules that apply to one of five types: If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. >**Important:**  Each app can load several DLLs, and AppLocker must check each DLL before it is allowed to run. Therefore, creating DLL rules might cause performance problems on some computers. Denying some DLLs from running can also create app compatibility problems. As a result, the DLL rule collection is not enabled by default. -  + For info about how to enable the DLL rule collection, see [Enable the DLL rule collection](enable-the-dll-rule-collection.md). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index 57d08935c5..3bb3ba52c4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md 
@@ -30,7 +30,7 @@ File hash rules use a system-computed cryptographic hash of the identified file. | File hash condition advantages | File hash condition disadvantages | | - | - | | Because each file has a unique hash, a file hash condition applies to only one file. | Each time that the file is updated (such as a security update or upgrade), the file's hash will change. As a result, you must manually update file hash rules.| -  + For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index 6c147f51f9..0e59ec885b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -20,7 +20,7 @@ ms.date: 09/21/2017 # Understanding the path rule condition in AppLocker **Applies to** - - Windows 10 + - Windows 10 - Windows Server This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. 
@@ -53,22 +53,23 @@ When creating a rule that uses a deny action, path conditions are less secure th -  + AppLocker does not enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced. The asterisk (\*) wildcard character can be used within **Path** field. The asterisk (\*) character used by itself represents any path. When combined with any string value, the rule is limited to the path of the file and all the files under that path. For example, %ProgramFiles%\\Internet Explorer\\\* indicates that all files and subfolders within the Internet Explorer folder will be affected by the rule. AppLocker uses path variables for well-known directories in Windows. Path variables are not environment variables. The AppLocker engine can only interpret AppLocker path variables. The following table details these path variables. -| Windows directory or drive | AppLocker path variable | Windows environment variable | -| - | - | - | -| Windows | %WINDIR% | %SystemRoot% | -| System32 and sysWOW64 | %SYSTEM32%| %SystemDirectory%| -| Windows installation directory | %OSDRIVE%|%SystemDrive%| -| Program Files | %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)%| -| Removable media (for example, CD or DVD) | %REMOVABLE%| | -| Removable storage device (for example, USB flash drive)| %HOT%||| -  + +| Windows directory or drive | AppLocker path variable | Windows environment variable | +|---------------------------------------------------------|-------------------------|----------------------------------------| +| Windows | %WINDIR% | %SystemRoot% | +| System32 and sysWOW64 | %SYSTEM32% | %SystemDirectory% | +| Windows installation directory | %OSDRIVE% | %SystemDrive% | +| Program Files | %PROGRAMFILES% | %ProgramFiles% and %ProgramFiles(x86)% | +| Removable media (for example, CD or DVD) | %REMOVABLE% | | +| Removable storage device (for example, USB flash drive) | 
%HOT% | | + For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index f0c3ab6665..52259c9248 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -55,7 +55,7 @@ of the publisher condition. -  + Wildcard characters can be used as values in the publisher rule fields according to the following specifications: - **Publisher** @@ -90,7 +90,7 @@ The following table describes how a publisher condition is applied. | **Publisher, product name, file name, and file version** | **And above**
                                                              The specified version of the named file and any new releases for the product that are signed by the publisher.| | **Publisher, product name, file name, and file version**| **And below**
                                                              The specified version of the named file and any older versions for the product that are signed by the publisher.| | **Custom** | You can edit the **Publisher**, **Product name**, **File name**, and **Version** fields to create a custom rule.| -  + For an overview of the three types of AppLocker rule conditions and explanations of the advantages and disadvantages of each, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index ccb8703691..9c5076e4c6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md 
@@ -33,7 +33,7 @@ An AppLocker reference device is a baseline device you can use to configure poli An AppLocker reference device that is used to create and maintain AppLocker policies should contain the corresponding apps for each organizational unit (OU) to mimic your production environment. >**Important:**  The reference device must be running one of the supported editions of Windows. For information about operating system requirements for AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md). -  + You can perform AppLocker policy testing on the reference device by using the **Audit only** enforcement setting or Windows PowerShell cmdlets. You can also use the reference device as part of a testing configuration that includes policies that are created by using Software Restriction Policies. ## Step 1: Automatically generate rules on the reference device 
@@ -41,13 +41,13 @@ You can perform AppLocker policy testing on the reference device by using the ** With AppLocker, you can automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For the procedure to do this, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). >**Note:**  If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules. -  + ## Step 2: Create the default rules on the reference device AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You must run the default rules for each rule collection. For info about default rules and considerations for using them, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md). For the procedure to create default rules, see [Create AppLocker default rules](create-applocker-default-rules.md). >**Important:**  You can use the default rules as a template when you create your own rules. This allows files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. 
-  + ## Step 3: Modify rules and the rule collection on the reference device If AppLocker policies are currently running in your production environment, export the policies from the corresponding GPOs and save them to the reference device. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). If no AppLocker policies have been deployed, create the rules and develop the policies by using the following procedures: @@ -69,7 +69,7 @@ You should test each set of rules to ensure that they perform as intended. The * - [Discover the Effect of an AppLocker Policy](https://technet.microsoft.com/library/ee791823(WS.10).aspx) >**Caution:**  If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect. -  + ## Step 5: Export and import the policy into production When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that are not managed by Group Policy) and checked for its intended effectiveness. To do this, perform the following procedures: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index df2a44b813..6fa4d92a72 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md 
@@ -63,9 +63,9 @@ The following table contains information about the events that you can use to de | 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| | 8025 | Warning| Packaged app installation disabled.| Added in Windows Server 2012 and Windows 8.| | 8027 | Warning| No Packaged app rule configured.| Added in Windows Server 2012 and Windows 8.| -  + ## Related topics - [Tools to use with AppLocker](tools-to-use-with-applocker.md) -  -  + + diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index e51beed650..3583e3fd1b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md 
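Review bot: the tail of the @@ -63,9 +63,9 @@ hunk in using-event-viewer-with-applocker.md replaces the two NBSP-only lines after the Related topics link (`-  -  `) with two empty lines (`+ +`), which leaves two blank lines at end of file; trim to a single trailing newline instead, since most markdown linters flag multiple trailing blank lines and the NBSP lines were only ever padding. The same end-of-file pattern recurs in the @@ -187,9 +187,9 @@ hunk of what-is-applocker.md and the @@ -38,9 +38,9 @@ hunk of windows-installer-rules-in-applocker.md and should get the same treatment.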
@@ -34,7 +34,7 @@ You might want to deploy application control policies in Windows operating syste SRP and AppLocker use Group Policy for domain management. However, when policies are generated by SRP and AppLocker exist in the same domain, and they are applied through Group Policy, AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. For info about how inheritance in Group Policy applies to AppLocker policies and policies generated by SRP, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). >**Important:**  As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO. -  + The following scenario provides an example of how each type of policy would affect a bank teller software app, where the app is deployed on different Windows desktop operating systems and managed by the Tellers GPO. | Operating system | Tellers GPO with AppLocker policy | Tellers GPO with SRP | Tellers GPO with AppLocker policy and SRP | 
@@ -42,9 +42,9 @@ The following scenario provides an example of how each type of policy would affe | Windows 10, Windows 8.1, Windows 8,and Windows 7 | AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.| Local AppLocker policies supersede policies generated by SRP that are applied through the GPO. | AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.| | Windows Vista| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| | Windows XP| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| -  + >**Note:**  For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md). -  + ## Test and validate SRPs and AppLocker policies that are deployed in the same environment Because SRPs and AppLocker policies function differently, they should not be implemented in the same GPO. This makes testing the result of the policy straightforward, which is critical to successfully controlling application usage in the organization. Configuring a testing and policy distribution system can help you understand the result of a policy. The effects of policies generated by SRP and AppLocker policies need to be tested separately and by using different tools. 
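Review bot: the context rows of the table in the @@ -42,9 +42,9 @@ hunk of using-software-restriction-policies-and-applocker-policies.md carry typos this whitespace pass could fix at the same time: `Windows 8,and Windows 7` is missing a space after the comma, and in the Windows Vista row `supersede local policies generated by SRP.AppLocker policies are not applied.` is missing a space after the period. The Vista and Windows XP rows also end one cell with `AppLocker policies not applied.` while the neighbouring cell says `AppLocker policies are not applied.`; use the same wording in both.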
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index 724967ce85..a3c525fbfa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -20,7 +20,7 @@ ms.date: 09/21/2017 # What Is AppLocker? **Applies to** - - Windows 10 + - Windows 10 - Windows Server This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. @@ -118,8 +118,8 @@ The following table compares AppLocker to Software Restriction Policies. -  -**Application control function differences** + +Application control function differences The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker. @@ -138,14 +138,13 @@ The following table compares the application control functions of Software Restr - - + @@ -177,7 +176,7 @@ The following table compares the application control functions of Software Restr - + @@ -187,9 +186,9 @@ The following table compares the application control functions of Software Restr

                                                              Operating system scope

                                                              SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.

                                                              AppLocker policies apply only to those supported operating system versions and editions listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). But these systems can also use SRP.

                                                              +

                                                              SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.

                                                              AppLocker policies apply only to those supported operating system versions and editions listed in Requirements to use AppLocker. But these systems can also use SRP.

                                                              -Note   -

                                                              Use different GPOs for SRP and AppLocker rules.

                                                              +Note

                                                              Use different GPOs for SRP and AppLocker rules.

                                                              -  +

                                                              Manage all software on the computer

                                                              All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user's device, except software that is installed in the Windows folder, Program Files folder, or subfolders.

                                                              All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user's device, except software that is installed in the Windows folder, Program Files folder, or subfolders.

                                                              Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.

                                                              -  + ## Related topics - [AppLocker technical reference](applocker-technical-reference.md) -  -  + + diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md index 6e79e9bc8e..a853be9f44 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md @@ -38,9 +38,9 @@ The purpose of this collection is to allow you to control the installation of fi | Allow members of the local Administrators group to run all Windows Installer files| (Default Rule) All Windows Installer files| BUILTIN\Administrators| Path: *| | Allow all users to run Windows Installer files that are digitally signed | (Default Rule) All digitally signed Windows Installer files| Everyone| Publisher: * (all signed files)| | Allow all users to run Windows Installer files that are located in the Windows Installer folder | (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer| Everyone| Path: %windir%\Installer\*| -  + ## Related topics - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) -  -  + + diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 4a6cab1938..c899126846 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -38,7 +38,7 @@ This topic for IT professionals describes AppLocker rule types and how to work w | [Enable the DLL rule collection](enable-the-dll-rule-collection.md) | This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.| | [Enforce AppLocker rules](enforce-applocker-rules.md) | This topic for IT professionals describes how to enforce application control rules by using AppLocker.| | [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) | This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.| -  + The three AppLocker enforcement modes are described in the following table. The enforcement mode setting defined here can be overwritten by the setting derived from a linked Group Policy Object (GPO) with a higher precedence. | Enforcement mode | Description | @@ -59,7 +59,7 @@ The AppLocker console is organized into rule collections, which are executable f | Windows Installer files | .msi
                                                              .msp
                                                              .mst| | Packaged apps and packaged app installers | .appx| | DLL files | .dll
                                                              .ocx| -  + >**Important:**  If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps. When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. @@ -67,7 +67,7 @@ When DLL rules are used, AppLocker must check each DLL that an application loads The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections). EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it is a valid PE file. -  + ## Rule conditions Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash. 
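Review bot: the only change in the @@ -59,7 +59,7 @@ hunk of working-with-applocker-rules.md is the NBSP-only line, but the context line `>**Important:**  If you use DLL rules` still carries two non-breaking spaces after the label and no space after `>`, while the @@ -80,14 +80,14 @@ hunk later in the same file rewrites its callouts as `> **Note:** ...`. Since the purpose of the patch is to strip these NBSP characters, apply the same label normalization to every `>**Note:**`, `>**Important:**` and `>**Caution:**` line the diff touches, so one file does not end up with two callout styles.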
@@ -80,14 +80,14 @@ Rule conditions are criteria that help AppLocker identify the apps to which the This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. In case of executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. In case of packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package. ->**Note:**  Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers. -  ->**Note:**  Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files. -  +> **Note:** Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers. +> +> **Note:** Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files. + When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving the slider up or by using a wildcard character (\*) in the product, file name, or version number fields. 
>**Note:**  To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider. -  + The **File version** and **Package version** control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options: - **Exactly.** The rule applies only to this version of the app @@ -124,9 +124,9 @@ The following table details these path variables. | Program Files| %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)% | | Removable media (for example, a CD or DVD)| %REMOVABLE%| | | Removable storage device (for example, a USB flash drive)| %HOT% | | -  + >**Important:**  Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile. -  + ### File hash When you choose the file hash rule condition, the system computes a cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash will change. As a result, you must manually update file hash rules. 
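Review bot: the @@ -80,14 +80,14 @@ hunk of working-with-applocker-rules.md merges two independent notes into a single blockquote separated by a bare `>` line (`> **Note:** Rules created in the packaged apps ...`, then `>`, then `> **Note:** Use a publisher rule condition ...`), so they render as one callout holding two paragraphs that both begin with "Note:". Either keep them as two blockquotes separated by an empty line, which is how the `>**Note:**  To enter custom values` callout immediately below still appears, or drop the second label. The @@ -172,10 +172,10 @@ hunk does the same with the two `**Important:**` callouts and should be handled the same way.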
@@ -172,10 +172,10 @@ A rule can be configured to use allow or deny actions: - **Allow.** You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. - **Deny.** You can specify which files are *not* allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. ->**Important:**  For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented. -  ->**Important:**  If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection. -  +> **Important:** For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented. +> +> **Important:** If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection. 
+ ## Rule exceptions You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it does not allow anyone to run Registry Editor. @@ -196,7 +196,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum 4. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**. >**Important:**  Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps. -   + ## AppLocker wizards You can create rules by using two AppLocker wizards: diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index d92ef46513..6cfc8124c0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md 
@@ -27,31 +27,31 @@ Before you begin this process, you need to create a WDAC policy binary file. If **To audit a Windows Defender Application Control policy with local policy:** -1. Before you begin, find the *.bin policy file , for example, the DeviceGuardPolicy.bin. Copy the file to C:\\Windows\\System32\\CodeIntegrity. +1. Before you begin, find the *.bin policy file , for example, the DeviceGuardPolicy.bin. Copy the file to C:\\Windows\\System32\\CodeIntegrity. -2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**. +2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**. - > [!Note] + > [!Note] + > + > - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a policy that allows viruses or malware to run. + > + > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor. - > - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a policy that allows viruses or malware to run. - - > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor. - -3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. +3. 
Navigate to **Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. - > [!Note] - - > - You can copy the WDAC policies to a file share to which all computer accounts have access rather than copy them to every system. - - > - You might have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped onto the computers running Windows 10. We recommend that you make your WDAC policy names friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository. + > [!Note] + > + > - You can copy the WDAC policies to a file share to which all computer accounts have access rather than copy them to every system. + > + > - You might have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped onto the computers running Windows 10. We recommend that you make your WDAC policy names friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository. ![Group Policy called Deploy Windows Defender Application Control](images/dg-fig22-deploycode.png) Figure 1. Deploy your Windows Defender Application Control policy -4. Restart the reference system for the WDAC policy to take effect. +4. Restart the reference system for the WDAC policy to take effect. -5. 
Use the system as you normally would, and monitor code integrity events in the event log. While in audit mode, any exception to the deployed WDAC policy will be logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log, as shown in Figure 2. +5. Use the system as you normally would, and monitor code integrity events in the event log. While in audit mode, any exception to the deployed WDAC policy will be logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log, as shown in Figure 2. ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png) 
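Review bot: step 1 of the @@ -27,31 +27,31 @@ hunk in audit-windows-defender-application-control-policies.md is rewritten only for trailing whitespace and keeps the stray space before the comma in `find the *.bin policy file , for example, the DeviceGuardPolicy.bin`; since the line is already in the diff, fix it to `*.bin policy file, for example`. Restructuring the two callouts into `> [!Note]` blocks with `>` continuation lines is the right fix: the previous form, with an unquoted blank line between the bullets, split each callout into separate blockquotes.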
@@ -69,30 +69,30 @@ Use the following procedure after you have been running a computer with a WDAC p -1. Review the audit information in the event log. From the WDAC policy exceptions that you see, make a list of any applications that should be allowed to run in your environment, and decide on the file rule level that should be used to trust these applications. +1. Review the audit information in the event log. From the WDAC policy exceptions that you see, make a list of any applications that should be allowed to run in your environment, and decide on the file rule level that should be used to trust these applications. - Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of them. For information about file rule levels, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md) in "Deploy Windows Defender Application Control: policy rules and file rules." + Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of them. For information about file rule levels, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md) in "Deploy Windows Defender Application Control: policy rules and file rules." - Your event log might also contain exceptions for applications that you eventually want your WDAC policy to block. If these appear, make a list of these also, for a later step in this procedure. + Your event log might also contain exceptions for applications that you eventually want your WDAC policy to block. If these appear, make a list of these also, for a later step in this procedure. -2. In an elevated Windows PowerShell session, initialize the variables that will be used. The example filename shown here is **DeviceGuardAuditPolicy.xml**: +2. In an elevated Windows PowerShell session, initialize the variables that will be used. 
The example filename shown here is **DeviceGuardAuditPolicy.xml**: - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + ` $CIPolicyPath=$env:userprofile+"\Desktop\"` - ` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` + ` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` -3. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. +3. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. - ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` + ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` - > [!Note] - > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. + > [!Note] + > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. -4. Find and review the WDAC audit policy .xml file that you created. 
If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: +4. Find and review the WDAC audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: - - Any applications that were caught as exceptions, but should be allowed to run in your environment. These are applications that should be in the .xml file. Leave these as-is in the file. + - Any applications that were caught as exceptions, but should be allowed to run in your environment. These are applications that should be in the .xml file. Leave these as-is in the file. - - Any applications that actually should not be allowed to run in your environment. Edit these out of the .xml file. If they remain in the .xml file, and the information in the file is merged into your existing WDAC policy, the policy will treat the applications as trusted, and allow them to run. + - Any applications that actually should not be allowed to run in your environment. Edit these out of the .xml file. If they remain in the .xml file, and the information in the file is merged into your existing WDAC policy, the policy will treat the applications as trusted, and allow them to run. You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](#merge-windows-defender-application-control-policies). diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 2480d774a1..b9905868db 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md 
@@ -38,35 +38,35 @@ You can remove or disable such software on the reference computer. To create a WDAC policy, copy each of the following commands into an elevated Windows PowerShell session, in order: -1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created: +1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created: - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + ` $CIPolicyPath=$env:userprofile+"\Desktop\"` - ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` + ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` -2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications: +2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications: - ```powershell - New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt - ``` + ```powershell + New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt + ``` - > [!Note] - - > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. 
If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. - - > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md). + > [!Note] + > + > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. + > + > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md). + > + > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned. + > + > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. 
- > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned. - - > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. +3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: -3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: - - ```powershell - ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin - ``` + ```powershell + ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin + ``` After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md index ef0401578e..abaa31c6ff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md @@ -88,8 +88,8 @@ You can use the following form to construct your own WDAC planning document. -  -**Rules** + +Rules @@ -130,8 +130,8 @@ You can use the following form to construct your own WDAC planning document.
                                                              -  -**Event processing** + +Event processing @@ -160,8 +160,8 @@ You can use the following form to construct your own WDAC planning document.
                                                              -  -**Policy maintenance** + +Policy maintenance @@ -191,7 +191,7 @@ You can use the following form to construct your own WDAC planning document.
                                                              -  + ### Example of a WDAC planning document **Rules** @@ -272,7 +272,7 @@ You can use the following form to construct your own WDAC planning document.

                                                              Internet Explorer 7

                                                              -

                                                              C:\Program Files\Internet Explorer\

                                                              +

                                                              C:\Program Files\Internet Explorer</p>

                                                              File is signed; create a publisher condition

                                                              Deny

                                                              @@ -292,8 +292,8 @@ You can use the following form to construct your own WDAC planning document. -  -**Event processing** + +Event processing @@ -329,8 +329,8 @@ You can use the following form to construct your own WDAC planning document.
                                                              -  -**Policy maintenance** + +Policy maintenance @@ -374,9 +374,9 @@ You can use the following form to construct your own WDAC planning document.
                                                              -  + ### Additional resources - [Windows Defender Application Control](windows-defender-application-control.md) -  -  + + diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 1bc99cc9f5..98d3710250 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -45,7 +45,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must > [!NOTE] > Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer. -   + 3. Copy the installation media to the local drive (typically drive C). By copying the installation media to the local drive, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future WDAC policy may allow the application to run but not to be installed. 
@@ -114,31 +114,31 @@ To sign a catalog file you generated by using PackageInspector.exe, you need the To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session. -1. Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed: +1. Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed: - ` $ExamplePath=$env:userprofile+"\Desktop"` + ` $ExamplePath=$env:userprofile+"\Desktop"` - ` $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` + ` $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` -2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. +2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. -3. Sign the catalog file with Signtool.exe: +3. Sign the catalog file with Signtool.exe: - ` sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName` + ` sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName` - > **Note**  The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file. + > **Note**  The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file. 
+ > + > **Note**  For additional information about Signtool.exe and all additional switches, visit the [Sign Tool page](https://docs.microsoft.com/dotnet/framework/tools/signtool-exe). + +4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1. - > **Note**  For additional information about Signtool.exe and all additional switches, visit the [Sign Tool page](https://docs.microsoft.com/dotnet/framework/tools/signtool-exe). -   -4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1. + ![Digital Signature list in file Properties](images/dg-fig12-verifysigning.png) - ![Digital Signature list in file Properties](images/dg-fig12-verifysigning.png) + Figure 1. Verify that the signing certificate exists - Figure 1. Verify that the signing certificate exists +5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}. -5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}. - - For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as System Center Configuration Manager. Doing this also simplifies the management of catalog versions. + For testing purposes, you can manually copy signed catalog files to their intended folder. 
For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as System Center Configuration Manager. Doing this also simplifies the management of catalog versions. ## Add a catalog signing certificate to a Windows Defender Application Control policy 
@@ -165,44 +165,44 @@ To simplify the management of catalog files, you can use Group Policy preference **To deploy a catalog file with Group Policy:** -1. From either a domain controller or a client computer that has Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC) by running **GPMC.MSC** or by searching for Group Policy Management. +1. From either a domain controller or a client computer that has Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC) by running **GPMC.MSC** or by searching for Group Policy Management. -2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 2. +2. Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 2. - > [!NOTE] - > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate). + > [!NOTE] + > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate). ![Group Policy Management, create a GPO](images/dg-fig13-createnewgpo.png) Figure 2. Create a new GPO -3. Give the new GPO a name, for example, **Contoso DG Catalog File GPO Test**, or any name you prefer. +3. Give the new GPO a name, for example, **Contoso DG Catalog File GPO Test**, or any name you prefer. -4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. +4. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. -5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 3. 
+5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 3. - ![Group Policy Management Editor, New File](images/dg-fig14-createnewfile.png) + ![Group Policy Management Editor, New File](images/dg-fig14-createnewfile.png) - Figure 3. Create a new file + Figure 3. Create a new file -6. Configure the catalog file share. +6. Configure the catalog file share. - To use this setting to provide consistent deployment of your catalog file (in this example, LOBApp-Contoso.cat), the source file should be on a share that is accessible to the computer account of every deployed computer. This example uses a share (on a computer running Windows 10) called \\\\Contoso-Win10\\Share. The catalog file being deployed is copied to this share. + To use this setting to provide consistent deployment of your catalog file (in this example, LOBApp-Contoso.cat), the source file should be on a share that is accessible to the computer account of every deployed computer. This example uses a share (on a computer running Windows 10) called \\\\Contoso-Win10\\Share. The catalog file being deployed is copied to this share. -7. To keep versions consistent, in the **New File Properties** dialog box (Figure 4), select **Replace** from the **Action** list so that the newest version is always used. +7. To keep versions consistent, in the **New File Properties** dialog box (Figure 4), select **Replace** from the **Action** list so that the newest version is always used. - ![File Properties, Replace option](images/dg-fig15-setnewfileprops.png) + ![File Properties, Replace option](images/dg-fig15-setnewfileprops.png) - Figure 4. Set the new file properties + Figure 4. Set the new file properties -8. In the **Source file(s)** box, type the name of your accessible share, with the catalog file name included (for example, \\\\Contoso-Win10\\share\\LOBApp-Contoso.cat). +8. 
In the **Source file(s)** box, type the name of your accessible share, with the catalog file name included (for example, \\\\Contoso-Win10\\share\\LOBApp-Contoso.cat). -9. In the **Destination File** box, type a path and file name, for example: +9. In the **Destination File** box, type a path and file name, for example: - **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\LOBApp-Contoso.cat** + **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\LOBApp-Contoso.cat** - For the catalog file name, use the name of the catalog you are deploying. + For the catalog file name, use the name of the catalog you are deploying. 10. On the **Common** tab of the **New File Properties** dialog box, select the **Remove this item when it is no longer applied** option. Doing this ensures that the catalog file is removed from every system, in case you ever need to stop trusting this application. diff --git a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md index cb1c175489..6a6df72992 100644 --- a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md +++ b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md 
@@ -29,8 +29,8 @@ This planning topic describes the Windows Defender Application Control (WDAC) po To complete this planning document, you should first complete the following steps: -3. [Select the types of rules to create](select-types-of-rules-to-create.md) -5. [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) +3. [Select the types of rules to create](select-types-of-rules-to-create.md) +4. [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) The three key areas to determine for WDAC policy management are: @@ -124,7 +124,7 @@ The following table contains the added sample data that was collected when deter

                                                              Internet Explorer 7

                                                              -

                                                              C:\Program Files\Internet Explorer\

                                                              +

                                                              C:\Program Files\Internet Explorer</p>

                                                              File is signed; create a publisher condition

                                                              Deny

                                                              @@ -144,7 +144,7 @@ The following table contains the added sample data that was collected when deter -  + The following two tables illustrate examples of documenting considerations to maintain and manage WDAC policies. **Event processing policy** @@ -187,8 +187,8 @@ The following table is an example of what to consider and record. -  -**Policy maintenance policy** + +Policy maintenance policy When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies. The following table is an example of what to consider and record. @@ -233,7 +233,7 @@ The following table is an example of what to consider and record.
                                                              -  + ## Next steps After you determine your application control management strategy for each business group, [create your WDAC planning document](create-your-windows-defender-application-control-planning-document.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 589507b72d..3ae5f202a5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md 
@@ -26,18 +26,18 @@ Every WDAC policy is created with audit mode enabled. After you have successfull > [!Note] > Every WDAC policy should be tested in audit mode first. For information about how to audit WDAC policies, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md), earlier in this topic. -1. Initialize the variables that will be used: +1. Initialize the variables that will be used: - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + ` $CIPolicyPath=$env:userprofile+"\Desktop\"` - ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" ` + ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" ` - ` $EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"` + ` $EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"` - ` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` + ` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` - > [!Note] - > The initial WDAC policy that this section refers to was created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are using a different WDAC policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. + > [!Note] + > The initial WDAC policy that this section refers to was created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are using a different WDAC policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. 2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the WDAC policy blocks a kernel-mode driver from running. 
When ready for enterprise deployment, you can remove these options. @@ -47,19 +47,19 @@ Every WDAC policy is created with audit mode enabled. After you have successfull ` Set-RuleOption -FilePath $InitialCIPolicy -Option 10` -3. Copy the initial file to maintain an original copy: +3. Copy the initial file to maintain an original copy: - ` copy $InitialCIPolicy $EnforcedCIPolicy` + ` copy $InitialCIPolicy $EnforcedCIPolicy` -4. Use Set-RuleOption to delete the audit mode rule option: +4. Use Set-RuleOption to delete the audit mode rule option: - ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete` + ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete` - > [!Note] - > To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy. + > [!Note] + > To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy. -5. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary format: +5. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary format: - ` ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin` + ` ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin` Now that this policy is in enforced mode, you can deploy it to your test computers. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). You can also use other client management software to deploy and manage the policy. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index 78868ff6b2..8fb9a6ccaf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -27,7 +27,7 @@ This topic for IT professionals describes concepts and lists procedures to help Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. With packaged apps, it is possible to control the entire app by using a single WDAC rule. -  + Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, these components don't always share common attributes such as the software’s publisher name, product name, and product version. Therefore, WDAC controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule. ### Comparing classic Windows Apps and Packaged Apps 
@@ -106,30 +106,30 @@ Below are the list of steps you can follow to block one or more packaged apps in ```powershell Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = "C:\compiledpolicy.bin"} ``` -### Blocking Packaged Apps Which Are Not Installed on the System + ### Blocking Packaged Apps Which Are Not Installed on the System If the app you intend to block is not installed on the system you are using the WDAC PowerShell cmdlets on, then follow the steps below: -1. Create a dummy rule using Steps 1-5 in the Blocking Packaged Apps Which Are Installed on the System section above +1. Create a dummy rule using Steps 1-5 in the Blocking Packaged Apps Which Are Installed on the System section above -2. Navigate to the app you want to block on the Store website +2. Navigate to the app you want to block on the Store website 3. Copy the GUID in the URL for the app - Example: the GUID for the Microsoft To-Do app is 9nblggh5r558 - https://www.microsoft.com/en-us/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab -4. Use the GUID in the following REST query URL to retrieve the identifiers for the app - - Example: for the Microsoft To-Do app, the URL would be https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata - - The URL will return: +4. 
Use the GUID in the following REST query URL to retrieve the identifiers for the app + - Example: for the Microsoft To-Do app, the URL would be https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata + - The URL will return: ``` { "packageFamilyName": "Microsoft.Todos_8wekyb3d8bbwe", - "packageIdentityName": "Microsoft.Todos", - "windowsPhoneLegacyId": "6088f001-776c-462e-984d-25b6399c6607", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + "packageIdentityName": "Microsoft.Todos", + "windowsPhoneLegacyId": "6088f001-776c-462e-984d-25b6399c6607", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" } ``` -5. Use the value returned by the query URL for the packageFamilyName to replace the package name generated earlier in the dummy rule from Step 1. +5. Use the value returned by the query URL for the packageFamilyName to replace the package name generated earlier in the dummy rule from Step 1. ## Allowing Packaged Apps The method for allowing specific packaged apps is similar to the method outlined above for blocking packaged apps, with the only difference being the parameter to the New-CIPolicyRule cmdlet. diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index 99037fc767..dd55f99c21 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md 
@@ -28,28 +28,28 @@ Because each computer running Windows 10 can have only one WDAC policy, you will To merge two WDAC policies, complete the following steps in an elevated Windows PowerShell session: -1. Initialize the variables that will be used: +1. Initialize the variables that will be used: - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + ` $CIPolicyPath=$env:userprofile+"\Desktop\"` - ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` + ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - ` $AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` + ` $AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` - ` $MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"` + ` $MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"` - ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"` + ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"` - > [!Note] - > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly. + > [!Note] + > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly. -2. Use [Merge-CIPolicy](https://docs.microsoft.com/powershell/module/configci/merge-cipolicy) to merge two policies and create a new WDAC policy: +2. Use [Merge-CIPolicy](https://docs.microsoft.com/powershell/module/configci/merge-cipolicy) to merge two policies and create a new WDAC policy: - ` Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy` + ` Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy` -3. 
Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the merged WDAC policy to binary format: +3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the merged WDAC policy to binary format: - ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin ` + ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin ` Now that you have created a new WDAC policy, you can deploy the policy binary to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md index a2ab14b8d2..cc6289cb8a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md +++ b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md 
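Review bot: The `-`/`+` pairs in the merge-windows-defender-application-control-policies hunk differ only in whitespace, so while these lines are being touched the five variable assignments and the two cmdlet calls would read better as one fenced ```powershell block (the convention the packaged-apps topic in this same commit uses) instead of single-backtick lines with a space inside the backticks such as ` $CIPolicyPath=$env:userprofile+"\Desktop\"`, which copy a leading space into the console. A content point: the procedure goes straight from `ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin` to "you can deploy the policy binary", and one of the inputs is the audit policy DeviceGuardAuditPolicy.xml; add a step that opens MergedPolicy.xml and confirms the rule options of the merged result (enforcement mode included) before the binary is pushed with Group Policy.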
@@ -41,47 +41,47 @@ To sign a WDAC policy with SignTool.exe, you need the following components: If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: -1. Initialize the variables that will be used: +1. Initialize the variables that will be used: - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + ` $CIPolicyPath=$env:userprofile+"\Desktop\"` - ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` + ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` > [!Note] > This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. -2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). +2. Import the .pfx code signing certificate. 
Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). -3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. +3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. -4. Navigate to your desktop as the working directory: +4. Navigate to your desktop as the working directory: - ` cd $env:USERPROFILE\Desktop ` + ` cd $env:USERPROFILE\Desktop ` -5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: +5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: - ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` + ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` > [!Note] > should be the full path to the certificate that you exported in step 3. - Also, adding update signers is crucial to being able to modify or disable this policy in the future. + Also, adding update signers is crucial to being able to modify or disable this policy in the future. -6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: +6. 
Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: - ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` + ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` -7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: +7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: - ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` + ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` -8. Sign the WDAC policy by using SignTool.exe: +8. Sign the WDAC policy by using SignTool.exe: - ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` + ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` > [!Note] > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). +9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. 
For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 3c99e01b7e..5f6b6c7849 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -60,7 +60,7 @@ Most organizations have evolved app control policies and methods over time. With | Managed usage by group or OU | Using WDAC requires a complete app control policy evaluation and implementation.| | Authorization Manager or other role-based access technologies | Using WDAC requires a complete app control policy evaluation and implementation.| | Other | Using WDAC requires a complete app control policy evaluation and implementation.| -  + ### Are there specific groups in your organization that need customized application control policies? Most business groups or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. 
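Review bot: In the signing-policies-with-signtool hunk two commands are incomplete as shown. Step 5's `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` has no value after `-CertificatePath`, and the note under it reads "> should be the full path to the certificate that you exported in step 3" with its subject missing, so the `<Path to exported .cer certificate>` placeholder has evidently been eaten as an HTML tag; escape it or put it in backticks in both places. Step 8's `sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` starts at `sign` rather than with the `<Path to signtool.exe>` the note below it refers to, same cause and same fix. Also replace the en dash in `–Update` with an ASCII hyphen so the line copies cleanly, and give step 9 ("Validate the signed file") something concrete to check, at minimum that DeviceGuardPolicy.bin.p7 was produced on the desktop. Since the `-`/`+` pairs here differ only in whitespace, this is the moment to fix them.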
@@ -69,7 +69,7 @@ Most business groups or departments have specific security requirements that per | - | - | | Yes | For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.
                                                              If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply WDAC rules in a GPO to specific user groups.| | No | WDAC policies can be applied globally to applications that are installed on PCs running Windows 10. Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.| -  + ### Does your IT department have resources to analyze application usage, and to design and manage the policies? The time and resources that are available to you to perform the research and analysis can affect the detail of your plan and processes for continuing policy management and maintenance. @@ -78,7 +78,7 @@ The time and resources that are available to you to perform the research and ana | - | - | | Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.| | No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. | -  + ### Does your organization have Help Desk support? Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered. 
@@ -88,7 +88,7 @@ Preventing your users from accessing known, deployed, or personal applications w | Yes | Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications. | | No | Invest time in developing online support processes and documentation before deployment. | -  + ### Do you know what applications require restrictive policies? Any successful application control policy implementation is based on your knowledge and understanding of app usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the apps that access that data. @@ -96,7 +96,7 @@ Any successful application control policy implementation is based on your knowle | - | - | | Yes | You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies. | | No | You will have to perform an audit and requirements gathering project to discover the application usage. WDAC provides the means to deploy policies in audit mode.| -  + ### How do you deploy or sanction applications (upgraded or new) in your organization? Implementing a successful application control policy is based on your knowledge and understanding of application usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the applications that access that data. Understanding the upgrade and deployment policy will help shape the construction of the application control policies. 
@@ -106,7 +106,7 @@ Implementing a successful application control policy is based on your knowledge | Ad hoc | You need to gather requirements from each group. Some groups might want unrestricted access or installation, while other groups might want strict controls.| | Strict written policy or guidelines to follow | You need to develop WDAC rules that reflect those policies, and then test and maintain the rules. | | No process in place | You need to determine if you have the resources to develop an application control policy, and for which groups. | -  + ### What are your organization's priorities when implementing application control policies? Some organizations will benefit from application control policies as shown by an increase in productivity or conformance, while others will be hindered in performing their duties. Prioritize these aspects for each group to allow you to evaluate the effectiveness of WDAC. 
@@ -116,7 +116,7 @@ Some organizations will benefit from application control policies as shown by an | Productivity: The organization assures that tools work and required applications can be installed. | To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. | | Management: The organization is aware of and controls the apps it supports. | In some business groups, application usage can be managed from a central point of control. WDAC policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps| | Security: The organization must protect data in part by ensuring that only approved apps are used. | WDAC can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.| -  + ### How are apps currently accessed in your organization? WDAC is very effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, WDAC can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. Large organizations also benefit from WDAC policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a small number of rules. 
@@ -126,7 +126,7 @@ WDAC is very effective for organizations that have application restriction requi | Users run without administrative rights. | Apps are installed by using an installation deployment technology.| | WDAC can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using WDAC to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.
                                                              **Note: **WDAC can also be effective in helping create standardized desktops in organizations where users run as administrators. | Users must be able to install applications as needed. | Users currently have administrator access, and it would be difficult to change this.|Enforcing WDAC rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using WDAC or to implement the audit only enforcement setting.| -  + ### Is the structure in Active Directory Domain Services based on the organization's hierarchy? Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. @@ -136,7 +136,7 @@ Because the effectiveness of application control policies is dependent on the ab | - | - | | Yes | WDAC rules can be developed and implemented through Group Policy, based on your AD DS structure.| | No | The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer.| -  + ## Record your findings The next step in the process is to record and analyze your answers to the preceding questions. If WDAC is the right solution for your goals, you can set your application control policy objectives and plan your WDAC rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index f3425b674f..363c9d9fe3 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md 
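Review bot: In the @@ -126 hunk of understand-windows-defender-application-control-policy-design-decisions.md the table cell reads `**Note: **WDAC can also be effective in helping create standardized desktops…`; with a space before the closing `**`, Markdown does not close the emphasis and the asterisks render literally. Move the space outside the markers: `**Note:** WDAC can also be effective…`. The remaining hunks in this file only swap a line holding a non-breaking space for an empty line, which is fine, but the long run of spaces in front of **Note** in that same cell (and in the @@ -69 cell before "If your GPO structure…") indicates an in-cell line break that should be checked in the rendered table.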
@@ -43,47 +43,47 @@ To sign a WDAC policy with SignTool.exe, you need the following components: If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: -1. Initialize the variables that will be used: +1. Initialize the variables that will be used: - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + ` $CIPolicyPath=$env:userprofile+"\Desktop\"` - ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` + ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` > [!Note] > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. -2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). +2. Import the .pfx code signing certificate. 
Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). -3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. +3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. -4. Navigate to your desktop as the working directory: +4. Navigate to your desktop as the working directory: - ` cd $env:USERPROFILE\Desktop ` + ` cd $env:USERPROFILE\Desktop ` -5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: +5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: - ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` + ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` > [!Note] > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. - Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Disable signed Windows Defender Application Control policies within Windows](disable-windows-defender-application-control-policies.md#disable-signed-windows-defender-application-control-policies-within-windows). 
+ Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Disable signed Windows Defender Application Control policies within Windows](disable-windows-defender-application-control-policies.md#disable-signed-windows-defender-application-control-policies-within-windows). -6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: +6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: - ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` + ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` -7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: +7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: - ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` + ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` -8. Sign the WDAC policy by using SignTool.exe: +8. Sign the WDAC policy by using SignTool.exe: - ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` + ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` > [!Note] > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. 
You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). +9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index e9fb2f079a..38cfd605db 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -28,24 +28,24 @@ This topic provides a roadmap for planning and getting started on the Windows De 3. Review how much variety in software and hardware is needed by roles or departments. The following questions can help you clarify how many WDAC policies to create: - - How standardized is the hardware?
                                                              This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment. + - How standardized is the hardware?
                                                              This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment. - - What software does each department or role need? Should they be able to install and run other departments’ software?
                                                              If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management. + - What software does each department or role need? Should they be able to install and run other departments’ software?
                                                              If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management. - - Are there departments or roles where unique, restricted software is used?
                                                              If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy. + - Are there departments or roles where unique, restricted software is used?
                                                              If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy. - - Is there already a list of accepted applications?
                                                              A list of accepted applications can be used to help create a baseline WDAC policy.
                                                              As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). + - Is there already a list of accepted applications?
                                                              A list of accepted applications can be used to help create a baseline WDAC policy.
                                                              As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). - - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? - In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. + - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? + In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. - Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC. + Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC. 
- For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your WDAC policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used. + For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your WDAC policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used. - Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Microsoft recommended block rules](microsoft-recommended-block-rules.md). + Security professionals collaborate with Microsoft continuously to help protect customers. 
With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Microsoft recommended block rules](microsoft-recommended-block-rules.md). -4. Identify LOB applications that are currently unsigned. Although requiring signed code (through WDAC) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. +4. Identify LOB applications that are currently unsigned. Although requiring signed code (through WDAC) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. ## Getting started on the deployment process diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md index 853e46ebd3..44ff0aa926 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md 
@@ -32,6 +32,6 @@ This guide covers design and planning for Windows Defender Application Control ( | [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. | | [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. | | [Create your WDAC planning document](create-your-windows-defender-application-control-planning-document.md) | This planning topic summarizes the information you need to research and include in your planning document. | -  + After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies. -  + diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 0c54d99eb4..f6904fc6f0 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md 
@@ -29,11 +29,11 @@ These settings, located at **Computer Configuration\Administrative Templates\Net >You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. -|Policy name|Supported versions|Description| -|-----------|------------------|-----------| -|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| -|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. | -|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. 
Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.| +| Policy name | Supported versions | Description | +|-------------------------------------------------|--------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. | +| Enterprise resource domains hosted in the cloud | At least Windows Server 2012, Windows 8, or Windows RT | A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. | +| Domains categorized as both work and personal | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of domain names used as both work or personal resources. 
Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. | ## Application-specific settings These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard. diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 3ae6d372a3..8a0d017824 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md 
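Review bot: the rewritten "Enterprise resource domains hosted in the cloud" row in configure-wd-app-guard.md carries the typo `.constoso.com` over from the old version; since the row is being rewritten anyway, correct it to `.contoso.com` so the example matches the `subdomain1.contoso.com` / `subdomain2.contoso.com` names it is meant to illustrate. The "Private network ranges for apps" row also keeps a stray comma in "endpoints that are included within a specified IP address range, are rendered"; drop it. One more style point: padding every column to the widest description cell means any future one-word change to a description turns into a whole-table diff, so the unpadded form the file had before is easier to maintain.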
@@ -22,65 +22,84 @@ Answering frequently asked questions about Windows Defender Application Guard (A ## Frequently Asked Questions -| | | -|---|----------------------------| -|**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?| -|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | -||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. | -||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.| -||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.| +| | | +|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Can I enable Application Guard on machines equipped with 4GB RAM? | +| **A:** | We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | +| | HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. | +| | HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB. | +| | HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| -|**A:** |In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.

                                                              In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.| + +| | | +|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Can employees download documents from the Application Guard Edge session onto host devices? | +| **A:** | In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.

                                                              In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?| -|**A:** |Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.| + +| | | +|--------|------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Can employees copy and paste between the host device and the Application Guard Edge session? | +| **A:** | Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?| -|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.| + +| | | +|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Why don't employees see their Favorites in the Application Guard Edge session? | +| **A:** | To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?| -|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.| + +| | | +|--------|---------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Why aren’t employees able to see their Extensions in the Application Guard Edge session? | +| **A:** | Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |How do I configure WDAG to work with my network proxy (IP-Literal Addresses)?| -|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher.| + +| | | +|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | How do I configure WDAG to work with my network proxy (IP-Literal Addresses)? | +| **A:** | WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |Which Input Method Editors (IME) in 19H1 are not supported?| -|**A:** |The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in WDAG.
                                                              Vietnam Telex keyboard
                                                              Vietnam number key-based keyboard
                                                              Hindi phonetic keyboard
                                                              Bangla phonetic keyboard
                                                              Marathi phonetic keyboard
                                                              Telugu phonetic keyboard
                                                              Tamil phonetic keyboard
                                                              Kannada phonetic keyboard
                                                              Malayalam phonetic keyboard
                                                              Gujarati phonetic keyboard
                                                              Odia phonetic keyboard
                                                              Punjabi phonetic keyboard| + +| | | +|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Which Input Method Editors (IME) in 19H1 are not supported? | +| **A:** | The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in WDAG.
                                                              Vietnam Telex keyboard
                                                              Vietnam number key-based keyboard
                                                              Hindi phonetic keyboard
                                                              Bangla phonetic keyboard
                                                              Marathi phonetic keyboard
                                                              Telugu phonetic keyboard
                                                              Tamil phonetic keyboard
                                                              Kannada phonetic keyboard
                                                              Malayalam phonetic keyboard
                                                              Gujarati phonetic keyboard
                                                              Odia phonetic keyboard
                                                              Punjabi phonetic keyboard | +
                                                              -| | | -|---|----------------------------| -|**Q:** |I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?| -|**A:** |This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature.| + +| | | +|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? | +| **A:** | This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |What is the WDAGUtilityAccount local account?| -|**A:** |This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.| + +| | | +|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | What is the WDAGUtilityAccount local account? | +| **A:** | This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |How do I trust a subdomain in my site list?| -|**A:** |To trust a subdomain, you must precede your domain with two dots, for example: ..contoso.com.| + +| | | +|--------|-----------------------------------------------------------------------------------------------| +| **Q:** | How do I trust a subdomain in my site list? | +| **A:** | To trust a subdomain, you must precede your domain with two dots, for example: ..contoso.com. | +
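Review bot: the last table's answer in faq-wd-app-guard.md ("precede your domain with two dots, for example: ..contoso.com") contradicts the "Enterprise resource domains hosted in the cloud" description in configure-wd-app-guard.md in this same change, which says a single leading "." (".contoso.com") is the subdomain wildcard; one of the two is wrong and they should be reconciled rather than both reformatted as-is. In the IME table, the twelve keyboard names after the `| **A:** |` line sit on their own lines rather than inside the cell; if those are literal line breaks in the source, Markdown ends the table at the first non-`|` line and the list renders as loose text, so join them with `<br>` inside the cell or move the list below the table. Finally, this entire FAQ block is duplicated verbatim in wd-app-guard-overview.md (the `@@ -39,55 +39,70 @@` hunk below), so the answers will drift; keep the FAQ in one file and link to it from the overview.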
                                                              diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index 30dc486fdc..3792441270 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md 
@@ -48,46 +48,46 @@ How to install, set up, turn on, and configure Application Guard for Enterprise- ### Install, set up, and turn on Application Guard Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. -1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard). +1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard#install-application-guard). -2. Restart the device and then start Microsoft Edge. +2. Restart the device and then start Microsoft Edge. -3. Set up the Network Isolation settings in Group Policy: +3. Set up the Network Isolation settings in Group Policy: - a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. + a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. - b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. + b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. - c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. + c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. - ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png) + ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png) - d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. + d. 
Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. - e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box. + e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box. - ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) + ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) -4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting. +4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting. -5. Click **Enabled**, choose Option **1**, and click **OK**. +5. Click **Enabled**, choose Option **1**, and click **OK**. - ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png) + ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png) - >[!NOTE] - >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. + >[!NOTE] + >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. -6. Start Microsoft Edge and type _www.microsoft.com_. +6. Start Microsoft Edge and type www.microsoft.com. After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard. ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) -7. 
In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists. +7. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists. - After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. + After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. - ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) + ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) ### Customize Application Guard Application Guard lets you specify your configuration, allowing you to create the proper balance between isolation-based security and productivity for your employees. diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 99ef777067..4aadf6d205 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -16,7 +16,7 @@ manager: dansimp # Windows Defender Application Guard overview **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - + Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. ## What is Application Guard and how does it work? 
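Review bot: step 6 in test-scenarios-wd-app-guard.md changes `_www.microsoft.com_` to plain `www.microsoft.com`, dropping the italic formatting that steps 3c (`_.microsoft.com_`) and 3e (`_bing.com_`) keep for values the reader types; either keep the underscores or change all three together. It is also the only non-whitespace change in an otherwise whitespace-only hunk, so it should be called out in the commit message. Minor: the explanation after step 6 ("determines the URL is trusted because it uses the domain you've marked as trusted") would be clearer if it said the leading dot in the `.microsoft.com` entry from step 3c is what makes `www.microsoft.com` match.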
@@ -39,55 +39,70 @@ Application Guard has been created to target several types of systems: ## Frequently Asked Questions -| | | -|---|----------------------------| -|**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?| -|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | -||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. | -||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.| -||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.| +| | | +|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Can I enable Application Guard on machines equipped with 4GB RAM? | +| **A:** | We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | +| | HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. | +| | HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB. | +| | HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| -|**A:** |In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.

                                                              In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.| + +| | | +|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Can employees download documents from the Application Guard Edge session onto host devices? | +| **A:** | In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.

                                                              In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?| -|**A:** |Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.| + +| | | +|--------|------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Can employees copy and paste between the host device and the Application Guard Edge session? | +| **A:** | Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?| -|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.| + +| | | +|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Why don't employees see their Favorites in the Application Guard Edge session? | +| **A:** | To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?| -|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.| + +| | | +|--------|---------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Why aren’t employees able to see their Extensions in the Application Guard Edge session? | +| **A:** | Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |How do I configure WDAG to work with my network proxy (IP-Literal Addresses)?| -|**A:** |WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher.| + +| | | +|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | How do I configure WDAG to work with my network proxy (IP-Literal Addresses)? | +| **A:** | WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?| -|**A:** |This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature.| + +| | | +|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? | +| **A:** | This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature. | +
                                                              -| | | -|---|----------------------------| -|**Q:** |What is the WDAGUtilityAccount local account?| -|**A:** |This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.| + +| | | +|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | What is the WDAGUtilityAccount local account? | +| **A:** | This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. | +
                                                              ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index f0fbf8b27e..43cdc009e2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -135,7 +135,7 @@ An allowed application or service only has write access to a controlled folder a ```PowerShell Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe" ``` -Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app. + Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app. ![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 072bb8e1d5..8fd5f7cc13 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
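Review bot: In the Application Guard FAQ hunk (@@ -39,55 +39,70 @@), the answer to the 4GB RAM question lists `HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.` and its two sibling DWORDs with their defaults, but never says what value an administrator should write to them to let a 4GB machine pass the hardware check; since these rows are being reflowed anyway, add one sentence stating that the value is the new minimum the check enforces (for example, a value at or below the device's installed RAM), or link to the page that documents it. The three registry rows also sit in the Q/A table with an empty first column, so they render as unlabelled rows; a short lead cell such as "Registry values:" on the first of them would make the table read correctly.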
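Review bot: In the customize-controlled-folders-exploit-guard.md hunk (@@ -135,7 +135,7 @@), the only change is a single leading space added before `Continue to use \`Add-MpPreference -ControlledFolderAccessAllowedApplications\` to add more apps to the list.`; one space is not significant in Markdown, so this neither attaches the paragraph to the preceding list item nor changes rendering. If the intent is to keep the paragraph inside the numbered step, indent it to the same column as the `Add-MpPreference` fenced block above it; otherwise drop the whitespace-only change.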
@@ -112,27 +112,27 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. 3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: - - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation + - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation - >[!NOTE] - >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. + >[!NOTE] + >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. - Changing some settings may require a restart. + Changing some settings may require a restart. 4. 
Repeat this for all the system-level mitigations you want to configure. -3. Go to the **Program settings** section and choose the app you want to apply mitigations to: +5. Go to the **Program settings** section and choose the app you want to apply mitigations to: 1. If the app you want to configure is already listed, click it and then click **Edit** 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. -4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. +6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. 
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. 
@@ -179,28 +179,28 @@ Where: - \: - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. - For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: - - ```PowerShell -Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation -``` - - >[!IMPORTANT] - >Separate each mitigation option with commas. - - If you wanted to apply DEP at the system level, you'd use the following command: - - ```PowerShell -Set-Processmitigation -System -Enable DEP -``` - - To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app. - - If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: + For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: ```PowerShell -Set-Processmitigation -Name test.exe -Remove -Disable DEP -``` + Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation + ``` + + >[!IMPORTANT] + >Separate each mitigation option with commas. + + If you wanted to apply DEP at the system level, you'd use the following command: + + ```PowerShell + Set-Processmitigation -System -Enable DEP + ``` + + To disable mitigations, you can replace `-Enable` with `-Disable`. 
However, for app-level mitigations, this will force the mitigation to be disabled only for that app. + + If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: + + ```PowerShell + Set-Processmitigation -Name test.exe -Remove -Disable DEP + ``` You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 844e912bd8..6240e524cc 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
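Review bot: In the customize-exploit-protection.md hunk (@@ -179,28 +179,28 @@), the restore example `Set-Processmitigation -Name test.exe -Remove -Disable DEP` names a different executable (`test.exe`) from the one used in the two examples above it (`c:\apps\lob\tests\testing.exe`), so a reader following the sequence will not see the mitigation they just set being restored; since the blocks are being re-indented anyway, align the name with `testing.exe`. In the same region, `-Remove` is described as a cmdlet ("include the `-Remove` cmdlet as well") but it is a parameter of `Set-ProcessMitigation`, and the cmdlet name is spelled `Set-Processmitigation` in two of the three blocks and `Set-ProcessMitigation` in the first; PowerShell is case-insensitive, but the documentation should use one spelling.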
@@ -119,12 +119,12 @@ Value: c:\path|e:\path|c:\Whitelisted.exe 3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. 4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: - - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - - Disable = 0 - - Block (enable ASR rule) = 1 - - Audit = 2 + - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + - Disable = 0 + - Block (enable ASR rule) = 1 + - Audit = 2 - ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) 5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. @@ -145,13 +145,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe ```PowerShell Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode - ``` + ``` To turn off ASR rules, use the following cmdlet: ```PowerShell Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled - ``` + ``` >[!IMPORTANT] >You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 2eab6a3387..0c1ff68ba4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -77,13 +77,13 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt ## SCCM 1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -1. Click **Home** > **Create Exploit Guard Policy**. -1. Enter a name and a description, click **Controlled folder access**, and click **Next**. -1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. +2. Click **Home** > **Create Exploit Guard Policy**. +3. Enter a name and a description, click **Controlled folder access**, and click **Next**. +4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. >[!NOTE] >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. -1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +5. Review the settings and click **Next** to create the policy. +6. After the policy is created, click **Close**. ## Group Policy diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md index bb9dab319b..7a23a23e04 100644 
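Review bot: In the enable-controlled-folders-exploit-guard.md SCCM hunk (@@ -77,13 +77,13 @@), the renumbering from repeated `1.` to `2.` through `6.` is fine, but the unchanged note in the middle of the list still reads `>Wilcard is supported for applications, but not for folders.` ("Wildcard"), and step 4, `Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.`, is missing "to" ("whether to block or audit changes"). Both lines are inside the hunk, so fix them in the same pass rather than leaving the typo in a freshly renumbered list.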
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md @@ -43,8 +43,10 @@ You might also be interested in enabling the features in audit mode - which allo ## Related topics -Topic | Description ----|--- +| Topic | Description | +|-------|-------------| +| | | + - [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) - [Protect your network](network-protection-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index f711fb28ce..dcffecd121 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -126,7 +126,6 @@ You can also manually navigate to the event area that corresponds to the feature - ``` ## List of attack surface reduction events @@ -140,7 +139,7 @@ You can access these events in Windows Event viewer: 2. Expand **Applications and Services Logs > Microsoft > Windows** and then go to the folder listed under **Provider/source** in the table below. 3. Double-click on the sub item to see events. Scroll through the events to find the one you are looking. - ![Animation showing using Event Viewer](images/event-viewer.gif) + ![Animation showing using Event Viewer](images/event-viewer.gif) Feature | Provider/source | Event ID | Description :-|:-|:-:|:- 
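Review bot: In the evaluate-windows-defender-exploit-guard.md hunk (@@ -43,8 +43,10 @@), the new "Related topics" table is a header row followed by a single row of empty cells, `| | |`, while the actual topics remain as the bullet list below it (`- [Protect devices from exploits](exploit-protection-exploit-guard.md)` and the rest), so the page will render an empty two-column table above an unchanged list. Either move each topic into a table row with its description in the second column, or drop the table and keep the list; an empty-bodied table adds nothing.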
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index a5bdcbb066..7bf07fbce8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -55,19 +55,19 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain: -1. [Copy the XML directly](event-views-exploit-guard.md). +1. [Copy the XML directly](event-views-exploit-guard.md). 2. Click **OK**. 3. This will create a custom view that filters to only show the following events related to network protection: - Event ID | Description --|- -5007 | Event when settings are changed -1125 | Event when network protection fires in audit mode -1126 | Event when network protection fires in block mode + Event ID | Description + -|- + 5007 | Event when settings are changed + 1125 | Event when network protection fires in audit mode + 1126 | Event when network protection fires in block mode - ## Related topics + ## Related topics Topic | Description ---|--- diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 49913c15b8..bbd62a44b6 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md 
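Review bot: In the network-protection-exploit-guard.md hunk (@@ -55,19 +55,19 @@), the `## Related topics` heading is indented together with the event table under step 3; an indented heading becomes continuation content of that list item rather than a top-level section, and the `Topic | Description` table that follows the heading stays at column 0, so the section structure ends up split between the list and the page body. Keep the event-ID table indented under step 3 if that is the intent, but dedent `## Related topics` back to column 0.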
@@ -58,8 +58,8 @@ You can enable network protection in audit mode and then visit a website that we ``` 2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). 3. [Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. -> ->If network protection is not blocking a connection that you are expecting it should block, enable the feature. + > + >If network protection is not blocking a connection that you are expecting it should block, enable the feature. ```powershell Set-MpPreference -EnableNetworkProtection Enabled diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index 61d24fcec0..5431868198 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -38,7 +38,7 @@ The Windows Security interface is a little different in Windows 10 in S mode. Th For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode). -##Managing Windows Security settings with Intune +## Managing Windows Security settings with Intune In the enterprise, you can only manage security settings for devices running Windows 10 in S mode with Microsoft Intune or other mobile device management apps. Windows 10 in S mode prevents making changes via PowerShell scripts. 
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index 60b6e86ae6..f9fb884957 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md 
@@ -33,29 +33,29 @@ Starting with Windows 10, version 1703 your employees can use Windows Security t 2. In the **App & browser control** screen, choose from the following options: - - In the **Check apps and files** area: + - In the **Check apps and files** area: - - **Block.** Stops employees from downloading and running unrecognized apps and files from the web. + - **Block.** Stops employees from downloading and running unrecognized apps and files from the web. - - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue. + - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue. - - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. + - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. - - In the **SmartScreen for Microsoft Edge** area: + - In the **SmartScreen for Microsoft Edge** area: - - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge. + - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge. - - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge. + - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge. - - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. + - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files. 
- - In the **SmartScreen from Microsoft Store apps** area: + - In the **SmartScreen from Microsoft Store apps** area: - - **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue. + - **Warn.** Warns employees that the sites and downloads used by Microsoft Store apps are potentially dangerous, but allows the action to continue. - - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. + - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. - ![Windows Security, SmartScreen controls](images/windows-defender-smartscreen-control.png) + ![Windows Security, SmartScreen controls](images/windows-defender-smartscreen-control.png) ## How SmartScreen works when an employee tries to run an app Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization. diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md index b3633b51d2..d74524355b 100644 --- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md 
@@ -29,7 +29,7 @@ After you test the GPOs for your design on a small set of devices, you can deplo **Caution**   For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode. -  + The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md). @@ -81,9 +81,9 @@ From an elevated command prompt, type the following: gpresult /r /scope:computer ``` -  + -  + diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index d04b9d10f6..bb381856b4 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md 
+++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -44,5 +44,5 @@ The GPOs for isolated servers are similar to those for an isolated domain. This | Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| -  + Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md index 6bcbe9bf79..260980b98d 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md 
@@ -40,6 +40,6 @@ The following checklists include tasks for configuring connection security rules | Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| | Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| -  + Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md index e83af55fbe..1537a9a193 100644 --- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md 
@@ -33,50 +33,50 @@ To complete these procedures, you must be a member of the Domain Administrators **To configure authentication methods** -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. +2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**. -3. On the **IPsec Settings** tab, click **Customize**. +3. On the **IPsec Settings** tab, click **Customize**. -4. In the **Authentication Method** section, select the type of authentication that you want to use from among the following: +4. In the **Authentication Method** section, select the type of authentication that you want to use from among the following: - 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Defender Firewall or by Group Policy as the default. + 1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Defender Firewall or by Group Policy as the default. - 2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials. + 2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials. - 3. 
**Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. + 3. **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. - 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. + 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. - 5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. + 5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. - 6. **Advanced**. 
Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. + 6. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. - The first authentication method can be one of the following: + The first authentication method can be one of the following: - - **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. + - **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. - - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. - - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used. 
+ - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used. - - **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method is not recommended, and is included only for backward compatibility and testing purposes. + - **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method is not recommended, and is included only for backward compatibility and testing purposes. - If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. - The second authentication method can be one of the following: + The second authentication method can be one of the following: - - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP. 
User-based authentication using Kerberos V5 is not supported by IKE v1. - - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. - - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups. + - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups. - - **Computer health certificate from this certification authority (CA)**. 
Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication EKU typically provided in a NAP infrastructure can be used for this rule. + - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication EKU typically provided in a NAP infrastructure can be used for this rule. - If you select **Second authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + If you select **Second authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. - >**Important:**  Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. + >**Important:** Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. -5. Click **OK** on each dialog box to save your changes and return to the Group Policy Management Editor. +5. Click **OK** on each dialog box to save your changes and return to the Group Policy Management Editor. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md index 4e8241f5d4..7fde7baa03 100644 
--- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md 
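Review bot: The substantive fix in the configure-authentication-methods.md hunk is step 1, where `[Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)` had a space between `]` and `(` and therefore did not render as a link; the new line removes it. Every other line pair in this hunk is textually identical, so the rest is whitespace-only (the `>**Important:**  ` double space becomes a single space); run `git diff -w` to confirm nothing else moved. Two content points on lines this hunk now owns: under **Computer (NTLMv2)** the sentence "User-based authentication using Kerberos V5 is not supported by IKE v1." reads as copied from the **User (Kerberos V5)** bullet and says nothing about the computer option, so consider dropping it there; and the **Important** note that making both first and second authentication optional "allows plaintext connections whenever authentication fails" is the key safeguard on this page, so keep it adjacent to the two "is optional" paragraphs as it is now.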
@@ -27,25 +27,25 @@ To complete this procedure, you must be a member of the Domain Administrators gr **To modify an authentication request rule to also require encryption** -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the navigation pane, click **Connection Security Rules**. +2. In the navigation pane, click **Connection Security Rules**. -3. In the details pane, double-click the connection security rule you want to modify. +3. In the details pane, double-click the connection security rule you want to modify. -4. On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**. +4. On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**. -5. In the navigation pane, right-click **Windows Defender Firewall – LDAP://CN={***guid***}**, and then click **Properties**. +5. In the navigation pane, right-click **Windows Defender Firewall – LDAP://CN={**guid**}**, and then click **Properties**. -6. Click the **IPsec Settings** tab. +6. Click the **IPsec Settings** tab. -7. Under **IPsec defaults**, click **Customize**. +7. Under **IPsec defaults**, click **Customize**. -8. Under **Data protection (Quick Mode)**, click **Advanced**, and then click **Customize**. +8. Under **Data protection (Quick Mode)**, click **Advanced**, and then click **Customize**. -9. Click **Require encryption for all connection security rules that use these settings**. +9. Click **Require encryption for all connection security rules that use these settings**. - This disables the data integrity rules section. 
Make sure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone will not be able to connect to devices in this zone. + This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone will not be able to connect to devices in this zone. 10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md). diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md index c6680a6fc6..e9c8024043 100644 --- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md 
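Review bot: The step 5 markup change in configure-the-rules-to-require-encryption.md is a regression, not a fix: `**Windows Defender Firewall – LDAP://CN={***guid***}**` becomes `**Windows Defender Firewall – LDAP://CN={**guid**}**`, which nests a bold span inside a bold span, so the outer bold closes at `{`, "guid" renders as plain text, and a stray `**` is left at the end. For an italic placeholder inside bold UI text use `**Windows Defender Firewall – LDAP://CN={*guid*}**`. The step 9 line pair is identical and therefore whitespace-only; the caveat it carries (the encryption zone's **Data integrity and encryption** list must overlap with at least one algorithm combination from each client zone's GPO, or those clients cannot connect) is unchanged.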
@@ -31,23 +31,23 @@ To complete this procedure, you must be a member of the Domain Administrators gr **To make a copy of a GPO** -1. Open the Group Policy Management console. +1. Open the Group Policy Management console. -2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. +2. In the navigation pane, expand **Forest:**YourForestName, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. -3. In the details pane, right-click the GPO you want to copy, and then click **Copy**. +3. In the details pane, right-click the GPO you want to copy, and then click **Copy**. -4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**. +4. In the navigation pane, right-click **Group Policy Objects** again, and then click **Paste**. -5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler. +5. In the **Copy GPO** dialog box, click **Preserve the existing permissions**, and then click **OK**. Selecting this option preserves any exception groups to which you denied Read and Apply GPO permissions, making the change simpler. -6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*. +6. After the copy is complete, click **OK**. The new GPO is named **Copy of** *original GPO name*. -7. To rename it, right-click the GPO, and then click **Rename**. +7. To rename it, right-click the GPO, and then click **Rename**. -8. Type the new name, and then press ENTER. +8. Type the new name, and then press ENTER. -9. You must change the security filters to apply the policy to the correct group of devices. 
To do this, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**. +9. You must change the security filters to apply the policy to the correct group of devices. To do this, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**. 10. In the confirmation dialog box, click **OK**. diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md index 0f40f065f6..b790f7d1ac 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md 
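Review bot: Step 2 of copy-a-gpo-to-create-a-new-gpo.md loses its placeholder styling: `**Forest:***YourForestName*` becomes `**Forest:**YourForestName`, so YourForestName is no longer italic while *YourDomainName* in the same sentence still is. If the intent was to avoid the ambiguous `***` run, write `**Forest:** *YourForestName*` instead of dropping the markers. Step 9 is whitespace-only in this hunk, but note that it ends with removing the **CG\_DOMISO\_IsolatedDomain** security filter and step 10 only confirms that removal; make sure the steps that follow (outside this hunk) add the intended group, because a GPO with no security filtering entry applies to no devices.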
@@ -31,22 +31,22 @@ To complete this procedure, you must be a member of the Domain Administrators gr To create a new GPO -1. Open the Group Policy Management console. +1. Open the Group Policy Management console. -2. In the navigation pane, expand **Forest:***YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. +2. In the navigation pane, expand **Forest:**YourForestName, expand **Domains**, expand *YourDomainName*, and then click **Group Policy Objects**. -3. Click **Action**, and then click **New**. +3. Click **Action**, and then click **New**. -4. In the **Name** text box, type the name for your new GPO. +4. In the **Name** text box, type the name for your new GPO. - >**Note:**  Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs. + >**Note:** Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs. -5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**. +5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**. -6. If your GPO will not contain any user settings, then you can improve performance by disabling the **User Configuration** section of the GPO. To do this, perform these steps: +6. If your GPO will not contain any user settings, then you can improve performance by disabling the **User Configuration** section of the GPO. To do this, perform these steps: - 1. In the navigation pane, click the new GPO. + 1. In the navigation pane, click the new GPO. - 2. In the details pane, click the **Details** tab. + 2. In the details pane, click the **Details** tab. - 3. Change the **GPO Status** to **User configuration settings disabled**. + 3. Change the **GPO Status** to **User configuration settings disabled**. 
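Review bot: The create-a-group-policy-object.md hunk has the same placeholder problem as the copy-a-gpo hunk: `**Forest:***YourForestName*` is changed to `**Forest:**YourForestName`, leaving YourForestName unstyled next to the still-italic *YourDomainName*; use `**Forest:** *YourForestName*`. The remaining line pairs are identical, so they are whitespace-only changes (including the `>**Note:**  ` double-space cleanup). Minor: the procedure heading here is plain "To create a new GPO" whereas the sibling pages in this patch bold their procedure headings (for example "**To make a copy of a GPO**"); worth aligning while touching the file.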
diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md index ebc4253394..2f97c1e3a7 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md @@ -28,7 +28,7 @@ In almost any isolated server or isolated domain scenario, there are some device **Important**   Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Defender Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list. -  + **Administrative credentials** To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md index ee3d44e753..2c3d3fccae 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md 
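Review bot: The create-an-authentication-exemption-list-rule.md hunk only swaps a non-breaking-space line for a blank line before **Administrative credentials**, and the **Important** caveat (exempted devices receive unprotected, non-IPsec traffic from zone members, so only managed and trusted devices belong on the list) is untouched. Note that the unchanged context line `**Important**   Adding devices` still carries the same multi-space/non-breaking-space run after the label; if the purpose of this patch is whitespace cleanup, that line should be normalized in the same pass.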
@@ -38,34 +38,34 @@ This topic describes how to create a standard port rule for a specified protocol **To create an inbound port rule** -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). -2. In the navigation pane, click **Inbound Rules**. +2. In the navigation pane, click **Inbound Rules**. -3. Click **Action**, and then click **New rule**. +3. Click **Action**, and then click **New rule**. -4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. +4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. - >**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. + >**Note:** Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. -5. On the **Program** page, click **All programs**, and then click **Next**. +5. On the **Program** page, click **All programs**, and then click **Next**. - >**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. 
If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria. + >**Note:** This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria. -6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number. +6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number. - If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall. + If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall. - To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. 
+ To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. - When you have configured the protocols and ports, click **Next**. + When you have configured the protocols and ports, click **Next**. -7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. +7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. -8. On the **Action** page, select **Allow the connection**, and then click **Next**. +8. On the **Action** page, select **Allow the connection**, and then click **Next**. -9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. +9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**. - >**Note:**  If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type. + >**Note:** If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. 
A disconnected network card is automatically assigned to the Public network location type. 10. On the **Name** page, type a name and description for your rule, and then click **Finish**. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index 3ef0418544..2330b6ee32 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -57,7 +57,7 @@ The GPO for devices that are running at least Windows Server 2008 should includ **Important**   Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. -   + - A registry policy that includes the following values: diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 9dcdf6b827..9bdbf322d4 100644 --- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md 
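Review bot: In the create-an-inbound-port-rule.md hunk the real fix is step 1, removing the space in `[Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)` so the link renders; all other line pairs are identical and thus whitespace-only (`>**Note:**  ` to single space), which `git diff -w` will confirm. The security guidance in the two notes is preserved and worth keeping as-is: combining a port rule with a program or service rule restricts traffic to the specified port and only while the specified program runs, and applying server rules to all network location profiles avoids the rule set silently changing when a NIC is added or unplugged, since a disconnected card is assigned to the Public profile.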
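Review bot: The encryption-zone.md hunk replaces a non-breaking-space line (`-   `) with a blank line ahead of the `- A registry policy that includes the following values:` list item; the blank line is needed for the list to start correctly after the **Important** paragraph, so this is the right fix. Confirm the added line is empty rather than `+ ` with a trailing space. The rollout caveat in the unchanged context (start with request in / request out, and only switch the GPO to require in / request out after confirming IPsec is negotiating successfully everywhere) is the important operational safeguard on this page and is preserved.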
@@ -20,18 +20,20 @@ ms.date: 08/17/2017 # Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals **Applies to** -- Windows 10 +- Windows 10 - Windows Server 2016 Correctly identifying your Windows Defender Firewall with Advanced Security deployment goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall deployment goals presented in this guide that are relevant to your scenarios. The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall deployment goals: -| Deployment goal tasks | Reference links | -| --- | --- | -| Evaluate predefined Windows Defender Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined deployment goals:

                                                              • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
                                                              • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
                                                              • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
                                                              • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
                                                              -| Map one goal or a combination of the predefined deployment goals to an existing Windows Defender Firewall with Advanced Security design. |
                                                              • [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
                                                              -| Based on the status of your current infrastructure, document your deployment goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. |
                                                              • [Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
                                                              • [Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)
                                                              + +| Deployment goal tasks | Reference links | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Evaluate predefined Windows Defender Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined deployment goals:

                                                              • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
                                                              • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
                                                              • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
                                                              • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
                                                              | +| Map one goal or a combination of the predefined deployment goals to an existing Windows Defender Firewall with Advanced Security design. |
                                                              • [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
                                                              | +| Based on the status of your current infrastructure, document your deployment goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. |
                                                              • [Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
                                                              • [Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)
                                                              | +
                                                              **Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md index eb5af5aeea..e00e35ccff 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md @@ -27,8 +27,8 @@ Procedures in this guide that refer to GPOs for earlier versions of the Windows **To open a GPO to the IP Security Policies section** -1. Open the Group Policy Management console. +1. Open the Group Policy Management console. -2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. -3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, and then click **IP Security Policies on Active Directory (***YourDomainName***)**. +3. In the navigation pane of the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, and then click **IP Security Policies on Active Directory (**YourDomainName**)**. 
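Review bot: In step 3 of open-the-group-policy-management-console-to-ip-security-policies.md, changing `(***YourDomainName***)` to `(**YourDomainName**)` removes the italic that marks YourDomainName as a placeholder, and because the inner `**` pair toggles bold off and back on, the placeholder renders as plain text inside an otherwise bold console path. Step 2 in the same hunk still writes the placeholder as `*YourDomainName*`, so the two steps end up inconsistent. Suggest closing the bold before the placeholder and reopening it after, for example `**IP Security Policies on Active Directory (**_YourDomainName_**)**`, so the placeholder stays italic under the new engine.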
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index addaa10b1f..8bea94a26f 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -27,8 +27,8 @@ Most of the procedures in this guide instruct you to use Group Policy settings f To open a GPO to Windows Firewall with Advanced Security -1. Open the Group Policy Management console. +1. Open the Group Policy Management console. -2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. +2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**. -3. In the navigation pane of the Group Policy Management Editor, navigate to **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - LDAP://cn={***GUID***},cn=…**. +3. In the navigation pane of the Group Policy Management Editor, navigate to **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - LDAP://cn={**GUID**},cn=…**. 
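Review bot: Same placeholder problem as the previous file: in step 3 of open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md, `{***GUID***}` becomes `{**GUID**}`, which turns bold off around GUID rather than italicising it, while `*YourForestName*` and `*YourDomainName*` in step 2 keep the italic placeholder convention. Suggest `LDAP://cn={**_GUID_**},cn=…` or an equivalent that keeps GUID in italics, and apply the same fix in both files so the two procedures stay in step.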
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 021242e6ab..9c6966b525 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -132,10 +132,10 @@ New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet Make sure that you install the required certificates on the participating computers. ->**Note:**   -- For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](https://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys). -- You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder. -- For remote devices, you can create a secure website to facilitate access to the script and certificates. +> **Note:** +> - For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](https://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys). +> - You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder. +> - For remote devices, you can create a secure website to facilitate access to the script and certificates. ## Troubleshooting 
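Review bot: The rewritten note block in securing-end-to-end-ipsec-connections-by-using-ikev2.md still uses a plain `> **Note:**` blockquote, whereas whats-new-windows-10-version-1507-and-1511.md in this same PR uses the `>[!NOTE]` alert syntax; since the hunk is already converting the three bullets into a quoted list, switching the first line to `> [!NOTE]` would make the block render as a proper alert with no extra work. Separately, the first bullet keeps a link to https://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys, a Windows Vista era URL that is worth checking before this lands, given the bullet is the only pointer readers get for installing the computer certificate.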
@@ -187,9 +187,9 @@ You might not find the exact answer for the issue, but you can find good hints. - [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md) -  + -  + diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md index fc324ea151..f2f806c37f 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md 
@@ -81,16 +81,17 @@ Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.asp **Microsoft Products** -| Name | Details | Security Tools | -|---|---|---| -Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)| -|Internet Explorer 10|[Technet](https://technet.microsoft.com/library/jj898540.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | -|Internet Explorer 9|[Technet](https://technet.microsoft.com/library/hh539027.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) -|Internet Explorer 8|[Technet](https://technet.microsoft.com/library/ee712766.aspx)|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) -|Exchange Server 2010|[Technet](https://technet.microsoft.com/library/hh913521.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) -|Exchange Server 2007|[Technet](https://technet.microsoft.com/library/hh913520.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) -|Microsoft Office 2010|[Technet](https://technet.microsoft.com/library/gg288965.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) -|Microsoft Office 2007 SP2|[Technet](https://technet.microsoft.com/library/cc500475.aspx)| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) + +| Name | Details | Security Tools | +|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------| +| Internet Explorer 11 | 
[SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Internet Explorer 10 | [Technet](https://technet.microsoft.com/library/jj898540.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Internet Explorer 9 | [Technet](https://technet.microsoft.com/library/hh539027.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Internet Explorer 8 | [Technet](https://technet.microsoft.com/library/ee712766.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Exchange Server 2010 | [Technet](https://technet.microsoft.com/library/hh913521.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Exchange Server 2007 | [Technet](https://technet.microsoft.com/library/hh913520.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Microsoft Office 2010 | [Technet](https://technet.microsoft.com/library/gg288965.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) | +| Microsoft Office 2007 SP2 | [Technet](https://technet.microsoft.com/library/cc500475.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
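Review bot: The rebuilt Microsoft Products table in get-support-for-security-baselines.md silently drops the `[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)` link from the Internet Explorer 11 row. In the removed lines that row had four cells (SecGuide, SCT 1.0, SCM 4.0) under a three-column header, so the stray cell was a formatting bug, but the link itself looks intended since every other row lists SCM 4.0 under Security Tools. If it should be kept, put both tools in the one cell, e.g. `| Internet Explorer 11 | [SecGuide](...) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319), [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |`; if the removal is deliberate, the PR description should say so.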
                                                              diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json index ca62dbde8c..98413f9962 100644 --- a/windows/threat-protection/docfx.json +++ b/windows/threat-protection/docfx.json @@ -20,7 +20,7 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif" + "**/*.gif" ], "exclude": [ "**/obj/**", @@ -31,21 +31,22 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "ms.author": "justinha", - "ms.date": "04/05/2017", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.win-threat-protection", - "folder_relative_path_in_docset": "./" - } - } - }, + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "justinha", + "ms.date": "04/05/2017", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-threat-protection", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], - "dest": "win-threat-protection" + "dest": "win-threat-protection", + "markdownEngineName": "markdig" } } diff --git a/windows/update/docfx.json b/windows/update/docfx.json index 0e654307a9..c5ef1b98ba 100644 --- a/windows/update/docfx.json +++ b/windows/update/docfx.json @@ -30,15 +30,16 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.windows-update", - "folder_relative_path_in_docset": "./" - } - } - }, + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.windows-update", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], - "dest": "windows-update" + "dest": "windows-update", + "markdownEngineName": "markdig" } } 
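Review bot: In windows/threat-protection/docfx.json and windows/update/docfx.json the only functional change is the added `"markdownEngineName": "markdig"` key; the rest of each hunk re-indents the `globalMetadata` block with whitespace-only edits that make the real change hard to spot. Consider separating the indentation cleanup from the engine switch. More importantly, adding the key changes how every page in those two docsets renders, and the list-indentation and nested-emphasis fixes elsewhere in this PR suggest the new engine is less forgiving than the old one, so the PR description should state that a full build of both docsets was checked rather than only the pages touched here.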
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md index c55d8e939d..f71dfffeea 100644 --- a/windows/whats-new/contribute-to-a-topic.md +++ b/windows/whats-new/contribute-to-a-topic.md @@ -48,14 +48,14 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png) -4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see: - - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring) +4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see: + - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring) - - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) + - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) -5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. +5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. - ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png) + ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png) 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change**. 
@@ -63,15 +63,15 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner The **Comparing changes** screen shows the changes between your version of the article and the original content. -7. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in. (Occasionally there are merge conflicts, where you've edited the file one way, while someone else edited the same lines in the same file in a different way. Before you can propose your changes, you need to fix those conflicts.) +7. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in. (Occasionally there are merge conflicts, where you've edited the file one way, while someone else edited the same lines in the same file in a different way. Before you can propose your changes, you need to fix those conflicts.) - If there are no problems, you’ll see the message, **Able to merge**. + If there are no problems, you’ll see the message, **Able to merge**. - ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png) + ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png) -8. Click **Create pull request**. +8. Click **Create pull request**. -9. Enter a title and description to let us know what’s in the request. +9. Enter a title and description to let us know what’s in the request. 10. Scroll to the bottom of the page, and make sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people. 
@@ -79,6 +79,6 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner 12. If you aren't a Microsoft employee, you need to [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before updating or adding to any Microsoft repositories. A bot running in GitHub checks whether you've signed the CLA - if not, you'll be prompted, in the pull request, to sign it. - If you've previously contributed to topics in the Microsoft repositories, congratulations! You've already completed this step. + If you've previously contributed to topics in the Microsoft repositories, congratulations! You've already completed this step. Next, the pull request is sent to one of our writers to review your edits for technical and editorial accuracy. If we have any suggestions or questions, we'll add them to the pull request where we can discuss them with you. If we accept your edits, you'll see your changes the next time the article is published. diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 8095c10abd..1903ec7f9a 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -20,7 +20,7 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif" + "**/*.gif" ], "exclude": [ "**/obj/**", 
@@ -31,24 +31,24 @@ "overwrite": [], "externalReference": [], "globalMetadata": { - "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "ms.author": "trudyha", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.win-whats-new", - "folder_relative_path_in_docset": "./" - } - } - }, + "uhfHeaderId": "MSDocsHeader-WindowsIT", + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows", + "ms.topic": "article", + "ms.author": "trudyha", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "_op_documentIdPathDepotMapping": { + "./": { + "depot_name": "MSDN.win-whats-new", + "folder_relative_path_in_docset": "./" + } + } + }, "fileMetadata": {}, "template": [], "dest": "win-whats-new", - "markdownEngineName": "dfm" + "markdownEngineName": "markdig" } } diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 67993266dd..c20bd31308 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md 
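Review bot: windows/whats-new/docfx.json is the one docfx file in this PR where `"markdownEngineName": "dfm"` is replaced rather than the key being introduced, so this docset has been rendering with dfm until now and the ltsc and whats-new pages edited later in this PR all belong to it. Worth calling out in the PR description, and worth confirming that the pages in this docset that are not touched here still render as expected under markdig.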
@@ -244,10 +244,10 @@ Enterprises have the following identity and management choices. | Grouping | Domain join; Workgroup; Azure AD join | | Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | - > **Note**   + > **Note**   With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). -  + ### Device lockdown diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index ec7a80b661..dfa92423f4 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md 
@@ -83,11 +83,11 @@ Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC: #### New Bitlocker features -- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. - It provides the following benefits: - - The algorithm is FIPS-compliant. - - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. - >**Note:**  Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + It provides the following benefits: + - The algorithm is FIPS-compliant. + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. ### Security auditing diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 22521f2e83..c60b88f548 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md 
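Review bot: Since the XTS-AES note line in whats-new-windows-10-2016.md is being rewritten anyway, fix "older version of Windows" to "older versions of Windows" in the `+` line; the identical sentence is changed the same way in whats-new-windows-10-version-1507-and-1511.md later in this PR and carries the same typo. The context heading `#### New Bitlocker features` also spells the product name differently from the `**XTS-AES encryption algorithm**` bullet beneath it, which uses BitLocker.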
@@ -82,31 +82,31 @@ Endpoint detection and response is improved. Enterprise customers can now take a Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). 
The new library includes information on: - - [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) - - [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) - - [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) - - [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) - - [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) +- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) +- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) +- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) +- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) +- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) - Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). 
+ Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). - New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: - - [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) - - [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) - - [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) + New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: +- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) +- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) +- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) - We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time 
protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). - **Endpoint detection and response** is also enhanced. New **detection** capabilities include: - - [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. - - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. - - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. - - Upgraded detections of ransomware and other advanced attacks. - - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. + **Endpoint detection and response** is also enhanced. 
New **detection** capabilities include: +- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. + - Upgraded detections of ransomware and other advanced attacks. + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. - **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: - - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. - - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. 
+ **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: +- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. Additional capabilities have been added to help you gain a holistic view on **investigations** include: - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index ad0f8366a5..cfc863d9b5 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -20,7 +20,7 @@ Below is a list of some of the new and updated features included in the initial >[!NOTE] >For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). -  + ## Deployment 
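Review bot: The changed lines in whats-new-windows-10-2019.md carry two defects that should be fixed while the lines are being edited: `**Threat reponse**` should read `**Threat response**`, and the link `/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus` has a doubled slash in its path. The new list indentation is also uneven: in each of the three lists the first bullet starts in column 0 (`+- [Use the threat intelligence API ...`) while the bullets after it are indented by one space (`+ - [Custom detection] ...`), and the introductory paragraphs keep a single leading space. Those variations still render as one list, but aligning every bullet to column 0 and dropping the stray leading spaces would avoid the next engine or linter treating them differently.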
@@ -47,11 +47,11 @@ With Windows 10, you can create provisioning packages that let you quickly and e #### New Bitlocker features in Windows 10, version 1511 -- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. - It provides the following benefits: - - The algorithm is FIPS-compliant. - - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. - >**Note:**  Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. +- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys. + It provides the following benefits: + - The algorithm is FIPS-compliant. + - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization. + >**Note:** Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms. #### New Bitlocker features in Windows 10, version 1507 
@@ -280,10 +280,10 @@ Enterprises have the following identity and management choices. | Grouping | Domain join; Workgroup; Azure AD join | | Device management | Group Policy; System Center Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) | - > **Note**   + > **Note**   With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512). -  + ### Device lockdown @@ -355,9 +355,9 @@ We also recommend that you upgrade to IE11 if you're running any earlier version - [Windows 10 release information](https://technet.microsoft.com/windows/release-info) -  + -  + diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 41a0e83637..1d839ac866 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md 
@@ -98,17 +98,17 @@ The draft release of the [security configuration baseline settings](https://blog - [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone. - [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements: - - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. + - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. 
In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. To try this extension: - 1. Configure WDAG policies on your device. - 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. - 3. Follow any additional configuration steps on the extension setup page. - 4. Reboot the device. - 5. Navigate to an untrusted site in Chrome and Firefox. + 1. Configure WDAG policies on your device. + 2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension. + 3. Follow any additional configuration steps on the extension setup page. + 4. Reboot the device. + 5. Navigate to an untrusted site in Chrome and Firefox. - - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. + - WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. 
With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates. - [Windows Defender Application Control (WDAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker. - [Multiple Policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
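Review bot: The typo in "**Threat reponse** is improved when an attack is detected" survives the re-indented `+` line of the detection/response hunk; since the line is being rewritten anyway, spell it "response". The same hunk also leaves the sub-bullets nested inconsistently: `+- [Use the threat intelligence API to create custom alerts]` and `+- [Take response actions on a machine]` start in column one, while their siblings (`+ - [Custom detection]`, `+ - [Take response actions on a file]`) keep a leading space, so the first item of each list renders at a different level from the rest. Aligning them to one indentation would keep the rendered list correct.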
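Review bot: In the BitLocker XTS-AES hunk of whats-new-windows-10-version-1507-and-1511.md the change is whitespace-only (trailing spaces and the double space after `>**Note:**` removed), which is fine, but the rewritten note still reads "will not be accessible on older version of Windows"; while the line is touched, change it to "older versions of Windows". The substantive guidance (XTS-AES only for fixed and OS drives, AES-CBC 128/256 for removable drives that must stay readable on older Windows) is unchanged, as it should be.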
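Review bot: In the identity and management hunk (`@@ -280,10 +280,10 @@`) the replacement line `+ > **Note**   ` still ends in trailing whitespace after `**Note**`, so if the purpose of this commit is to strip trailing spaces and non-breaking spaces, this line is only partly cleaned; trim it to `+ > **Note**` so it matches the other lines the patch normalizes.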